Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding Dependabot to your Repository - Security Team #20

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

ecobee-dependabot-scanner[bot]
Copy link

Automated Dependabot Integration Scanner

Purpose

Hi team, our security bot has found that your repository is missing the dependabot integration.
The purpose of this bot is to help secure your application by limiting the vulnerabilities that you may be exposed to by virtue of insecure dependencies.

If you already have dependabot integrated in your repository, please see the last section.

If you aren't yet using dependabot, see below next steps:

What should I do to close this PR?

  1. Check which package manager you use, if its not one from this list, please comment on this PR linking someone on the Security Team to verify and close the Pull Request

    • javascript
    • ruby:bundler
    • php:composer
    • python
    • go:modules
    • go:dep
    • java:maven
    • java:gradle
    • dotnet:nuget
    • rust:cargo
    • elixir:hex
    • docker
    • terraform
    • submodules
    • elm
  2. See the following docs and make changes to the template config we have provided you:

    https://dependabot.com/docs/config-file/


    If you would like some examples, see the following repositories:

    https://github.com/ecobee/security-theia-cloudtrail-slack/blob/master/.dependabot/config.yml

    https://github.com/ecobee/smartbuildings/blob/develop/.dependabot/config.yml

    https://github.com/ecobee/admin-portal/blob/main/.dependabot/config.yml

  3. Merge this PR!

  4. Add your repository to the Dependabot API so that it can begin tracking your dependencies using the configuration file you merged.

    https://app.dependabot.com/accounts/ecobee

Make sure to perform this step! If you don't another PR will be created tomorrow

I already have Dependabot integrated in this repository, why am I getting this?

Our bot is perfect, it cannot yet detect if you are using Dependabot V2 (yet), so if you are please follow the below steps:

  1. Comment in the PR:

    I confirm dependabot is already in our repository
  2. Wait a couple seconds

    a. The PR should be automatically closed
  3. Delete the branch
  4. Forget about it, we won't bother you again about integrating Dependabot in your repository.

If the above steps did not work, please reach out to the security team so that we may help you close the PR correctly (so that it doesn't get recreated in the future)

Brought to you by the Security team.

If you have any questions don't hesitate to message us.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants