Skip to content

Dependabot Integration

With this integration enabled, BoostSecurity will retrieve Dependabot alerts from all projects it has access to.

To be certain that the integration is working properly, ensure that Dependabot is enabled in Github for the repositories that BoostSecurity has access to.

To enable the integration, you need to toggle the switch in the Integrations page next to the GitHub Organization name.

Dependabot findings match the following rules and can be added to your violation policy, or used as a filter in the Findings browser.

  • Dependency with a Critical Risk Vulnerability
  • Dependency with a High Risk Vulnerability
  • Dependency with a Moderate Risk Vulnerability
  • Dependency with a Low Risk Vulnerability

Note: BoostSecurity does not perform a Dependabot scan on pull requests. After the enablement of this integration, it only runs when there is a push to the main branch. Consequently, developers will not see any Dependabot warnings in pull requests.

Warning: Using the Dependabot Pull Requests (PR) feature requires duplicating your BOOST_API_TOKEN key.

GitHub Actions & Dependabot Security Updates

If you are making use of GitHub Actions and also want to use the Dependabot Security Updates feature, you will need to replicate your current BOOST_API_TOKEN, which is stored in your Actions secrets to the secrets for Dependabot to give Dependabot access to the secret.