GitHub Dependabot

GitHub Dependabot provides automated dependency scanning, vulnerability alerts, version updates, and security fixes for repositories. It continuously monitors dependency files and notifies developers when insecure, outdated, or vulnerable libraries appear in the codebase. Dependabot integrates natively with GitHub, making it a powerful component of modern Software Composition Analysis pipelines.

Why Dependabot Matters

Dependabot reduces supply-chain risk by identifying vulnerable dependencies and generating pull requests to fix them. It keeps libraries up to date, surfaces known CVEs before they reach production, and automates routine upgrading. It improves security posture by:

• Detecting vulnerable direct and transitive dependencies
• Creating automatic PRs that move to the lowest patched version
• Matching newly published advisories against the existing dependency graph
• Keeping versions current, which shrinks the window in which a new advisory applies
• Alerting again if a dependency is downgraded to a vulnerable version
• Providing contextual CVE and fix information

Dependabot itself does not block a deployment; a merge gate still needs CI and branch protection.

Dependabot works continuously in the background with minimal developer effort.

What Dependabot Detects

Vulnerable Dependencies

Dependabot scans for dependencies affected by known CVEs and provides detailed remediation PRs.

Outdated Versions

Even without CVEs, Dependabot can update libraries to their latest stable release.

Transitive Vulnerabilities

Dependabot resolves dependency graphs and traces vulnerabilities introduced indirectly.

Insecure Ecosystem Versions

Matching is done against the GitHub Advisory Database, which ingests advisories from npm, PyPI, RubyGems, Go, Maven, NuGet and other registries. Dependabot does not run tools such as npm audit or pip-audit itself.

Malicious or Deprecated Packages

Dependabot alerts on packages that carry a malware advisory in the Advisory Database. Deprecation alone is not an alert condition; a deprecated package with no advisory is only ever picked up by version updates.

Dependabot turns GitHub repositories into self-updating dependency pipelines.

Supported Ecosystems

Dependabot supports many ecosystems, including:

• npm / Yarn / pnpm
• pip / pipenv / poetry
• Maven / Gradle
• RubyGems / bundler
• NuGet
• Composer (PHP)
• Go modules
• Cargo
• Hex (Elixir)
• GitHub Actions (workflow action pins)
• Terraform (providers and modules)
• Docker base images
Dependabot updates both development and production dependencies.

Types of Dependabot Functionality

1. Dependabot Alerts

Notifications about vulnerabilities found in dependency versions.

2. Dependabot Security Updates

Automatic pull requests to fix vulnerable dependencies.

3. Dependabot Version Updates

Regular updates to keep dependencies on latest stable versions.

4. Dependabot Docker Updates

Version-update PRs that bump the base image tag on the FROM line of a Dockerfile. Dependabot compares tags; it does not scan the packages installed inside the image, so a container scanner is still needed for that.

5. Dependabot Configuration and Organization Settings

Per-repository controls in .github/dependabot.yml for schedule, target branch, allowed and ignored dependencies, grouping and PR limits, plus organization-level settings that turn alerts and security updates on across repositories.


How Dependabot Works

Dependabot runs two loops. Alerts and security updates are event-driven; version updates run on the schedule in dependabot.yml (daily, weekly or monthly) or on demand. Together they look like this:

  1. Dependency graph rebuilt whenever a manifest or lockfile changes on the default branch

  2. Every graph re-checked when a new advisory is published

  3. Advisory matching of each graph entry against the GitHub Advisory Database

  4. Vulnerability detection, with the direct and transitive path recorded on the alert

  5. Automated PR creation on the default branch (or the configured target branch for version updates)

  6. Tests and CI run on the PR

  7. Developer reviews and merges

  8. Graph updated and the alert closes automatically

GitHub’s Advisory Database powers Dependabot’s vulnerability intelligence.


Enabling Dependabot

Enable Alerts

GitHub → Repository → Settings → Code security and analysis → Enable (the dependency graph must be on first; it is enabled by default for public repositories):

• Dependabot alerts
• Dependabot security updates

Enable Automated Updates

Add file in repo:

.github/dependabot.yml

Basic example:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"

Dependabot now checks this project's npm dependencies for new versions every day. This file configures version updates only; alerts and security updates work without it.


Common Dependabot Configurations

Update npm Dependencies Weekly

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

Update Python Dependencies Automatically

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"

Update Docker Base Images

version: 2
updates:
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

Limit Maximum PRs

The limit belongs to an individual update entry. The default is 5, and it applies to version-update PRs only; security updates have their own internal limit:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

Dependabot keeps update noise under control.
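A single file that combines the fragments above (weekly npm schedule, PR limit, a private registry, grouping and an ignore rule) plus pip, Docker and GitHub Actions entries, as an added example that is not taken from the page or from GitHub's documentation. The registry URL npm.example.com, the secret name NPM_TOKEN and the express ignore rule are placeholders:

```yaml
# .github/dependabot.yml
# Added example: one file covering the fragments above. The registry
# URL, the secret name and the ignored package are placeholders.
version: 2

registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.com          # placeholder registry
    # Stored under Settings -> Secrets and variables -> Dependabot;
    # Actions secrets are not visible to Dependabot.
    token: ${{ secrets.NPM_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private                        # use the registry above for this entry
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 5            # version-update PRs only; security
                                           # updates have their own internal limit
    groups:
      prod-minor-patch:                    # one PR for all minor/patch bumps of
        dependency-type: "production"      # production dependencies
        update-types: ["minor", "patch"]
      dev-dependencies:                    # one PR for all devDependencies
        dependency-type: "development"
    ignore:
      - dependency-name: "express"         # placeholder: hold back major bumps
        update-types: ["version-update:semver-major"]
    labels: ["dependencies", "npm"]
    commit-message:
      prefix: "deps"
      include: "scope"

  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  - package-ecosystem: "github-actions"    # keep workflow action pins current too
    directory: "/"
    schedule:
      interval: "weekly"
```

Major bumps of production dependencies stay ungrouped, so each one arrives as its own PR and gets its own review; the ignore rule shows how to hold one package back entirely from major updates.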


Dependabot Security Update Flow

  1. Vulnerability added to GitHub Advisory Database

  2. Dependabot checks repository dependency graph

  3. Finds affected version

  4. Creates PR with fix version

  5. Includes the advisory (CVE/GHSA) details, release notes or changelog, and a compatibility score

  6. CI tests run

  7. Developer merges update

  8. Vulnerability resolved

Dependabot automates security patching end-to-end.


Managing Dependabot Alerts

Alerts appear under:

Security → Dependabot → Alerts

Each alert includes:

• CVE
• Severity
• Affected version
• Patched version
• Direct vs transitive dependency
• Upgrade suggestions

Alerts can be:

• Dismissed with a reason (and reopened later)
• Resolved by merging the Dependabot security update PR
• Fixed automatically when security updates are enabled
• Grouped, so one PR closes several alerts (grouped security updates)


Dependabot and Private Registries

Declare the registry at the top level and reference it from the update entry. The token must be a Dependabot secret (Settings → Secrets and variables → Dependabot); Dependabot cannot read Actions secrets:

version: 2
registries:
  npm-private:
    type: npm-registry
    url: https://npm.private.com
    token: ${{ secrets.NPM_TOKEN }}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries: "*"
    schedule: { interval: "weekly" }

Useful for enterprise ecosystems.


Dependabot Best Practices

• Enable both alerts and updates on all repos
• Review update PRs daily
• Enforce PR merges for high-severity vulnerabilities
• Combine Dependabot with Snyk for deeper SCA
• Use grouping rules for constant-update ecosystems
• Auto-merge patch-level updates only behind required CI checks and branch protection
• Run tests before merging any update
• Use schedules that match project risk
• Keep open PR limits manageable


Full-Length Practical Section

Extensive hands-on practical exercises to master Dependabot.


Practical 1: Enable Dependabot Security Alerts

Enable (Settings → Code security and analysis):

• Dependency graph
• Dependabot alerts
• Dependabot security updates

Verify that alerts appear under Security → Dependabot for packages with a published advisory. An outdated package with no advisory produces no alert.


Practical 2: Add Dependabot Configuration File

Create:

.github/dependabot.yml

Add:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"

Commit and push.
Check GitHub → Security → Dependabot.


Practical 3: Trigger a Security Update PR

Add a vulnerable dependency manually to package.json and regenerate the lockfile so it appears in the dependency graph:

lodash@4.17.19

Push the change to the default branch.
Dependabot raises an alert and, with security updates enabled, opens a PR bumping lodash to the first patched release (4.17.21 for the advisories that affect 4.17.19). Security-update PRs target the default branch only.


Practical 4: Auto-Merge Minor Updates

dependabot.yml has no auto-merge key; the configuration can only narrow what gets updated, for example to direct dependencies:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    allow:
      - dependency-type: "direct"

Auto-merge itself is done with the repository's "Allow auto-merge" setting plus a GitHub Actions workflow that reads the PR's update type (dependabot/fetch-metadata) and calls gh pr merge --auto for patch and minor updates, so the merge waits for the required status checks.

Test by pushing outdated packages and confirming that only patch/minor PRs merge, and only once CI is green.


Practical 5: Configure Private Registry Access

Add the registry and reference it from the update entry. NPM_TOKEN must be stored as a Dependabot secret, not an Actions secret:

version: 2
registries:
  my-npm:
    type: npm-registry
    url: https://npm.mycompany.com
    token: ${{ secrets.NPM_TOKEN }}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries: "*"
    schedule: { interval: "weekly" }

Validate that Dependabot can fetch private modules: Insights → Dependency graph → Dependabot shows the last run for each ecosystem, and a failing job log reports the registry error.


Practical 6: Scan a Python Project

Add:

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

Dependabot creates weekly upgrade PRs for dependencies declared in requirements.txt, Pipfile or pyproject.toml.


Practical 7: Scan Docker Base Images

Add:

version: 2
updates:
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"

Push a Dockerfile pinned to an older base image tag and observe the PR that bumps the tag. Dependabot updates tags only; it does not scan the packages installed inside the image.


Practical 8: Block PRs Missing Fix Versions

Dependabot does not block merges on its own. To gate PRs, add the dependency review action (actions/dependency-review-action) as a required status check: it diffs the dependency graph of the PR against the base branch and fails when the change introduces a dependency with a known advisory at or above the configured severity.

Test by opening a PR that adds a vulnerable package and confirm the check fails.
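The gate described above, as an added example that is not part of the original page. It fails the check when a PR introduces a dependency with a high or critical advisory; mark the job as a required status check in branch protection. It assumes the dependency graph is enabled, and dependency review on private repositories requires GitHub Advanced Security.

```yaml
# .github/workflows/dependency-review.yml
# Added example: fails the PR check when the change introduces a
# dependency with a known advisory of high or critical severity.
# Mark this job as a required status check in branch protection.
name: Dependency review
on: pull_request

permissions:
  contents: read
  pull-requests: write        # needed only for the PR summary comment

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Review dependency changes against the base branch
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high          # low | moderate | high | critical
          comment-summary-in-pr: on-failure
```

This is a complement to Dependabot rather than part of it: Dependabot fixes what is already on the default branch, while the review action stops new vulnerable dependencies from landing there in the first place.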


Practical 9: Group Dependency Updates

Add grouping inside the update entry:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      all-deps:
        patterns:
          - "*"

Dependabot creates fewer PRs by grouping updates: one PR for every dependency matching the pattern. Groups apply to version updates by default; set applies-to: security-updates in a group to also batch security fixes.


Practical 10: Integrate Dependabot With Branch Protection

Enable in branch protection (or a ruleset) for the default branch:

• Require status checks to pass before merging (your CI and any dependency review check)
• Require a pull request before merging, with the number of reviews your policy needs

Branch protection has no Dependabot-specific option; these rules apply to Dependabot PRs like any other. Test the flow by letting a Dependabot PR wait for CI before it can be merged.


Practical 11: Trigger Manual Scan

Insights → Dependency graph → Dependabot → Check for updates (one button per ecosystem)

This re-runs version updates on demand. Alerts need no manual trigger: a newly disclosed advisory is matched against the existing dependency graph automatically.


Practical 12: Resolve Transitive Vulnerabilities

Push a dependency whose lockfile pins a vulnerable transitive version.
The alert names the transitive package and the direct dependency that pulls it in. Dependabot bumps the lockfile entry if a compatible patched version exists; otherwise the alert states that no fix is available.
Merge the fix PR, or upgrade the direct dependency by hand when Dependabot cannot find a route.


Practical 13: Dismiss False Positives

Dismiss the alert with one of the built-in reasons (an optional comment is recorded with it):

• “A fix has already been started”
• “No bandwidth to fix this”
• “Risk is tolerable to this project”
• “Vulnerable code is not actually used”
• “This alert is inaccurate or incorrect”

Review dismissed alerts regularly; they stay visible under the Closed filter and can be reopened.


Practical 14: Audit Dependency Graph

Insights → Dependency graph

Trace how vulnerabilities enter project.


Practical 15: Enforce Organizational Policies

Org-level settings (Organization → Settings → Code security and analysis) include:

• Enable Dependabot alerts and security updates for all existing repositories
• Automatically enable them for new repositories
• Grouped security updates

Schedules and grouping still live in each repository's dependabot.yml; there is no organization-wide scan schedule.


Practical 16: Monitor Historical Trends

Use the organization Security overview (where available) or the Dependabot alerts API to monitor:

• open alert count over time
• severity distribution
• time from alert creation to fix or dismissal


Practical 17: Dependabot + Code Owners

Configure:

CODEOWNERS

and turn on “Require review from Code Owners” in branch protection, so the owners of a manifest or lockfile must approve Dependabot updates that touch it.


Practical 18: Use API to List Vulnerabilities

GET /repos/{owner}/{repo}/dependabot/alerts?state=open&severity=critical,high

The token needs the security_events scope (for fine-grained tokens, read access to Dependabot alerts). GET /orgs/{org}/dependabot/alerts returns the same data across an organization. Automate dashboards and alerting from these endpoints.


Practical 19: Dependabot for Monorepos

Configure using multiple update entries (the key is package-ecosystem, and directory is relative to the repository root):

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/services/api"
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"
    directory: "/services/frontend"
    schedule:
      interval: "weekly"

Each directory is scanned independently and gets its own PRs. Newer configurations can list several paths under a single directories key instead.


Practical 20: Build Full Dependabot Architecture

Include:

• Alerts
• Automated update PRs
• CI validation
• Auto-merge policies
• Branch protection
• Private registry auth
• Grouping
• Org-level governance

Dependabot becomes central to automated supply-chain security.


Intel Dump

• Dependabot performs SCA by scanning dependency graphs for CVEs
• Provides alerts, automated security PRs, and version update PRs
• Supports most major programming ecosystems and Docker images
• Integrates into GitHub natively for seamless automated updates
• Practicals cover configuration, PR automation, private registry access, Docker scanning, grouping, policies, monorepos, API usage, and organizational governance
