
Dependency-Update-Tool ignores enabled Dependabot without dependabot.yml

Open jfrantzius opened this issue 5 months ago • 4 comments

Describe the bug
When a repo has Dependabot enabled and working (produces Dependabot vulnerability alerts), but without any dependabot.yml file, then it seems the Dependency-Update-Tool flags a false positive, stating

score is 0: no update tool detected: Warn: no dependency update tool configurations found.

Reproduction steps
Steps to reproduce the behavior:

  1. Configure Google OSV action to produce dependency graph
  2. Enable "Dependency graph" in Advanced Security, which uploads the dependency graph so that Dependabot can use it
  3. Enable "Dependabot security updates" in Advanced Security
  4. Configure scorecard GitHub Action on repo

Expected behavior
Ideally, the check should recognize that Dependabot is properly configured on the repo. Not sure how this would best be implemented, if possible at all.


jfrantzius avatar Jul 29 '25 14:07 jfrantzius

Scorecard will also give credit if any of the last 30 commits are by dependabot. But otherwise there's no way for us to know if Dependabot is enabled (without an admin token for the repo).

spencerschrock avatar Jul 29 '25 15:07 spencerschrock

When I asked Gemini AI about the problem, it suggested that with security-events: read, Scorecard could recognize security events produced by Dependabot?

jfrantzius avatar Jul 29 '25 15:07 jfrantzius

> When I asked Gemini AI about the problem, it suggested that with security-events: read, Scorecard could recognize security events produced by Dependabot?

@jfrantzius — could you better clarify the suggestion? Dependabot is not the only tool that leverages the security-events permission, so any detection of that usage would not be a sufficient test.

justaugustus avatar Jul 30 '25 17:07 justaugustus

Hi @justaugustus, it seems that using this REST API, security events can be read: https://docs.github.com/en/rest/dependabot/alerts?apiVersion=2022-11-28#list-dependabot-alerts-for-a-repository

As the endpoint is https://api.github.com/repos/OWNER/REPO/dependabot/alerts, this would be only Dependabot alerts. Not sure whether more would need to be interpreted from the contents of the alerts, though.

Also, I'm no expert at all in implementing GitHub Actions, so I am not sure whether security-events: read will allow the Scorecard Action to use that API to find out about existing Dependabot alerts, but it all sounds worth exploring to me.

jfrantzius avatar Jul 31 '25 13:07 jfrantzius
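The thread ends on the open question of whether the "list Dependabot alerts for a repository" endpoint could serve as an enablement signal. The following Go program is an added illustration of that idea, not Scorecard code and not from any participant: it calls the endpoint named in the comments above and maps the HTTP status to a verdict. Everything beyond the URL and the `X-GitHub-Api-Version: 2022-11-28` header is an assumption: the fake server, the repo names `acme/with-dependabot` and `acme/without-dependabot`, the abbreviated alert objects and the 403 error message are all constructed here, and the rule "200 means alerts are on, 403 means alerts are off or the token lacks the security_events scope" is this example's interpretation, which a real implementation would need to confirm against GitHub's documented responses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DependabotStatus is the conclusion drawn from one call to the alerts endpoint.
type DependabotStatus int

const (
	StatusUnknown  DependabotStatus = iota // unexpected response; draw no conclusion
	StatusEnabled                          // 200: the alerts listing is readable, so Dependabot alerts are on
	StatusDisabled                         // 403: alerts off, or the token lacks security_events (assumption: indistinguishable here)
	StatusNotFound                         // 404: repo missing, or the token cannot see it
)

func (s DependabotStatus) String() string {
	switch s {
	case StatusEnabled:
		return "enabled"
	case StatusDisabled:
		return "disabled-or-no-permission"
	case StatusNotFound:
		return "not-found"
	}
	return "unknown"
}

// AlertsProbe is the result of probing one repository.
type AlertsProbe struct {
	Status     DependabotStatus
	AlertCount int // alerts on the first page (only meaningful for StatusEnabled)
}

// ProbeDependabotAlerts performs GET {baseURL}/repos/{owner}/{repo}/dependabot/alerts,
// the endpoint cited in the thread. baseURL is https://api.github.com in production;
// in this example it points at a local fake server so the program runs offline.
func ProbeDependabotAlerts(client *http.Client, baseURL, owner, repo, token string) (AlertsProbe, error) {
	url := fmt.Sprintf("%s/repos/%s/%s/dependabot/alerts?per_page=100", baseURL, owner, repo)
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return AlertsProbe{}, err
	}
	req.Header.Set("Accept", "application/vnd.github+json")
	req.Header.Set("X-GitHub-Api-Version", "2022-11-28")
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := client.Do(req)
	if err != nil {
		return AlertsProbe{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the body; we only need the array length
	if err != nil {
		return AlertsProbe{}, err
	}
	switch resp.StatusCode {
	case http.StatusOK:
		var alerts []json.RawMessage
		if err := json.Unmarshal(body, &alerts); err != nil {
			return AlertsProbe{Status: StatusUnknown}, fmt.Errorf("unexpected body: %w", err)
		}
		return AlertsProbe{Status: StatusEnabled, AlertCount: len(alerts)}, nil
	case http.StatusForbidden:
		return AlertsProbe{Status: StatusDisabled}, nil
	case http.StatusNotFound:
		return AlertsProbe{Status: StatusNotFound}, nil
	}
	return AlertsProbe{Status: StatusUnknown}, fmt.Errorf("unexpected HTTP %d", resp.StatusCode)
}

// NewFakeGitHub is a constructed stand-in for api.github.com serving two made-up repos:
// acme/with-dependabot (alerts on, two abbreviated alerts) and acme/without-dependabot
// (alerts off, answered with a constructed 403). Any other path is 404.
func NewFakeGitHub() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		switch {
		case strings.HasPrefix(r.URL.Path, "/repos/acme/with-dependabot/dependabot/alerts"):
			io.WriteString(w, `[{"number":1,"state":"open"},{"number":2,"state":"dismissed"}]`)
		case strings.HasPrefix(r.URL.Path, "/repos/acme/without-dependabot/dependabot/alerts"):
			w.WriteHeader(http.StatusForbidden)
			io.WriteString(w, `{"message":"Dependabot alerts are disabled for this repository."}`)
		default:
			w.WriteHeader(http.StatusNotFound)
			io.WriteString(w, `{"message":"Not Found"}`)
		}
	}))
}

func main() {
	srv := NewFakeGitHub()
	defer srv.Close()
	for _, repo := range []string{"with-dependabot", "without-dependabot", "missing"} {
		probe, err := ProbeDependabotAlerts(srv.Client(), srv.URL, "acme", repo, "placeholder-token")
		fmt.Printf("acme/%s: %s (alerts=%d, err=%v)\n", repo, probe.Status, probe.AlertCount, err)
	}
}
```

The design point worth noting is that a 403 on this endpoint is ambiguous: it looks the same whether the repository has alerts switched off or the caller's token simply lacks the `security_events` scope the endpoint requires, so a check built on it could only ever award credit on a 200 and would have to stay silent on a 403 rather than report "no update tool". That is the same limitation spencerschrock described for commit-based detection: a positive signal is cheap, proving absence is not.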