What is a GHSA (GitHub Security Advisory)?
Last reviewed June 2, 2026
A GHSA (GitHub Security Advisory) is a vulnerability record in the GitHub Advisory Database, identified by an ID of the form GHSA-xxxx-xxxx-xxxx. GHSA records describe vulnerabilities in open-source packages and power features such as Dependabot alerts. A GHSA often maps to a CVE, but the two identifiers coexist and serve different parts of the ecosystem.
GHSA in one sentence
GHSA stands for GitHub Security Advisory. It is both a type of vulnerability record published by GitHub and the identifier attached to that record, written in the form GHSA-xxxx-xxxx-xxxx (four characters in each of three groups).
GHSA records focus on vulnerabilities in software packages, especially the open-source dependencies hosted on or installed through ecosystems that GitHub tracks, such as npm, PyPI, Maven, RubyGems, Go, and others.
The GitHub Advisory Database
GHSA records live in the GitHub Advisory Database, a free, publicly browsable collection of security advisories for open-source software. Each entry describes the affected package, the vulnerable and patched version ranges, severity, and references.
The database is curated by GitHub and supplemented by community contributions. It is also published in a machine-readable form, which lets other tools and databases ingest and reuse the data.
How GHSA IDs relate to CVE IDs
A GHSA ID and a CVE ID are not competitors; they describe the same vulnerability from different angles. GitHub is an authorized CVE Numbering Authority (CNA), so it can assign CVE IDs as well as GHSA IDs.
In practice, many advisories carry both: the CVE ID is the global, cross-vendor name for the flaw, while the GHSA ID is GitHub's record that adds package-specific, ecosystem-aware detail such as exact affected version ranges. A GHSA may also exist before a CVE is assigned, or for issues that never receive a CVE.
| Aspect | GHSA ID | CVE ID |
|---|---|---|
| Format | GHSA-xxxx-xxxx-xxxx | CVE-YYYY-NNNN |
| Issued by | GitHub | Any CVE Numbering Authority (CNA) |
| Scope | Open-source packages in tracked ecosystems | Any software, firmware, or hardware |
| Strength | Precise package and version data | Global, vendor-neutral identifier |
How GHSA powers Dependabot
The practical payoff of GHSA is automation. GitHub uses the Advisory Database to drive Dependabot, which scans a repository's manifest and lock files, compares the declared dependency versions against GHSA affected-version ranges, and raises alerts when a project depends on a vulnerable package.
Dependabot can then open pull requests that bump the affected dependency to a patched version. Because the matching is keyed on GHSA records with precise version ranges, the alerts can point directly at the upgrade that resolves the issue.
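The two mechanics above, the identifier formats and the matching of declared dependency versions against an advisory's affected-version ranges, as an added Python example. This is not GitHub's or Dependabot's code: the advisory IDs, package names and versions are constructed placeholders, the range shape (introduced/fixed events) is modelled on the OSV convention, and versions are assumed to be plain dotted integers with no pre-release tags.

```python
# Added example, not GitHub's or Dependabot's own code. Advisory IDs, package
# names and versions below are constructed placeholders; affected ranges use
# introduced/fixed events modelled on the OSV convention; versions are plain
# dotted integers (no pre-release tags).
import re
from typing import Dict, List, Optional, Tuple

# GHSA-xxxx-xxxx-xxxx: three dash-separated groups of four characters.
GHSA_RE = re.compile(r"^GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$")
# CVE-YYYY-NNNN: a four-digit year, then four or more digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def classify_id(identifier: str) -> Optional[str]:
    """Return "GHSA", "CVE", or None for an advisory identifier."""
    if GHSA_RE.match(identifier):
        return "GHSA"
    if CVE_RE.match(identifier):
        return "CVE"
    return None


def parse_version(version: str) -> Tuple[int, ...]:
    """Simplified parser: "4.17.21" -> (4, 17, 21); tuples compare element-wise."""
    return tuple(int(part) for part in version.split("."))


# Constructed advisory records with placeholder IDs (not real advisories).
ADVISORIES: List[Dict] = [
    {"ghsa_id": "GHSA-0000-0000-0001", "cve_id": "CVE-0000-0001",
     "ecosystem": "npm", "package": "example-lib", "severity": "HIGH",
     # every release before 4.17.21 is affected
     "ranges": [{"introduced": "0", "fixed": "4.17.21"}]},
    {"ghsa_id": "GHSA-0000-0000-0002", "cve_id": None,  # no CVE assigned
     "ecosystem": "npm", "package": "example-lib-two", "severity": "MODERATE",
     # two affected release branches, each with its own fix
     "ranges": [{"introduced": "2.0.0", "fixed": "2.2.5"},
                {"introduced": "3.0.0", "fixed": "3.0.2"}]},
    {"ghsa_id": "GHSA-0000-0000-0003", "cve_id": None,
     "ecosystem": "PyPI", "package": "example-pkg", "severity": "LOW",
     # no "fixed" event: everything from 1.0.0 onward is affected
     "ranges": [{"introduced": "1.0.0"}]},
]

# Constructed stand-in for a parsed lock file: (ecosystem, name, version).
LOCKFILE_DEPS = [
    ("npm", "example-lib", "4.17.15"),    # inside the affected range
    ("npm", "example-lib-two", "2.3.0"),  # between the two affected branches
    ("PyPI", "example-pkg", "1.2.0"),     # affected, no patched release
    ("PyPI", "example-lib", "4.17.15"),   # same name, different ecosystem
]


def is_affected(version: str, ranges: List[Dict]) -> bool:
    """True if version falls inside any [introduced, fixed) interval."""
    v = parse_version(version)
    for r in ranges:
        fixed = r.get("fixed")
        if v >= parse_version(r["introduced"]) and (
            fixed is None or v < parse_version(fixed)
        ):
            return True
    return False


def upgrade_target(version: str, ranges: List[Dict]) -> Optional[str]:
    """Smallest "fixed" version above the current one, or None if unpatched."""
    v = parse_version(version)
    later = [parse_version(r["fixed"]) for r in ranges
             if r.get("fixed") and parse_version(r["fixed"]) > v]
    return ".".join(str(n) for n in min(later)) if later else None


def scan_lockfile(deps, advisories=ADVISORIES) -> List[Dict]:
    """Match each dependency against advisories keyed on ecosystem and name,
    the way Dependabot matches manifests against GHSA version ranges."""
    alerts = []
    for ecosystem, name, version in deps:
        for adv in advisories:
            if (adv["ecosystem"], adv["package"]) != (ecosystem, name):
                continue
            if is_affected(version, adv["ranges"]):
                alerts.append({
                    "package": f"{ecosystem}/{name}@{version}",
                    "ghsa": adv["ghsa_id"],
                    "cve": adv["cve_id"],
                    "severity": adv["severity"],
                    "upgrade_to": upgrade_target(version, adv["ranges"]),
                })
    return alerts


if __name__ == "__main__":
    for alert in scan_lockfile(LOCKFILE_DEPS):
        print(alert)
```

Running it yields two alerts: the npm `example-lib` entry with an upgrade target of 4.17.21, and the PyPI `example-pkg` entry with no upgrade target because the advisory carries no fixed version. The `example-lib-two` dependency sits between two affected branches and is not flagged, and the PyPI `example-lib` entry is ignored because matching is keyed on ecosystem as well as name. A real scanner would need a proper semantic-version comparison for pre-release and build tags, which the simplified parser here does not handle.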
Keep exploring
- What is a CVE? The global identifier a GHSA usually maps to.
- What is a CNA? GitHub is a CNA, which lets it assign CVE IDs alongside GHSA IDs.
- What is OSV? An aggregator that ingests GHSA records as one of its sources.
- What is an SBOM? Inventories matched against advisory databases like GHSA.
- What is a security advisory? The broader category that a GHSA is one example of.
- What is the NVD? Another major vulnerability data source alongside GHSA.
Frequently asked questions
- What does a GHSA ID look like?
- A GHSA ID has the form GHSA-xxxx-xxxx-xxxx, with four alphanumeric characters in each of three dash-separated groups, for example GHSA-jfh8-c2jp-5v3q.
- Is a GHSA the same as a CVE?
- No, but they often describe the same vulnerability. The CVE ID is the global, vendor-neutral name, while the GHSA ID is GitHub's record with ecosystem-specific package and version detail. Many advisories carry both.
- Can a GHSA exist without a CVE?
- Yes. GitHub can publish a GHSA before a CVE is assigned, and some package-level issues receive a GHSA but never get a CVE.
- What is the GitHub Advisory Database used for?
- It is a free, machine-readable collection of open-source vulnerability advisories. It powers Dependabot alerts and is also reused by aggregators such as OSV.