
Dependabot: Get Slack notifications using GitHub Actions




 

Dependabot is a tool integrated into GitHub that automates the analysis and updating of a project's dependencies.


It works by reading the dependency manifests and lock files in our projects and checking the package registries for newer versions. It then opens automated Pull Requests (PRs) for out-of-date dependencies.


Dependabot offers three features:

  1. Dependabot alerts: listing known vulnerabilities in the dependencies a project uses.

  2. Dependabot security updates: creating PRs that fix those vulnerabilities by bumping to the minimum patched version.

  3. Dependabot version updates: creating PRs that keep all dependencies on their latest versions (configured through a .github/dependabot.yml file).


The aim of this Teratip is to send Slack notifications about the vulnerabilities Dependabot detects and the automated PRs it opens, using GitHub Actions.





Dependabot configuration

Requirements:

  • Have admin permissions on the repository.

As a first step, enable Dependabot in the repository:

  1. Go to the Security tab in the repository.

  2. Go to Dependabot in the ‘Vulnerability alerts’ section.

  3. Click on Configure and Manage repository vulnerabilities settings.

  4. In the Dependabot section below “Code security and analysis”, enable Dependabot alerts and Dependabot security updates.


Note that Dependency graph is enabled automatically when Dependabot alerts are enabled, since alerts depend on it.


At this point Dependabot is enabled and will start looking for vulnerabilities and creating automated PRs.


Slack configuration

Requirements:

  • Be logged in your Slack workspace.


In Slack we need a channel to receive the notifications and a Slack app with an incoming webhook URL that our GitHub Actions workflows will post to.


It is assumed that the Slack channel already exists; it does not matter whether it is public or private. Let's create the App:


  1. Go to https://api.slack.com/messaging/webhooks and click on the Create your Slack app button.

  2. Click on the Create New App button and select the “From scratch” option.

  3. Choose a name for the App and select the workspace where the channel is.

  4. Then go to Incoming Webhooks and enable that option.

  5. Once Incoming Webhooks are enabled, click Add New Webhook to Workspace.

  6. Select your channel in the list and click Allow.


Slack then displays the new Webhook URL (it starts with https://hooks.slack.com/services/).


This Webhook URL is the credential GitHub Actions will use: anyone holding it can post to the channel, so store it only as a secret and never commit it to the repository.



GitHub Actions configuration

In this last step we will use three actions that already exist:


  • To get notifications about PRs created by Dependabot:

    https://github.com/actions/checkout

    https://github.com/kv109/action-ready-for-review

  • To get notifications about vulnerabilities detected by Dependabot:

    https://github.com/kunalnagarco/action-cve


Since not all vulnerabilities can be resolved with automatic PRs, it is good to get notifications of all detected vulnerabilities, not only of the PRs.

Note that the last two are community actions that receive the Slack webhook (and, for action-cve, a personal access token) as input. Review their source before use and consider pinning them to a full commit SHA instead of a tag, so that a moved tag cannot change the code that handles those secrets.


Now we need to create two workflows by adding the following YAML files to .github/workflows in the repository.


dependabot-pr-to-slack.yaml


name: Notify about PR ready for review

on:
  pull_request:
    branches: ["main"]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  slackNotification:
    name: Slack Notification
    # Only run when the PR branch was created by Dependabot (dependabot/ prefix)
    if: startsWith(github.head_ref, 'dependabot/')
    runs-on: ubuntu-latest
    steps:
      # Latest version available at: https://github.com/actions/checkout/releases
      - uses: actions/checkout@v2.5.0
      - name: Slack Notification
        # Latest version available at: https://github.com/kv109/action-ready-for-review/releases
        uses: kv109/action-ready-for-review@0.2
        env:
          SLACK_CHANNEL: dependabot-notifications
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}


This workflow runs every time Dependabot opens a new PR against main. Because the PR is created by Dependabot, the run receives Dependabot secrets rather than the repository's Actions secrets, and its GITHUB_TOKEN is read-only; this is why SLACK_WEBHOOK must also be stored as a Dependabot secret, as described in the secrets section.



dependabot-vulns-to-slack.yaml

name: 'Dependabot vulnerabilities notification to Slack'

on:
  schedule:
    - cron: '0 10 * * 1' # every Monday at 10:00 UTC
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  Notify-Vulnerabilities:
    runs-on: ubuntu-latest
    steps:
      # Latest version available at: https://github.com/kunalnagarco/action-cve/releases
      - name: Notify Vulnerabilities
        uses: kunalnagarco/action-cve@v1.7.15
        with:
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} # This secret needs to be created
          slack_webhook: ${{ secrets.SLACK_WEBHOOK }} # This secret needs to be created


This workflow runs on the cron schedule (here every Monday at 10:00 UTC) and reports the open Dependabot alerts to Slack, whether or not a PR exists for them.
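As an added example (not part of the original Teratip and not the code of action-cve), the following Python script does the same job as the second workflow without a third-party action: it reads the repository's open Dependabot alerts from the GitHub REST API and posts a digest to the Slack incoming webhook. Alerts that have no patched version yet are flagged, because those are exactly the ones the automatic PRs cannot fix. The repository name, the constructed sample alerts and the severity threshold are assumptions of this example; the token must be allowed to read Dependabot alerts (for a classic PAT, the security_events scope). In a workflow you would pass `${{ secrets.PERSONAL_ACCESS_TOKEN }}` and `${{ secrets.SLACK_WEBHOOK }}` to the script through the GITHUB_TOKEN and SLACK_WEBHOOK environment variables used below.

```python
"""Post open Dependabot alerts to Slack without a third-party action.

Added example for this Teratip; not the code of action-cve or of GitHub.
Reads GET /repos/{owner}/{repo}/dependabot/alerts and posts a digest to a
Slack incoming webhook, flagging alerts with no patched version.
"""
import json
import os
import urllib.request

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def _sample(number, state, ecosystem, name, manifest, ghsa, cve, summary, severity, fix):
    """Build one alert shaped like the Dependabot alerts API response (sample data)."""
    return {"number": number, "state": state,
            "html_url": f"https://github.com/acme/app/security/dependabot/{number}",
            "dependency": {"package": {"ecosystem": ecosystem, "name": name},
                           "manifest_path": manifest},
            "security_advisory": {"ghsa_id": ghsa, "cve_id": cve,
                                  "summary": summary, "severity": severity},
            "security_vulnerability": {
                "first_patched_version": {"identifier": fix} if fix else None}}


# Constructed placeholders (fake IDs, fake packages), not real advisories.
SAMPLE_ALERTS = [
    _sample(7, "open", "npm", "example-lib", "package-lock.json",
            "GHSA-xxxx-xxxx-xxx1", "CVE-0000-00001", "placeholder RCE", "critical", "2.1.4"),
    _sample(8, "open", "pip", "example-parser", "requirements.txt",
            "GHSA-xxxx-xxxx-xxx2", None, "placeholder DoS", "high", None),
    _sample(9, "open", "npm", "example-utils", "package-lock.json",
            "GHSA-xxxx-xxxx-xxx3", "CVE-0000-00003", "placeholder info leak", "low", "1.0.9"),
    _sample(3, "dismissed", "npm", "example-old", "package-lock.json",
            "GHSA-xxxx-xxxx-xxx4", None, "placeholder, dismissed", "medium", "3.0.0"),
]


def fetch_open_alerts(repo, token):
    """Page through the open Dependabot alerts of owner/repo (network call)."""
    alerts, page = [], 1
    while True:
        url = (f"https://api.github.com/repos/{repo}/dependabot/alerts"
               f"?state=open&per_page=100&page={page}")
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28"})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        alerts.extend(batch)
        if len(batch) < 100:
            return alerts
        page += 1


def select_alerts(alerts, min_severity="low"):
    """Keep open alerts at or above min_severity, most severe first."""
    floor = SEVERITY_RANK[min_severity]
    kept = [a for a in alerts if a["state"] == "open"
            and SEVERITY_RANK[a["security_advisory"]["severity"]] >= floor]
    return sorted(kept, key=lambda a: -SEVERITY_RANK[a["security_advisory"]["severity"]])


def format_alert(alert):
    """One Slack mrkdwn line per alert; mark alerts Dependabot cannot fix by PR."""
    adv, pkg = alert["security_advisory"], alert["dependency"]["package"]
    fix = alert["security_vulnerability"].get("first_patched_version")
    fix_txt = f"fix: {fix['identifier']}" if fix else "NO PATCHED VERSION (needs manual triage)"
    ident = adv.get("cve_id") or adv["ghsa_id"]
    return (f"• *{adv['severity'].upper()}* {pkg['ecosystem']}/{pkg['name']} "
            f"({alert['dependency']['manifest_path']}) {ident}: {adv['summary']} "
            f"[{fix_txt}] <{alert['html_url']}|#{alert['number']}>")


def build_slack_payload(alerts, repo, min_severity="low"):
    """Build the JSON body for a Slack incoming webhook."""
    selected = select_alerts(alerts, min_severity)
    if not selected:
        return {"text": f":white_check_mark: {repo}: no open Dependabot alerts "
                        f"at or above {min_severity}"}
    unfixable = sum(1 for a in selected
                    if not a["security_vulnerability"].get("first_patched_version"))
    header = (f":rotating_light: {repo}: {len(selected)} open Dependabot alert(s), "
              f"{unfixable} without a patched version")
    return {"text": "\n".join([header] + [format_alert(a) for a in selected])}


def post_to_slack(webhook_url, payload):
    """POST the payload to the webhook; returns the HTTP status (network call)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    repo = os.environ["GITHUB_REPOSITORY"]  # e.g. acme/app (assumed)
    alerts = fetch_open_alerts(repo, os.environ["GITHUB_TOKEN"])
    payload = build_slack_payload(alerts, repo, os.environ.get("MIN_SEVERITY", "low"))
    post_to_slack(os.environ["SLACK_WEBHOOK"], payload)
```

The digest is built from the API's `security_vulnerability.first_patched_version` field: when it is null there is no version Dependabot could bump to, so the alert is marked for manual triage. Dismissed alerts are excluded by the `state` filter, and `MIN_SEVERITY` lets a noisy repository report only high and critical findings.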



As commented in the code, we need to add two secrets to our repository for these workflows: PERSONAL_ACCESS_TOKEN and SLACK_WEBHOOK.


To add both secrets, follow these steps:

  1. Go to the Settings tab in the repository.

  2. Under the ‘Security’ section, go to Secrets and then Actions.

  3. Click New repository secret and add the two secrets, PERSONAL_ACCESS_TOKEN and SLACK_WEBHOOK.


The names chosen are the ones referenced in the workflows; if you change them, change them in the YAML files as well.


Also add SLACK_WEBHOOK as a Dependabot secret (Secrets, then Dependabot) in the same way. Workflows triggered by a PR that Dependabot opened receive Dependabot secrets instead of Actions secrets, so without this the PR-notification workflow would see an empty SLACK_WEBHOOK.


The value of SLACK_WEBHOOK is the webhook URL created previously.


PERSONAL_ACCESS_TOKEN can be created following these steps:

  1. Click on your profile and select Settings.

  2. Go to Developer settings.

  3. Click on Personal access tokens and choose Tokens (classic).

  4. Click on Generate new token (classic).