Skip to content

Apurva-parkhe/skills-secure-repository-supply-chain

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
.github
.github
 
 
code
code
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Secure your repository's supply chain

Secure your supply chain, understand dependencies in your environment, know about vulnerabilities in those dependencies and patch them.

Step 4: Enable and trigger Dependabot version updates

Nicely done! 🥳

You now have automated the process for Dependabot to alert you to vulnerabilities with your dependencies and to create pull requests to update them to secure versions! At this point, you only need to review the pull request and then merge it to stay on top of security problems with Dependencies.

The security updates feature helps automate the process to resolve alerts, but what about just keeping up-to-date with version updates? We can also automate pull request generation for updated versions of dependencies using the Dependabot version updates feature.

What are Dependabot version updates?: In addition to security alerts, Dependabot can also take the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on. Similar to security alerts, Dependabot will identify an outdated dependency and create a pull request to update the manifest to the latest version of the dependency.

Let's see how this works!

⌨️ Activity 4.1: Enable and trigger Dependabot version updates

  1. Navigate to the Settings tab and select Code security and analysis.

  2. Locate "Dependabot version updates" and click Configure to open a new file editor with pre-poplulated contents. The file is called dependabot.yml.

  3. Notice that the file is prepopulated to update the GitHub actions in the repository, the github-actions package ecosystem.

  4. Copy the lines that define the GitHub actions updates and append them to the file.

  5. Edit your copy of the content:

    • Change the package-ecosystem to nuget.
    • Change the directory to /code/.
    • Change the interval to weekly.

    The dependabot.yml file should now look like this.

    version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
  - package-ecosystem: "nuget"
    directory: "/code/"
    schedule:
      interval: "weekly"

  6. Commit your changes directly to the main branch.

You have now configured Dependabot version updates to run and check for updates as follows:

  • Check once a month for updates to GitHub Actions and create pull requests to update any that are out of date.
  • Check once a week for updates to .NET packages and create pull requests to update any that are out of date. By default, this check runs on a Monday, to run the check on a different day, see schedule.day.

Wait about 20 seconds then refresh this page (the one you're following instructions from). GitHub Actions will automatically update to display the next step.

Get help: Post in our discussion boardReview the GitHub status page

© 2024 GitHub • Code of ConductMIT License

About

Suppply chain repository

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages