Domain 3: Configure and Use Dependabot and Dependency Review (35%)
Exam Priority
This is the largest domain at 35% of the exam. Master every feature here; the differences between Dependabot alerts, security updates, version updates, and dependency review are all heavily tested.
The Dependency Graph
The dependency graph is the foundation for all Dependabot features. It tracks:
- Direct dependencies (packages listed in your manifest files)
- Transitive dependencies (dependencies of your dependencies), resolved from lock files where the ecosystem produces them
- Supported ecosystems include npm, pip, Maven, Gradle, Bundler, Cargo, NuGet, Go modules, Composer, and more
Enabling the Dependency Graph
- Public repos: enabled by default
- Private repos: Settings → Code security → Dependency graph → Enable
- Can also be enabled for every repository in an organization via: Org Settings → Code security → Dependency graph
Supported Manifest Files
| Ecosystem | Manifest file |
|---|---|
| npm (Node.js) | package.json, package-lock.json |
| pip (Python) | requirements.txt, Pipfile, pyproject.toml |
| Maven (Java) | pom.xml |
| Gradle (Java) | build.gradle, build.gradle.kts |
| Bundler (Ruby) | Gemfile, Gemfile.lock |
| Cargo (Rust) | Cargo.toml, Cargo.lock |
| NuGet (.NET) | .csproj, packages.config |
| Go | go.mod |
Dependabot Alerts
Dependabot alerts notify you when one of your dependencies has a known security vulnerability.
How It Works
- GitHub maintains the GitHub Advisory Database, which aggregates advisories from sources including the NVD (National Vulnerability Database) and repository security advisories
- When an advisory matches a dependency and version present in your dependency graph, a Dependabot alert is created; this happens both when a new advisory is published and when alerts are first enabled on a repository that already has vulnerable dependencies
- An alert includes: the GHSA ID and CVE ID (where one has been assigned), the CVSS score and severity, the affected version range, the patched version, and a description
CVSS Severity Levels
| CVSS Score | Severity (GitHub label) |
|---|---|
| 9.0–10.0 | Critical |
| 7.0–8.9 | High |
| 4.0–6.9 | Moderate (CVSS calls this "Medium") |
| 0.1–3.9 | Low |
Enabling Dependabot Alerts
- Repository: Settings → Code security → Dependabot alerts → Enable
- Organization: Org Settings → Code security → Dependabot alerts
- Enterprise: Enterprise Settings → Code security → Dependabot alerts
TIP
Dependabot alerts are available on all GitHub plans (not just GHAS) for public repositories and for any repository where the dependency graph is enabled. For private repositories on GitHub Free/Pro/Team, Dependabot alerts are still available; GHAS is only required for code scanning and secret scanning.
Managing Dependabot Alerts
| Alert State | Meaning |
|---|---|
| Open | A vulnerable version is present in the dependency graph and needs action |
| Dismissed (Risk is tolerable to this project) | Accepted as a known, low-priority issue |
| Dismissed (This alert is inaccurate or incorrect) | The advisory does not apply to this dependency as matched |
| Dismissed (Vulnerable code is not actually used) | The dependency is present but the affected code path is not exercised in this context |
| Dismissed (No bandwidth to fix this) | Acknowledged; deferred |
| Dismissed (A fix has already been started) | Remediation is in progress outside Dependabot |
| Fixed | Alert resolved by updating or removing the dependency |
| Auto-dismissed | Closed by an auto-triage rule: GitHub's built-in rule dismisses low-impact alerts for npm development dependencies, and custom rules can dismiss or snooze alerts by severity, scope, ecosystem, package name or manifest path |
Dependabot Security Updates
Dependabot security updates automatically open pull requests that move a vulnerable dependency to the lowest version that resolves the alert.
How Security Updates Work
- A Dependabot alert is created for a vulnerable dependency
- If security updates are enabled, Dependabot checks whether a patched version exists
- If a patched version exists: Dependabot opens a PR to update the dependency (if none exists, the alert stays open with no PR)
- The PR includes: vulnerability details, release notes and changelog links, commit diff, and a compatibility score
Enabling Security Updates
- Repository: Settings → Code security → Dependabot security updates → Enable (requires Dependabot alerts and the dependency graph)
- Organization: Org Settings → Code security → Dependabot security updates
Exam Trap
Security updates ≠ version updates. Security updates are vulnerability-driven (triggered by a Dependabot alert that has a patched version). Version updates are schedule-driven (bring dependencies to the latest release regardless of security). They are enabled separately: security updates by a settings toggle, version updates by committing .github/dependabot.yml.
Dependabot Version Updates
Dependabot version updates keep all dependencies up to date with their latest releases on a schedule, regardless of whether there is a security issue.
Configuring dependabot.yml
Version updates are configured via .github/dependabot.yml (committing this file is what enables them):
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 10
    reviewers:
      - "gobinathm"
    labels:
      - "dependencies"
    ignore:
      - dependency-name: "lodash"
        versions: ["4.x"]
```
Key dependabot.yml Fields
| Field | Description |
|---|---|
| package-ecosystem | The package manager: npm, pip, maven, gradle, cargo, nuget, bundler, gomod, composer, github-actions, etc. |
| directory | Location of the manifest file, relative to the repo root |
| schedule.interval | daily, weekly, or monthly (weekly also accepts day; all accept time and timezone) |
| open-pull-requests-limit | Maximum number of open version-update PRs at once (default: 5; 0 disables version updates for that entry while security updates continue) |
| ignore | Dependencies or version ranges to skip |
| groups | Bundle several dependency updates into one PR (by name pattern, dependency type, or update type) |
| reviewers | GitHub users or teams to request as reviewers |
| labels | Labels to apply to Dependabot PRs |
| target-branch | Branch to target for version update PRs (default: the repository's default branch) |
Multiple Ecosystems
You can list several entries under `updates` for different ecosystems (or different directories) in the same file:
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "pip"
    directory: "/backend"
    schedule:
      interval: "monthly"
```
Dependency Review
Dependency review prevents pull requests from merging if they introduce vulnerable dependencies (or, optionally, dependencies with disallowed licenses).
How Dependency Review Works
- A PR modifies a dependency manifest (e.g., package.json, requirements.txt)
- The Dependency Review Action runs as a PR check (it relies on the dependency graph, which on private repositories means GHAS)
- It diffs the dependencies between the PR's base and head and looks the added or changed ones up in the GitHub Advisory Database
- If a newly added or updated dependency has a known vulnerability at or above the configured severity (default: low), the check fails; making that check required in branch protection or a ruleset is what actually blocks the merge
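To make the diff-then-check behaviour concrete, here is an added example, written for this page and not taken from the page or from actions/dependency-review-action. It diffs a base and head package.json, evaluates only the dependencies the PR adds or changes, looks them up in an in-memory advisory list, maps CVSS scores to GitHub's severity labels, and fails when a new finding meets the threshold or a denied license appears. The manifests, advisory IDs, vulnerable ranges and license map are constructed sample data (hypothetical packages, not real GHSA/CVE entries); the real action queries the GitHub API instead of a local list.

```python
"""Added example: a minimal model of the dependency review check.

Compares base and head manifests, evaluates ONLY dependencies the PR adds or
changes, looks them up in an advisory source, and fails on a severity threshold
or a denied license. Everything below is constructed sample data (hypothetical
packages and advisory IDs, not real GHSA/CVE identifiers)."""
import json

# Constructed manifests: the PR bumps left-pad, adds fastjson-js and eslint,
# and leaves express untouched.
BASE_PACKAGE_JSON = json.dumps({
    "dependencies": {"left-pad": "1.1.0", "express": "4.18.2"},
})
HEAD_PACKAGE_JSON = json.dumps({
    "dependencies": {"left-pad": "1.3.0", "express": "4.18.2", "fastjson-js": "2.0.1"},
    "devDependencies": {"eslint": "8.0.0"},
})

# Constructed stand-in for the GitHub Advisory Database (inclusive vulnerable ranges).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "fastjson-js", "vulnerable": ("2.0.0", "2.0.1"), "cvss": 9.1},
    {"id": "EXAMPLE-0002", "package": "express", "vulnerable": ("4.0.0", "4.18.2"), "cvss": 5.3},
]
# Constructed license metadata (the real action gets this from the dependency graph).
LICENSES = {"left-pad": "MIT", "express": "MIT", "fastjson-js": "GPL-3.0", "eslint": "MIT"}

SEVERITY_RANK = ["low", "moderate", "high", "critical"]  # GitHub's labels, ascending


def parse_version(version):
    """Turn 'x.y.z' into a comparable tuple (sample data is plain numeric semver)."""
    return tuple(int(part) for part in version.split("."))


def cvss_to_severity(score):
    """Map a CVSS base score to GitHub's severity label (same bands as the table above)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "moderate"
    return "low"


def manifest_deps(text):
    """Flatten dependencies and devDependencies into one {name: version} map."""
    data = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(data.get(section, {}))
    return deps


def diff_dependencies(base_text, head_text):
    """Return {name: version} for dependencies the PR adds or changes (removals ignored)."""
    base, head = manifest_deps(base_text), manifest_deps(head_text)
    return {name: ver for name, ver in head.items() if base.get(name) != ver}


def find_advisories(name, version):
    """Advisories whose vulnerable range contains this exact version."""
    ver = parse_version(version)
    return [a for a in ADVISORIES
            if a["package"] == name
            and parse_version(a["vulnerable"][0]) <= ver <= parse_version(a["vulnerable"][1])]


def review(base_text, head_text, fail_on_severity="high", deny_licenses=()):
    """Emulate the check. Returns (passed, findings); only the diff is evaluated,
    so a vulnerable dependency that the PR did not touch never appears here."""
    threshold = SEVERITY_RANK.index(fail_on_severity)
    findings = []
    for name, version in diff_dependencies(base_text, head_text).items():
        for adv in find_advisories(name, version):
            sev = cvss_to_severity(adv["cvss"])
            findings.append({"package": name, "version": version, "advisory": adv["id"],
                             "severity": sev, "blocking": SEVERITY_RANK.index(sev) >= threshold})
        lic = LICENSES.get(name)
        if lic in deny_licenses:
            findings.append({"package": name, "version": version, "license": lic, "blocking": True})
    passed = not any(f["blocking"] for f in findings)
    return passed, findings


if __name__ == "__main__":
    ok, found = review(BASE_PACKAGE_JSON, HEAD_PACKAGE_JSON, "high", ("GPL-3.0",))
    print("check passed:", ok)
    for f in found:
        print(f)
```

Running it reports two blocking findings, both for the newly added fastjson-js (a critical advisory and a denied license), while the moderate advisory on the unchanged express dependency is never evaluated. That second point is the exam trap: the check sees the diff, not the tree.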
Adding the Dependency Review Action
```yaml
# .github/workflows/dependency-review.yml
name: Dependency Review
on: [pull_request]
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Dependency Review
        uses: actions/dependency-review-action@v4
```
Configuring Dependency Review
```yaml
- name: Dependency Review
  uses: actions/dependency-review-action@v4
  with:
    fail-on-severity: high            # Fail only on high or critical vulnerabilities (default is low)
    deny-licenses: GPL-3.0, LGPL-2.0  # Fail if a changed dependency carries one of these licenses
    # allow-licenses: MIT, Apache-2.0 # Allowlist alternative; the action rejects allow-licenses together with deny-licenses
    comment-summary-in-pr: always     # Post a summary comment; the job then needs `pull-requests: write`
```
Exam Trap
Dependency review only evaluates the dependencies a PR adds or changes; it does not scan the repository's existing dependency tree. For that you need Dependabot alerts on the repository.
Dependency Review vs Dependabot Alerts
| | Dependency Review | Dependabot Alerts |
|---|---|---|
| When | At PR time | Continuously, as advisories are published |
| What it scans | Dependencies added or changed in the PR diff | All current dependencies |
| Action | Fails the PR check (blocks merge when required) | Creates an alert |
| Requires GHAS | Yes (private repos) | No (all repos) |
SBOM (Software Bill of Materials)
GitHub can export a Software Bill of Materials, a complete inventory of the dependencies recorded in a repository's dependency graph.
Exporting an SBOM
- UI: Insights → Dependency graph → Export SBOM
- API: GET /repos/{owner}/{repo}/dependency-graph/sbom
- Format: SPDX (Software Package Data Exchange) JSON
Use cases: supply chain audits, compliance requirements (e.g., the US Executive Order on cybersecurity, EO 14028), license inventory.
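An SBOM is only useful once something consumes it. The following added example (mine, not the page's and not GitHub tooling) parses an SPDX 2.3 JSON document, extracts each package's purl, builds a per-ecosystem inventory, and produces a license report against an allowlist. The embedded document is constructed sample data in the SPDX `packages` / `externalRefs` layout; I assume the GitHub API wraps the SPDX document under an `sbom` key, so the loader accepts both that wrapper and a bare SPDX document.

```python
"""Added example: consume an SPDX JSON SBOM for inventory and license review.

The SBOM below is constructed sample data (hypothetical packages). It follows the
SPDX 2.3 JSON layout (packages with licenseConcluded and a purl externalRef) and
is wrapped under an "sbom" key, which is how I assume the GitHub API returns it."""
import json
from collections import Counter
from urllib.parse import unquote

SAMPLE_SBOM = json.dumps({
    "sbom": {
        "spdxVersion": "SPDX-2.3",
        "name": "com.github.example/demo-app",
        "packages": [
            {"SPDXID": "SPDXRef-npm-express-4.18.2", "name": "npm:express", "versionInfo": "4.18.2",
             "licenseConcluded": "MIT",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:npm/express@4.18.2"}]},
            {"SPDXID": "SPDXRef-npm-babel-core-7.23.0", "name": "npm:@babel/core", "versionInfo": "7.23.0",
             "licenseConcluded": "MIT",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:npm/%40babel/core@7.23.0"}]},
            {"SPDXID": "SPDXRef-pip-requests-2.31.0", "name": "pip:requests", "versionInfo": "2.31.0",
             "licenseConcluded": "Apache-2.0",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
            {"SPDXID": "SPDXRef-pip-some-gpl-lib-1.0.0", "name": "pip:some-gpl-lib", "versionInfo": "1.0.0",
             "licenseConcluded": "GPL-3.0-only",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:pypi/some-gpl-lib@1.0.0"}]},
            {"SPDXID": "SPDXRef-maven-unknown-lib-0.9", "name": "maven:com.example:unknown-lib", "versionInfo": "0.9",
             "licenseConcluded": "NOASSERTION",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                               "referenceLocator": "pkg:maven/com.example/unknown-lib@0.9"}]},
        ],
    }
})


def parse_purl(purl):
    """Split a package URL of the form pkg:type/namespace/name@version?qualifiers#subpath.
    Percent-encoded namespace characters (e.g. %40 for '@') are decoded after the split."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]   # drop subpath and qualifiers
    body, _, version = body.partition("@")                # encoded '@' in names is %40, so this is the version separator
    parts = body.split("/")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return {"type": parts[0], "namespace": namespace, "name": unquote(parts[-1]), "version": version or None}


def load_packages(sbom_text):
    """Return a flat list of packages with name, version, concluded license and parsed purl."""
    doc = json.loads(sbom_text)
    doc = doc.get("sbom", doc)  # accept the API wrapper or a bare SPDX document
    packages = []
    for pkg in doc.get("packages", []):
        purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                     if ref.get("referenceType") == "purl"), None)
        packages.append({
            "name": pkg["name"],
            "version": pkg.get("versionInfo"),
            "license": pkg.get("licenseConcluded", "NOASSERTION"),
            "purl": parse_purl(purl) if purl else None,
        })
    return packages


def inventory_by_ecosystem(sbom_text):
    """Count packages per purl type (npm, pypi, maven, ...)."""
    return Counter(p["purl"]["type"] for p in load_packages(sbom_text) if p["purl"])


def license_report(sbom_text, allowed):
    """Return (allowed, denied, unknown) package-name lists for a license allowlist.
    NOASSERTION/NONE are reported separately: an unknown license is a gap to
    resolve, not a pass."""
    ok, denied, unknown = [], [], []
    for p in load_packages(sbom_text):
        lic = p["license"]
        if lic in (None, "NOASSERTION", "NONE"):
            unknown.append(p["name"])
        elif lic in allowed:
            ok.append(p["name"])
        else:
            denied.append(p["name"])
    return ok, denied, unknown


if __name__ == "__main__":
    print(dict(inventory_by_ecosystem(SAMPLE_SBOM)))
    print(license_report(SAMPLE_SBOM, {"MIT", "Apache-2.0"}))
```

Against the sample document this yields two npm, two pypi and one maven package, one denied license (the GPL-3.0-only package) and one package with no concluded license. Treating NOASSERTION as its own bucket matters in practice: an allowlist check that silently passes unknown licenses is not an inventory.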
Domain 3 Quick Quiz
What is the difference between Dependabot security updates and Dependabot version updates?