GitHub uses your repository’s data to connect you to relevant tools, people, projects, and information.
GitHub aggregates metadata and parses content patterns for the purposes of delivering generalized insights within the product. It uses data from public repositories, and also uses metadata and aggregate data from private repositories when a repository’s owner has chosen to share the data with GitHub by enabling the dependency graph. If you enable the dependency graph for a private repository, then GitHub will perform read-only analysis of that specific private repository.
If you enable data use for a private repository, we will continue to treat your private data, source code, or trade secrets as confidential and private consistent with our Terms of Service. The information we learn only comes from aggregated data. For more information, see “Managing data use settings for your private repository.”
By default, all public repositories are included in the GitHub Archive Program, a partnership between GitHub and organizations such as Software Heritage Foundation and Internet Archive to ensure the long-term preservation of the world’s open source software. For more information, see “About archiving content and data on GitHub.”
You can export and review the metadata that GitHub stores about your personal account. For more information, see “Requesting an archive of your personal account’s data.”
We’ll announce substantial new features that use metadata or aggregate data on the GitHub blog.
As an example of how your data might be used, we can detect and alert you to a security vulnerability in your public repository’s dependencies. For more information, see “About Dependabot alerts.”
To detect potential security vulnerabilities, GitHub scans the contents of your dependency manifest file to draw up a list of your project’s dependencies.
GitHub also learns from changes you make to your dependency manifest. For example, if you upgrade a vulnerable dependency to a safe version after getting a security alert and others do the same, GitHub learns how to patch the vulnerability and can recommend a similar patch to affected repositories.
Private repository data is scanned by machine and never read by GitHub staff. Human eyes will never see the contents of your private repositories, except as described in our Terms of Service.
Your individual personal or repository data will not be shared with third parties. We may share aggregate data learned from our analysis with our partners.