DependaBot
This project is a dependency management bot that helps manage project dependencies and automatically updates packages when security vulnerabilities are detected.
Workflow
- Automatically scan projects for security vulnerabilities using configured scanners (default: trivy)
- Filter out Go packages that need upgrading (supports multiple languages, currently focused on Go)
- Navigate to the project's go.mod directory and upgrade vulnerable packages to fixed versions using go get
- Create a branch and pull request based on the changes, using gh cli for GitHub pull requests
Features
- ๐ Support for multiple security scanners (Trivy, GovulnCheck, etc.)
- ๐ฏ Support for multi-language dependency updates
- ๐ Support for multiple git service providers
- ๐ฆ Automatic package upgrades to fixed versions using language-specific package managers
- ๐ Detailed update logs and error reports
- โ๏ธ Support for configuration files and command-line parameters
- ๐ฟ Automatic Pull Request creation
- ๐ Submodule cloning suprt
- ๐ Custom script execution hooks (Pre-scan, Post-scan, Pre-commit, Post-commit)
- ๐ Go get commands output generation
Installation
Install from Source
# Clone repository
git clone https://github.com/AlaudaDevOps/toolbox/dependabot.git
cd dependabot
# Build project
make install
Go Install
go install github.com/AlaudaDevops/toolbox/dependabot@main
which dependabot
Usage
Basic Usage
# Local project mode (automatic scanning)
dependabot --dir /path/to/your/project
# Remote repository mode (clone + automatic scanning)
dependabot --repo.url https://github.com/user/repo.git
# Specify branch
dependabot --repo.url https://github.com/user/repo.git --repo.branch develop
# Enable automatic PR creation (this will also enable branch push)
dependabot --repo.url https://github.com/user/repo.git --pr.autoCreate
# Enable automatic branch push only (without PR creation)
dependabot --repo.url https://github.com/user/repo.git --pr.pushBranch
# Clone with submodules
dependabot --repo.url https://github.com/user/repo.git --repo.includeSubmodules
# View help information
dependabot --help
Command Line Parameters
--config config file
--debug enable debug log output
--dir path to project directory containing go.mod (default: current directory) (default ".")
--git.baseUrl Base API URL of the Git provider (e.g., https://api.github.com for GitHub, https://gitlab.example.com for GitLab) (default "https://api.github.com")
--git.provider Git provider type (e.g., github, gitlab) (default "github")
--git.token Access token for the Git provider (used for authentication and PR creation)
--pr.autoCreate enable automatic PR creation
--pr.pushBranch enable automatic push branch (automatically enabled when --pr.autoCreate is true)
--runtime.cleanupTempDirs cleanup temporary directories after execution (default true)
--repo.branch branch to clone and create PR against (default "main")
--repo.url repository URL to clone and analyze (alternative to dir)
--repo.includeSubmodules include submodules when cloning repository (default: false)
Configuration System
DependaBot supports a three-tier configuration system, with priority from lowest to highest:
- Repository Configuration (searched in order):
.dependabot.yml in project root directory
.dependabot.yaml in project root directory
.github/dependabot.yml
.github/dependabot.yaml
- Local Configuration File: The first-matched configuration file from the following locations (in order of priority):
- specified by
--config parameter
.dependabot.yaml in the current directory
.dependabot.yml in the home directory
- Command Line Parameters (highest priority)
Repository Configuration File
The repository configuration file supports both the GitHub dependabot configuration format and our custom format, allowing seamless transition to this project for vulnerability management.
Example GitHub dependabot configuration:
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "gomod" # See documentation for possible values
directory: "/" # Location of package manifests
schedule:
interval: "yearly"
open-pull-requests-limit: 0
groups:
gomod:
update-types:
- patch
- minor
applies-to: security-updates
patterns:
- "*"
reviewers:
- somebody
assignees:
- somebody
Local Configuration File
Create a configuration file anywhere and specify it using the --config parameter:
pr:
autoCreate: false
pushBranch: false
labels:
- dependencies
assignees:
- somebody
git:
provider: github
token: xxx
# Configure scanner and its parameters
scanner:
type: "trivy"
timeout: "8m"
params:
- "--ignore-unfixed"
- "--scanners"
- "vuln,secret"
# Runtime behavior configuration
runtime:
cleanupTempDirs: true # set false to keep temporary directories for troubleshooting
# Custom script configuration for pipeline hooks
hooks:
# Pre-verify-scan script: executed before verification security scanning
# Use case: apply existing remediation commands and verify whether updates are still needed
preVerifyScan:
script: |
#!/bin/bash
echo "Running pre-verify-scan setup..."
timeout: "15m"
continueOnError: false # Verification stage falls back to regular flow if this script fails
# Post-verify-scan script: executed after verification security scanning
# Use case: cleanup workspace after verification stage before regular flow
postVerifyScan:
script: |
#!/bin/bash
echo "Running post-verify-scan cleanup..."
timeout: "10m"
continueOnError: false # Pipeline stops if cleanup fails
# Pre-scan script: executed before security scanning
# Use case: prepare environment, install dependencies, run tests
preScan:
script: |
#!/bin/bash
echo "Running pre-scan setup..."
timeout: "10m"
continueOnError: false # Pipeline will stop if this script fails
# Post-scan script: executed after security scanning
# Use case: process scan results, generate reports, send notifications
postScan:
script: |
#!/bin/bash
echo "Processing scan results..."
