Dependabot is a suite of automation provided by GitHub that scans the dependencies of supported codebases for known vulnerabilities and, optionally, opens a Pull Request to update a vulnerable dependency to a secure version.
For every supported package manager, Dependabot compares the dependency versions used by a project against a database of known vulnerabilities. If the project uses a vulnerable version of a dependency, Dependabot raises an alert in the Security tab of the repository. Users may additionally opt in to email or web-based notifications when new vulnerabilities are discovered for a project. An alert closes automatically shortly after the dependency is updated to a secure version on the repository's main branch, or when a repository administrator closes it manually.
To promote a more secure ecosystem for all code in the NC State GitHub Cloud service, Dependabot alerts cannot be disabled, though users may opt out of receiving notifications.
An individual alert entry will contain a wealth of information related to the vulnerability, including:
- Specific details about the vulnerability and known exploits
- Severity scores across various metrics, such as the attack complexity and the level of user privilege required to exploit it
- Affected software versions and patched versions
An alert can also be assigned to a repository contributor to fix the issue, or a Pull Request can be opened directly from the alert.
Dependabot alerts can also be viewed at the organization level for any repositories you have permission to view alerts for. This provides a holistic view of the overall security risk across all your repositories.
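To show what the alert data described above looks like when you work with it outside the web UI, here is an added example (not part of this documentation and not Dependabot's own code) that triages a list of alert records offline. It assumes each record has the shape returned by GitHub's REST endpoint `GET /repos/{owner}/{repo}/dependabot/alerts` (keys `state`, `dependency`, `security_advisory`, `security_vulnerability`, with severity values `low`/`medium`/`high`/`critical`); the `SAMPLE_ALERTS` records are constructed for this example and describe no real package or advisory.

```python
"""Offline triage of Dependabot alert records.

Added example, not part of the NC State GitHub documentation or of
Dependabot itself. Assumption: each record has the shape returned by
GitHub's REST endpoint GET /repos/{owner}/{repo}/dependabot/alerts
(keys: state, dependency, security_advisory, security_vulnerability;
severity values low/medium/high/critical). SAMPLE_ALERTS is constructed
for this example and describes no real package or advisory.
"""
import json
from collections import Counter

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample: two open alerts (one with a patch available, one
# without) and one alert already fixed by a dependency update.
SAMPLE_ALERTS = json.loads("""
[
  {"number": 1, "state": "open",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-lib"},
                  "manifest_path": "package.json"},
   "security_advisory": {"severity": "high", "summary": "constructed advisory A",
                         "cvss": {"score": 8.1}},
   "security_vulnerability": {"vulnerable_version_range": "< 2.4.0",
                              "first_patched_version": {"identifier": "2.4.0"}}},
  {"number": 2, "state": "open",
   "dependency": {"package": {"ecosystem": "pip", "name": "example-pkg"},
                  "manifest_path": "requirements.txt"},
   "security_advisory": {"severity": "medium", "summary": "constructed advisory B",
                         "cvss": {"score": 5.3}},
   "security_vulnerability": {"vulnerable_version_range": "<= 1.0.5",
                              "first_patched_version": null}},
  {"number": 3, "state": "fixed",
   "dependency": {"package": {"ecosystem": "npm", "name": "example-tool"},
                  "manifest_path": "package.json"},
   "security_advisory": {"severity": "critical", "summary": "constructed advisory C",
                         "cvss": {"score": 9.8}},
   "security_vulnerability": {"vulnerable_version_range": "< 3.0.1",
                              "first_patched_version": {"identifier": "3.0.1"}}}
]
""")


def open_alerts(alerts):
    """Alerts still in state 'open', most severe first (ties by CVSS score)."""
    return sorted(
        (a for a in alerts if a["state"] == "open"),
        key=lambda a: (SEVERITY_RANK.get(a["security_advisory"]["severity"], 9),
                       -a["security_advisory"]["cvss"]["score"]),
    )


def open_by_severity(alerts):
    """Count open alerts per severity, e.g. {'high': 1, 'medium': 1}."""
    return dict(Counter(a["security_advisory"]["severity"] for a in open_alerts(alerts)))


def patch_candidates(alerts):
    """Open alerts where the advisory names a first patched version, i.e.
    the ones a Dependabot security update PR could address. Returns
    (package name, vulnerable range, first patched version) tuples."""
    out = []
    for a in open_alerts(alerts):
        vuln = a["security_vulnerability"]
        patched = vuln.get("first_patched_version")
        if patched:
            out.append((a["dependency"]["package"]["name"],
                        vuln["vulnerable_version_range"],
                        patched["identifier"]))
    return out


def unpatchable(alerts):
    """Open alerts with no patched version yet: these need a mitigation
    other than a version bump (replace the dependency, or accept and
    track the risk until a fix is published)."""
    return [a["dependency"]["package"]["name"]
            for a in open_alerts(alerts)
            if not a["security_vulnerability"].get("first_patched_version")]


if __name__ == "__main__":
    print("open alerts by severity:", open_by_severity(SAMPLE_ALERTS))
    for name, rng, fix in patch_candidates(SAMPLE_ALERTS):
        print(f"{name}: vulnerable {rng}, update to >= {fix}")
    print("no patch available yet:", unpatchable(SAMPLE_ALERTS))
```

To run this against real data, export the alerts with the GitHub CLI (`gh api --paginate /repos/OWNER/REPO/dependabot/alerts`, or the organization-level `/orgs/ORG/dependabot/alerts` endpoint for the holistic view mentioned above) and pass the parsed JSON list in place of `SAMPLE_ALERTS`. Separating "patchable" from "no fix yet" matters because only the former can be closed by the automated PR flow described later on this page.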
Dependabot can also automatically submit a Pull Request to resolve a security issue when a patch is available that satisfies the semantic versioning constraints declared in your package manager. Combined with automated unit and integration tests, this is a powerful way to keep your software patched against security vulnerabilities with very little risk of bugs or incompatibilities.
This functionality is disabled by default and requires GitHub Actions to create the pull request. The free pool of Action Runners provided by the NC State GitHub Service Team is fully compatible with Dependabot, so it can be used to automate patching of security vulnerabilities.
To enable this functionality, first ensure that your organization has enabled the use of GitHub Actions and has made the Runner pool available to your repositories.
Next, in the Settings page for a repository, under the "Advanced Security" section, ensure that "Dependabot security updates" is enabled. We also recommend enabling "Grouped security updates" to reduce the number of PRs that are generated, especially when initially enabling this feature. You'll also want to ensure "Dependabot on self-hosted runners" is enabled if it isn't already.
Once these settings have been enabled, within a few minutes you should see Dependabot running under your Actions tab for the repository, and if there are any fixes that can be applied you'll see a new PR opened by Dependabot.
Note that only package updates that are already compatible with the semantic versioning constraints declared in your package manager will be applied automatically. Updates that require changing those constraints can be applied via the button in the corresponding Dependabot alert, or by editing the dependency declaration directly in code.
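The compatibility rule above is the crux of what gets auto-patched, so here is an added example (not part of this documentation and not Dependabot's own resolver) that checks whether a first patched version falls inside an existing npm-style constraint. It assumes the common npm forms only: exact versions, `^` (caret), `~` (tilde), and space-separated comparator sets such as `>=1.2.0 <2.0.0`; pre-release tags and `x`/`*` wildcards are deliberately left unsupported and raise `ValueError`.

```python
"""Check whether a patched version satisfies an existing npm-style
semver constraint, which is the condition under which a Dependabot
security update can be applied without editing the manifest.

Added illustration, not Dependabot's own code. Supported constraint
forms (assumption): exact version, ^ (caret), ~ (tilde), and comparator
sets like ">=1.2.0 <2.0.0". Pre-release tags and x/* wildcards are
rejected with ValueError rather than guessed at.
"""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
_COMPARATOR_RE = re.compile(r"^(>=|<=|>|<|=)?(.*)$")  # ">=" before ">" on purpose


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); raises ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(x) for x in m.groups())


def _caret_upper(v):
    """Exclusive upper bound of ^v: the left-most non-zero component bumps."""
    major, minor, patch = v
    if major > 0:
        return (major + 1, 0, 0)
    if minor > 0:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)


def _tilde_upper(v):
    """Exclusive upper bound of ~v: only patch-level changes allowed."""
    major, minor, _ = v
    return (major, minor + 1, 0)


def _comparators(constraint):
    """Expand a constraint string into (op, version) pairs that must all hold."""
    pairs = []
    for token in constraint.split():
        if token.startswith("^"):
            v = parse_version(token[1:])
            pairs += [(">=", v), ("<", _caret_upper(v))]
        elif token.startswith("~"):
            v = parse_version(token[1:])
            pairs += [(">=", v), ("<", _tilde_upper(v))]
        else:
            m = _COMPARATOR_RE.match(token)
            pairs.append((m.group(1) or "=", parse_version(m.group(2))))
    return pairs


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def satisfies(version, constraint):
    """True when `version` meets every comparator derived from `constraint`."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in _comparators(constraint))


def auto_update_possible(constraint, first_patched):
    """The rule from the text: a security update PR can be opened without
    touching the constraint only if the first patched version already
    satisfies it. Otherwise the constraint itself has to change."""
    return satisfies(first_patched, constraint)


if __name__ == "__main__":
    # Constructed constraint/patch pairs, not taken from any real advisory.
    for constraint, patched in [("^4.17.0", "4.17.21"), ("^4.17.0", "5.0.0"),
                                ("~1.2.0", "1.2.9"), ("~1.2.0", "1.3.0"),
                                ("^0.2.3", "0.3.0")]:
        verdict = "auto-updatable" if auto_update_possible(constraint, patched) else "needs constraint change"
        print(f"{constraint:>8}  ->  {patched:<8} {verdict}")
```

The `0.x` caret case is the one that surprises people: `^0.2.3` permits `0.2.9` but not `0.3.0`, so a fix released as a new minor of a pre-1.0 package will not be auto-applied and shows up as an alert needing the manual route described above.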