DependaBot
This project is a dependency management bot that helps manage project dependencies and automatically updates packages when security vulnerabilities are detected.
Workflow
- Automatically scan projects for security vulnerabilities using configured scanners (default: trivy)
- Select the Go packages that need upgrading (supports multiple languages, currently focused on Go)
- Navigate to the project's go.mod directory and upgrade vulnerable packages to fixed versions using go get
- Create a branch and pull request based on the changes, using gh cli for GitHub pull requests
Features
- Support for multiple security scanners (Trivy, GovulnCheck, etc.)
- Support for multi-language dependency updates
- Support for multiple git service providers
- Automatic package upgrades to fixed versions using language-specific package managers
- Detailed update logs and error reports
- Support for configuration files and command-line parameters
- Automatic Pull Request creation
- Submodule cloning support
- Custom script execution hooks (Pre-scan, Post-scan, Pre-commit, Post-commit)
- Go get commands output generation
Installation
Install from Source
# Clone repository
git clone https://github.com/AlaudaDevOps/toolbox/dependabot.git
cd dependabot
# Build project
make install
Go Install
go install github.com/AlaudaDevops/toolbox/dependabot@main
which dependabot
Usage
Basic Usage
# Local project mode (automatic scanning)
dependabot --dir /path/to/your/project
# Remote repository mode (clone + automatic scanning)
dependabot --repo.url https://github.com/user/repo.git
# Specify branch
dependabot --repo.url https://github.com/user/repo.git --repo.branch develop
# Enable automatic PR creation (this will also enable branch push)
dependabot --repo.url https://github.com/user/repo.git --pr.autoCreate
# Enable automatic branch push only (without PR creation)
dependabot --repo.url https://github.com/user/repo.git --pr.pushBranch
# Clone with submodules
dependabot --repo.url https://github.com/user/repo.git --repo.includeSubmodules
# View help information
dependabot --help
Command Line Parameters
--config config file
--debug enable debug log output
--dir path to project directory containing go.mod (default "." , the current directory)
--git.baseUrl Base API URL of the Git provider (e.g., https://api.github.com for GitHub, https://gitlab.example.com for GitLab) (default "https://api.github.com")
--git.provider Git provider type (e.g., github, gitlab) (default "github")
--git.token Access token for the Git provider (used for authentication and PR creation)
--pr.autoCreate enable automatic PR creation
--pr.pushBranch enable automatic branch push (automatically enabled when --pr.autoCreate is true)
--repo.branch branch to clone and create PR against (default "main")
--repo.url repository URL to clone and analyze (alternative to --dir)
--repo.includeSubmodules include submodules when cloning repository (default: false)
Configuration System
DependaBot supports a three-tier configuration system, with priority from lowest to highest:
- Repository Configuration (searched in order):
  - .dependabot.yml in project root directory
  - .dependabot.yaml in project root directory
  - .github/dependabot.yml
  - .github/dependabot.yaml
- Local Configuration File: the first matching file from the following locations (in order of priority):
  - the file specified by the --config parameter
  - .dependabot.yaml in the current directory
  - .dependabot.yml in the home directory
- Command Line Parameters (highest priority)
Repository Configuration File
The repository configuration file supports both the GitHub dependabot configuration format and our custom format, allowing seamless transition to this project for vulnerability management.
Example GitHub dependabot configuration:
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "gomod" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "yearly"
    open-pull-requests-limit: 0
    groups:
      gomod:
        update-types:
          - patch
          - minor
        applies-to: security-updates
        patterns:
          - "*"
    reviewers:
      - somebody
    assignees:
      - somebody
Local Configuration File
Create a configuration file anywhere and specify it using the --config parameter:
pr:
  autoCreate: false
  pushBranch: false
  labels:
    - dependencies
  assignees:
    - somebody
git:
  provider: github
  token: xxx
# Configure scanner and its parameters
scanner:
  type: "trivy"
  timeout: "8m"
  params:
    - "--ignore-unfixed"
    - "--scanners"
    - "vuln,secret"
# Custom script configuration for pipeline hooks
hooks:
  # Pre-scan script: executed before security scanning
  # Use case: prepare environment, install dependencies, run tests
  preScan:
    script: |
      #!/bin/bash
      echo "Running pre-scan setup..."
    timeout: "10m"
    continueOnError: false # Pipeline will stop if this script fails
  # Post-scan script: executed after security scanning
  # Use case: process scan results, generate reports, send notifications
  postScan:
    script: |
      #!/bin/bash
      echo "Processing scan results..."
      # Add custom logic to process vulnerability scan results
    timeout: "5m"
    continueOnError: true # Pipeline will continue even if this script fails
  # Pre-commit script: executed before committing changes
  # Use case: validate changes, run additional checks, format code
  preCommit:
    script: |
      #!/bin/bash
      echo "Running pre-commit checks..."
    timeout: "10m"
    continueOnError: true # Pipeline will continue even if this script fails
  # Post-commit script: executed after committing changes
  # Use case: run tests, trigger CI/CD, send notifications
  postCommit:
    script: |
      #!/bin/bash
      echo "Running post-commit tasks..."
      # Add custom logic like running tests, triggering CI/CD
    timeout: "15m"
    continueOnError: true # Pipeline will continue even if this script fails
# Updater configuration
updater:
  go:
    # Indicate the file to store the go get commands
    commandOutputFile: ".tekton/patches/dependabot-go-get-commands.sh"
Git Provider Support
DependaBot currently supports GitHub and GitLab providers. You can specify the provider using the --git.provider parameter or configure it in the local configuration file.
# github provider example
git:
  provider: github
  token: xxx
# gitlab provider example
git:
  provider: gitlab
  token: xxx
  baseUrl: https://gitlab.example.com
Notice Configuration
Notice configuration is used to send notifications about the vulnerability updates.
Currently, only WeCom webhook is supported.
notice:
  type: "wecom" # or "wechat"
  params:
    webhook_url: "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=YOUR_KEY"
Generated Go Get Commands
When DependaBot detects vulnerabilities in Go dependencies, it generates a script file containing the necessary go get commands to upgrade the vulnerable packages to their fixed versions. This file is created at the path specified in the updater.go.commandOutputFile configuration.
Example of generated commands:
go get github.com/cloudflare/circl@v1.6.1
go get github.com/go-jose/go-jose/v3@v3.0.4
go get github.com/go-jose/go-jose/v4@v4.0.5
go get github.com/golang-jwt/jwt/v4@v4.5.2
go get github.com/open-policy-agent/opa@v1.4.0
go mod tidy
These commands can be executed manually or integrated into CI/CD pipelines to automatically apply the security updates.
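As an added example (not code from the DependaBot project), the scan-filter-generate step for Go can be implemented like this: read a Trivy JSON report, keep only gomod findings that have a fixed version, settle on one target version per module when several CVEs hit the same module, and emit the go get lines plus go mod tidy in the form shown above. The field names follow Trivy's report format; using the first listed fix when Trivy reports several, and the integer version ordering, are assumptions of this example.

```go
package main
import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// trivyReport is the subset of Trivy's JSON report read here (field names match the JSON keys).
type trivyReport struct {
	Results []struct {
		Type            string
		Vulnerabilities []struct{ PkgName, FixedVersion string }
	}
}

// vkey makes canonical "vX.Y.Z" versions comparable (assumes no pre-release suffix).
func vkey(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	return a<<40 | b<<20 | c
}

// GoGetCommands keeps gomod findings that have a fix, picks the highest fixed version
// per module (one module may carry several CVEs) and returns sorted "go get" lines plus "go mod tidy".
func GoGetCommands(report []byte) ([]string, error) {
	var r trivyReport
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, err
	}
	want := map[string]string{} // module path -> version to go get
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			fixed := strings.TrimSpace(strings.Split(v.FixedVersion, ",")[0]) // first of a "v1, v2" list
			if res.Type != "gomod" || fixed == "" {
				continue // not a Go module, or no fix published yet
			}
			if cur, ok := want[v.PkgName]; !ok || vkey(cur) < vkey(fixed) {
				want[v.PkgName] = fixed
			}
		}
	}
	var lines []string
	for pkg, ver := range want {
		lines = append(lines, "go get "+pkg+"@"+ver)
	}
	sort.Strings(lines)
	return append(lines, "go mod tidy"), nil
}
```

Write the returned lines to the path configured in updater.go.commandOutputFile to reproduce the generated script.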
Pipeline Execution Flow
The DependaBot pipeline executes in the following order:
- Git Clone - Clone the repository
- Pre-scan Hook - Prepare environment before security scanning
- Security Scanning - Scan for vulnerabilities using configured scanner
- Post-scan Hook - Process scan results, generate reports
- Package Updates - Update vulnerable packages to fixed versions
- Pre-commit Hook - Validate changes before committing
- Commit Changes - Create branch, commit and push changes
- Post-commit Hook - Run tests, trigger CI/CD after commit
- PR Creation - Create pull request (if enabled)
- Notification - Send notification about updates (if configured)
Each hook is optional and can be configured with custom scripts, timeout settings, and error handling behavior.