# Add custom logic to process vulnerability scan results
timeout: "5m"
continueOnError: true # Pipeline will continue even if this script fails
# Pre-commit script: executed before committing changes
# Use case: validate changes, run additional checks, format code
preCommit:
script: |
#!/bin/bash
echo "Running pre-commit checks..."
timeout: "10m"
continueOnError: true # Pipeline will continue even if this script fails
# Post-commit script: executed after committing changes
# Use case: run tests, trigger CI/CD, send notifications
postCommit:
script: |
#!/bin/bash
echo "Running post-commit tasks..."
# Add custom logic like running tests, triggering CI/CD
timeout: "15m"
continueOnError: true # Pipeline will continue even if this script fails
# Updater configuration
updater:
go:
# Indicate the file to store the go get commands
commandOutputFile: ".tekton/patches/dependabot-go-get-commands.sh"
runtime.cleanupTempDirs is a global switch. When set to false, DependaBot keeps temporary directories created by repository cloning and scanner execution.
If your repository already stores remediation commands (for example in .tekton/patches/dependabot-go-get-commands.sh), you can use preVerifyScan/postVerifyScan to avoid duplicate PRs:
hooks:
preVerifyScan:
script: |
#!/bin/bash
set -ex
make clean-patches-default apply-patches-default upgrade-go-dependencies-default
postVerifyScan:
script: |
#!/bin/bash
set -ex
make clean-patches-default
preScan:
script: |
#!/bin/bash
set -ex
SKIP_DEPENDABOT_COMMANDS=true make apply-patches upgrade-go-dependencies
With this setup:
- DependaBot first verifies vulnerabilities after applying existing remediation commands.
- If no vulnerabilities remain, it exits early and skips PR generation.
- If vulnerabilities remain, it cleans up and continues with the regular update flow to regenerate commands.
Apply Hooks Conditionally in Global Config
You can also configure conditional hook injection in a global config file (for example hack/dependabot/bot.yaml) and apply it only to matched repositories:
hooks:
rules:
- name: tektoncd verify hooks
when:
repoNameGlob: "tektoncd-*"
strategy: fillEmpty # optional: fillEmpty (default) | override
hooks:
preVerifyScan:
script: |
#!/bin/bash
set -ex
make clean-patches-default apply-patches-default upgrade-go-dependencies-default
postVerifyScan:
script: |
#!/bin/bash
set -ex
make clean-patches-default
Behavior:
- Rule matching is based on repository name (without
.git) extracted from repo.url.
fillEmpty only injects hooks when the target hook is not configured.
override always replaces existing hooks for matched repositories.
Git Provider Support
DependaBot currently supports GitHub and Gitlab providers. You can specify the provider using the --git.provider parameter or configure it in the local configuration file.
# github provider example
git:
provider: github
token: xxx
# gitlab provider example
git:
provider: gitlab
token: xxx
baseUrl: https://gitlab.example.com
Notice Configuration
Notice configuration is used to send notifications about the vulnerability updates.
Currently, only WeCom webhook is supported.
notice:
type: "wecom" # or "wechat"
params:
webhook_url: "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=YOUR_KEY"
Generated Go Get Commands
When DependaBot detects vulnerabilities in Go dependencies, it generates a script file containing the necessary go get commands to upgrade the vulnerable packages to their fixed versions. This file is created at the path specified in the updater.go.commandOutputFile configuration.
Example of generated commands:
go get github.com/cloudflare/circl@v1.6.1
go get github.com/go-jose/go-jose/v3@v3.0.4
go get github.com/go-jose/go-jose/v4@v4.0.5
go get github.com/golang-jwt/jwt/v4@v4.5.2
go get github.com/open-policy-agent/opa@v1.4.0
go mod tidy
These commands can be executed manually or integrated into CI/CD pipelines to automatically apply the security updates.
Pipeline Execution Flow
DependaBot pipeline executes in the following order:
- Git Clone - Clone the repository
- Pre-verify-scan Hook (Optional) - Apply existing remediation state before verification scan
- Verification Security Scanning (Optional) - Check whether existing remediation already resolves vulnerabilities
- Post-verify-scan Hook (Optional) - Cleanup workspace after verification stage
- Early Exit (Conditional) - Stop pipeline when verification scan finds no vulnerabilities
- Pre-scan Hook - Prepare environment before regular security scanning
- Security Scanning - Scan for vulnerabilities using configured scanner
- Post-scan Hook - Process scan results, generate reports
- Package Updates - Update vulnerable packages to fixed versions
- Pre-commit Hook - Validate changes before committing
- Commit Changes - Create branch, commit and push changes
- Post-commit Hook - Run tests, trigger CI/CD after commit
- PR Creation - Create pull request (if enabled)
- Notification - Send notification about updates (if configured)
Each hook is optional and can be configured with custom scripts, timeout settings, and error handling behavior.