111 changes: 51 additions & 60 deletions .github/dependabot.yml
@@ -1,26 +1,41 @@
# Dependabot version-update configuration.
# Dependabot configuration: security-only.
#
# Why this file exists:
# Without an explicit allowlist, Dependabot's auto-discovery walks every
# manifest in the repo, including the 70+ go.mod files we keep under
# rules/**/tests/ and sast-engine/test-fixtures/. Those are intentionally
# vulnerable fixtures used to self-test pathfinder's rules; the deps they
# pin are deliberately old (e.g. dgrijalva/jwt-go@v3.2.0 for GO-JWT-002,
# vulnerable gorm releases for GO-GORM-SQLI-*). Letting Dependabot file
# version-update PRs against them would break the very thing they exist
# to test.
# What this enables:
# - Dependabot security updates: PRs opened automatically when a tracked
# manifest contains a dependency with a published advisory. Triggered
# by Dependabot alerts; not subject to schedule or open-pr-limit.
#
# This config explicitly enumerates the SEVEN real manifest locations.
# Anything not listed here is left untouched. Test-fixture go.mods stay
# at their pinned vulnerable versions.
# What this disables:
# - Routine "bump axios from 1.2.3 to 1.2.4" version-bump PRs. Each
# ecosystem below sets open-pull-requests-limit: 0, which the GitHub
# docs document as the supported way to keep an ecosystem registered
# for security updates while suppressing every version-update PR.
#
# Note: this file controls version-update PRs only. Dependabot ALERTS
# (the Security tab) are built off the dependency graph and have no
# repo-file mechanism to exclude paths. For those, use
# Settings -> Security -> Dependabot -> Auto-triage rules in the GitHub
# UI to auto-dismiss alerts whose manifest path matches
# rules/** or sast-engine/test-fixtures/** with reason
# "tolerable_risk" or "not_used".
# Why security-only:
# Supply-chain attacks via npm/PyPI/Go modules have become routine
# (chained typosquats, post-install scripts, account takeovers of
# maintainer accounts). A constant stream of merge-this-patch-bump PRs
# produces alert fatigue and tempts a quick rubber-stamp on a malicious
# release. Reserving Dependabot's noise budget for actual CVEs keeps
# reviewer attention where it matters.
#
# Why the explicit allowlist still matters:
# Without the seven entries below, Dependabot's auto-discovery would
# also track the ~70 go.mod files under rules/**/tests/ and
# sast-engine/test-fixtures/, which pin deliberately vulnerable
# versions (dgrijalva/jwt-go@v3.2.0 for GO-JWT-002, vulnerable gorm
# releases for GO-GORM-SQLI-*, etc.). Letting Dependabot file
# "security updates" against those would silently break the rules
# they exist to test. The allowlist scopes BOTH version AND security
# updates to the seven real manifest locations.
#
# Severity filtering (high/critical only):
# open-pull-requests-limit cannot filter by severity. To suppress
# medium/low security update PRs, add auto-triage rules under
# Settings -> Security -> Dependabot -> Auto-triage rules with
# action = "Auto-dismiss alert", filter on severity <= medium. Those
# rules also dismiss the underlying alerts from the Security tab,
# keeping the queue focused on what actually merits a hotfix.

version: 2

Expand All @@ -31,29 +46,23 @@ updates:
directory: "/sast-engine"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 10
open-pull-requests-limit: 0
labels:
- "dependencies"
- "go"
- "security"
commit-message:
prefix: "chore(deps)"
groups:
go-minor-patch:
applies-to: version-updates
update-types:
- "minor"
- "patch"

- package-ecosystem: "gomod"
directory: "/sast-engine/tools/validate_go_resolution"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
open-pull-requests-limit: 0
labels:
- "dependencies"
- "go"
- "security"
commit-message:
prefix: "chore(deps)"

Expand All @@ -63,10 +72,10 @@ updates:
directory: "/sast-engine"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
open-pull-requests-limit: 0
labels:
- "dependencies"
- "security"
commit-message:
prefix: "chore(deps)"

Expand All @@ -76,29 +85,23 @@ updates:
directory: "/python-sdk"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
open-pull-requests-limit: 0
labels:
- "dependencies"
- "python"
- "security"
commit-message:
prefix: "chore(deps)"
groups:
python-minor-patch:
applies-to: version-updates
update-types:
- "minor"
- "patch"

- package-ecosystem: "pip"
directory: "/sast-engine/tools/typeshed-converter"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
open-pull-requests-limit: 0
labels:
- "dependencies"
- "python"
- "security"
commit-message:
prefix: "chore(deps)"

Expand All @@ -108,27 +111,21 @@ updates:
directory: "/extension/secureflow"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
open-pull-requests-limit: 0
labels:
- "dependencies"
- "security"
commit-message:
prefix: "chore(deps)"
groups:
npm-minor-patch:
applies-to: version-updates
update-types:
- "minor"
- "patch"

- package-ecosystem: "npm"
directory: "/extension/secureflow/packages/secureflow-cli"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
open-pull-requests-limit: 0
labels:
- "dependencies"
- "security"
commit-message:
prefix: "chore(deps)"

Expand All @@ -139,16 +136,10 @@ updates:
directory: "/"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
open-pull-requests-limit: 0
labels:
- "dependencies"
- "github_actions"
- "security"
commit-message:
prefix: "chore(deps)"
groups:
gh-actions-minor-patch:
applies-to: version-updates
update-types:
- "minor"
- "patch"
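Review bot: The new header's statement `# they exist to test. The allowlist scopes BOTH version AND security` / `# updates to the seven real manifest locations.` conflicts with the paragraph this commit removes, which said Dependabot alerts are built from the dependency graph and have no repo-file mechanism to exclude paths; if that removed statement is still accurate, the fixture go.mods under rules/**/tests/ and sast-engine/test-fixtures/ will keep raising alerts in the Security tab even though no PR is opened for them, and the removed pointer to path-based auto-triage rules was the only documented way to keep those out of the queue. I would keep that paragraph next to the new severity-filtering one, or narrow the claim to "scopes security update PRs" and say explicitly that alerts on unlisted manifests are unaffected. The deleted `day: "monday"` lines are fine, but it is worth a one-line comment that `schedule:` must stay even at `open-pull-requests-limit: 0` because `interval` is a required key, so a later cleanup does not strip it and break the config.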