Adding Dependabot to your Repository - Security Team #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![ecobee-dependabot-scanner[bot]](https://avatars.githubusercontent.com/in/71634?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Automated Dependabot Integration Scanner
Purpose
Hi team, our security bot has found that your repository is missing the dependabot integration.
The purpose of this bot is to help secure your application by limiting the vulnerabilities that you may be exposed to by virtue of insecure dependencies.
If you already have dependabot integrated in your repository, please see the last section.
If you aren't yet using dependabot, see below next steps:
What should I do to close this PR?
Check which package manager you use, if its not one from this list, please comment on this PR linking someone on the Security Team to verify and close the Pull Request
javascriptruby:bundlerphp:composerpythongo:modulesgo:depjava:mavenjava:gradledotnet:nugetrust:cargoelixir:hexdockerterraformsubmoduleselmSee the following docs and make changes to the template config we have provided you:
https://dependabot.com/docs/config-file/
If you would like some examples, see the following repositories:
https://github.com/ecobee/security-theia-cloudtrail-slack/blob/master/.dependabot/config.yml
https://github.com/ecobee/smartbuildings/blob/develop/.dependabot/config.yml
https://github.com/ecobee/admin-portal/blob/main/.dependabot/config.yml
Merge this PR!
Add your repository to the Dependabot API so that it can begin tracking your dependencies using the configuration file you merged.
https://app.dependabot.com/accounts/ecobee
Make sure to perform this step! If you don't another PR will be created tomorrow
I already have Dependabot integrated in this repository, why am I getting this?
Our bot is not perfect, it cannot yet detect if you are using Dependabot V2 (yet), so if you are please follow the below steps:
If you are using Dependabot V2
I confirm dependabot version 2 is already in our repositorya. The PR should be automatically closed and the branch deleted
If you already merged in your PR but another PR was made for some reason...
This is usually because the repository was not correctly linked to the Dependabot Integration. Please see the steps above again.
I confirm dependabot was already merged in this repositorya. The PR should be automatically closed and the branch deleted
If any of the above steps did not work, please reach out to the security team so that we may help you close the PR correctly (so that it doesn't get recreated in the future)
##FAQ
Dependabot FAQ
Brought to you by the Security team.
If you have any questions don't hesitate to message us.