Dependabot Slack Integration
This past summer I interned with the SRE team at Snapsheet. On one of the first projects I worked on, I noticed we were using Dependabot, a feature in GitHub. It is a great tool, but we weren’t paying enough attention to the pull requests it opened. The problem wasn’t that we ignored those pull requests; we simply didn’t know they were being created. To fix this, I integrated them with Slack notifications so that we would know whenever a new pull request came in. This was a great learning experience that taught me how to use Dependabot and solved a problem our team was facing. The rest of this article goes into further detail about why and how our team integrated this solution!
In some cases, once a code base’s core functionality becomes stable, it is left as is without receiving frequent updates. Many software security vulnerabilities arise from outdated dependencies, so if that core functionality relies on a vulnerable dependency, it becomes a security concern.
Having a process in place to routinely update outdated packages helps prevent attacks that exploit known vulnerabilities. This is crucial, especially for legacy software that only receives updates when a reported bug needs to be fixed. One possible solution is to use Dependabot. Dependabot is a service provided by GitHub which tracks the dependencies in a repository and creates new pull requests (PRs) that update vulnerable dependency versions.
Creating new pull requests is only the first step, since these PRs still need to be merged. The repository owner and members must be notified when Dependabot opens a pull request; otherwise the PRs are easily overlooked. This can be done with Slack notifications triggered by a GitHub Action. Each new pull request is then reviewed, regression tested to ensure no features are broken, and merged if there are no conflicts.
Here is the process life cycle.
Dependabot supports most popular programming languages and package ecosystems, and it acts when its security advisory database reports a vulnerability affecting one of the repository’s dependencies. See: Browsing security advisories in the GitHub Advisory Database – GitHub Docs
Integrate Dependabot into a GitHub Repository
- Enable Dependabot updates
Go to Settings in the GitHub repository.
Under Security, go to Code security and analysis and enable Dependabot security updates (note: this also enables Dependabot alerts and the dependency graph).
- Create a .github folder in the repository’s root, add a dependabot.yml file to it, and set the package-ecosystem to match your project
To add other configurations, see the Dependabot documentation here.
Configuration options for the dependabot.yml file – GitHub Docs
If security vulnerabilities are found you should see new PRs created.
Dependabot opens a maximum of 5 PRs at a time by default (this can be changed). Do not assume your repository has only 5 vulnerabilities just because only 5 PRs are created.
Slack Notification Integration
First, we need to create a Slack app.
- Head over to https://api.slack.com/apps and log in
- Click on “Create a new app” and then select “From Scratch”
Give your app a name and select your organization’s workspace. Then select the Slack channel it should be integrated with.
Copy Bot User OAuth Token and save it for a later step.
Under the Scopes section, add the following OAuth Scopes
Be sure to give it write access, since the app needs to post to channels where it isn’t a member.
Add the token you saved in the earlier step as a repository secret in the GitHub repository under Settings → Secrets → Actions → Repository Secrets
GitHub Actions are a quick and easy way to send out notifications when Dependabot creates a new PR.
Add the following GitHub Actions workflow file under .github and update the Slack channel name.
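As an added example covering both the dependabot.yml step and the workflow step above (it is not the post’s own configuration), here is a minimal pair of files. The ecosystem, secret name and channel name are assumptions to adapt to your repository; the PR title and URL are passed through environment variables and serialized with jq rather than expanded inside the shell script, so untrusted PR text cannot inject commands into the run step.

```yaml
# .github/dependabot.yml  (added example; "npm" and the schedule are assumptions)
version: 2
updates:
  - package-ecosystem: "npm"        # change to pip, bundler, maven, ... as needed
    directory: "/"                  # where the manifest (package.json here) lives
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5     # the default mentioned above; raise to surface more PRs at once
---
# .github/workflows/dependabot-slack.yml  (added example)
name: Dependabot PR Slack notification
on:
  pull_request:
    types: [opened]
permissions:
  contents: read
  pull-requests: read
jobs:
  notify:
    # only fire for PRs that Dependabot itself opened
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Post to Slack
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}   # assumed secret name
          SLACK_CHANNEL: "#sre-dependabot"                  # assumed channel; update for your team
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          REPO: ${{ github.repository }}
        run: |
          # build the JSON body with jq so the title cannot break out of the payload
          payload=$(jq -n --arg ch "$SLACK_CHANNEL" --arg t "$PR_TITLE" \
                          --arg u "$PR_URL" --arg r "$REPO" \
            '{channel: $ch, text: ("New Dependabot PR in " + $r + ": <" + $u + "|" + $t + ">")}')
          resp=$(curl -sS -X POST https://slack.com/api/chat.postMessage \
            -H "Authorization: Bearer $SLACK_BOT_TOKEN" \
            -H "Content-Type: application/json; charset=utf-8" \
            --data "$payload")
          echo "$resp"
          # fail the step if Slack rejected the message (e.g. bot not in channel, bad token)
          echo "$resp" | jq -e '.ok == true' > /dev/null
```

One caveat: workflows triggered by Dependabot-authored pull_request events only receive secrets stored under Settings → Secrets → Dependabot, not the Actions repository secrets, so store the bot token there as well or the `secrets.SLACK_BOT_TOKEN` reference will be empty.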
Dependabot Slack Notifications have now been set up!
Author: Rohin Paikattil, Software Engineering Intern