Using Dependabot to secure your GitHub repository

Tags GitHub

What is Dependabot?

Dependabot is a code-scanning tool in GitHub designed to help manage and update the dependencies in your project–automatically. By keeping dependencies current, Dependabot helps maintain the security and performance of your codebase by staying in compliance with DS-21, the Vulnerability Management security standard. 

Dependabot consists of three different features that help you manage your dependencies:

  • Dependabot alerts: Inform you about vulnerabilities in the dependencies that you use in your repository.

  • Dependabot security updates: Automatically raise pull requests to update the dependencies you use that have known security vulnerabilities.

  • Dependabot version updates: Automatically raise pull requests to keep your dependencies up-to-date.

Environment

GitHub

Enabling Dependabot 

Dependabot is enabled on all public repositories in GitHub by default. Owners of private repositories, or people with admin access, can enable Dependabot alerts by enabling the dependency graph and Dependabot alerts for their repositories. All GitHub organizations managed by the University of Michigan are private.

Dependabot scans code when a new advisory is added to the GitHub Advisory Database or the dependency graph for a repository changes. When vulnerable dependencies are detected, Dependabot alerts are generated. 

You can enable or disable Dependabot alerts for:

  • Your personal account
  • Your repository
  • Your organization

 

Enabling or disabling Dependabot alerts for an individual repository

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the ··· dropdown menu, then click Settings.Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.
  3. In the "Security" section of the sidebar, click Code security.
  4. Under "Code security", to the right of Dependabot alerts, click Enable to enable alerts or Disable to disable alerts.

 

Enabling or disabling Dependabot alerts for an organization

Organizations managed by the University of Michigan will already have a "GitHub recommended" enterprise configuration configured. Apply this policy to all existing repositories to automatically enable Dependabot.

Note: GitHub may display an error stating the policy "failed to apply because GitHub Advanced Security has not been purchased". Dependabot will still be enabled, despite this warning. 
 
To enable Dependabot to automatically create pull requests across all repositories, create a new custom security configuration that enables the Dependabot dependency graph and security updates. 
 

What to do with Dependabot alerts

GitHub generates Dependabot alerts when it detect that the default branch of your codebase is using dependencies with known security risks. In repositories where Dependabot security updates are enabled, when GitHub detects a vulnerable dependency in the default branch, Dependabot creates a pull request to fix it. The pull request will upgrade the dependency to the minimum possible secure version needed to avoid the vulnerability.

Dependabot alerts can be found by clicking on Security under the repository or organization name.

Screenshot of the Security tab of a GitHub repository, with the tab name and a list of Dependabot alerts highlighted with a red outline.

Alert severity is determined by the rating provided by NIST’s Common Vulnerability Scoring system (CVSS). All validated high (7-8.9 on CVSS scale) and critical (9-10) vulnerabilities should be remediated as defined in the “Remediation Timeframes” section, as taken from the DS-21 security standard on Vulnerability Management, below:

Critical (CVSS 9-10)
  • Resolution plan in place within: 2 weeks
  • Resolved By: 1 month
High (CVSS 7-8.9)
  • Resolution plan in place within: 1 month
  • Resolved By: 3 months

 

Fixing vulnerable dependencies

  1. View the details for an alert by clicking the alert name.
  2. If you have Dependabot security updates enabled, there may be a link to a pull request that will fix the dependency. Alternatively, you can click Create Dependabot security update at the top of the alert details page to create a pull request.

    Screenshot of an example Dependabot alert, with the "Create Dependabot security update" button circled in red
     
  3. Optionally, if you do not use Dependabot security updates, you can use the information on the page to decide which version of the dependency to upgrade to and create a pull request to update the dependency to a secure version.
  4. When you're ready to update your dependency and resolve the vulnerability, merge the pull request.

Each pull request raised by Dependabot includes information on commands you can use to control Dependabot. For more information, see Managing pull requests for dependency updates.

External resources

Print Article