Dependabot consists of several distinct (though similarly-named) features in GitHub Enterprise Server (GHES), each requiring specific configuration and infrastructure. This guide is specific to the on-premise GitHub Enterprise server, and covers:

• Dependabot Alerts: Notification system for known vulnerabilities
• Dependabot Security Updates: Automated pull requests to fix vulnerabilities (requires a GitHub Actions runner, we are working on implementing a enterprise-wide runner, but it's a work in progress)
• Dependabot Version Updates: Scheduled dependency updates via configuration file (also requires a GitHub Actions runner)

Note: As of GHES 3.16.2, full implementation requires:

• 🚧 Enterprise-wide GitHub Actions runner configuration
• Specific setup steps at the enterprise, organization, and repository levels

This documentation reflects our current implementation status and will be updated as we validate each feature.

Legend

❓ = We're not entirely sure about this detail 
🚧 = We're actively working on implementing this feature

The Three Pillars of Dependabot

1. Dependabot Alerts

Alerts are your first line of defense against vulnerable dependencies. They:

• Scan your dependency manifests continuously
• Compare against GitHub Advisory Database
• Flag known vulnerabilities with severity levels
• Provide detailed vulnerability information
• Require no configuration file
• ❓Are enabled by default for public repositories
• ❓May require a repository owner or organization owner to enable (see below)

Enabling Alerts for Private Repositories

1. Go to repository “Settings”
2. Click “Code security and analysis”
3. Enable “Dependency graph” (required first)
4. Enable “Dependabot alerts”

Or enable organization-wide:

1. Go to Organization “Settings”
2. Click “Code security and analysis”
3. Click “Enable all” for Dependency graph
4. Click “Enable all” for Dependabot alerts

2. Dependabot Security Updates

Building directly on Alerts, Security Updates:

• Create automated pull requests to fix vulnerabilities
• Trigger only when an Alert is raised
• Update to minimum version that resolves the vulnerability
• ❓We believe this feature requires a configuration file. The official GitHub docs say differently, but we don't believe them. Follow the directions for configuring Version Updates below.
• Need Alerts enabled first
• Include security policy compliance checks
• Provide vulnerability context in PR description
• 🚧 Requires a self-hosted GitHub Actions runner with a "dependabot" label. We're working on implementing an enterprise-wide runner for this purpose.

3. Dependabot Version Updates

A separate feature for general dependency maintenance that:

• Updates dependencies to latest versions
• Runs on a schedule you define
• Requires dependabot.yml configuration
• Creates PRs for ALL version updates (not just security)
• Can update development dependencies
• Supports multiple package ecosystems
• Can be customized per dependency
• 🚧 Requires a self-hosted GitHub Actions runner with a "dependabot" label. We're working on implementing an enterprise-wide runner for this purpose.

TLDR: Configuring Version Updates

1. Create .github/dependabot.yml in your repository
2. Basic example configuration:

version: 2
updates:
  # JavaScript dependencies
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Optional: set who reviews PRs
    assignees:
      - "your-github-username"
    
  # Python dependencies
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Optional: ignore certain updates
    ignore:
      - dependency-name: "pytest"
        versions: ["4.x"]
    
  # Docker dependencies
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "monthly"

References

[1] “About Dependabot Alerts (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

[2] “Enabling Dependabot for Private Repositories (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts

[3] “Configuring Security Updates (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

[4] “Version Update Configuration Options (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

[5] “GitHub Advisory Database” https://github.com/advisories