Enable Dependabot to Auto-Detect and Fix Dependency Vulns
Fork GitHub's demo repo, enable Dependabot alerts, security updates and version updates under repo Settings > Advanced Security, review findings in the Security tab, merge the automatic PRs for fixes such as the lodash command injection, or dismiss alerts with a comment that preserves the audit trail.
Dependabot's Three Features Secure Dependencies
Dependabot scans your repo's dependency graph and covers three jobs: alerts notify you of known vulnerabilities in the packages you depend on; security updates automatically open pull requests (PRs) that bump a vulnerable package to a patched version; version updates open PRs for routine, non-security dependency bumps. Enabling all three covers detection, urgent fixes, and ongoing maintenance. GitHub enables the dependency graph automatically on first activation, building it from package manifests such as package-lock.json.
For hands-on testing, fork the https://github.com/dependabot/demo repository: choose an owner, keep or change the name, and create the fork. The demo deliberately ships a real vulnerable dependency ('Command Injection in lodash') so you can practise the whole alert-to-fix flow.
One-Click Enablement and Config in Repo Settings
In your forked repo, open Settings > Advanced Security (under the Security sidebar) and enable Dependabot alerts, security updates, and version updates. Enabling version updates makes GitHub generate a default dependabot.yml in /.github/; edit it to set the package ecosystems, update schedules, directories, and ignore rules (GitHub's example config shows the YAML structure: 'version: 2', an 'updates' array whose entries set a 'package-ecosystem' such as 'npm', 'directory: "/"', and 'schedule: {interval: "daily"}'). Commit the file to activate it.
This setup works for both user and organization repos; org admins can enforce it across all repos from the organization settings.
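An added example, not taken from the page or from the demo repo, of a dependabot.yml for the forked demo using the fields described above; the /javascript directory (inferred from the alert path shown later on this page), the PR limit, the label and the ignore rule are assumptions to adjust for your own repo:

```yaml
# /.github/dependabot.yml for the forked dependabot/demo repo (added example).
# The demo's alert is reported under javascript/package-lock.json, so the npm
# manifest is assumed to live in /javascript; use "/" if it sits at the root.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/javascript"       # folder containing package.json / package-lock.json
    schedule:
      interval: "daily"            # check for new versions once a day
    open-pull-requests-limit: 5    # cap on concurrent version-update PRs (assumed value)
    labels:
      - "dependencies"             # label used to route PRs to the triage owner (assumed)
    ignore:
      # Skip major-version bumps for every package so the PR queue stays reviewable.
      # Caveat: ignore entries can also suppress Dependabot security PRs that match
      # them, so keep them narrow and never ignore a package that has an open alert.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Security updates for the lodash alert are raised independently of this schedule; the file only shapes the routine version-update PRs and what they ignore.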
View, Prioritize, and Drill into Vulnerability Details
Open the alerts from the repo main page > Security tab > Findings > Dependabot > Vulnerabilities (the Open tab is shown by default). Filter by severity, labels, or auto-triage rules to set aside false positives. Click an alert (e.g., lodash in javascript/package-lock.json) to see:
- Package, affected/patched versions.
- Vuln description.
- Severity (via CVSS score), tags, CWEs, CVE/GHSA IDs.
- Link to GitHub Advisory Database advisory.
- Affected repos list.
- Auto PR link: click Review security update to inspect.
The Closed tab lists dismissed alerts. Work through the highest-severity, highest-impact alerts first, since those are the ones most likely to be exploited.
Resolve Alerts: Merge PRs or Dismiss with Justification
To apply a fix, click Review security update on the alert. Dependabot's PR shows the commits and the changelog diff between the current and patched versions. PR commands (reachable via the Dependabot commands/options link) such as /merge to auto-merge or /rebase control the PR. Merging applies the patched version and closes the alert.
To dismiss an alert instead: Alert details > Dismiss alert > select a reason (e.g., 'fixed outside Dependabot', 'not used', 'acceptable risk') > add a comment for the audit trail > confirm. Dismissed alerts move to the Closed tab.
If a PR is blocked or a vulnerable dependency is not detected, consult GitHub's docs on Dependabot errors and on vulnerable dependency detection. Next steps: customize notifications, set organization policies, manage Dependabot PRs, or browse the GitHub Advisory Database.