
Alerting for repos missing dependabot config (`dependabot.yml`)

Open justaugustus opened this issue 3 years ago • 6 comments

Similar to the SECURITY.md community health check, for organizations that are interested in having dependabot automated updates enabled on their repositories, it'd be great to have a check that alerts when a .github/dependabot.yml config is not present within the repo.

Ideally, it'd be cool to have this baked into https://github.com/organizations/<org-name>/settings/security_analysis. cc: @jhutchings1

justaugustus avatar Feb 10 '22 10:02 justaugustus

👍 https://github.com/ossf/allstar#future-policies Also want to support renovatebot and others.

jeffmendoza avatar Feb 10 '22 21:02 jeffmendoza
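A policy-style check for the alert requested in this issue, extended to the Renovate support mentioned in the reply above; this is an added example, not Allstar's code or the contents of PR #114. The config file locations and the Renovate `enabled: false` setting are assumptions taken from the tools' public documentation, and the sample repositories are constructed for the demo.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Config locations documented by Dependabot and Renovate (assumed list; adjust per org).
DEPENDABOT_FILES = (".github/dependabot.yml", ".github/dependabot.yaml")
RENOVATE_FILES = ("renovate.json", ".renovaterc.json", ".github/renovate.json",
                  "renovate.json5", ".renovaterc", ".github/renovate.json5")
# One `package-ecosystem:` entry under `updates:` (with or without the leading dash).
ECOSYSTEM_RE = re.compile(r"^\s*-?\s*package-ecosystem:\s*['\"]?([\w-]+)", re.MULTILINE)

@dataclass
class Result:
    passes: bool
    tool: Optional[str]
    notify: str  # text an alerting policy would put in its log line or issue

def check_repo(files: Dict[str, str]) -> Result:
    """files maps repo-relative path -> contents, as a policy would fetch them via the API."""
    for path in DEPENDABOT_FILES:
        if path in files:
            # A dependabot.yml with no updates entries enables nothing, so a bare file is not enough.
            ecosystems = ECOSYSTEM_RE.findall(files[path])
            if ecosystems:
                return Result(True, "dependabot", f"{path} updates: {', '.join(ecosystems)}")
            return Result(False, "dependabot", f"{path} exists but declares no updates")
    for path in RENOVATE_FILES:
        if path in files:
            if path.endswith(".json"):  # strict-JSON variants can be validated; json5/.renovaterc only checked for presence
                try:
                    cfg = json.loads(files[path])
                    if isinstance(cfg, dict) and cfg.get("enabled", True) is False:
                        return Result(False, "renovate", f"{path} sets enabled: false")
                except ValueError:
                    return Result(False, "renovate", f"{path} is not valid JSON")
            return Result(True, "renovate", f"Renovate configured via {path}")
    return Result(False, None, "no .github/dependabot.yml or Renovate config found")

# Constructed sample repositories for the demo (not real projects).
SAMPLE_REPOS = {
    "good": {".github/dependabot.yml":
             'version: 2\nupdates:\n  - package-ecosystem: "gomod"\n    directory: "/"\n'},
    "empty": {".github/dependabot.yml": "version: 2\nupdates: []\n"},
    "renovate-off": {"renovate.json": '{"enabled": false}'},
    "none": {"README.md": "# hello\n"},
}

def run_policy() -> Dict[str, Result]:
    return {name: check_repo(files) for name, files in SAMPLE_REPOS.items()}
```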

> 👍 https://github.com/ossf/allstar#future-policies Also want to support renovatebot and others.

starts to roll sleeves up... https://github.com/ossf/allstar/pull/114

justaugustus avatar Feb 10 '22 23:02 justaugustus

> Ideally, it'd be cool to have this baked into https://github.com/organizations/<org-name>/settings/security_analysis.

We're looking at making this process simpler in the near future. @erinhav FYI on ☝🏻

jhutchings1 avatar Feb 23 '22 03:02 jhutchings1

There is a way to do something like that by configuring the Scorecard check to only score on a non-compliant dependency update tool; for instance, in scorecard.yaml try:

```yaml
optConfig:
  optOutStrategy: true   # policy applies to every repo unless it explicitly opts out
action: log              # only log the finding; no issue is opened
checks:
  - Dependency-Update-Tool   # run just the Scorecard check that looks for dependabot/renovate config
threshold: 5             # minimum passing score; a repo with no update tool scores 0 and fails
```

ArisBee avatar Jul 19 '23 10:07 ArisBee

🙏🙏🙏

Jung47 avatar Jul 29 '23 22:07 Jung47