University of California San Francisco

UCSF IT Technology
Dependabot in UCSF GitHub Enterprise

  • Audience: Affiliate, Communicator, Department Administrator, Faculty, Grant Writer, Institution Administrator, Lab Manager, New Hire, Non-Faculty Academic, Nurse, Physician, Postdoc, Principal Investigator (PI), Research Staff, Researcher, Staff, Student, Technical Partner, Trainee & Learner, Volunteer
  • Service Category: Business Applications
  • Owner Team: Developer Experience Team
  • Service:
    GitHub Enterprise Server (On-Premises)

Dependabot consists of several distinct (though similarly named) features in GitHub Enterprise Server (GHES), each requiring its own configuration and infrastructure. This guide is specific to the on-premises GitHub Enterprise Server and covers:

  • Dependabot Alerts: Notification system for known vulnerabilities
  • Dependabot Security Updates: Automated pull requests to fix vulnerabilities (requires a GitHub Actions runner; we are working on implementing an enterprise-wide runner, but it is still in progress)
  • Dependabot Version Updates: Scheduled dependency updates via a configuration file (also requires a GitHub Actions runner)

Note: As of GHES 3.16.2, full implementation requires:

  • 🚧 Enterprise-wide GitHub Actions runner configuration
  • Specific setup steps at the enterprise, organization, and repository levels

This documentation reflects our current implementation status and will be updated as we validate each feature.

Legend

❓ = We're not entirely sure about this detail
🚧 = We're actively working on implementing this feature

The Three Pillars of Dependabot

1. Dependabot Alerts

Alerts are your first line of defense against vulnerable dependencies. They:

  • Scan your dependency manifests continuously
  • Compare against GitHub Advisory Database
  • Flag known vulnerabilities with severity levels
  • Provide detailed vulnerability information
  • Require no configuration file
  • ❓ Are enabled by default for public repositories
  • ❓ May require a repository owner or organization owner to enable (see below)

Enabling Alerts for Private Repositories

  1. Go to repository “Settings”
  2. Click “Code security and analysis”
  3. Enable “Dependency graph” (required first)
  4. Enable “Dependabot alerts”

Or enable organization-wide:

  1. Go to Organization “Settings”
  2. Click “Code security and analysis”
  3. Click “Enable all” for Dependency graph
  4. Click “Enable all” for Dependabot alerts

2. Dependabot Security Updates

Building directly on Alerts, Security Updates:

  • Create automated pull requests to fix vulnerabilities
  • Trigger only when an Alert is raised
  • Update to the minimum version that resolves the vulnerability
  • ❓ We believe this feature requires a configuration file. The official GitHub docs say differently, but we don't believe them. Follow the directions for configuring Version Updates below.
  • Need Alerts enabled first
  • Include security policy compliance checks
  • Provide vulnerability context in the PR description
  • 🚧 Requires a self-hosted GitHub Actions runner with a "dependabot" label. We're working on implementing an enterprise-wide runner for this purpose.
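
As an added example (not part of this guide, and not UCSF or GitHub tooling), the script below shows what the Alerts pillar produces and what a Security Update acts on: it pulls a repository's Dependabot alerts from the GHES REST endpoint GET /api/v3/repos/{owner}/{repo}/dependabot/alerts, keeps only the open ones, sorts them critical-first, and reports for each the first patched version, which is the minimum version a Security Update PR would move the dependency to. The GHES hostname, token and repository in fetch_alerts are placeholders, and the embedded sample alerts (package names, GHSA and CVE identifiers) are constructed so that the triage runs offline.

```python
"""Triage Dependabot alerts from a repository on a GHES instance.

Added example for this guide, not UCSF or GitHub code. fetch_alerts calls the
Dependabot alerts REST endpoint GHES exposes
(GET /api/v3/repos/{owner}/{repo}/dependabot/alerts); the triage logic is
run on a constructed sample so the script works offline. Hostname, token,
repository and the advisory identifiers in the sample are placeholders.
"""
import json
import urllib.request
from collections import Counter

# GitHub's severity scale, used to sort critical alerts to the top.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def fetch_alerts(host, owner, repo, token, state="open"):
    """Fetch alerts over the network (the offline demo below does not call this).
    `token` is a PAT with the repo or security_events scope; pages are followed
    until an empty page comes back."""
    alerts, page = [], 1
    while True:
        url = (f"https://{host}/api/v3/repos/{owner}/{repo}/dependabot/alerts"
               f"?state={state}&per_page=100&page={page}")
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return alerts
        alerts.extend(batch)
        page += 1


def triage(alerts):
    """Reduce open alerts to the fields a reviewer acts on, critical first.
    `first_patched` is the minimum fixed version, i.e. what a Security Update
    PR would move to; None means no fix is published, so no PR can be raised."""
    rows = []
    for a in alerts:
        if a.get("state") != "open":
            continue  # fixed or dismissed alerts are not actionable
        adv = a["security_advisory"]
        vuln = a["security_vulnerability"]
        patched = vuln.get("first_patched_version")
        rows.append({
            "number": a["number"],
            "severity": adv["severity"],
            "package": vuln["package"]["name"],
            "ecosystem": vuln["package"]["ecosystem"],
            "manifest": a["dependency"]["manifest_path"],
            "advisory": adv.get("cve_id") or adv["ghsa_id"],
            "vulnerable_range": vuln["vulnerable_version_range"],
            "first_patched": patched["identifier"] if patched else None,
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["package"]))
    return rows


def summarize(rows):
    """Count open alerts per severity and those with no published fix."""
    by_sev = Counter(r["severity"] for r in rows)
    no_fix = sum(1 for r in rows if r["first_patched"] is None)
    return {"total": len(rows), "by_severity": dict(by_sev), "no_fix_available": no_fix}


# Constructed sample in the shape of the API response; package names and the
# GHSA/CVE identifiers are made-up placeholders, not real advisories.
SAMPLE_ALERTS = [
    {"number": 7, "state": "open",
     "dependency": {"manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx1", "cve_id": None, "severity": "high"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "example-utils"},
                                "vulnerable_version_range": "< 4.17.21",
                                "first_patched_version": {"identifier": "4.17.21"}}},
    {"number": 8, "state": "open",
     "dependency": {"manifest_path": "requirements.txt"},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx2", "cve_id": "CVE-0000-00000",
                           "severity": "critical"},
     "security_vulnerability": {"package": {"ecosystem": "pip", "name": "example-serializer"},
                                "vulnerable_version_range": "<= 2.1.0",
                                "first_patched_version": None}},
    {"number": 9, "state": "dismissed",
     "dependency": {"manifest_path": "package-lock.json"},
     "security_advisory": {"ghsa_id": "GHSA-xxxx-xxxx-xxx3", "cve_id": None, "severity": "medium"},
     "security_vulnerability": {"package": {"ecosystem": "npm", "name": "example-parser"},
                                "vulnerable_version_range": "< 1.2.0",
                                "first_patched_version": {"identifier": "1.2.0"}}},
]

if __name__ == "__main__":
    rows = triage(SAMPLE_ALERTS)
    for r in rows:
        print(f'#{r["number"]} {r["severity"]:<9}{r["ecosystem"]}/{r["package"]} '
              f'({r["manifest"]}) {r["advisory"]} -> {r["first_patched"] or "no fix yet"}')
    print(summarize(rows))
```

To run it against a real repository, replace SAMPLE_ALERTS with fetch_alerts("ghes.example.org", "org", "repo", token) using your own hostname and a token that can read the repository's security events; alerts whose first_patched is None are the ones a Security Update cannot resolve and therefore need a manual decision (pin, replace or accept the risk).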

3. Dependabot Version Updates

A separate feature for general dependency maintenance that:

  • Updates dependencies to latest versions
  • Runs on a schedule you define
  • Requires dependabot.yml configuration
  • Creates PRs for ALL version updates (not just security)
  • Can update development dependencies
  • Supports multiple package ecosystems
  • Can be customized per dependency
  • 🚧 Requires a self-hosted GitHub Actions runner with a "dependabot" label. We're working on implementing an enterprise-wide runner for this purpose.

TLDR: Configuring Version Updates

  1. Create .github/dependabot.yml in your repository
  2. Basic example configuration:
version: 2
updates:
  # JavaScript dependencies
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Optional: set who reviews PRs
    assignees:
      - "your-github-username"
    
  # Python dependencies
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    # Optional: ignore certain updates
    ignore:
      - dependency-name: "pytest"
        versions: ["4.x"]
    
  # Docker dependencies
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "monthly"
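
The configuration above only covers manifests at the repository root; Version Updates run solely for the package-ecosystem/directory pairs listed under updates, so a package.json or requirements.txt in a sub-directory that is not listed is silently skipped. The checker below is an added example (not part of this guide, and not UCSF or GitHub code) that takes the TLDR configuration as a parsed dict together with the manifest paths found in a repository, validates the keys the guide relies on, lists the pairs that have no entry, and renders the missing entries as YAML ready to paste in. The manifest-to-ecosystem table is a constructed subset of what Dependabot supports, the sample manifest paths are made up, and loading the real file with yaml.safe_load is left to the caller so the script stays standard-library only.

```python
"""Check that a dependabot.yml covers every dependency manifest in a repository.

Added example for this guide (not UCSF or GitHub code). The configuration is
taken as a parsed dict; load the real file with `yaml.safe_load` (PyYAML is
left out here to keep the example stdlib-only). Manifest paths are
repo-relative, as `git ls-files` would print them.
"""
import posixpath

# Manifest file name -> package-ecosystem value (a constructed subset of what
# Dependabot supports; extend it for the ecosystems your repositories use).
MANIFEST_ECOSYSTEMS = {
    "package.json": "npm", "package-lock.json": "npm",
    "requirements.txt": "pip", "Pipfile": "pip", "pyproject.toml": "pip",
    "Dockerfile": "docker", "go.mod": "gomod", "pom.xml": "maven",
    "Gemfile": "bundler", "Cargo.toml": "cargo",
}
# Intervals used in this guide; newer releases accept further values such as
# "cron", so extend the set if you rely on them.
VALID_INTERVALS = {"daily", "weekly", "monthly"}


def manifest_to_entry(path):
    """Map a repo-relative manifest path to (ecosystem, directory), or None."""
    name, parent = posixpath.basename(path), posixpath.dirname(path)
    if parent.startswith(".github/workflows") and name.endswith((".yml", ".yaml")):
        return ("github-actions", "/")  # workflow files are always configured at "/"
    eco = MANIFEST_ECOSYSTEMS.get(name)
    return None if eco is None else (eco, "/" + parent if parent else "/")


def validate_config(cfg):
    """Return a list of problems with the parsed dependabot.yml (empty when OK)."""
    problems = []
    if cfg.get("version") != 2:
        problems.append("version must be 2")
    for i, u in enumerate(cfg.get("updates", [])):
        if "package-ecosystem" not in u:
            problems.append(f"updates[{i}]: missing package-ecosystem")
        if "directory" not in u and "directories" not in u:
            problems.append(f"updates[{i}]: missing directory (or directories)")
        elif not all(str(d).startswith("/") for d in u.get("directories", [u.get("directory")])):
            problems.append(f"updates[{i}]: directory values must start with '/'")
        interval = (u.get("schedule") or {}).get("interval")
        if interval not in VALID_INTERVALS:
            problems.append(f"updates[{i}]: schedule.interval must be one of {sorted(VALID_INTERVALS)}")
    return problems


def covered_pairs(cfg):
    """(ecosystem, directory) pairs the config already covers. `directories`
    entries are compared literally; glob patterns are not expanded here."""
    pairs = set()
    for u in cfg.get("updates", []):
        for d in u.get("directories") or [u.get("directory", "/")]:
            pairs.add((u["package-ecosystem"], d.rstrip("/") or "/"))
    return pairs


def find_uncovered(cfg, manifest_paths):
    """Sorted (ecosystem, directory) pairs that have a manifest but no updates entry."""
    needed = {e for e in map(manifest_to_entry, manifest_paths) if e}
    return sorted(needed - covered_pairs(cfg))


def render_entries(pairs, interval="weekly"):
    """YAML for the missing entries, indented to sit under `updates:`."""
    lines = []
    for eco, d in pairs:
        lines += [f'  - package-ecosystem: "{eco}"', f'    directory: "{d}"',
                  "    schedule:", f'      interval: "{interval}"']
    return "\n".join(lines)


# Constructed inputs: the TLDR configuration from this guide as a parsed dict,
# and a made-up list of manifest paths found by walking a repository.
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "npm", "directory": "/", "schedule": {"interval": "weekly"}},
        {"package-ecosystem": "pip", "directory": "/", "schedule": {"interval": "weekly"},
         "ignore": [{"dependency-name": "pytest", "versions": ["4.x"]}]},
        {"package-ecosystem": "docker", "directory": "/", "schedule": {"interval": "monthly"}},
    ],
}
SAMPLE_MANIFESTS = ["package.json", "requirements.txt", "Dockerfile", "README.md",
                    "services/api/package.json", "services/worker/requirements.txt",
                    ".github/workflows/ci.yml"]

if __name__ == "__main__":
    for p in validate_config(SAMPLE_CONFIG):
        print("problem:", p)
    missing = find_uncovered(SAMPLE_CONFIG, SAMPLE_MANIFESTS)
    print("uncovered:", missing)
    print(render_entries(missing))
```

On the constructed sample the checker reports the workflow files, services/api (npm) and services/worker (pip) as uncovered; the github-actions entry matters because workflow action versions are dependencies too and are otherwise never bumped.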


References

[1] “About Dependabot Alerts (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

[2] “Enabling Dependabot for Private Repositories (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-alerts/configuring-dependabot-alerts

[3] “Configuring Security Updates (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

[4] “Version Update Configuration Options (GHES)” https://docs.github.com/en/enterprise-server@latest/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

[5] “GitHub Advisory Database” https://github.com/advisories

    © 2025 The Regents of the University of California