This content is viewable by Everyone

Dependabot in UCSF GitHub Enterprise

Save

Audience: Affiliate, Communicator, Department Administrator, Faculty, Grant Writer, Institution Administrator, Lab Manager, New Hire, Non-Faculty Academic, Nurse, Physician, Postdoc, Principal Investigator (PI), Research Staff, Researcher, Staff, Student, Technical Partner, Trainee & Learner, Volunteer
Service Category: Business Applications
Owner Team: Developer Experience Team
Service:
GitHub Enterprise Server (On-Premises)

Dependabot consists of several distinct (though similarly-named) features in GitHub Enterprise Server (GHES), each requiring specific configuration and infrastructure. This guide is specific to the on-premise GitHub Enterprise server, and covers:

Dependabot Alerts: Notification system for known vulnerabilities
Dependabot Security Updates: Automated pull requests to fix vulnerabilities via configuration file
Dependabot Version Updates: Scheduled dependency updates via configuration file

ℹ️ Note: The following features are already configured at the enterprise level:

Dependency graph enabled
Dependabot alerts enabled
Required GitHub Actions runner deployed

Organization and repository administrators only need to follow the configuration steps below.

We know this is a lot to digest. If you want to just skip to our list of recommended steps to take, scroll down to the bottom of this document for the ✅ Quick Setup Checklist section.

What about GHEC (GitHub Enterpise Cloud)? Here are some articles on Dependabot for GHEC:

The Three Pillars of Dependabot

1. Dependabot Alerts ¹

Alerts are your first line of defense against vulnerable dependencies. They:

Scan your dependency manifests continuously
Compare against GitHub Advisory Database ⁵
Flag known vulnerabilities with severity levels
Provide detailed vulnerability information
Require no configuration file
May require a repository owner or organization owner to enable (see below)

Enabling Alerts ²

Go to repository “Settings”
Click “Advanced Security”
Confirm “Dependency graph” is enabled already (required first); if not, enable it
Confirm “Dependabot alerts” is enabled already; if not, enable it

2. Dependabot Security Updates ³

Building directly on Alerts, Security Updates:

Create automated pull requests to fix vulnerabilities
Trigger only when an Alert is raised
Update to minimum version that resolves the vulnerability
Require Alerts to be enabled first
Include security policy compliance checks
Provide vulnerability context in PR description
Require dependabot.yml configuration file (see Configuration section below)
Require organization-level GitHub Actions configuration (see Organization Setup section)

ℹ️ NOTE: While GitHub documentation suggests Security Updates can work without a configuration file, our recommended practice is to always configure a dependabot.yml file. This ensures proper package ecosystem recognition and enables you to use Version Updates (see below), providing comprehensive dependency management.

3. Dependabot Version Updates

A separate feature for general dependency maintenance that:

Updates dependencies to latest versions
Runs on a schedule you define
Requires dependabot.yml configuration
Creates PRs for ALL version updates (not just security)
Can update development dependencies
Supports multiple package ecosystems
Can be customized per dependency

Configuring a Repository for Updates ⁴

Be sure you've enabled Dependabot alerts for your repository (see above)
Create .github/dependabot.yml in your repository ⁷

# Basic example .github/dependabot.yml configuration

version: 2
updates:
  # JavaScript dependencies
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Optional: set who reviews PRs
    assignees:
      - "your-github-username"
    
  # Python dependencies
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    
  # Docker dependencies
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "monthly"

Configuring Organization Access for Dependabot Updates

Organization administrators must configure GitHub Actions access to enable Dependabot Updates:

1. Navigate to Organization Settings → Actions → Runner groups
2. Select the "Dependabot" runner group
3. Configure repository access using one of these options:
- Set "Repository access" to "All repositories" (recommended for full coverage)
- OR explicitly select specific repositories for Dependabot access
4. Enable "Allow public repositories" checkbox if your organization has public repositories

ℹ️ Note: This configuration is required for both Security Updates and Version Updates to function.

screenshot of accessing an organization's settings in the GitHub UI

Screenshot of selecting the Actions section of a GitHub Organization's settings

Screenshot of selecting the Dependabot Runner Group panel for a GitHub Organization

✅ Quick Setup Checklist for Dependabot Alerts and Updates

Organization Admin Tasks:

Confirm organization-wide security features:
- Go to Organization "Settings" → "Advanced Security" → "Configurations"
- Confirm "Enterprise-wide Dependabot" is set for all repositories in your org
Configure Actions runner access:
- Go to Organization "Settings" → "Actions" → "Runner groups"
- Select "Dependabot" group
- Set repository access (all or specific repos)
- Enable public repository access (you may not have any public repositories yet, but you might someday; don't forget our GHES instance is behind a firewall, so 'public' in this context just means all of UCSF)

Repository Admin Tasks:

Verify security features are enabled:
- Go to repository "Settings" → "Advanced Security"
- Confirm Dependency graph is enabled
- Confirm Dependabot alerts are enabled
- ℹ️ Note that there are other related configurations here for you to explore
Add dependabot.yml configuration:
- Create .github/dependabot.yml
- Configure desired package ecosystems ⁷
- Set update schedule and options

Customizing Dependabot PR Workflows ⁶

You can control how your repository responds to Dependabot PRs by creating a custom workflow. This allows you to:

Skip certain CI/CD jobs for Dependabot PRs
Add specific labels or reviewers automatically
Customize PR handling based on dependency type

Create or modify .github/workflows/dependabot.yml:

name: Dependabot PR Workflow
on: pull_request

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      # Example: Skip certain tests for dependency updates
      - name: Skip intensive tests
        if: contains(github.event.pull_request.title, 'bump')
        run: echo "Skipping intensive tests for dependency update"
      
      # Example: Auto-label Dependabot PRs
      - name: Label PR
        uses: actions/github-script@v6
        with:
          script: |
            github.rest.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ['dependencies']
            })

ℹ️ Note: This workflow only triggers on Dependabot PRs thanks to the condition if: ${{ github.actor == 'dependabot[bot]' }}

🔔 Note: To get the most out of Dependabot, check your notification settings for security alerts:

Go to your GitHub profile settings
Navigate to "Notifications" → "System"
Choose how you want to receive Dependabot alerts: New vulnerabilities
- On GitHub
- Email
- CLI
Choose how often you want to receive the Email weekly digest
- Don't send
- Send weekly
- Send daily

While you're reviewing your notification settings, you might want to review all of them. If you've found GitHub to be a bit too noisy about changes, you can tweak your settings here.