This project is not affiliated with, funded by, or associated with the Dependabot team or GitHub

This software is Work in Progress: features will appear and disappear, API will be changed, your feedback is always welcome!

Supported by

jetbrains gitlab foss

Sponsor

If you find this project useful, you can help me cover hosting costs of my dependabot-gitlab test instance:

ko-fi


Application providing automated dependency updates based on dependabot-core

Docker image

  • Dockerhub - docker.io/andrcuns/dependabot-gitlab:latest

Usage

Standalone

It is possible to use the app in "standalone" mode without deploying it. The dependabot-standalone project contains pipeline configuration to run dependency updates via scheduled gitlab pipelines.

This mode can be used similarly to dependabot-script, which inspired the creation of this project. Standalone mode is limited to the following features:

  • basic dependency updates
  • limited ability of MR automerge

Features not supported:

  • automatic closure of superseded merge requests
  • merge request commands
  • webhooks
  • UI with managed project list

Service

dependabot-gitlab is packaged as a docker container and can be deployed via the various means described in the Deployment section.

The deployed (service) version is considered the primary one and has priority when adding and maintaining features.

Deployment

Helm

The preferred way to deploy is via the helm package manager, using the dependabot-gitlab chart.

helm repo add dependabot https://dependabot-gitlab.gitlab.io/chart
helm install dependabot dependabot/dependabot-gitlab --set credentials.gitlab_access_token=$gitlab_access_token

Docker Compose

A simple example deployment can be seen in docker-compose.yml. The deployment consists of 5 containers: web server, sidekiq worker, migrations, mongodb and redis. A simple production-like deployment using docker-compose can be started with the following command:

docker compose up

Configuration

dependabot.yml

The repository must contain a .gitlab/dependabot.yml configuration file for dependabot updates to work. dependabot-gitlab strives to achieve parity with all Github native options. Some options have slightly different behavior, which is described in the documentation linked below.

The following configuration options are currently supported (support for each option is tracked separately for dependabot and dependabot-standalone):

  • package-ecosystem
  • directory
  • allow
  • ignore
  • assignees
  • reviewers
  • approvers
  • commit-message
  • insecure-external-code-execution
  • labels
  • milestone
  • open-pull-requests-limit
  • pull-request-branch-name
  • rebase-strategy
  • target-branch
  • vendor
  • versioning-strategy
  • registries
  • fork
  • updater-options
  • vulnerability-alerts
  • schedule.interval
  • schedule.day
  • schedule.time
  • schedule.timezone
  • schedule.hours

Application

Helm chart

For all configuration options, refer to the chart repository.

Manual

environment.md describes all possible environment variables for use with docker-compose or standalone mode.

Webhooks

If env.dependabotUrl in the helm values or SETTINGS__DEPENDABOT_URL is not set, the following webhooks, with the url http://{dependabot_host}/api/hooks and an optional secret token, have to be created in the project manually:

  • Push events - default repository branch
  • Merge request events
  • Comments
  • Pipeline events

It is possible to set up system hooks at the Gitlab instance level as well. In that case make sure SETTINGS__CREATE_PROJECT_HOOK is set to false so that project-specific hooks are not created automatically.

Security updates

The application supports syncing with the GitHub Advisory Database to retrieve security vulnerability data when performing dependency updates.

This feature requires a github access token to be configured.

Security updates are currently not supported in standalone mode.

Vulnerability alerts

When dependabot-gitlab detects a security vulnerability in a dependency but is unable to update it, it will create a security vulnerability issue.

Adding projects

In order for the application to start updating dependencies, projects have to be registered first; registration creates the scheduled dependency update jobs. Several ways of adding projects exist.

Automatically

Project registration job

It is possible to enable the project registration job, which periodically scans for projects to register. See Configuration options for details.

The job will also update dependency update jobs if the configuration in dependabot.yml has changed, and remove dependency updates for projects that no longer have the configuration.

Since the job tries to register all projects where the user associated with the access token has at least developer access, it might be necessary to disable hook creation, because it requires maintainer level access. SETTINGS__CREATE_PROJECT_HOOK must be set to false in this case.

Additionally option SETTINGS__PROJECT_REGISTRATION_NAMESPACE can restrict namespaces allowed to automatically register projects.

System hook

If the project registration option is set to system_hook, the api/project/registration endpoint is enabled. It listens for the following system hook events to automatically register projects:

  • project_create
  • project_destroy
  • project_rename
  • project_transfer

Additionally option SETTINGS__PROJECT_REGISTRATION_NAMESPACE can restrict namespaces allowed to automatically register projects.

Manually

Project webhook

If the project webhook was added manually beforehand, the project will be registered once the .dependabot.yml configuration file is pushed to the repository.

The project is removed from the dependabot instance if the dependabot.yml file is deleted from the repository.

API

Use the add project endpoint (POST /api/projects).

Rake task

Use the register rake task (dependabot:register[project]).

Api endpoints

Gitlab webhooks

POST /api/hooks

Handles the following gitlab event webhooks:

  • Push events - default repository branch
  • Merge request events
  • Comments
  • Pipeline events

List projects

GET /api/projects

Response:

[
  {
    "id": 1,
    "name": "dependabot-gitlab/dependabot",
    "forked_from_id": null,
    "webhook_id": 1,
    "web_url": "https://gitlab.com/dependabot-gitlab/dependabot",
    "config": [
      {
        "package_manager": "bundler",
        "package_ecosystem": "bundler",
        "directory": "/",
        "milestone": "0.0.1",
        "assignees": ["john_doe"],
        "reviewers": ["john_smith"],
        "approvers": ["jane_smith"],
        "custom_labels": ["dependency"],
        "open_merge_requests_limit": 10,
        "cron": "00 02 * * sun Europe/Riga",
        "branch_name_separator": "-",
        "branch_name_prefix": "dependabot",
        "allow": [
          {
            "dependency_type": "direct"
          }
        ],
        "ignore": [
          {
            "dependency_name": "rspec",
            "versions": ["3.x", "4.x"]
          },
          {
            "dependency_name": "faker",
            "update_types": ["version-update:semver-major"]
          }
        ],
        "rebase_strategy": "auto",
        "auto_merge": true,
        "versioning_strategy": "lockfile_only",
        "reject_external_code": true,
        "commit_message_options": {
          "prefix": "dep",
          "prefix_development": "bundler-dev",
          "include_scope": "scope"
        },
        "registries": [
          {
            "type": "docker_registry",
            "registry": "https://registry.hub.docker.com",
            "username": "octocat"
          }
        ]
      }
    ]
  }
]

Get project

GET /api/projects/:id

  • id - URL escaped full path or id of the project

Response:

{
  "id": 1,
  "name": "dependabot-gitlab/dependabot",
  "forked_from_id": null,
  "webhook_id": 1,
  "web_url": "https://gitlab.com/dependabot-gitlab/dependabot",
  "config": [
    {
      "package_manager": "bundler",
      "package_ecosystem": "bundler",
      "directory": "/",
      "milestone": "0.0.1",
      "assignees": ["john_doe"],
      "reviewers": ["john_smith"],
      "approvers": ["jane_smith"],
      "custom_labels": ["dependency"],
      "open_merge_requests_limit": 10,
      "cron": "00 02 * * sun Europe/Riga",
      "branch_name_separator": "-",
      "branch_name_prefix": "dependabot",
      "allow": [
        {
          "dependency_type": "direct"
        }
      ],
      "ignore": [
        {
          "dependency_name": "rspec",
          "versions": ["3.x", "4.x"]
        },
        {
          "dependency_name": "faker",
          "update_types": ["version-update:semver-major"]
        }
      ],
      "rebase_strategy": "auto",
      "auto_merge": true,
      "versioning_strategy": "lockfile_only",
      "reject_external_code": true,
      "commit_message_options": {
        "prefix": "dep",
        "prefix_development": "bundler-dev",
        "include_scope": "scope"
      },
      "registries": [
        {
          "type": "docker_registry",
          "registry": "https://registry.hub.docker.com",
          "username": "octocat"
        }
      ]
    }
  ]
}

Add project

POST /api/projects

Adds a new project or updates an existing one and syncs its jobs.

Request:

{
  "project": "dependabot-gitlab/dependabot"
}
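The manual webhook setup from the Webhooks section combined with this add project call, as an added Ruby example that is not part of the dependabot-gitlab code base: it creates a GitLab project hook for exactly the four event types listed above, scoped to the default branch and carrying a secret token, and then registers the project via POST /api/projects. The hostnames, the default branch name and the GitLab token variable are assumptions; the GitLab hook API (POST /api/v4/projects/:id/hooks) is GitLab's own.

```ruby
require "cgi"
require "json"
require "net/http"
require "uri"

# Constructed hosts for this example; replace with your own instances.
GITLAB_URL     = "https://gitlab.example.com"     # assumption
DEPENDABOT_URL = "http://dependabot.example.com"  # the README's {dependabot_host}

# Payload for GitLab's project hook API: only the four event types the README
# lists, push events limited to the default branch, and a secret token so the
# receiving side can reject deliveries that do not carry it.
def gitlab_hook_payload(dependabot_url, secret_token, default_branch = "master")
  {
    "url" => "#{dependabot_url}/api/hooks",
    "token" => secret_token,
    "push_events" => true,
    "push_events_branch_filter" => default_branch,
    "merge_requests_events" => true,
    "note_events" => true, # "Comments" in the GitLab UI
    "pipeline_events" => true,
    "enable_ssl_verification" => true
  }
end

# The :id segment of both APIs accepts the full project path, URL escaped.
def project_api_path(base_path, project)
  "#{base_path}/#{CGI.escape(project)}"
end

# Body for POST /api/projects on dependabot-gitlab.
def add_project_body(project)
  JSON.generate("project" => project)
end

def post_json(base_url, path, body, extra_headers = {})
  uri = URI.join(base_url, path)
  request = Net::HTTP::Post.new(uri, { "Content-Type" => "application/json" }.merge(extra_headers))
  request.body = body
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(request) }
end

# Creates the hook first (needs maintainer access on the project), then
# registers the project with dependabot-gitlab. Returns the registration response.
def register_with_hook(project, gitlab_token, secret_token)
  hook = post_json(GITLAB_URL, project_api_path("/api/v4/projects", project) + "/hooks",
                   JSON.generate(gitlab_hook_payload(DEPENDABOT_URL, secret_token)),
                   "PRIVATE-TOKEN" => gitlab_token)
  raise "hook creation failed: #{hook.code}" unless hook.is_a?(Net::HTTPSuccess)
  post_json(DEPENDABOT_URL, "/api/projects", add_project_body(project))
end
```

Run it with something like register_with_hook("dependabot-gitlab/dependabot", ENV["GITLAB_TOKEN"], ENV["WEBHOOK_SECRET"]), where both variable names are assumptions; the same secret token has to be configured on the dependabot-gitlab side for the hook to be accepted.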

Update project

PUT /api/projects/:id

Updates project attributes.

Request:

  • id - URL escaped full path or id of the project
  • name - full project path
  • forked_from_id - id of upstream project
  • forked_from_name - upstream project path with namespace
  • webhook_id - webhook id
  • web_url - project web url
  • config - dependabot configuration array

{
  "name": "name",
  "forked_from_id": 1,
  "webhook_id": 1,
  "web_url": "new-url",
  "config": []
}

Delete project

DELETE /api/projects/:id

  • id - URL escaped full path or id of the project

Notify release

POST /api/notify_release

Notifies Dependabot of a dependency release. In response, Dependabot will check all projects and update the package.

{
  "name": "package-name",
  "package_ecosystem": "package-ecosystem"
}

Healthcheck

GET /healthcheck

Checks whether the application is running and responding.

Rake tasks

Several administrative rake tasks exist; they can be executed from the app working directory.

register

Manually registers a project for updates. The repository must have a valid dependabot config file.

/home/dependabot/app$ bundle exec rake 'dependabot:register[project]'

project - project full path, example: dependabot-gitlab/dependabot

bulk register

Manually triggers the project registration job.

/home/dependabot/app$ bundle exec rake 'dependabot:automatic_registration'

remove

Manually removes a project.

/home/dependabot/app$ bundle exec rake 'dependabot:remove[project]'

project - project full path, example: dependabot-gitlab/dependabot

update

Triggers a dependency update for a single project and a single package manager.

/home/dependabot/app$ bundle exec rake 'dependabot:update[project,package_ecosystem,directory]'

  • project - project full path, example: dependabot-gitlab/dependabot
  • package_ecosystem - the package-ecosystem parameter, e.g. bundler
  • directory - the path where dependency files are stored, usually /

This task is what provides the standalone mode capability.

validate

Validates the dependabot.yml configuration file.

/home/dependabot/app$ bundle exec rake 'dependabot:validate[project]'

project - project full path, example: dependabot-gitlab/dependabot

UI

The index page of the application, e.g. http://localhost:3000/, displays a table of the jobs currently configured to run dependency updates.

Development

  • Install dependencies with bundle install
  • Set up pre-commit hooks with pre-commit install
  • Make your changes and make sure the tests pass with bundle exec rspec (some tests require instances of mongodb and redis, which can be started via the docker-compose -f docker-compose.yml up command)
  • Submit a merge request