{"meta":{"title":"Browsing security advisories in the GitHub Advisory Database","intro":"You can browse the GitHub Advisory Database to find CVEs and GitHub-originated advisories affecting the open source world.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/how-tos","title":"How-tos"},{"href":"/en/code-security/how-tos/report-and-fix-vulnerabilities","title":"Report and fix vulnerabilities"},{"href":"/en/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities","title":"Fix vulnerabilities"},{"href":"/en/code-security/how-tos/report-and-fix-vulnerabilities/fix-reported-vulnerabilities/browsing-security-advisories-in-the-github-advisory-database","title":"Browse Advisory Database"}],"documentType":"article"},"body":"# Browsing security advisories in the GitHub Advisory Database\n\nYou can browse the GitHub Advisory Database to find CVEs and GitHub-originated advisories affecting the open source world.\n\n## Accessing an advisory in the GitHub Advisory Database\n\nYou can access any advisory in the GitHub Advisory Database.\n\n1. Navigate to [https://github.com/advisories](https://github.com/advisories?ref_product=security-advisories\\&ref_type=engagement\\&ref_style=text).\n\n2. Optionally, to filter the list of advisories, use the search field or the drop-down menus at the top of the list.\n\n   > \\[!NOTE]\n   > You can use the sidebar on the left to explore GitHub-reviewed and unreviewed advisories separately, or to filter by ecosystem.\n\n3. Click an advisory to view details. By default, you will see GitHub-reviewed advisories for security vulnerabilities. To show malware advisories, use `type:malware` in the search bar.\n\nThe database is also accessible using the GraphQL API. 
By default, queries will return GitHub-reviewed advisories for security vulnerabilities unless you specify `type:malware`. For more information, see the [Webhook events and payloads](/en/webhooks-and-events/webhooks/webhook-events-and-payloads#security_advisory).\n\nAdditionally, you can access the GitHub Advisory Database using the REST API. For more information, see [REST API endpoints for global security advisories](/en/rest/security-advisories/global-advisories).\n\n## Editing an advisory in the GitHub Advisory Database\n\nYou can suggest improvements to any advisory in the GitHub Advisory Database. For more information, see [Editing security advisories in the GitHub Advisory Database](/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database).\n\n## Searching the GitHub Advisory Database\n\nYou can search the database, and use qualifiers to narrow your search. For example, you can search for advisories created on a certain date, in a specific ecosystem, or in a particular library.\n\nDate formatting must follow the [ISO8601](http://en.wikipedia.org/wiki/ISO_8601) standard, which is `YYYY-MM-DD` (year-month-day). You can also add optional time information `THH:MM:SS+00:00` after the date, to search by the hour, minute, and second. That's `T`, followed by `HH:MM:SS` (hour-minutes-seconds), and a UTC offset (`+00:00`).\n\nWhen you search for a date, you can use greater than, less than, and range qualifiers to further filter results. 
For more information, see [Understanding the search syntax](/en/search-github/getting-started-with-searching-on-github/understanding-the-search-syntax).\n\n| Qualifier             | Example                                                                                                                                          |\n| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |\n| `type:reviewed`       | [`type:reviewed`](https://github.com/advisories?query=type%3Areviewed) will show GitHub-reviewed advisories for security vulnerabilities.        |\n| `type:malware`        | [`type:malware`](https://github.com/advisories?query=type%3Amalware) will show malware advisories.                                               |\n| `type:unreviewed`     | [`type:unreviewed`](https://github.com/advisories?query=type%3Aunreviewed) will show unreviewed advisories.                                      |\n| `GHSA-ID`             | [`GHSA-49wp-qq6x-g2rf`](https://github.com/advisories?query=GHSA-49wp-qq6x-g2rf) will show the advisory with this GitHub Advisory Database ID.   |\n| `CVE-ID`              | [`CVE-2020-28482`](https://github.com/advisories?query=CVE-2020-28482) will show the advisory with this CVE ID number.                           |\n| `ecosystem:ECOSYSTEM` | [`ecosystem:npm`](https://github.com/advisories?utf8=%E2%9C%93\\&query=ecosystem%3Anpm) will show only advisories affecting npm packages.         |\n| `severity:LEVEL`      | [`severity:high`](https://github.com/advisories?utf8=%E2%9C%93\\&query=severity%3Ahigh) will show only advisories with a high severity level.     |\n| `affects:LIBRARY`     | [`affects:lodash`](https://github.com/advisories?utf8=%E2%9C%93\\&query=affects%3Alodash) will show only advisories affecting the lodash library. 
|\n| `cwe:ID`              | [`cwe:352`](https://github.com/advisories?query=cwe%3A352) will show only advisories with this CWE number.                                       |\n| `credit:USERNAME`     | [`credit:octocat`](https://github.com/advisories?query=credit%3Aoctocat) will show only advisories credited to the \"octocat\" user account.       |\n| `sort:created-asc`    | [`sort:created-asc`](https://github.com/advisories?utf8=%E2%9C%93\\&query=sort%3Acreated-asc) will sort by the oldest advisories first.           |\n| `sort:created-desc`   | [`sort:created-desc`](https://github.com/advisories?utf8=%E2%9C%93\\&query=sort%3Acreated-desc) will sort by the newest advisories first.         |\n| `sort:updated-asc`    | [`sort:updated-asc`](https://github.com/advisories?utf8=%E2%9C%93\\&query=sort%3Aupdated-asc) will sort by the least recently updated first.      |\n| `sort:updated-desc`   | [`sort:updated-desc`](https://github.com/advisories?utf8=%E2%9C%93\\&query=sort%3Aupdated-desc) will sort by the most recently updated first.     |\n| `is:withdrawn`        | [`is:withdrawn`](https://github.com/advisories?utf8=%E2%9C%93\\&query=is%3Awithdrawn) will show only advisories that have been withdrawn.         |\n| `created:YYYY-MM-DD`  | [`created:2021-01-13`](https://github.com/advisories?utf8=%E2%9C%93\\&query=created%3A2021-01-13) will show only advisories created on this date. |\n| `updated:YYYY-MM-DD`  | [`updated:2021-01-13`](https://github.com/advisories?utf8=%E2%9C%93\\&query=updated%3A2021-01-13) will show only advisories updated on this date. |\n\nA `GHSA-ID` qualifier is a unique ID that we at GitHub automatically assign to every advisory in the GitHub Advisory Database. 
For more information about these identifiers, see [About the GitHub Advisory Database](/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database#about-ghsa-ids).\n\n## Viewing your vulnerable repositories\n\nFor any GitHub-reviewed advisory in the GitHub Advisory Database, you can see which of your repositories are affected by that security vulnerability or malware. To see a vulnerable repository, you must have access to Dependabot alerts for that repository. For more information, see [About Dependabot alerts](/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to-dependabot-alerts).\n\n1. Navigate to [https://github.com/advisories](https://github.com/advisories?ref_product=security-advisories\\&ref_type=engagement\\&ref_style=text).\n2. Click an advisory.\n3. At the top of the advisory page, click **Dependabot alerts**.\n   ![Screenshot of a \"global security advisory\". The \"Dependabot alerts\" button is highlighted with an orange outline.](/assets/images/help/security/advisory-database-dependabot-alerts.png)\n4. Optionally, to filter the list, use the search bar or the drop-down menus. The \"Organization\" drop-down menu allows you to filter the Dependabot alerts per owner (organization or user).\n5. For more details about the advisory, and for advice on how to fix the vulnerable repository, click the repository name."}