In this session we are going to enable Dependabot on a GitHub repository. Dependabot is built into GitHub: it raises pull requests to update your dependencies, including the actions referenced by your GitHub Actions workflows, and flags dependency versions with known CVEs.
- Create a new branch called `Dependabot`.
- Go to your repository and click on Settings.
- On the left sidebar, click on Security & Analysis.
- Click Enable on Dependabot Security Updates. This turns on pull requests for dependencies with a known vulnerability (it relies on Dependabot alerts, which in turn need the dependency graph to be enabled). The `dependabot.yml` file you create next configures Dependabot version updates, which are separate: they open pull requests whenever a newer version of a dependency exists, vulnerable or not.
- In the repository, create a new file named `.github/dependabot.yml`.
- Copy and paste the following code snippet into the new file. Each `directory` is the path, relative to the repository root, where the manifest for that ecosystem lives (for `github-actions`, `/` means the workflow files under `.github/workflows`); adjust `/dependencies` if your requirements.txt, package.json or Gemfile are somewhere else.
```yaml
#################################
# GitHub Dependabot Config info #
#################################
version: 2
updates:
  # Keep the actions referenced in .github/workflows up to date
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10

  # Maintain dependencies for docker
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10

  # Maintain dependencies for python with pip
  - package-ecosystem: "pip"
    directory: "/dependencies"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10

  # Maintain dependencies for js with npm
  - package-ecosystem: "npm"
    directory: "/dependencies"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10

  # Maintain dependencies for ruby with bundler
  - package-ecosystem: "bundler"
    directory: "/dependencies"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
```
- Commit the file.
- Open a pull request and merge the `Dependabot` branch into the `main` branch. Once the file is on the default branch, Dependabot starts scanning on the configured schedule; an entry whose directory contains no manifest for its ecosystem shows up as an error under the repository's Insights > Dependency graph > Dependabot tab rather than as a pull request.
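Before merging, it is worth confirming that each `updates` entry actually points at a manifest, because Dependabot reports an error for an entry whose directory has nothing to read (the `/dependencies` directory above is only right if your requirements.txt, package.json and Gemfile live there). The following script is an added example, not part of this tutorial or of Dependabot itself. Its table of manifest filenames is an assumed subset of what Dependabot reads, it extracts only the two keys it needs with a regular expression rather than a YAML library, and the repository layout it checks is constructed in a temporary directory, deliberately missing a Gemfile so that one entry fails.

```python
"""Added check (not part of the original tutorial): validate the update
entries of a dependabot.yml against a repository checkout.

Dependabot fails an `updates` entry whose `directory` holds no manifest for
its `package-ecosystem`, so this walks each entry and confirms one exists.
"""
import os
import re
import tempfile

# Manifest files Dependabot reads per ecosystem (assumed subset, not exhaustive).
MANIFESTS = {
    "docker": ("Dockerfile",),
    "pip": ("requirements.txt", "pyproject.toml", "Pipfile", "setup.py"),
    "npm": ("package.json",),
    "bundler": ("Gemfile",),
}
# For github-actions, directory "/" means the workflow files under .github/workflows.
WORKFLOWS_DIR = os.path.join(".github", "workflows")

# The tutorial's entries, embedded so the script runs offline (schedule keys
# are irrelevant to this check and mostly omitted).
SAMPLE_CONFIG = """\
version: 2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily
  - package-ecosystem: "docker"
    directory: "/"
  - package-ecosystem: "pip"
    directory: "/dependencies"
  - package-ecosystem: "npm"
    directory: "/dependencies"
  - package-ecosystem: "bundler"
    directory: "/dependencies"
"""

# Minimal extraction of ecosystem/directory pairs; this is not a YAML parser.
ENTRY_RE = re.compile(
    r'package-ecosystem:\s*"?([\w-]+)"?[ \t]*\n\s*directory:\s*"?([^"\n]+?)"?[ \t]*$',
    re.MULTILINE,
)


def parse_updates(config_text):
    """Return (ecosystem, directory) pairs found in a dependabot.yml."""
    return [(eco, d.strip()) for eco, d in ENTRY_RE.findall(config_text)]


def check_config(config_text, repo_root):
    """Return a list of problem strings; an empty list means every entry has a manifest."""
    problems = []
    for eco, directory in parse_updates(config_text):
        if eco == "github-actions":
            if not os.path.isdir(os.path.join(repo_root, WORKFLOWS_DIR)):
                problems.append("github-actions: no .github/workflows directory")
            continue
        if eco not in MANIFESTS:
            problems.append(f"{eco}: ecosystem not in manifest table")
            continue
        base = os.path.join(repo_root, directory.lstrip("/"))
        if not any(os.path.isfile(os.path.join(base, m)) for m in MANIFESTS[eco]):
            problems.append(f"{eco}: no manifest ({', '.join(MANIFESTS[eco])}) in {directory}")
    return problems


def build_sample_repo():
    """Create a constructed checkout holding every manifest except a Gemfile."""
    root = tempfile.mkdtemp(prefix="dependabot-check-")
    files = {
        os.path.join(WORKFLOWS_DIR, "ci.yml"): "on: push\n",
        "Dockerfile": "FROM python:3.12-slim\n",
        os.path.join("dependencies", "requirements.txt"): "requests==2.32.3\n",
        os.path.join("dependencies", "package.json"): "{}\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Against the constructed checkout only the bundler entry is reported.
    for line in check_config(SAMPLE_CONFIG, build_sample_repo()) or ["OK"]:
        print(line)
```

To run it against a real checkout, replace `build_sample_repo()` with the path of your clone and `SAMPLE_CONFIG` with the contents of `.github/dependabot.yml`; anything it prints is an entry Dependabot will also reject.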