GitHub Advisories (GHSA) is a database of CVEs and GitHub-originated security advisories affecting the open source world. Advisories may or may not be documented in the National Vulnerability Database.

Dependency-Track integrates with GHSA by mirroring advisories via GitHub’s public GraphQL API. The mirror is refreshed daily, or upon restart of the Dependency-Track instance. A personal access token (PAT) is required in order to authenticate with GitHub, but no scopes have to be assigned to it. GitHub provides guidance on how to create a PAT here.

Note on Fine-grained PAT’s: at the time of writing (Jan 2023), those are in Beta state and do not yet support access to the GraphQL API (see github/roadmap#622). Therefore, a classic token has to be used (prefix ghp_ for classic versus github_pat_ for fine-grained).