
Dependabot: Get Slack notifications using GitHub Actions


Dependabot is a tool integrated into GitHub that automates the analysis and updating of the dependencies in our projects.


It works by analyzing the dependency manifests in our projects and checking whether newer versions exist in the official package registries. When it finds out-of-date dependencies, it opens automated Pull Requests (PRs) to update them.


Dependabot works in three ways:

  1. Listing vulnerabilities in the dependencies used in a project.

  2. Creating PRs that fix these vulnerabilities by bumping to the minimum version that resolves them.

  3. Creating PRs that keep all dependencies on their latest versions.


The aim of this Teratip is to send Slack notifications about the vulnerabilities Dependabot detects and the PRs it opens, using GitHub Actions.
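The following workflow is an added example of that end result, not code from the original post: it posts to Slack whenever Dependabot opens a PR. It assumes a Slack incoming webhook stored as a secret named SLACK_WEBHOOK_URL and uses the slackapi/slack-github-action action; the file path and job name are our choice.

```yaml
# .github/workflows/dependabot-slack.yml  (example; path and names are assumptions)
name: Dependabot Slack notification

on:
  pull_request:
    types: [opened, reopened]

# Least privilege: the job only reads PR metadata and never writes to the repo.
permissions:
  contents: read
  pull-requests: read

jobs:
  notify:
    # Only run for PRs opened by Dependabot itself, not by any human or other bot.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Post to Slack
        # Pin to a specific release (or a commit SHA) rather than a floating tag.
        uses: slackapi/slack-github-action@v1.26.0
        with:
          # toJSON() quotes/escapes the PR title so a title containing quotes
          # cannot break the JSON payload sent to Slack.
          payload: |
            {
              "text": "Dependabot opened <${{ github.event.pull_request.html_url }}|PR #${{ github.event.pull_request.number }}> in ${{ github.repository }}",
              "blocks": [
                {
                  "type": "section",
                  "text": { "type": "mrkdwn", "text": ${{ toJSON(github.event.pull_request.title) }} }
                }
              ]
            }
        env:
          # Workflows triggered by Dependabot's own PRs only receive *Dependabot*
          # secrets, so store SLACK_WEBHOOK_URL under
          # Settings > Secrets and variables > Dependabot, not only under Actions.
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
```

The webhook URL grants anyone holding it the ability to post into the channel, so keep it as a secret and rotate it if it leaks.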


Dependabot configuration

Requirements:

  • Have admin permissions on the repository.

As a first step, configure Dependabot in the repository by following these steps:

  1. Go to the Security tab in the repository.

  2. Go to Dependabot in the ‘Vulnerability alerts’ section.

  3. Click on Configure and Manage repository vulnerabilities settings.