This PR sends your sbt dependencies to GitHub for vulnerability monitoring via Dependabot. The submitted dependencies will appear in the Dependency Graph on merge to main (it might take a few minutes to update).
[ ] A run of this action (Update Dependency Graph for sbt) should have been triggered (see the checks below) when the branch sbt-dependency-graph-87377622a9838adc was created. Sense check the output of the step "Log snapshot for user validation", and make sure that your dependencies look okay.
[ ] When you are happy the action works, remove the branch name trigger sbt-dependency-graph-87377622a9838adc from the file sbt-dependency-graph.yaml (aka delete line 6), approve this PR, and merge.
Why?
If a repository is in production, we need to track its third party dependencies for vulnerabilities. Historically, we have done this using Snyk, but we are now moving to GitHub’s native Dependabot. Scala is not a language that Dependabot supports out of the box, this workflow is required to make it happen. As a result, we have raised this PR on your behalf to add it to the Dependency Graph.
How has it been verified?
We have tested this workflow, and the process of raising a PR on DevX repos, and have verified that it works. However, we have included some instructions above to help you verify that it works for you. Please do not hesitate to contact DevX Security if you have any questions or concerns.
What does this change?
This PR sends your sbt dependencies to GitHub for vulnerability monitoring via Dependabot. The submitted dependencies will appear in the Dependency Graph on merge to main (it might take a few minutes to update).
What do I need to do?
sbt-dependency-graph-87377622a9838adcwas created. Sense check the output of the step "Log snapshot for user validation", and make sure that your dependencies look okay.sbt-dependency-graph-87377622a9838adcfrom the filesbt-dependency-graph.yaml(aka delete line 6), approve this PR, and merge.Why?
If a repository is in production, we need to track its third party dependencies for vulnerabilities. Historically, we have done this using Snyk, but we are now moving to GitHub’s native Dependabot. Scala is not a language that Dependabot supports out of the box, this workflow is required to make it happen. As a result, we have raised this PR on your behalf to add it to the Dependency Graph.
How has it been verified?
We have tested this workflow, and the process of raising a PR on DevX repos, and have verified that it works. However, we have included some instructions above to help you verify that it works for you. Please do not hesitate to contact DevX Security if you have any questions or concerns.
Further information for sbt
See the sbt workflow documentation for further information and configuration options.