Which branch is used to create the Vulnerability Alerts


I wanted to understand which branch of a repository is used to create the Vulnerability alerts. Is it the branch which is designated as the “default” branch?

I need to understand this because of the below use cases:

  • At my company, we have had developers who updated the vulnerable libraries and also checked that code into GitHub, but they were utilizing a branch other than the designated default branch on GitHub. GitHub still shows some alerts even after the upgrades were pushed.

  • Some repositories have multiple active branches and so we want to find out if GitHub scans all branches of a repository to report vulnerability alerts or only 1 of them.

Thank you,

The Vulnerability Alerts system only scans the default branch for a repository.

I hope that helps!
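
An added example, not part of the original thread: since only the default branch is scanned, an alert stays open until the dependency upgrade is reachable from that branch, and this can be checked from a local clone. The helper names (`default_branch`, `fix_on_default`, `make_demo_repo`), the `examplelib` package and the demo repository are constructed for illustration; the remote is assumed to be named `origin`.

```bash
#!/usr/bin/env bash
# Added example: helper names and the demo repository are constructed.

# Print the default branch the clone recorded for remote "origin".
default_branch() {
  git -C "$1" symbolic-ref --short refs/remotes/origin/HEAD 2>/dev/null | sed 's|^origin/||'
}

# Report whether COMMIT (any commit-ish) is reachable from the default branch.
fix_on_default() {
  local repo=$1 commit=$2 def
  def=$(default_branch "$repo")
  [ -n "$def" ] || { echo "unknown-default"; return 2; }
  if git -C "$repo" merge-base --is-ancestor "$commit" "origin/$def"; then
    echo "on-default:$def"
  else
    echo "not-on-default:$def"
  fi
}

# Build a constructed repo: main pins the old version, upgrade-lib has the fix.
make_demo_repo() {
  local tmp src
  tmp=$(mktemp -d); src="$tmp/src"
  git init -q "$src"
  git -C "$src" symbolic-ref HEAD refs/heads/main
  echo 'examplelib==1.0.0' > "$src/requirements.txt"
  git -C "$src" add requirements.txt
  git -C "$src" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m 'pin examplelib 1.0.0'
  git -C "$src" checkout -q -b upgrade-lib
  echo 'examplelib==1.0.1' > "$src/requirements.txt"
  git -C "$src" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -am 'upgrade examplelib to 1.0.1'
  git -C "$src" checkout -q main
  git clone -q "$src" "$tmp/clone"
  echo "$tmp"
}

demo=$(make_demo_repo)
fix_on_default "$demo/clone" origin/upgrade-lib   # the upgrade lives only on the side branch
```

`refs/remotes/origin/HEAD` is recorded at clone time; if the default branch was changed on GitHub afterwards, run `git remote set-head origin --auto` before relying on the result.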