
Dependabot

Github Dependabot API Integration

This API integration automates a GitHub Dependabot vulnerability scan, creates assessments based on the vulnerabilities found, and creates child issues linked to the assessment, with issue severities derived from:

  • Vulnerability severity level
  • Number of days elapsed since the vulnerability was published

(NOTE: Requires release 4.13.0 or greater.)

The dependabot.py script is meant to be run as part of automated code checks in a pipeline; it is not a RegScale-CLI command and is not run separately as one.

Init.yaml Configuration

There are five pieces of information required to use the Dependabot API integration:

  • dependabotId - The GitHub user id
  • dependabotOwner - The owner (user or organization) of the repository
  • dependabotRepo - The repository name
  • dependabotToken - The personal access token created with the following scopes:
  • githubDomain - The GitHub API domain for your organization (differs for GitHub Enterprise users)
    • The default value in the init.yaml file is: api.github.com

Set the values for these five variables in the init.yaml file. Treat dependabotToken as a secret: do not commit an init.yaml containing a real token to the repository, and prefer injecting the token from the pipeline's secret store at run time.

Init.yaml Example

The following init.yaml structure is required. The values shown are placeholders; replace them with your actual user id, owner, repository name, and token:

githubDomain: api.github.com
dependabotId: user123
dependabotOwner: PizzaGarden
dependabotRepo: pepperoniScanner
dependabotToken: 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
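The five keys above are the only contract between the pipeline and dependabot.py, so it is worth failing fast when one is missing or when a placeholder token was committed instead of a real one. The following script is an added example and is not part of RegScale or the Dependabot integration; it assumes init.yaml is the flat key: value layout shown on this page (it does not depend on PyYAML) and that the pipeline exposes the token and repository details through environment variables named DEPENDABOT_ID, DEPENDABOT_OWNER, DEPENDABOT_REPO, DEPENDABOT_TOKEN and optionally GITHUB_API_DOMAIN. Those variable names are this example's own assumption, not something the integration defines. The sample init.yaml embedded in the script is constructed for the example.

```python
"""Check a RegScale init.yaml for the Dependabot integration before the
pipeline runs dependabot.py, and render one from CI secrets instead of
committing a token.  Added example, not RegScale's own code."""
import os
import sys

# The five keys the Dependabot integration reads from init.yaml.
REQUIRED_KEYS = ("githubDomain", "dependabotId", "dependabotOwner",
                 "dependabotRepo", "dependabotToken")

# GitHub personal access tokens start with ghp_ (classic) or github_pat_
# (fine-grained); anything else is almost certainly a placeholder.
PAT_PREFIXES = ("ghp_", "github_pat_")

# Constructed sample init.yaml, mirroring the structure on this page.
SAMPLE_INIT_YAML = """\
githubDomain: api.github.com
dependabotId: user123
dependabotOwner: PizzaGarden
dependabotRepo: pepperoniScanner
dependabotToken: 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
"""


def parse_flat_yaml(text):
    """Parse flat 'key: value' lines (comments and blanks ignored).

    Assumption: init.yaml has no nested mappings, as on this page."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip().strip("'\"")
    return cfg


def validate_config(cfg):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            problems.append(f"missing or empty: {key}")
    token = cfg.get("dependabotToken", "")
    if token and not token.startswith(PAT_PREFIXES):
        problems.append("dependabotToken does not look like a GitHub PAT "
                        "(expected ghp_ or github_pat_ prefix); placeholder?")
    return problems


def build_init_yaml(env):
    """Render init.yaml from pipeline variables so the token never lands in
    version control.  Variable names are this example's assumption."""
    try:
        values = {
            "githubDomain": env.get("GITHUB_API_DOMAIN", "api.github.com"),
            "dependabotId": env["DEPENDABOT_ID"],
            "dependabotOwner": env["DEPENDABOT_OWNER"],
            "dependabotRepo": env["DEPENDABOT_REPO"],
            "dependabotToken": env["DEPENDABOT_TOKEN"],
        }
    except KeyError as missing:
        raise SystemExit(f"pipeline variable not set: {missing.args[0]}")
    return "".join(f"{key}: {value}\n" for key, value in values.items())


if __name__ == "__main__":
    # Pipeline usage: write init.yaml from secrets, then refuse to continue
    # if anything required is missing, before python3 dependabot.py runs.
    rendered = build_init_yaml(os.environ)
    with open("init.yaml", "w", encoding="utf-8") as fh:
        fh.write(rendered)
    issues = validate_config(parse_flat_yaml(rendered))
    for issue in issues:
        print(f"init.yaml: {issue}", file=sys.stderr)
    sys.exit(1 if issues else 0)
```

Run it as the step immediately before python3 dependabot.py; a non-zero exit stops the pipeline before the scan is attempted with an unusable token, and the rendered init.yaml exists only in the job workspace, not in the repository.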

Running the Github Dependabot API Integration

You can execute the dependabot.py script from a Bash, Python, PowerShell, or similar wrapper script. Below is an example Bash file (named Githubdependabot.sh) for Ubuntu that executes the GitHub Dependabot API integration and runs the automated Dependabot vulnerability scan.

#!/bin/bash
# Abort the pipeline step on the first error or unset variable
set -eu

# Run the automated GitHub Dependabot vulnerability scan
python3 dependabot.py

To execute the Bash file, make it executable (chmod +x /path/to/folder/Githubdependabot.sh) and run this command: /path/to/folder/Githubdependabot.sh. The script's exit status is that of dependabot.py, so a failed scan fails the pipeline step.