Dependabot and Github working together

Dependabot is a tool integrated with GitHub which allows us to automate analysis and updates of dependencies in our projects. It works by analyzing dependency files in our projects and verifying that no newer versions exist in the official repositories. Then, it creates automated Pull Requests (PRs) for dependencies out-of-date.

Dependabot works in three ways:

1. Listing vulnerabilities in the dependencies used in a project.

2. Creating PRs for solving these vulnerabilities using the minimum required versions.

3. Creating PRs to keep all dependencies using the latest version of them.

This Teratip is to implement Slack notifications about vulnerabilities detected and automated PRs using GitHub actions.

Dependabot configuration

Requirements:

• Have admin permissions on the repository.
  

The first step is to configure Dependabot in our repository by following the next steps:

1. Go to the Security tab in the repository.

2. Go to Dependabot in the ‘Vulnerability alerts’ section.

3. Click on Configure and Manage repository vulnerabilities settings.
   

4. Then, in the Dependabot section below “Code security and analysis” we are going to enable Dependabot alerts and Dependabot security updates.

Note that the Dependency graph should be automatically enabled after enable Dependabot alerts option. At this point, Dependabot is enabled and it will start looking for vulnerabilities and create automated PRs.

Slack configuration

Requirements:

• Be logged in to your Slack workspace.

In Slack, we need one channel to receive notifications and a Slack app with one incoming webhook URL to be used for our GH Actions.

It is assumed that the Slack channel already exists, and it does not matter whether it is public or private, so let's create the App:

1. Go to https://api.slack.com/messaging/webhooks and click on the Create You Slack app button.

2. Click the Create New App button and select the “From scratch” option.

3. Choose a name for the App and select the workspace where the channel is.

4. Then go to Incoming Webhooks and enable that option.

5. Once Incoming webhooks are enabled you can Add New Webhook to Workspace.

6. Select your Channel from the list and click on Allow.

You should see something like this:

GitHub Actions will use this Webhook URL.

GitHub Actions configuration

In this last step we will use three actions already created:

1. To get notifications about PRs created by Dependabot:

   1. https://github.com/actions/checkout

   2. https://github.com/kv109/action-ready-for-review
      

2. To get notifications about vulnerabilities detected by Dependabot:

https://github.com/kunalnagarco/action-cve

Since not all vulnerabilities can be resolved with automatic PRs, it is good to get notifications of all detected vulnerabilities.

Now we need to create two workflows by adding the following YAML files in .github/workflows in the repository.

dependabot-pr-to-slack.yaml

name: Notify about PR ready for review on:

pull_request:

branches: ["main"]

# Allows you to run this workflow manually from the Actions tab

workflow_dispatch:

jobs:

slackNotification:

name: Slack Notification

if: startsWith(github.head_ref, 'dependabot/') # This step only runs when PR has dependabot/ HEAD

runs-on: ubuntu-latest

steps:

# Latest version available at: https://github.com/actions/checkout/releases

- uses: actions/checkout@v2.5.0

- name: Slack Notification

# Latest version available at: https://github.com/kv109/action-ready-for-review/releases

uses: kv109/action-ready-for-review@0.2

env:

SLACK_CHANNEL: dependabot-notifications

SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

This workflow runs every time that Dependabot creates a new PR.

dependabot-vulns-to-slack.yaml

name: 'Dependabot vulerabilities notification to Slack'

on:

schedule:

- cron: '0 10 * * 1' # Cron

# Allows you to run this workflow manually from the Actions tab

workflow_dispatch:

jobs:

Notify-Vulnerabilites:

runs-on: ubuntu-latest

steps:

# Latest version available at: https://github.com/kunalnagarco/action-cve/releases

- name: Notify Vulnerabilities

uses: kunalnagarco/action-cve@v1.7.15

with:

token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} # This secret need to be created

slack_webhook: ${{ secrets.SLACK_WEBHOOK }} # This secret need to be created

This workflow runs periodically based on cron expression.

As is commented in the code, we need to add two secrets in our repository to be used in these workflows: PERSONAL_ACCESS_TOKEN and SLACK_WEBHOOK.

To add both secrets follow these steps:

1. Go to the Setting tab in the repository.

2. Go to Secret → Actions in the ‘Security’ section.

3. Click in New repository secret and add the followings:

The names chosen are used in workflows, so if they are modified, then change them also in the YAML files.

Also, we need to add SLACK_WEBHOOK secret in Secret → Dependabot in the same way that it did before.

SLACK_WEBHOOK value is the URL created previously.

PERSONAL_ACCESS_TOKEN could be created following these steps:

1. Click on your profile and select Setting.

2. Go to Developer settings.

3. Click on Personal access token and choose Tokens (classic).

4. Click on Generate new token (classic).

5. Select the following permissions:

1. Click on Generate token and copy the generated token. This token can’t be visible later, so be sure to copy it at this time.

For this workflow PERSONAL_ACCESS_TOKEN must belong to an admin collaborator of the repository.

Checking notifications in Slack

Dependabot vulnerability notifications example:

Dependabot PRs notifications example:

In the Security tab →”Vulnerability alerts” section and Dependabot we can confirm that alerts are related to detected vulnerabilities and the automated PRs created.

Final Thoughts

Leveraging Dependabot alongside GitHub Actions for Slack notifications offers a streamlined approach to staying informed about version updates within your project's package ecosystem. By configuring Dependabot through the interval daily in the configuration file, you ensure timely awareness of any updates. This integration not only simplifies the tracking of changes but also enhances collaboration and communication among team members.

For a detailed guide on setting up Dependabot with GitHub Actions and enabling Slack notifications, refer to the comprehensive documentation available on GitHub Docs. Just a click to enable, and you'll be effortlessly keeping pace with the latest version updates, promoting a more secure and efficient development environment.

References:

[1] Sending messages using Incoming Webhooks

[2] Notifies via Slack about pull requests which are ready to review

[3] Action for checking out a repo

[4] A GitHub action that sends Dependabot Vulnerability Alerts to Slack

[5] Create a personal access token for GitHub

[6] GitHub event types

[7] Events that trigger workflows

Ignacio Rubio

DevOps Engineer

Teracloud

If you want to know more about Github, we suggest checking GitHub Actions without AWS credentials

If you are interested in learning more about our #TeraTips or our blog's content, we invite you to see all the content entries that we have created for you and your needs. And subscribe to be aware of any news! 👇