Dependabot in UCSF GitHub Enterprise
- Audience: Affiliate, Communicator, Department Administrator, Faculty, Grant Writer, Institution Administrator, Lab Manager, New Hire, Non-Faculty Academic, Nurse, Physician, Postdoc, Principal Investigator (PI), Research Staff, Researcher, Staff, Student, Technical Partner, Trainee & Learner, Volunteer
- Service Category: Business Applications
- Owner Team: Developer Experience Team
Dependabot consists of several distinct (though similarly-named) features in GitHub Enterprise Server (GHES), each requiring specific configuration and infrastructure. This guide is specific to the on-premise GitHub Enterprise server, and covers:
- Dependabot Alerts: Notification system for known vulnerabilities
- Dependabot Security Updates: Automated pull requests to fix vulnerabilities (requires a GitHub Actions runner; we are working on an enterprise-wide runner, but it is still a work in progress)
- Dependabot Version Updates: Scheduled dependency updates via configuration file (also requires a GitHub Actions runner)
Note: As of GHES 3.16.2, full implementation requires:
- 🚧 Enterprise-wide GitHub Actions runner configuration
- Specific setup steps at the enterprise, organization, and repository levels
This documentation reflects our current implementation status and will be updated as we validate each feature.
Legend
❓ = We're not entirely sure about this detail
🚧 = We're actively working on implementing this feature
The Three Pillars of Dependabot
1. Dependabot Alerts
Alerts are your first line of defense against vulnerable dependencies. They:
- Scan your dependency manifests continuously
- Compare against GitHub Advisory Database
- Flag known vulnerabilities with severity levels
- Provide detailed vulnerability information
- Require no configuration file
- ❓ Are enabled by default for public repositories
- ❓May require a repository owner or organization owner to enable (see below)
Enabling Alerts for Private Repositories
- Go to repository “Settings”
- Click “Code security and analysis”
- Enable “Dependency graph” (required first)
- Enable “Dependabot alerts”
Or enable organization-wide:
- Go to Organization “Settings”
- Click “Code security and analysis”
- Click “Enable all” for Dependency graph
- Click “Enable all” for Dependabot alerts
2. Dependabot Security Updates
Building directly on Alerts, Security Updates:
- Create automated pull requests to fix vulnerabilities
- Trigger only when an Alert is raised
- Update to minimum version that resolves the vulnerability
- ❓We believe this feature requires a configuration file. The official GitHub docs say differently, but we don't believe them. Follow the directions for configuring Version Updates below.
- Need Alerts enabled first
- Include security policy compliance checks
- Provide vulnerability context in PR description
- 🚧 Requires a self-hosted GitHub Actions runner with a "dependabot" label. We're working on implementing an enterprise-wide runner for this purpose.
3. Dependabot Version Updates
A separate feature for general dependency maintenance that:
- Updates dependencies to latest versions
- Runs on a schedule you define
- Requires dependabot.yml configuration
- Creates PRs for ALL version updates (not just security)
- Can update development dependencies
- Supports multiple package ecosystems
- Can be customized per dependency
- 🚧 Requires a self-hosted GitHub Actions runner with a "dependabot" label. We're working on implementing an enterprise-wide runner for this purpose.
TLDR: Configuring Version Updates
- Create .github/dependabot.yml in your repository
- Basic example configuration (three update jobs: npm, pip and Docker; indentation matters in YAML):

    version: 2
    updates:
      # JavaScript dependencies
      - package-ecosystem: "npm"
        directory: "/"
        schedule:
          interval: "weekly"
        # Optional: set who is assigned the PRs
        assignees:
          - "your-github-username"
      # Python dependencies
      - package-ecosystem: "pip"
        directory: "/"
        schedule:
          interval: "weekly"
        # Optional: ignore certain updates
        ignore:
          - dependency-name: "pytest"
            versions: ["4.x"]
      # Docker dependencies
      - package-ecosystem: "docker"
        directory: "/"
        schedule:
          interval: "monthly"
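A malformed dependabot.yml simply results in no update PRs, so it helps to check the file before committing it. The following checker is an added example written for this guide (not UCSF or GitHub code); it assumes the YAML has already been parsed into a dict (for instance with yaml.safe_load) and applies the rules the page relies on: version 2, and every entry under updates needs package-ecosystem, directory and a schedule.interval of daily, weekly or monthly.

```python
# Validate a parsed dependabot.yml (added example, not UCSF or GitHub code).
# Assumption: only the daily/weekly/monthly intervals are considered here.
VALID_INTERVALS = {"daily", "weekly", "monthly"}
REQUIRED_KEYS = ("package-ecosystem", "directory", "schedule")


def validate_dependabot_config(config):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    if not isinstance(config, dict):
        return ["top level must be a mapping"]
    if config.get("version") != 2:
        problems.append("version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        return problems + ["updates must be a non-empty list"]
    seen = set()
    for i, entry in enumerate(updates):
        where = f"updates[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: entry must be a mapping")
            continue
        for key in REQUIRED_KEYS:
            if key not in entry:
                problems.append(f"{where}: missing {key}")
        schedule = entry.get("schedule")
        interval = schedule.get("interval") if isinstance(schedule, dict) else None
        if "schedule" in entry and interval not in VALID_INTERVALS:
            problems.append(f"{where}: schedule.interval must be one of "
                            + ", ".join(sorted(VALID_INTERVALS)))
        # Two entries for the same ecosystem and directory conflict; flag them.
        job = (entry.get("package-ecosystem"), entry.get("directory"))
        if job in seen:
            problems.append(f"{where}: duplicate ecosystem/directory {job}")
        seen.add(job)
    return problems


# Constructed sample mirroring the page's npm + pip + docker configuration.
GOOD = {"version": 2, "updates": [
    {"package-ecosystem": "npm", "directory": "/", "schedule": {"interval": "weekly"}},
    {"package-ecosystem": "pip", "directory": "/", "schedule": {"interval": "weekly"},
     "ignore": [{"dependency-name": "pytest", "versions": ["4.x"]}]},
    {"package-ecosystem": "docker", "directory": "/", "schedule": {"interval": "monthly"}},
]}
# Constructed sample with typical mistakes: version 1, missing directory, interval typo.
BAD = {"version": 1, "updates": [
    {"package-ecosystem": "npm", "schedule": {"interval": "weekley"}},
]}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, validate_dependabot_config(cfg) or "OK")
```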