ossf / allstar

GitHub App to set and enforce security policies
Apache License 2.0

Alerting for repos missing dependabot config (`dependabot.yml`) #113

Open justaugustus opened 2 years ago

justaugustus commented 2 years ago

Similar to the SECURITY.md community health check, for organizations that are interested in having dependabot automated updates enabled on their repositories, it'd be great to have a check that alerts when a .github/dependabot.yml config is not present within the repo.

Ideally, it'd be cool to have this baked into https://github.com/organizations/<org-name>/settings/security_analysis. cc: @jhutchings1

jeffmendoza commented 2 years ago

👍 https://github.com/ossf/allstar#future-policies Also want to support renovatebot and others.

justaugustus commented 2 years ago

> 👍 https://github.com/ossf/allstar#future-policies Also want to support renovatebot and others.

starts to roll sleeves up... https://github.com/ossf/allstar/pull/114

jhutchings1 commented 2 years ago

> Ideally, it'd be cool to have this baked into https://github.com/organizations/<org-name>/settings/security_analysis.

We're looking at making this process simpler in the near future. @erinhav FYI on ☝🏻

ArisBee commented 1 year ago

There is a way to do something like that by configuring the Scorecard check to only score on non-compliant dependency update tool, for instance in scorecard.yaml try:

```yaml
optConfig:
  optOutStrategy: true
action: log
checks:
  - Dependency-Update-Tool
threshold: 5
```

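
As an added example (not Allstar's or Scorecard's own code) of the check this issue asks for: given a repository's file tree, flag repos that have no `.github/dependabot.yml`, or one that declares no update blocks, and accept a Renovate config as the maintainers suggested. The Renovate file locations and the line-based scan of the YAML are assumptions of this example, not something the project defines.

```python
"""Flag repositories without a dependency-update tool configuration.

Assumed conventions (not from Allstar): dependabot lives at
.github/dependabot.yml|yaml; Renovate may live at several common paths.
The YAML is scanned line by line for `package-ecosystem:` entries instead
of being fully parsed, so no third-party YAML library is needed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEPENDABOT_PATHS = (".github/dependabot.yml", ".github/dependabot.yaml")
RENOVATE_PATHS = ("renovate.json", "renovate.json5", ".renovaterc",
                  ".renovaterc.json", ".github/renovate.json")  # assumed

# Matches `- package-ecosystem: "gomod"` with or without quotes / trailing comment.
ECOSYSTEM_RE = re.compile(
    r'^\s*-?\s*package-ecosystem:\s*["\']?([\w-]+)["\']?\s*(?:#.*)?$', re.M)


@dataclass
class Finding:
    compliant: bool
    tool: Optional[str]                       # "dependabot", "renovate" or None
    ecosystems: List[str] = field(default_factory=list)
    reason: str = ""


def check_dependency_update_tool(files: Dict[str, str]) -> Finding:
    """files maps repo-relative path -> contents (e.g. read from a checkout)."""
    for path in DEPENDABOT_PATHS:
        if path in files:
            ecosystems = ECOSYSTEM_RE.findall(files[path])
            if not ecosystems:
                return Finding(False, "dependabot", [],
                               f"{path} present but declares no update blocks")
            return Finding(True, "dependabot", sorted(set(ecosystems)),
                           f"{path} declares {len(ecosystems)} update block(s)")
    for path in RENOVATE_PATHS:
        if path in files:
            return Finding(True, "renovate", [], f"{path} present")
    return Finding(False, None, [], "no dependabot.yml or Renovate config found")


# Constructed sample repositories used for a local run.
SAMPLE_REPOS = {
    "good": {".github/dependabot.yml": 'version: 2\nupdates:\n'
             '  - package-ecosystem: "gomod"\n    directory: "/"\n'
             '  - package-ecosystem: github-actions  # CI deps\n'},
    "empty": {".github/dependabot.yml": "version: 2\nupdates: []\n"},
    "renovate": {"renovate.json": "{}"},
    "missing": {"README.md": "# hi\n"},
}

if __name__ == "__main__":
    for name, tree in SAMPLE_REPOS.items():
        f = check_dependency_update_tool(tree)
        print(f"{name:9} compliant={f.compliant} tool={f.tool} {f.reason}")
```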
Jung47 commented 1 year ago

🙏🙏🙏