Last Updated on November 23, 2020 by Christopher G Mendla
GitHub will provide an alert if it finds vulnerabilities in your repository.
If you are using GitHub as your repository, Dependabot will scan your code and alert you if there are vulnerabilities in your code or any of the dependencies.
NOTE – this is only one tool to keep your applications secure.
How it works
Dependabot will look at your master branch. If it finds a vulnerability, it will provide an alert similar to the following.
This notice will only be visible to the owner(s) of the repository and not to the public.
You can get more details by clicking the “See Dependabot alerts” button. You will then see something such as the following.
In most cases you can drill down for more details.
What now? How do I fix the vulnerability?
At this point, you need to understand what is causing the issue, how it can be resolved, and whether there are workarounds. I recently had an issue in a Rails project. The way I resolved it was to update Rails to 5.2.4.4.
Every application and repository will require different approaches.
Once the identified vulnerabilities are resolved and the code merged to master, the message(s) will disappear.
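To make the mechanism concrete, here is an added example in plain Ruby (not code from this post, from GitHub or from Dependabot): it parses the specs section of a Gemfile.lock and checks each locked version against an advisory list, which is the core of what Dependabot and bundler-audit do. The advisory entry is constructed for illustration with a hypothetical ID; its patched range (>= 5.2.4.4) mirrors the Rails update described above, so the first lockfile is flagged and the updated one is clean.

```ruby
# Added example (not from the original post): a minimal lockfile-vs-advisory check.
require "rubygems"

# CONSTRUCTED advisory data for illustration only: hypothetical ID,
# patched range taken from the post's own fix (Rails updated to 5.2.4.4).
ADVISORIES = {
  "rails" => { id: "EXAMPLE-ADVISORY-0000", patched: [">= 5.2.4.4"] },
}.freeze

# Parse "    name (version)" lines under the GEM/specs section of a Gemfile.lock.
# Returns { "name" => Gem::Version }; deeper-indented dependency lines are skipped.
def parse_lockfile(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    in_specs = false if line =~ /\A\S/            # new top-level section (GEM, PLATFORMS, ...)
    in_specs = true  if line.strip == "specs:"
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))   # exactly 4 spaces = a spec line
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# Return the advisories whose patched range does not cover the locked version.
def vulnerable_gems(specs)
  specs.each_with_object([]) do |(name, version), found|
    adv = ADVISORIES[name] or next
    patched = adv[:patched].any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
    found << { gem: name, version: version.to_s, advisory: adv[:id] } unless patched
  end
end

# Constructed sample lockfile fragments: before and after the Rails update.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.2.4.3)
        actionpack (= 5.2.4.3)
      rake (13.0.1)

  PLATFORMS
    ruby
LOCK
LOCK_AFTER = LOCK_BEFORE.gsub("5.2.4.3", "5.2.4.4")

if __FILE__ == $PROGRAM_NAME
  p vulnerable_gems(parse_lockfile(LOCK_BEFORE))  # flags rails 5.2.4.3
  p vulnerable_gems(parse_lockfile(LOCK_AFTER))   # [] once the gem is updated
end
```

Running it against the real Gemfile.lock of a project would only need the advisory hash swapped for a maintained feed, which is what the hosted tools provide.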
Keeping an eye on your repository.
According to the GitHub documentation, you should receive a notification regarding the vulnerability. However, that could be lost in the daily email flood. If you are in active development, you will see the alert the next time you open the repository.
If you are not in active development, you could miss a key warning about a vulnerability. It would be a good idea to check your repos on a schedule, such as once a week.
Summary.
The Dependabot warnings are useful, but they are only one tool. You need to be proactive in preventing vulnerabilities. For example, in Ruby on Rails, you should be checking for outdated gems. Also, Rails has tools such as Brakeman, RuboCop and bundle audit to help spot vulnerabilities.