From 2c5d2ce6219a9ed15dc6b72e0fe691e584e3e88f Mon Sep 17 00:00:00 2001
From: shivasurya
Date: Thu, 21 May 2026 21:42:11 -0400
Subject: [PATCH] chore(deps): switch Dependabot to security-only (suppress version bumps)
Routine "bump axios from 1.2.3 to 1.2.4" PRs are out, security update PRs for CVEs are in.
Implemented via open-pull-requests-limit: 0 on every ecosystem block, which the GitHub docs document as the supported way to keep an ecosystem registered for security updates while suppressing version-update PRs.
Why now: supply-chain attacks via npm / PyPI / Go modules have become routine (chained typosquats, post-install scripts, account takeovers of maintainer accounts). A constant stream of merge-this-patch PRs produces alert fatigue and tempts a quick rubber-stamp on a malicious release. Reserving Dependabot's noise budget for actual advisories keeps reviewer attention where it matters.
What still works:
- Dependabot security updates open PRs when a tracked manifest hits a published advisory. Not subject to the open-pr limit.
- The seven-manifest allowlist still scopes BOTH version AND security updates, so the deliberately vulnerable fixtures under rules/** and sast-engine/test-fixtures/** stay untouched.
- Existing labels and chore(deps) prefix carry over to security PRs.
- New "security" label added across all blocks so the PRs that DO open are immediately filterable.
Severity filtering (the user's "high and critical only" ask): open-pull-requests-limit can't filter by severity. To suppress medium/low security PRs and dismiss the underlying alerts, configure auto-triage rules under Settings -> Security -> Dependabot -> Auto-triage rules. Documented in the file header.
---
.github/dependabot.yml | 111 +++++++++++++++++++----------------------
1 file changed, 51 insertions(+), 60 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4a811f7f..c71472bf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,26 +1,41 @@ -# Dependabot version-update configuration. +# Dependabot configuration: security-only. # -# Why this file exists: -# Without an explicit allowlist, Dependabot's auto-discovery walks every -# manifest in the repo, including the 70+ go.mod files we keep under -# rules/**/tests/ and sast-engine/test-fixtures/. Those are intentionally -# vulnerable fixtures used to self-test pathfinder's rules; the deps they -# pin are deliberately old (e.g. dgrijalva/jwt-go@v3.2.0 for GO-JWT-002, -# vulnerable gorm releases for GO-GORM-SQLI-*). Letting Dependabot file -# version-update PRs against them would break the very thing they exist -# to test. +# What this enables: +# - Dependabot security updates: PRs opened automatically when a tracked +# manifest contains a dependency with a published advisory. Triggered +# by Dependabot alerts; not subject to schedule or open-pr-limit. # -# This config explicitly enumerates the SEVEN real manifest locations. -# Anything not listed here is left untouched. Test-fixture go.mods stay -# at their pinned vulnerable versions. +# What this disables: +# - Routine "bump axios from 1.2.3 to 1.2.4" version-bump PRs. Each +# ecosystem below sets open-pull-requests-limit: 0, which the GitHub +# docs document as the supported way to keep an ecosystem registered +# for security updates while suppressing every version-update PR. # -# Note: this file controls version-update PRs only. Dependabot ALERTS -# (the Security tab) are built off the dependency graph and have no -# repo-file mechanism to exclude paths. For those, use -# Settings -> Security -> Dependabot -> Auto-triage rules in the GitHub -# UI to auto-dismiss alerts whose manifest path matches -# rules/** or sast-engine/test-fixtures/** with reason -# "tolerable_risk" or "not_used". +# Why security-only: +# Supply-chain attacks via npm/PyPI/Go modules have become routine +# (chained typosquats, post-install scripts, account takeovers of +# maintainer accounts). 
A constant stream of merge-this-patch-bump PRs +# produces alert fatigue and tempts a quick rubber-stamp on a malicious +# release. Reserving Dependabot's noise budget for actual CVEs keeps +# reviewer attention where it matters. +# +# Why the explicit allowlist still matters: +# Without the seven entries below, Dependabot's auto-discovery would +# also track the ~70 go.mod files under rules/**/tests/ and +# sast-engine/test-fixtures/, which pin deliberately vulnerable +# versions (dgrijalva/jwt-go@v3.2.0 for GO-JWT-002, vulnerable gorm +# releases for GO-GORM-SQLI-*, etc.). Letting Dependabot file +# "security updates" against those would silently break the rules +# they exist to test. The allowlist scopes BOTH version AND security +# updates to the seven real manifest locations. +# +# Severity filtering (high/critical only): +# open-pull-requests-limit cannot filter by severity. To suppress +# medium/low security update PRs, add auto-triage rules under +# Settings -> Security -> Dependabot -> Auto-triage rules with +# action = "Auto-dismiss alert", filter on severity <= medium. Those +# rules also dismiss the underlying alerts from the Security tab, +# keeping the queue focused on what actually merits a hotfix. version: 2 @@ -31,29 +46,23 @@ updates: directory: "/sast-engine" schedule: interval: "weekly" - day: "monday" - open-pull-requests-limit: 10 + open-pull-requests-limit: 0 labels: - "dependencies" - "go" + - "security" commit-message: prefix: "chore(deps)" - groups: - go-minor-patch: - applies-to: version-updates - update-types: - - "minor" - - "patch" - package-ecosystem: "gomod" directory: "/sast-engine/tools/validate_go_resolution" schedule: interval: "weekly" - day: "monday" - open-pull-requests-limit: 5 + open-pull-requests-limit: 0 labels: - "dependencies" - "go" + - "security" commit-message: prefix: "chore(deps)" 
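Review bot: The rewritten header drops the old "Note:" paragraph explaining that Dependabot alerts come from the dependency graph and cannot be path-excluded by this file, so a reader of the new header will assume the fixture go.mods under rules/** and sast-engine/test-fixtures/** are now fully silenced, while the only remaining auto-triage guidance ("Severity filtering") covers severity alone. Keep one sentence of that guidance in the "Why the explicit allowlist still matters" paragraph, e.g. `# Alerts for the fixture manifests still appear in the Security tab; dismiss them with an auto-triage rule on manifest path (rules/**, sast-engine/test-fixtures/**), reason "tolerable_risk" or "not_used".`. The statement that the allowlist scopes security updates as well as version updates is the only thing standing between Dependabot and the deliberately vulnerable fixtures, and it is a claim about GitHub's behaviour rather than about this file, so it would be worth recording in the header how it was verified (for instance a fixture alert that produced no PR) rather than leaving it to be taken on trust. This comment block starts at the top of the first hunk and runs through this line.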
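Review bot: Deleting the `go-minor-patch` group without adding a replacement means each advisory against /sast-engine now opens a separate PR, because the removed group carried `applies-to: version-updates` and never batched security PRs in the first place; the same holds for the python, npm and github_actions blocks in the later hunks (-76,29, -108,27 and -139,16). If the goal is to keep reviewer load low, a group scoped to security updates under the same entry would batch them, as sketched below. The first gomod entry's `package-ecosystem` line sits above this hunk, so the group key belongs at the same indentation as the surviving `labels` and `commit-message` keys.
```yaml
  - package-ecosystem: "gomod"
    directory: "/sast-engine"
    # … unchanged: schedule, open-pull-requests-limit, labels, commit-message …
    groups:
      go-security:
        applies-to: security-updates
        patterns:
          - "*"
```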
@@ -63,10 +72,10 @@ updates: directory: "/sast-engine" schedule: interval: "weekly" - day: "monday" - open-pull-requests-limit: 5 + open-pull-requests-limit: 0 labels: - "dependencies" + - "security" commit-message: prefix: "chore(deps)" @@ -76,29 +85,23 @@ updates: directory: "/python-sdk" schedule: interval: "weekly" - day: "monday" - open-pull-requests-limit: 5 + open-pull-requests-limit: 0 labels: - "dependencies" - "python" + - "security" commit-message: prefix: "chore(deps)" - groups: - python-minor-patch: - applies-to: version-updates - update-types: - - "minor" - - "patch" - package-ecosystem: "pip" directory: "/sast-engine/tools/typeshed-converter" schedule: interval: "weekly" - day: "monday" - open-pull-requests-limit: 5 + open-pull-requests-limit: 0 labels: - "dependencies" - "python" + - "security" commit-message: prefix: "chore(deps)" @@ -108,27 +111,21 @@ updates: directory: "/extension/secureflow" schedule: interval: "weekly" - day: "monday" - open-pull-requests-limit: 5 + open-pull-requests-limit: 0 labels: - "dependencies" + - "security" commit-message: prefix: "chore(deps)" - groups: - npm-minor-patch: - applies-to: version-updates - update-types: - - "minor" - - "patch" - package-ecosystem: "npm" directory: "/extension/secureflow/packages/secureflow-cli" schedule: interval: "weekly" - day: "monday" - open-pull-requests-limit: 5 + open-pull-requests-limit: 0 labels: - "dependencies" + - "security" commit-message: prefix: "chore(deps)" @@ -139,16 +136,10 @@ updates: directory: "/" schedule: interval: "weekly" - day: "monday" - open-pull-requests-limit: 5 + open-pull-requests-limit: 0 labels: - "dependencies" - "github_actions" + - "security" commit-message: prefix: "chore(deps)" - groups: - gh-actions-minor-patch: - applies-to: version-updates - update-types: - - "minor" - - "patch"