Cybersecurity, GitHub Dependabot security alerts

An overview of the Dependabot security tool provided by GitHub.

About Dependabot

Dependabot is a GitHub-provided service that creates alerts when it detects vulnerable dependencies in your repository. Alerts are displayed on the main page of the repository, with further details available on the Security tab under “Dependabot Alerts”. Maintainers of the repository are also notified according to their notification preferences.

This article provides an overview of the Dependabot dependency scanning tool in GitHub repositories to help development teams comply with Illinois Cybersecurity Standards, including IT13.2.

Note: Enabling security and analysis features such as Dependabot requires GitHub to perform read-only analysis on your repository.

For a list of currently supported package managers, see Supported Package Ecosystems.

Enabling Dependabot Vulnerability Alerts

Dependabot sends alerts when a new vulnerability is added to the GitHub Advisory Database or when the dependency graph for your repository changes, such as when a new commit adds a dependency to the project. Dependabot can also display information about vulnerable dependencies in a pull request.

When a vulnerable dependency is detected, alerts are displayed on GitHub and dispatched to maintainers according to their notification preferences. The alerts include information about the affected version as well as the fixed version.

If Dependabot security updates are enabled, the alert will also include an automatically generated pull request that updates the dependency to the fixed version.

Dependabot is enabled in public GitHub repositories by default. For private repositories, an owner or a person with admin access can enable Dependabot by turning on the dependency graph and Dependabot alerts. Dependabot can also be enabled at the user account or organization level.

For an individual repository, go to the repository’s Settings page, click Security & analysis, then click the Enable button next to Dependency graph and Dependabot alerts.

Enabling Dependabot Version Updates

Dependabot can also be configured to update outdated dependencies via automated pull requests. This requires checking a configuration file into the repository’s .github folder that specifies the location of the package manifest and how often to check for updates. See Configuration Options for Dependency Updates for additional information.
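The following dependabot.yml is an added example of such a configuration file, written for this article and not taken from the original page or from GitHub’s documentation. The npm and GitHub Actions ecosystems, the weekly schedule, the reviewer team and the ignored package name are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml (example written for this article)
# Two version-update jobs: one for the npm manifest at the repository
# root, one for the GitHub Actions workflows. Ecosystems, schedule,
# reviewer team and the ignored package are illustrative assumptions.
version: 2
updates:
  # package-ecosystem names the package manager; directory is the
  # folder holding the manifest (package.json / package-lock.json).
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "America/Chicago"
    # Lower than the default of five, so a large backlog cannot open
    # many pull requests at once and flood the CI checks.
    open-pull-requests-limit: 3
    # Team asked to review each update (placeholder team name).
    reviewers:
      - "example-org/security-reviewers"
    labels:
      - "dependencies"
    # Conventional commit prefix, e.g. "deps(npm): bump lodash ..."
    commit-message:
      prefix: "deps"
      include: "scope"
    # Only open version-update pull requests for direct dependencies.
    allow:
      - dependency-type: "direct"
    # Skip major-version bumps of one dependency that needs a manual
    # migration (placeholder name); minor and patch bumps still arrive.
    ignore:
      - dependency-name: "example-legacy-lib"
        update-types: ["version-update:semver-major"]

  # Keep the actions referenced by CI workflows current as well;
  # for github-actions the directory is always "/".
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Dependabot reads this file from the default branch, so the first update run happens after the file is merged there.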

Examples

  • Please see this Dependabot automated pull request for an example of remediation for a vulnerable dependency. The pull request includes a link to the Dependabot alert that details the vulnerability, as well as changelog information from the new version of the dependency. Once the pull request is created, any rules set up for the target branch, such as required team approvals or automated tests, must still be satisfied before it can be merged.

Keywords: security, developer, sdlc, cybersecurity, devops, secdevops
Doc ID: 110071
Owner: Security S.
Group: University of Illinois Technology Services
Created: 2021-04-02 13:08 CST
Updated: 2021-04-05 15:39 CST
Sites: University of Illinois Technology Services