Dependabot Integration
With this integration enabled, BoostSecurity retrieves Dependabot alerts from all projects it has access to.
For the integration to work, make sure Dependabot alerts are enabled in GitHub for the repositories that BoostSecurity has access to; repositories without Dependabot enabled produce no alerts for BoostSecurity to retrieve.
To enable the integration, toggle the switch next to the GitHub Organization name on the Integrations page.
Dependabot findings match the following rules and can be added to your violation policy, or used as a filter in the Findings browser.
- Dependency with a Critical Risk Vulnerability
- Dependency with a High Risk Vulnerability
- Dependency with a Moderate Risk Vulnerability
- Dependency with a Low Risk Vulnerability
Note: BoostSecurity does not perform a Dependabot scan on pull requests. After this integration is enabled, Dependabot alerts are only retrieved when there is a push to the main branch. Consequently, developers will not see any Dependabot warnings in pull requests; the findings appear in the Findings browser and violation policy evaluations for the main branch only.
Warning: Using the Dependabot Pull Requests (PR) feature requires duplicating the BOOST_API_TOKEN key.
GitHub Actions & Dependabot Security Updates
Users who run BoostSecurity through GitHub Actions and also want to use the Dependabot Security Updates feature must replicate their current BOOST_API_TOKEN, which they stored in their Actions secrets, into the Dependabot secrets of the same repository (or organization). Workflow runs triggered by Dependabot receive Dependabot secrets rather than Actions secrets, so without this copy the token is simply not present in those runs and the BoostSecurity step fails to authenticate.
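The following script is an added example of how that duplication can be done and verified with the GitHub CLI; it is not BoostSecurity's own tooling or part of the original page. It assumes `gh` is installed and authenticated with a token that can administer secrets on the repository, that the repository name is passed as `owner/repo` (the `acme/app` used in the usage line is a placeholder), and that the token value is supplied in the `BOOST_API_TOKEN` environment variable, because GitHub never returns a secret's value and the token therefore cannot be copied from one store to the other directly.

```shell
#!/usr/bin/env sh
# Hypothetical helper (not BoostSecurity's own tooling): store the same
# BOOST_API_TOKEN value in a repository's Actions secrets and in its
# Dependabot secrets, then verify that both stores list it.
#
# Assumptions: the GitHub CLI (gh) is installed and authenticated with a token
# that can administer secrets on the repository; the token value is provided in
# the BOOST_API_TOKEN environment variable (GitHub cannot read a secret back,
# so the value has to be re-entered from wherever you keep it).
#
# usage: BOOST_API_TOKEN=<token> ./sync-boost-token.sh acme/app
set -eu

SECRET_NAME="BOOST_API_TOKEN"

# secret_present APP OWNER/REPO -> exit 0 if SECRET_NAME is listed in that store.
# APP is "actions" or "dependabot", the two stores gh can manage for a repository.
# The first column of `gh secret list` is the secret name; -x avoids matching
# a longer name such as BOOST_API_TOKEN_OLD.
secret_present() {
  gh secret list --app "$1" --repo "$2" | awk '{ print $1 }' | grep -qx "$SECRET_NAME"
}

# sync_secret APP OWNER/REPO -> write $BOOST_API_TOKEN into that store.
# The value is piped on stdin so it never shows up in the process list.
sync_secret() {
  printf '%s' "$BOOST_API_TOKEN" | gh secret set "$SECRET_NAME" --app "$1" --repo "$2"
}

# main OWNER/REPO -> populate both stores and fail if either is still missing the secret.
main() {
  repo="$1"
  : "${BOOST_API_TOKEN:?set BOOST_API_TOKEN in the environment before running}"
  for app in actions dependabot; do
    sync_secret "$app" "$repo"
    if secret_present "$app" "$repo"; then
      echo "$SECRET_NAME present in $app secrets of $repo"
    else
      echo "$SECRET_NAME missing from $app secrets of $repo" >&2
      return 1
    fi
  done
}

if [ "$#" -gt 0 ]; then
  main "$@"
else
  echo "usage: BOOST_API_TOKEN=<token> $0 <owner/repo>" >&2
fi
```

If the token is defined as an organization secret rather than a repository secret, the same applies at the organization level: `gh secret set BOOST_API_TOKEN --org <org> --app dependabot --visibility all` (or `--visibility selected --repos ...`) creates the Dependabot-side copy, and `gh secret list --org <org> --app dependabot` confirms it. Whichever level you use, the BoostSecurity token now lives in two places, so rotating it means updating both stores.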