08_dependabot_default.md

File metadata and controls

58 lines (35 loc) · 2.82 KB

Dependabot Default Settings

Useful Links

Instructions

  1. Ensure you have a GitHub Advanced Security license. Check with your administrator if you are unsure.

  2. Clone the public repo, https://github.com/ewg-atmosera/flask_app, to your local computer.

    git clone https://github.com/ewg-atmosera/flask_app
  3. Create a new repo in your GitHub account named flask_app, and push the cloned repo to it.

    git remote add explore-dependency-scanning <YOUR GIT REPO URL>
    git push explore-dependency-scanning main
  4. In your new repo, click the top tab Security, then click the side tab Dependabot.

  5. Review the Dependabot alerts. There will be some high, moderate, and low severity alerts. These alerts are for outdated dependencies in the project. Additionally, you will start to receive email notifications for these alerts.

  6. Review the first Dependabot alert; it should be a high severity alert. After reviewing the alert, click the Create Dependabot security update button. It will take a few moments for the security update to be generated.

  7. To view the security update, click the Pull requests tab. You will see the security update pull request. Review the changes but do not merge the pull request.

  8. By this point, you should have received some emails from GitHub about the Dependabot alerts. Review the emails and the alerts in the GitHub UI.

  9. In your new repo, click the top tab Security, then click the side tab Dependabot.

  10. In the upper-right corner, click the Configure button, and select Manage repository vulnerability settings.

    Note: The other two options, Manage Dependabot rules and Manage account notification settings can be accessed from this button or from within the repo security settings accessed through the first option.

  11. Review the dependency and Dependabot settings. You can change the settings to meet your needs. For example, you can change the frequency of Dependabot alerts, or you can change the severity level of alerts that you want to receive.

  12. Click the gear icon to edit the Dependabot rules. Click the New rule button to add a new rule with the following settings:

    • Rule Name: Low Severity Dismiss Until Patch Then PR
    • State: Enabled
    • Target alerts: severity:low
    • Dismiss Alerts: checked
    • Until patch is available: selected
    • Open a pull request to resolve alerts: selected

    Then, click the Create rule button.

  13. Click the large Code Security link at the top of the Dependabot rules page. Then click the Configure alert notifications link under Dependabot alerts.

  14. Scroll down to Dependabot alerts: New vulnerabilities. Review the configuration options.
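The rule created in step 12 is easier to reason about when its decision logic is written down. The following is an added example, not part of this lab or of the flask_app repository: it mirrors the rule (target severity low, dismiss until a patch is available, otherwise open a pull request) against alert records shaped like the GitHub REST endpoint GET /repos/{owner}/{repo}/dependabot/alerts returns. The field mapping (number, state, security_advisory.severity, security_vulnerability.first_patched_version) is an assumption to check against the API docs, and the sample alerts are constructed, not real alerts from the repo.

```python
"""Mirror the step-12 Dependabot auto-triage rule against alert records.

Added example, not part of the lab. The record layout below follows the
fields the Dependabot alerts REST endpoint returns (assumption: verify
against the current API reference). Note the API reports the severity the
UI calls "moderate" as "medium".
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Constructed sample alerts (not from the flask_app repo): one high with a
# patch, one low with no patch yet, one low with a patch, one already fixed.
SAMPLE_ALERTS: list[dict[str, Any]] = [
    {
        "number": 1,
        "state": "open",
        "dependency": {"package": {"ecosystem": "pip", "name": "example-dep-a"},
                       "manifest_path": "requirements.txt"},
        "security_advisory": {"severity": "high", "ghsa_id": "GHSA-PLACEHOLDER-1"},
        "security_vulnerability": {"first_patched_version": {"identifier": "2.0.1"}},
    },
    {
        "number": 2,
        "state": "open",
        "dependency": {"package": {"ecosystem": "pip", "name": "example-dep-b"},
                       "manifest_path": "requirements.txt"},
        "security_advisory": {"severity": "low", "ghsa_id": "GHSA-PLACEHOLDER-2"},
        "security_vulnerability": {"first_patched_version": None},
    },
    {
        "number": 3,
        "state": "open",
        "dependency": {"package": {"ecosystem": "pip", "name": "example-dep-c"},
                       "manifest_path": "requirements.txt"},
        "security_advisory": {"severity": "low", "ghsa_id": "GHSA-PLACEHOLDER-3"},
        "security_vulnerability": {"first_patched_version": {"identifier": "1.4.2"}},
    },
    {
        "number": 4,
        "state": "fixed",
        "dependency": {"package": {"ecosystem": "pip", "name": "example-dep-d"},
                       "manifest_path": "requirements.txt"},
        "security_advisory": {"severity": "low", "ghsa_id": "GHSA-PLACEHOLDER-4"},
        "security_vulnerability": {"first_patched_version": {"identifier": "0.9.0"}},
    },
]


@dataclass(frozen=True)
class TriageRule:
    """The knobs exposed by the 'New rule' form in step 12."""
    name: str
    enabled: bool
    target_severities: frozenset[str]   # the 'Target alerts: severity:...' filter
    dismiss_until_patch: bool           # 'Dismiss alerts' + 'Until patch is available'
    open_pull_request: bool             # 'Open a pull request to resolve alerts'


STEP_12_RULE = TriageRule(
    name="Low Severity Dismiss Until Patch Then PR",
    enabled=True,
    target_severities=frozenset({"low"}),
    dismiss_until_patch=True,
    open_pull_request=True,
)


def patch_available(alert: dict[str, Any]) -> bool:
    """True when the advisory lists a first patched version for this alert."""
    fpv = alert.get("security_vulnerability", {}).get("first_patched_version")
    return bool(fpv and fpv.get("identifier"))


def triage(alert: dict[str, Any], rule: TriageRule) -> str:
    """Return the action the rule implies for one alert.

    'ignore'  - rule disabled, alert not open, or severity not targeted
    'dismiss' - dismiss until a patched version is published
    'pr'      - a patched version exists, so a security update PR is opened
    'keep'    - targeted, but the rule has no action configured for this case
    """
    if not rule.enabled or alert.get("state") != "open":
        return "ignore"
    severity = str(alert.get("security_advisory", {}).get("severity", "")).lower()
    if severity not in rule.target_severities:
        return "ignore"
    if patch_available(alert):
        return "pr" if rule.open_pull_request else "keep"
    return "dismiss" if rule.dismiss_until_patch else "keep"


def triage_all(alerts: list[dict[str, Any]], rule: TriageRule) -> dict[int, str]:
    """Map each alert number to the action the rule would take."""
    return {a["number"]: triage(a, rule) for a in alerts}


def needs_manual_review(alerts: list[dict[str, Any]], rule: TriageRule) -> list[int]:
    """Open alerts the rule does not touch; these still need a human (steps 6-7)."""
    return [a["number"] for a in alerts
            if a.get("state") == "open" and triage(a, rule) == "ignore"]


if __name__ == "__main__":
    for number, action in triage_all(SAMPLE_ALERTS, STEP_12_RULE).items():
        print(f"alert #{number}: {action}")
    print("manual review:", needs_manual_review(SAMPLE_ALERTS, STEP_12_RULE))
```

Running the block shows that the rule only ever acts on open low-severity alerts: the high-severity alert (#1) is left for the manual review and security update you performed in steps 6 and 7, the unpatched low alert (#2) is dismissed until a patch ships, and the patched low alert (#3) gets a pull request. Widening `target_severities` or disabling the rule changes the outcome in the obvious way, which is a quick way to sanity-check a rule before creating it in the UI.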