Automate your open-source dependency policy with Dependabot to watch for and mitigate security issues in open-source dependencies.
GitHub has begun to demonstrate its vision of cybersecurity by integrating a growing set of security features into its platform. As an application security engineer, I'm excited to work closely with software developers and manage security policies across our code repositories.
About GitHub Dependabot security updates
Dependabot is a bot that watches for security vulnerabilities in open-source dependencies (using advisories from the GitHub Advisory Database, which includes data contributed by WhiteSource) and programmatically enforces a policy that keeps dependencies up to date. Combined with GitHub Actions, it offers powerful automation that patches vulnerable dependencies shortly after an advisory is published.
Technically, to run the workflow you just need two configuration files in the repository: `.github/dependabot.yml`, which tells Dependabot which package ecosystem to watch, and a workflow file under `.github/workflows/`, which merges the pull requests Dependabot opens. Only fragments of the original files survived extraction; reconstructed from them, the Dependabot configuration looks like this:

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
```

and the workflow that reacts to Dependabot's pull requests has this shape (the `if` guard restricts the job to pull requests opened by Dependabot; the merge step's action or command did not survive on the page):

```yaml
name: "Dependabot Automerge - Action"
on:
  pull_request:

jobs:
  automerge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: automerge
        # the action or command used for the merge step did not survive on the page
```
Feel free to adapt the code.
Optionally, create labels named security and dependencies so Dependabot can tag its pull requests, and protect the target branch by requiring at least one approving review before anything is merged; auto-merge then waits until that review and the required status checks are in place.
Want to read more about GitHub Dependabot options?