Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolves: Add security and versioning dependency alerts #944

Open
wants to merge 23 commits into
base: main
Choose a base branch
from
Open

Resolves: Add security and versioning dependency alerts #944

wants to merge 23 commits into from

Conversation

aleks-ivanov
Copy link

  • add dependabot.yml which automatically enables native Dependabot's dependency versioning scanner and dependency update PRs bot by declaring dependency ecosystems and sources in the project. For dependency security vulnerabilities scanner and vulnerable dependency update PRs bot, enable "Dependabot alerts" and "Dependabot security updates"

  • should you decide that certain people on your team should take care of the PRs that Dependabot creates, use the two attributes assignees and reviewers to automatically set personnel respectively.

Resolves #943

aleks-ivanov
aleks-ivanov commented Jun 3, 2021
View reviewed changes
.github/dependabot.yml Outdated
visual-studio-securitytools:
type: nuget-feed
url: https://securitytools.pkgs.visualstudio.com/_packaging/Guardian/nuget/v3/index.json
# token: ${{ secrets.NUGET_PRIVATE_REG_TOKEN }}
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To allow Dependabot suggest updates for dependencies in eng/common/sdl/packages.config:

  • add registry token as GitHub secret with the name NUGET_PRIVATE_REG_TOKEN and uncomment

aleks-ivanov and others added 21 commits June 5, 2021 04:11
@aleks-ivanov
Merge branch 'main' into feature/dependabot
cc2dd6d
@aleks-ivanov
Merge branch 'main' into feature/dependabot
a8d5dc8
@aleks-ivanov
Merge branch 'main' into feature/dependabot
986b43e
@aleks-ivanov
add private feed to the proper
d11eab1
@aleks-ivanov
Merge branch 'main' into feature/dependabot
61ca15a
@aleks-ivanov
Merge branch 'main' into feature/dependabot
862a78b
@aleks-ivanov
Merge branch 'main' into feature/dependabot
f9e59b2
@aleks-ivanov
Merge branch 'main' into feature/dependabot
58ac305
@aleks-ivanov
Merge branch 'main' into feature/dependabot
9891f2b
@aleks-ivanov
Merge branch 'main' into feature/dependabot
a5c78c1
@aleks-ivanov
Merge branch 'main' into feature/dependabot
c822b33
@aleks-ivanov
Merge branch 'main' into feature/dependabot
7b26430
@aleks-ivanov
Merge branch 'main' into feature/dependabot
fec28df
@aleks-ivanov
Merge branch 'main' into feature/dependabot
da56bb6
@aleks-ivanov
Merge branch 'main' into feature/dependabot
fb776c8
@aleks-ivanov
Merge branch 'main' into feature/dependabot
478e10e
@aleks-ivanov
Merge branch 'main' into feature/dependabot
097cb56
@aleks-ivanov
Merge branch 'main' into feature/dependabot
44e4fe8
@aleks-ivanov
Merge branch 'main' into feature/dependabot
8f44337
@aleks-ivanov
Merge branch 'main' into feature/dependabot
53c93ad
@aleks-ivanov
Merge branch 'main' into feature/dependabot
0798170
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[FEATURE REQUEST]: Add security and versioning dependency alerts
1 participant
@aleks-ivanov