i-am-dan / security-strategy-essentials

https://lab.github.com/githubtraining/security-strategy-essentials
MIT License

Add Dependabot to your repository #5

Closed github-learning-lab[bot] closed 5 years ago

github-learning-lab[bot] commented 5 years ago

Automated dependency updates with Dependabot

Manually going through your dependencies for alerts and outdated versions is tedious work. Let's automate this process!

Meet Dependabot


Dependabot creates pull requests to keep your dependencies secure and up-to-date!

How does Dependabot work?

Dependabot is the actor for GitHub's automated security fixes.

  1. GitHub uses the dependency graph and security alerts to scan your repository and notify you of potential dependency updates
  2. If any dependencies are out-of-date, Dependabot opens a pull request to update each one
  3. If tests pass, and the updated version looks good, you simply merge the pull request

Configuring automated security fixes

You can enable automated security fixes for any repository that uses security alerts and the dependency graph. You can disable automated security fixes for an individual repository or for all repositories owned by your user account or organization. GitHub will automatically enable automated security fixes in every repository that uses security alerts and the dependency graph.

(Screenshot, 2019-10-28: the repository's security alerts tab showing an alert on the debug dependency)

Here, we have a security alert on the debug dependency. Clicking on debug will show you the pull request created by Dependabot to update the dependency. We just updated to 2.6.9 but Dependabot noticed we are still outdated.

If you navigate to your pull requests, you'll notice Dependabot has done its job and is trying to bump, or update, the version of debug. Feel free to approve and merge the pull request.

How to install Dependabot if it is not enabled through automated security fixes

  - Navigate to Dependabot on the [GitHub Marketplace](https://github.com/marketplace/dependabot-preview)
  - Click the "Install it for free" button
  - Follow the on-screen instructions to add Dependabot to your GitHub profile
  - When installing Dependabot, choose `Only select repositories` and choose this repository, https://github.com/dkijc/security-strategy-essentials
  - On `app.dependabot.com`, under `repos you want to add`, select https://github.com/dkijc/security-strategy-essentials and click the `Add selected` button

Important Note!

Dependabot is owned and maintained by GitHub. Dependabot Preview is a public beta for functionality that we are integrating directly into GitHub. These automatic security fixes are in beta and are subject to change.

Close this issue when done


I'll respond below when you close the issue.
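The comment above describes Dependabot Preview, which was configured through the Marketplace app and `app.dependabot.com`. Since Dependabot was folded into GitHub, the same behaviour (scheduled version bumps, with security updates handled separately by the alerts feature) is configured with a `.github/dependabot.yml` file committed to the repository. The file below is an added example, not part of the course material or the learning-lab bot's comment; it assumes the repository is an npm project with its `package.json` at the repository root (the course's `debug` dependency is an npm package, so that is a plausible assumption, but the `directory`, schedule and labels are illustrative choices).

```yaml
# .github/dependabot.yml  (added example; assumes an npm project at the repo root)
version: 2
updates:
  # One entry per package ecosystem / manifest directory. Dependabot opens
  # a separate pull request for each outdated dependency it finds here.
  - package-ecosystem: "npm"
    directory: "/"              # location of package.json (assumed)
    schedule:
      interval: "weekly"        # how often to check for new versions
    open-pull-requests-limit: 10
    labels:
      - "dependencies"          # assumed label; create it in the repo first
    # Pin the PR title prefix so branch-protection/CI rules can match it.
    commit-message:
      prefix: "deps"
    # Example of holding back a dependency: Dependabot still reports
    # security alerts for it, but will not open version-bump PRs.
    ignore:
      - dependency-name: "debug"
        versions: ["3.x"]
```

Two practical checks after adding the file: the "Dependabot" tab under the repository's Insights (dependency graph) shows whether the configuration parsed, and the first scheduled run should produce pull requests titled with the `deps` prefix. Security updates for alerted dependencies (the `debug` alert in the course) do not depend on this file; they are governed by the repository's "Dependabot security updates" setting, so an `ignore` entry here only suppresses routine version bumps.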

github-learning-lab[bot] commented 5 years ago

Nice job adding Dependabot.


Let's learn about adding a SECURITY.md policy to your repository. Navigate to your next issue.