Dependabot Integration

With this integration enabled, BoostSecurity will retrieve Dependabot alerts from all projects it has access to.

For the integration to work properly, make sure that Dependabot is enabled in GitHub for the repositories that BoostSecurity has access to.

To enable the integration, toggle the switch next to the GitHub Organization name on the Integrations page.

Dependabot findings match the following rules and can be added to your violation policy, or used as a filter in the Findings browser.

  • Dependency with a Critical Risk Vulnerability
  • Dependency with a High Risk Vulnerability
  • Dependency with a Moderate Risk Vulnerability
  • Dependency with a Low Risk Vulnerability

Note: BoostSecurity does not perform a Dependabot scan on pull requests. Once this integration is enabled, it runs only when there is a push to the main branch. Consequently, developers will not see any Dependabot warnings in pull requests.

Warning: Using the Dependabot Pull Requests (PR) feature requires duplicating the BOOST_API_TOKEN key.

GitHub Actions & Dependabot Security Updates

If users of GitHub Actions also want to use the Dependabot Security Updates feature, they need to replicate the BOOST_API_TOKEN currently stored in their Actions secrets to the Dependabot secrets, so that Dependabot has access to it.