I am trying to configure dependabot.yml to get security updates for GitHub Actions.

I followed the Configuring Dependabot security updates documentation. During the configuration I had the following issues:

  • I did not understand if I need to enable in Code security and analysis the Dependabot alerts and Dependabot security updates along with creating the dependabot.yml.
  • I did not understand why Dependabot was not able to identify the security vulnerability in my action. I am testing with some-natalie/ghas-to-csv@v1 action, which has a GHSA.
  • I did not understand from About Dependabot security updates documentation what is the frequency that the vulnerabilities are checked and turned into alerts / PRs.

Perhaps the configuration did not work (yet) because Dependabot has not even identified the vulnerability, and therefore has not created the updating PR.

Can you help me understand why my configuration is not working? Or whether it's not supported?

  • Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community Jan 27 '23 at 18:40

1 Answer

All Dependabot features build on top of the Software Composition Analysis feature (first button to enable in that list) and that is the reason why that needs to be enabled.

It then checks ONLY the dependencies of your repo that it finds through parsing the manifest files in the repos.

For security alerts and PRs you do not need to commit a Dependabot.yml file. That file is only needed for version updates.

Lastly, Dependabot does not check for security vulnerabilities in your code, only in dependencies! If you want to run static code analysis on your own code, you can try CodeQL and other SAST tools (static code analysis tools).

Rob Bos
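As an added illustration (not part of the answer above, and not taken from the asker's repo), this is the minimal dependabot.yml that enables Dependabot version updates for the github-actions ecosystem; as the answer notes, security alerts and security-update PRs are switched on under the repository's Code security and analysis settings instead, and this file only controls version updates. The schedule values are assumptions chosen for the example.

```yaml
# .github/dependabot.yml (example configuration, not from the original post)
version: 2
updates:
  # Version updates for the actions referenced in .github/workflows/*.yml.
  # For the github-actions ecosystem, directory "/" is the expected value:
  # Dependabot looks for workflow files under .github/workflows from the root.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Assumed schedule: check once a week for newer action releases.
      interval: "weekly"
    # Keep version-update PRs from competing with security-update PRs.
    open-pull-requests-limit: 5
```

Dependabot alerts and security updates themselves are toggled in the repository settings (Code security and analysis), so the absence of an alert for a referenced action is not caused by anything in this file.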