Commit

📖 Dependabot config file link (#1498)
* Dependabot config file link

It seems like dependabot.com is gone and the documentation of the configuration file has now moved to https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates

* Updated dependabot docs link

Co-authored-by: Naveen <[email protected]>
hholi and naveensrinivasan authored Jan 21, 2022
1 parent 0d76dea commit 062e33b
Showing 2 changed files with 4 additions and 4 deletions.
4 changes: 2 additions & 2 deletions docs/checks.md
Expand Up @@ -291,7 +291,7 @@ The highest score is awarded when all workflows avoid the dangerous code pattern
Risk: `High` (possibly vulnerable to attacks on known flaws)

This check tries to determine if the project uses a dependency update tool,
specifically [dependabot](https://dependabot.com/docs/config-file/) or
specifically [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or
[renovatebot](https://docs.renovatebot.com/configuration-options/). Out-of-date
dependencies make a project vulnerable to known flaws and prone to attacks.
These tools automate the process of updating dependencies by scanning for
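Review bot: the replaced `specifically [dependabot](...)` line carries text identical to the docs/checks/internal/checks.yaml hunk in this same commit; if docs/checks.md is generated from that YAML, the Markdown should be regenerated rather than hand-edited, so please confirm which file is the source of truth and that a generator run would produce exactly this diff. The new target itself matches the commit message: dependabot.com/docs/config-file is the retired location and the docs.github.com configuration-options page is its replacement.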
Expand All @@ -309,7 +309,7 @@ low score is therefore not a definitive indication that the project is at risk.


**Remediation steps**
- Signup for automatic dependency updates with [dependabot](https://dependabot.com/docs/config-file/) or [renovatebot](https://docs.renovatebot.com/configuration-options/) and place the config file in the locations that are recommended by these tools. Due to https://github.com/dependabot/dependabot-core/issues/2804 Dependabot can be enabled for forks where security updates have ever been turned on so projects maintaining stable forks should evaluate whether this behavior is satisfactory before turning it on.
- Signup for automatic dependency updates with [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or [renovatebot](https://docs.renovatebot.com/configuration-options/) and place the config file in the locations that are recommended by these tools. Due to https://github.com/dependabot/dependabot-core/issues/2804 Dependabot can be enabled for forks where security updates have ever been turned on so projects maintaining stable forks should evaluate whether this behavior is satisfactory before turning it on.

## Fuzzing

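Review bot: since this remediation bullet is already being touched, `Signup for automatic dependency updates` should read `Sign up for automatic dependency updates`, and the last sentence needs a comma before `so projects maintaining stable forks` to separate the two clauses. The link label still reads `dependabot` while the new target is the configuration-options reference rather than a sign-up page; a label such as `[dependabot's configuration options](...)` would tell the reader what they will land on.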
4 changes: 2 additions & 2 deletions docs/checks/internal/checks.yaml
Expand Up @@ -50,7 +50,7 @@ checks:
Risk: `High` (possibly vulnerable to attacks on known flaws)
This check tries to determine if the project uses a dependency update tool,
specifically [dependabot](https://dependabot.com/docs/config-file/) or
specifically [dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or
[renovatebot](https://docs.renovatebot.com/configuration-options/). Out-of-date
dependencies make a project vulnerable to known flaws and prone to attacks.
These tools automate the process of updating dependencies by scanning for
Expand All @@ -69,7 +69,7 @@ checks:
remediation:
- >-
Signup for automatic dependency updates with
[dependabot](https://dependabot.com/docs/config-file/) or
[dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates) or
[renovatebot](https://docs.renovatebot.com/configuration-options/) and place
the config file in the locations that are recommended by these tools. Due to
https://github.com/dependabot/dependabot-core/issues/2804 Dependabot can
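Review bot: this link sits inside a `>-` folded block scalar, so YAML joins the lines with single spaces; the change correctly keeps the whole `[dependabot](https://docs.github.com/...) or` markup on one physical line, which is what keeps the Markdown link intact after folding. Please do not re-wrap the long URL to match the surrounding line width, since a break inside the parentheses would split the link target. The `Signup` to `Sign up` wording fix raised on the docs/checks.md hunk applies to the `Signup for automatic dependency updates with` line here as well.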
