Dependabot

Github Dependabot API Integration

This API integration is able to automate a GitHub Dependabot vulnerability scan, create assessments based off the vulnerabilities found, and create child issues linked to the assessment with severities based on:

• Vulnerability severity level
• Number of days elapsed since the vulnerability was published

(NOTE: Requires release 4.13.0 or greater.)

The dependabot.py script is meant to be run as part of automated code checks in a pipeline and not run separately as a RegScale-CLI command.

Init.yaml Configuration

There are five pieces of information required to use the dependabot API integration:

• dependabotId - The GitHub user id
• dependabotOwner - The owner of the repository
• dependabotRepo - The repository name
• dependabotToken - The personal access token created with the following scopes:
  • repo -> security_events (read and write security events)
  • https://github.com/settings/tokens/
• githubDomain - The GitHub api domain for your organization (will differ for GitHub enterprise users)
  • The default value in the init.yaml file is: api.github.com

Set the values for these five variables in the init.yaml file.

Init.yaml Example

The following init.yaml structure is necessary (example key structure shown below, replace with actual user, organization, and repository keys):

githubDomain: api.github.com
dependabotId: user123
dependabotOwner: PizzaGarden
dependabotRepo: pepperoniScanner
dependabotToken: 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

Running the Github Dependabot API Integration

You can execute the Python dependabot.py script using Bash, Python, PowerShell, etc. scripts. Below is an example Bash file (named Githubdependabot.sh) in Ubuntu for executing the Github Dependabot API integration that runs the automated dependabot vulnerability scan.

#!/bin/sh

# Run the automated github dependabot vulnerabilty scan
python3 dependabot.py

To execute the Bash file, run this command: /path/to/folder/Githubdepdendabot.sh.