Automated Security Updates with GitHub

Why?

Modern applications rely on hundreds of open source dependencies

Staying on top of security vulnerabilities in those dependencies requires constant attention

Keeping track of security vulnerabilities in all projects can be painful

Tools can reduce this pain

              <project>
                <build>
                  <plugins>
                    <!-- audits every dependency against the OSS Index vulnerability database -->
                    <plugin>
                      <groupId>org.sonatype.ossindex.maven</groupId>
                      <artifactId>ossindex-maven-plugin</artifactId>
                      <!-- pin a plugin version in a real build -->
                      <executions>
                        <execution>
                          <goals>
                            <!-- fails the build when a vulnerable dependency is found -->
                            <goal>audit</goal>
                          </goals>
                        </execution>
                      </executions>
                    </plugin>
                  </plugins>
                </build>
              </project>

Disadvantages

Only visible on the next application build

No updates available for vulnerable dependency

Blocked release pipeline because of vulnerabilities

No time to fix security vulnerabilities

So it usually ends up looking something like this

              <plugins>
                <plugin>
                  <groupId>org.sonatype.ossindex.maven</groupId>
                  <artifactId>ossindex-maven-plugin</artifactId>
                  <configuration>
                    <!-- the vulnerable dependency is excluded from the audit
                         so the pipeline is unblocked; the vulnerability itself
                         is silenced, not fixed -->
                    <excludeCoordinates>
                      <exclude>
                        <groupId>commons-fileupload</groupId>
                        <artifactId>commons-fileupload</artifactId>
                        <version>1.3</version>
                      </exclude>
                    </excludeCoordinates>
                  </configuration>
                </plugin>
              </plugins>

Is there a better solution?

Security Alerts

What?


GitHub acquired Dependabot in May 2019

...and started integrating its features directly into GitHub

First integration

Automated security fixes

Compatibility score

“An update's compatibility score is the percentage of CI runs that passed when updating between relevant versions of the dependency.”

How?

Two simple steps

#1

Enable security alerts

Navigate to your repository and click Settings

Scroll down to Data services and enable Security alerts

#2

Enable automated security updates

Under your repository name, click Security

Above the list of alerts, use the drop-down menu and select Automated security updates

Enjoy

More automation?


Merge security PRs automatically with probot auto-merge

.github/auto-merge.yml

                # keep the PR branch up to date with its base branch before merging
                updateBranch: true
                # remove the Dependabot branch once the PR has been merged
                deleteBranchAfterMerge: true
                # report the auto-merge decision as a status check on the PR
                reportStatus: true

                # never merge a PR that carries one of these labels
                blockingLabels:
                  - blocked
                  - wip

                # only merge PRs that carry all of these labels (Dependabot adds "dependencies")
                requiredLabels:
                  - dependencies

Important

Set up a branch protection rule...

...so that a PR can only be merged once your application's tests have passed
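The same branch protection rule, set through GitHub's REST API instead of the web UI, as an added example that is not part of the original slides. It assumes an authenticated `gh` CLI, uses the documented `PUT /repos/{owner}/{repo}/branches/{branch}/protection` endpoint, and treats the owner, repository, branch and status-check names as placeholders; `strict: true` also requires the PR branch to be up to date with its base, matching `updateBranch: true` in the auto-merge config.

```shell
#!/bin/sh
# Added example: require a passing CI status check before any PR (including
# auto-merged Dependabot PRs) can land on the protected branch.

# Build the JSON body for the branch protection endpoint.
# $1 = name of the CI status check that must pass (assumed to be "build" below).
protection_payload() {
  cat <<EOF
{
  "required_status_checks": { "strict": true, "contexts": ["$1"] },
  "enforce_admins": true,
  "required_pull_request_reviews": null,
  "restrictions": null
}
EOF
}

# Apply the rule: $1 owner, $2 repo, $3 branch, $4 status-check name.
# Makes a network call, so it is only run when invoked explicitly.
apply_protection() {
  protection_payload "$4" | gh api --method PUT \
    -H "Accept: application/vnd.github+json" \
    "/repos/$1/$2/branches/$3/protection" --input -
}

# Example usage (placeholders, not a real repository):
# apply_protection my-org my-app master build
```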

Done

Summary

Security alerts for vulnerable dependencies

Security fixes as pull requests

Project updates with tested security fixes

fully automated

THANK YOU!