Dependabot Integration
With this integration enabled, BoostSecurity will retrieve Dependabot alerts from all projects it can access.
To be sure that the integration is working correctly, ensure that Dependabot is enabled in GitHub for the repositories that BoostSecurity has access to.
To enable the integration, toggle the switch on the Integrations page next to the GitHub Organization name.
Dependabot findings match the following rules and can be added to your violation policy or used as a filter in the Findings browser.
- Dependency with a Critical Risk Vulnerability
- Dependency with a High Risk Vulnerability
- Dependency with a Moderate Risk Vulnerability
- Dependency with a Low Risk Vulnerability
Note
BoostSecurity does not perform a Dependabot scan on pull requests. After this integration is enabled, it only runs when there is a push to the main branch. Consequently, developers will not see any Dependabot warnings in pull requests.
Warning: Using the Dependabot Pull Requests (PR) feature requires duplicating your BOOST_API_TOKEN key.
GitHub Actions & Dependabot Security Updates
If you use GitHub Actions and also want to use the Dependabot Security Updates feature, you will need to replicate your current BOOST_API_TOKEN, which is stored in your Actions secrets, into the Dependabot secrets so that Dependabot has access to it. Dependabot-triggered jobs read only from the Dependabot secret store, so a token present only in the Actions secrets is invisible to them.