Dependabot.yml security updates for GitHub Actions - github

I am trying to configure dependabot.yml to get security updates for GitHub Actions.
I followed the Configuring Dependabot security updates documentation. During the configuration I had the following issues:
- I did not understand if I need to enable in Code security and analysis the Dependabot alerts and Dependabot security updates along with creating the dependabot.yml.
- I did not understand why Dependabot was not able to identify the security vulnerability in my action. I am testing with the some-natalie/ghas-to-csv#v1 action, which has a GHSA.
- I did not understand from the About Dependabot security updates documentation what the frequency is at which vulnerabilities are checked and turned into alerts / PRs.
Perhaps the configuration did not work (yet) because Dependabot has not even identified the vulnerability, and therefore has not created the updating PR.
Can you help me understand why my configuration is not working, or whether it is not supported?

All Dependabot features build on top of the Software Composition Analysis feature (the first button to enable in that list), and that is the reason why it needs to be enabled.
It then checks ONLY the dependencies of your repo that it finds by parsing the manifest files in the repo.
For security alerts and PRs you do not need to commit a dependabot.yml file. That file is only needed for version updates.
Lastly, Dependabot does not check for security vulnerabilities in your code, only in dependencies! If you want to run static code analysis on your own code, you can try CodeQL and other SAST tools (static code analysis tools).
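As an added illustration of the "manifest parsing" the answer above describes (example code written for this page, not Dependabot's own implementation): for the github-actions ecosystem the manifests are the workflow files, and the dependencies are the uses: references inside them. The script below pulls those references out of a workflow and separates commit-SHA pins from mutable tags and branches, which is the distinction that matters when you decide what an upstream maintainer (or an attacker who takes over their repository) can silently change under you. The sample workflow, the action names in it and the classification rules are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow (assumption, not from the original page). It mixes the
# reference styles found in .github/workflows/*.yml: a mutable tag, a SHA pin with a
# version comment, a branch, a local composite action and a docker image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo "no action reference on this line"
"""

# One 'uses:' per line; group 1 is the reference, group 2 an optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(#.*)?$", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    raw: str                        # the reference exactly as written in the workflow
    kind: str                       # "repo", "local" or "docker"
    ref: Optional[str]              # tag, branch or SHA for repo references
    pinned_sha: bool                # True when ref is a full 40-hex commit SHA
    version_comment: Optional[str]  # e.g. "v4.0.0" taken from a trailing "# v4.0.0"


def classify(raw: str, comment: Optional[str]) -> ActionRef:
    if raw.startswith("./"):
        return ActionRef(raw, "local", None, False, None)
    if raw.startswith("docker://"):
        return ActionRef(raw, "docker", None, False, None)
    _owner_repo, _, ref = raw.partition("@")
    pinned = bool(SHA_RE.match(ref))
    version = comment.lstrip("#").strip() if comment else None
    return ActionRef(raw, "repo", ref or None, pinned, version or None)


def extract_actions(workflow_text: str) -> List[ActionRef]:
    """All action references a manifest parser would find in one workflow file."""
    return [classify(m.group(1), m.group(2)) for m in USES_RE.finditer(workflow_text)]


def mutable_refs(refs: List[ActionRef]) -> List[ActionRef]:
    """Repo references that point at a tag or branch rather than a commit SHA.

    A tag or branch can be moved by whoever controls the upstream repository,
    so these are the references worth pinning to a SHA; Dependabot keeps a SHA
    pin and its version comment up to date in the same way it bumps a tag.
    """
    return [r for r in refs if r.kind == "repo" and not r.pinned_sha]


if __name__ == "__main__":
    for r in extract_actions(SAMPLE_WORKFLOW):
        flag = "MUTABLE" if r.kind == "repo" and not r.pinned_sha else "ok"
        suffix = f"  # {r.version_comment}" if r.version_comment else ""
        print(f"{flag:8} {r.kind:6} {r.raw}{suffix}")
```

Running it on the sample lists five references and flags actions/checkout@v4 and some-org/some-action@main as mutable; the local and docker references are reported but not classified, since they are not something the github-actions ecosystem resolves to a version.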

Related

Should I worry about devDependency GitHub Dependabot alerts?

I frequently get little pokes from GitHub's Dependabot to update dependencies in my repos. Sometimes, however, these dependencies happen to be devDependencies. To my understanding, devDependencies are only relevant in the dev environment, inside my local machine, which shouldn't really give any opportunity for XSS when running localhost:3000.
Does anybody know if these GitHub Dependabot alerts (that are pointing at devDependencies) are necessary to address?

How to disable or ignore Dependabot pull requests?

We want to use Dependabot to be informed about updated dependencies, but we do not want Dependabot to create pull requests on its own and do not want automated builds (we use GitHub for Code, Azure DevOps for builds).
There is no clear hint in the docs (https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions) to do this.
We already tried to exclude dependabot branches, but that does not work in any form.
# Azure DevOps Excludes
pr:
  autoCancel: "true"
  branches:
    exclude:
      - dependabot/*
      - dependabot/**/*
We also found the hint on Stack Overflow to set the limit to 0, but PRs are still created:
version: 2
updates:
  - directory: "/"
    open-pull-requests-limit: 0
Any possibility to use Dependabot just as information source?
Go to Security -> Dependabot -> Configure -> Manage Repository Vulnerability Settings. (This should take you to a URL like https://github.com/yourusername/yourreponame/settings/security_analysis.)
Leave the "Dependabot alerts" setting enabled but ensure the "Dependabot version updates" setting is disabled.
If you've previously enabled "Dependabot version updates", you'll have a .github/dependabot.yml file in your repo, whose purpose is to configure Dependabot's automatic updates. To disable them, delete dependabot.yml.
You will now still be able to view security alerts about your dependencies on GitHub, but Dependabot will not open PRs for them.
By default, Dependabot will automatically reset pull requests to resolve any conflicts. If you prefer to handle merge conflicts manually, you can disable this feature with the rebase-strategy option.
For the rebase strategy, use disabled to disable automatic rebasing.
Setting this option will also affect pull requests for security updates to this package manager's manifest file, unless you use target-branch to check for version updates on non-default branches.
An example with rebase-strategy:
version: 2
updates:
  - directory: "/"
    schedule:
      interval: "daily"
    # Disable automatic rebasing of Dependabot pull requests
    rebase-strategy: "disabled"

Is dependabot.yml mandatory for GitHub Dependabot?

Is adding of the dependabot.yml file mandatory for having GitHub Dependabot updates? Or is it just an additional option to change default values?
https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates
The configuration file is necessary so that Dependabot knows which environments to update. This is a minimal example from the GitHub documentation that updates the GitHub Actions dependencies daily:
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every weekday
      interval: "daily"
You can also see the necessary configurations in the table of the GitHub documentation.
Technically dependabot.yml is not required - if you turn on dependabot from GitHub project settings / security, it'll start working. I turned on https://github.com/coreinfrastructure/best-practices-badge without a YAML file and it worked.
HOWEVER, it's not obvious to others that dependabot is being used if there's no dependabot.yml file, and that's a problem. For example, the OpenSSF scorecard looks for the dependabot.yml file to determine if your project is using dependabot to keep things up to date. It's important to have your dependencies up-to-date, yes, but it's also important that your potential users know that you're keeping things up-to-date. So for full transparency it's better to have the configuration file posted within the source repo.
It'll also give you more control.

How to get dependabot to trigger for security updates only

I'm using GitHub dependabot.yml, version 2.
version: 2
updates:
  # Nuget Packages
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "monthly"
I am trying to figure out whether there is any possibility to configure it so that the dependencies are updated only if they include security fixes, as could be done in version 1:
version: 1
update_configs:
  - package_manager: "dotnet:nuget"
    directory: "/"
    update_schedule: "monthly"
    allowed_updates:
      - match:
          update_type: "security"
Let me know if you had the same issue and how you resolved it.
Thanks
According to GitHub support, you can set the number of open pull requests to 0 in dependabot.yml:
open-pull-requests-limit: 0
This means it will only create security updates.
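Added example (written for this page; it is not GitHub's code and not a Dependabot feature): a small checker for the dependabot.yml v2 shape that this answer, the earlier "disable or ignore" question (a snippet with only directory and open-pull-requests-limit) and the github-actions example above all touch on. It takes the parsed file as a Python dict so it runs here without PyYAML; with PyYAML installed you would pass it yaml.safe_load(open(path)). It reports the required keys the v2 reference lists (package-ecosystem, directory, schedule.interval) and, separately, what the two "silence the PRs" settings seen on this page actually do. The two sample configs are constructed, and the accepted interval values (daily, weekly, monthly) are the ones documented for schedule.interval; the checker does not know about any newer values.

```python
from typing import Any, Dict, List

# The interval values the dependabot.yml v2 reference documents for schedule.interval
# (assumption: no newer values are needed for this check).
VALID_INTERVALS = ("daily", "weekly", "monthly")


def check_dependabot_config(cfg: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return {"errors": [...], "notes": [...]} for a parsed dependabot.yml.

    errors: the file would be rejected (missing required keys, wrong version).
    notes:  settings people reach for to silence PRs, with what they really do.
    """
    errors: List[str] = []
    notes: List[str] = []
    if cfg.get("version") != 2:
        errors.append("version must be 2")
    updates = cfg.get("updates")
    if not isinstance(updates, list) or not updates:
        errors.append("updates must be a non-empty list")
        return {"errors": errors, "notes": notes}
    for i, upd in enumerate(updates):
        where = f"updates[{i}]"
        for key in ("package-ecosystem", "directory"):
            if key not in upd:
                errors.append(f"{where}: missing required key '{key}'")
        interval = (upd.get("schedule") or {}).get("interval")
        if interval not in VALID_INTERVALS:
            errors.append(f"{where}: schedule.interval is required (daily, weekly or monthly)")
        if upd.get("open-pull-requests-limit") == 0:
            notes.append(f"{where}: open-pull-requests-limit 0 stops version-update PRs only; "
                         "security-update PRs are switched on or off in the repository settings")
        if upd.get("rebase-strategy") == "disabled":
            notes.append(f"{where}: rebase-strategy disabled only stops automatic rebasing, "
                         "PRs are still opened")
    return {"errors": errors, "notes": notes}


# Constructed equivalent of the snippet posted in the "disable or ignore" question:
# directory and a zero PR limit, but no package-ecosystem and no schedule.
POSTED = {"version": 2, "updates": [{"directory": "/", "open-pull-requests-limit": 0}]}

# Constructed corrected file: nuget with a schedule, version-update PRs suppressed,
# so only security updates (if enabled in the repository settings) produce PRs.
CORRECTED = {
    "version": 2,
    "updates": [{
        "package-ecosystem": "nuget",
        "directory": "/",
        "schedule": {"interval": "monthly"},
        "open-pull-requests-limit": 0,
    }],
}

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, check_dependabot_config(cfg))
```

For the posted snippet the checker returns two errors (no package-ecosystem, no schedule.interval); for the corrected file it returns no errors and one note explaining that the zero limit only affects version updates.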
Yeah, I was having the same problem, then I found something like this in a GitHub community thread.
I remembered where I saw this. When using the original Dependabot from the marketplace, one configuration option is to only perform security updates. I have that set for one of my repositories. There is now an option in the original Dependabot to generate a dependabot.yml configuration file using the settings configured in the original Dependabot (to assist in transitioning to using dependabot.yml). When I do so for the repository with only security updates enabled I receive this message:
You're using unsupported features
This repository is configured to only scan for security updates. Configuring security updates using the new config file is not supported. You can instead enable Dependabot Security Updates from the repository security settings page.
It sounds like in Dependabot v2 they have separated the security updates out into UI config; this is as bad as the GitHub Actions secret. But it looks like you don't need Dependabot to configure security patches for dependencies anymore.
Let me know if that helps.

Is it possible to whitelist upstream packages in azure devops without disabling upstream sources?

We have a business need to manually approve every (external) upstream change before we start using it and only allow our developers to use an approved whitelist of packages and versions.
The two ways I can see to do this are either:
1. disable all pipelines and halt all development, enable an upstream source and pull the new package through, and then disable it, making sure no additional upstream packages were pulled while the source was enabled
2. not use upstream sources but instead republish all packages manually (ongoing work will not be impacted while package approvals occur)
I have some basic tooling created to manage the manual approval and republish pipeline (I currently do this with a network local nuget registry and npm registry) so #2 seems like the path for me to take, but if I could simply upload a list of approved packages instead I could maybe simplify my workflow.
Is it possible to whitelist upstream packages in azure devops without disabling upstream sources?
Sorry for any inconvenience.
I am afraid there is no way to whitelist upstream packages without disabling upstream sources at this moment.
As you know, there are not many settings for upstream sources currently, just add/delete and enable/disable. There is no way to set a whitelist to filter the packages coming from the upstream source.
As you have a business need to manually approve every (external) upstream change, you could add your request for this feature on our UserVoice site (https://developercommunity.visualstudio.com/content/idea/post.html?space=21 ), which is our main forum for product suggestions. Thank you for helping us build a better Azure DevOps.
Besides, as a workaround, I also agree with the second way. We could use file matching patterns to publish multiple packages:
Push NuGet packages
Hope this helps.
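The "approved whitelist of packages and versions" the question asks for can still be enforced at build time even though the feed itself cannot filter upstreams: a pipeline step reads the resolved lockfiles and fails when anything outside the approved list appears, so an unapproved package that slipped through an enabled upstream, or a transitive dependency nobody signed off on, stops the build instead of shipping. Below is an added example of that check, written for this page; it is not an Azure DevOps, NuGet or npm feature. It reads the JSON lockfiles NuGet (packages.lock.json) and npm (package-lock.json, lockfileVersion 2/3) produce; the two lockfiles and the allowlist are constructed for the example and trimmed to the fields the check uses.

```python
import json
import sys
from typing import Any, Dict, List, Set, Tuple

Package = Tuple[str, str, str]  # (ecosystem, name, version)

# Constructed allowlist: what the manual approval process has signed off on.
ALLOWLIST: Set[Package] = {
    ("nuget", "Newtonsoft.Json", "13.0.3"),
    ("npm", "lodash", "4.17.21"),
}

# Constructed NuGet packages.lock.json (the layout NuGet writes when lock files are
# enabled), trimmed to the fields this check reads. "Project" entries are project
# references inside the solution, not feed packages.
NUGET_LOCK = json.loads("""
{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
      "Serilog": {"type": "Transitive", "resolved": "3.1.1"},
      "Shared.Lib": {"type": "Project"}
    }
  }
}
""")

# Constructed npm package-lock.json, lockfileVersion 3 layout: one entry per installed
# path, with "" being the root project itself.
NPM_LOCK = json.loads("""
{
  "name": "demo",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo", "dependencies": {"lodash": "^4.17.21"}},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/left-pad/node_modules/@scope/nested": {"version": "0.1.0"}
  }
}
""")


def nuget_packages(lock: Dict[str, Any]) -> Set[Package]:
    """Every resolved package across all target frameworks; project references are skipped."""
    found: Set[Package] = set()
    for _framework, pkgs in lock.get("dependencies", {}).items():
        for name, info in pkgs.items():
            if info.get("type") == "Project":
                continue
            found.add(("nuget", name, info["resolved"]))
    return found


def npm_packages(lock: Dict[str, Any]) -> Set[Package]:
    """Every installed package, nested and scoped ones included; the root project is skipped."""
    found: Set[Package] = set()
    for path, info in lock.get("packages", {}).items():
        if path == "" or "version" not in info:   # root project, or a workspace link
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # ".../node_modules/@s/b" -> "@s/b"
        found.add(("npm", name, info["version"]))
    return found


def unapproved(resolved: Set[Package], allowlist: Set[Package]) -> List[Package]:
    """Packages present in the lockfiles but not on the allowlist, sorted for stable output."""
    return sorted(resolved - allowlist)


if __name__ == "__main__":
    bad = unapproved(nuget_packages(NUGET_LOCK) | npm_packages(NPM_LOCK), ALLOWLIST)
    for eco, name, version in bad:
        print(f"not approved: {eco} {name}@{version}")
    sys.exit(1 if bad else 0)  # non-zero exit fails the pipeline step
```

Because the allowlist is keyed on exact versions, an approved package at a new version is treated the same as an unknown package, which is the behaviour the question describes wanting (every upstream change approved before use). In a real pipeline the allowlist would be loaded from a file kept under review rather than embedded as here.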