GitHub’s Dependabot has been a lifeline for countless organizations. On paper, Dependabot is a powerful security feature, automatically detecting and updating vulnerable dependencies across your repositories. But here’s the problem: without proper configuration, Dependabot often creates more noise than value. Engineering teams get inundated with sporadic, unpredictable updates that break builds, while security teams remain blind to critical dependency vulnerabilities that need immediate attention.
For organizations without GitHub Advanced Security—which can cost tens of thousands of dollars annually—getting Dependabot to work effectively has been a manual, time-consuming process that requires ongoing maintenance across potentially hundreds of repositories. Even worse, recent changes to GitHub’s platform removed key features like automatic reviewer assignment, leaving security teams out of the loop on critical security updates.
This is where Red Canary’s newest open source tool comes in. Dependabot Configurator solves the fundamental challenges that make Dependabot difficult to use in practice, while ensuring security teams get the visibility and control they need to protect their organizations.
Visit the Dependabot Configurator GitHub page for code and implementation instructions to help secure your organization’s repositories.
The Dependabot problem: Great in theory, painful in practice
GitHub’s Dependabot promises automated dependency management, but the reality is often frustrating for both engineering and security teams. Here’s what we consistently see at Red Canary:
Unpredictable update chaos
Without proper configuration, Dependabot updates arrive sporadically and unpredictably. One day you might get five dependency update PRs, the next day none, then suddenly fifteen all at once. This makes it impossible for teams to plan and allocate time for reviewing updates.
Transitive dependency nightmares
By default, Dependabot updates both direct and transitive dependencies. While this sounds comprehensive, it often leads to complex compatibility issues where updating a transitive dependency breaks the primary dependency, creating builds that are impossible to fix without deep dependency tree knowledge.
Security updates lost in the noise
Critical security updates get buried alongside routine version bumps, making it difficult for security teams to prioritize what actually matters for organizational risk.
Configuration overhead scales poorly
Setting up optimal Dependabot configurations for each repository is time-consuming and requires ongoing maintenance as package managers change. For organizations with dozens or hundreds of repositories, this becomes an impossible maintenance burden.
No security team visibility
Without GitHub Advanced Security, there’s no built-in way to ensure security teams are notified about critical dependency vulnerabilities. Security updates get treated the same as routine maintenance, leaving security teams in the dark about risks that could impact the entire organization.
As a result of these challenges, many engineering teams simply disable Dependabot or ignore its alerts entirely, missing out on important security updates and leaving their organizations vulnerable to known exploits.
Why did I build Dependabot Configurator in the first place?
Simply put, I developed Dependabot Configurator because I needed a way to make dependency management actually work for both the engineering and security teams at scale at Red Canary, without purchasing yet another expensive tool that requires tuning. Dependencies represent one of the largest attack surfaces in modern applications, and Red Canary’s Product Security team needed a way to manage this risk effectively.
Dependencies in code repositories represent one of the largest attack surfaces in modern applications.
We knew that Dependabot had the potential to be incredibly valuable, but the default experience was too noisy and unpredictable for engineering teams, while providing no visibility for security teams. After poring through Dependabot’s documentation, I realized that if we were going to go forward with Dependabot as a solution for third-party open source package management, I would need to build an automated solution that made it possible for product teams to configure what they care about while ensuring all the security features I care about are protected.
Requirements
My requirements for Dependabot Configurator were strict. I wanted the tool to:
- Automatically detect package managers across repositories and generate appropriate configurations.
- Focus on direct dependencies to avoid the complexity and instability of transitive updates.
- Separate security updates from version updates with different handling for each.
- Ensure security team visibility through automated reviewer assignment and labeling.
- Group updates predictably so teams can plan time for dependency reviews.
- Scale effortlessly across organizations with hundreds of repositories.
- Require minimal setup, with just two files to get started.
- Protect against supply chain attacks by pinning GitHub Actions with
SHA256.
Better dependency management through automation
Let’s walk through a real-world example of how Dependabot Configurator transforms the dependency management experience. Consider a typical organization with 50 repositories using various package managers: npm, pip, Docker, Maven, and others. Without Dependabot Configurator, setting up proper dependency management would require:
Manual configuration for each repository (hours per repository)
- Analyzing which package managers are in use
- Reading Dependabot documentation
- Creating appropriate Dependabot configuration entries
- Setting up ignore rules for problematic dependencies
- Configuring schedules and PR limits
- Testing the configuration and iterating
Ongoing maintenance
- Adding new package managers as they’re introduced
- Adjusting ignore rules as dependencies change
- Managing configuration drift across repositories
- Troubleshooting broken builds from problematic updates
In total, this represents hundreds of hours of initial setup and many hours of monthly maintenance—an impossible burden for most teams.
How Dependabot Configurator streamlines this process
With Dependabot Configurator, the same organization simply:
- Copies two files to each repository (5 minutes per repository)
- Runs the configurator weekly via GitHub Actions (fully automated)
- Reviews and merges the generated configuration updates (less than 5 minutes per repository per month)
The configurator automatically:
- Scans repositories to detect all package managers in use
- Generates optimized configurations with appropriate schedules and grouping
- Applies ignore rules from a simple YAML file
- Creates security reviewer workflows that ensure security teams are notified of security updates
- Pins GitHub Actions to specific SHA256 hashes for improved security
- Updates configurations as repositories evolve
The security team visibility challenge
One of the most critical problems Dependabot Configurator solves is the lack of visibility into dependency vulnerabilities. This challenge became even more acute when GitHub recently removed the reviewers field from Dependabot’s configuration, breaking many organizations’ security review processes.
The reviewer removal problem
Previously, organizations could configure Dependabot to automatically assign security teams as reviewers on security update PRs:
# This no longer works
updates:
package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
reviewers: # GitHub removed this feature
"security-team" # GitHub removed this feature
When GitHub removed this functionality, security teams suddenly lost visibility into critical security updates, creating a significant gap in organizational security posture.
Our label-based solution
Dependabot Configurator solves this problem through a bridge pattern architecture that uses labels instead of reviewers. Here’s how it works:
- The security-update label is automatically added on every repository. Labels are repo-based and must be created for every repo. This is another pain point that is effortlessly solved by configurator.
- Dependabot creates security update PRs with the security-update label
- A detector workflow monitors for PRs with this label
- A bridge workflow with access to organization secrets assigns security team reviewers
- Security teams get notified and can provide guidance directly in the PR
This approach overcomes GitHub’s security restrictions to ensure security teams maintain visibility into critical updates.
Configuration generation in action
The power of Dependabot Configurator lies in its ability to automatically generate highly optimized configurations tailored to each repository’s specific needs. Here’s how this looks in practice:
Before: Manual configuration chaos
A typical repository might have no configuration or a basic Dependabot configuration:
version: 2
updates:
package-ecosystem: "npm"
directory: "/"
This configuration creates several problems:
- Default is daily updates, which are too frequent and unpredictable
- No distinction between security and version updates
- No grouping leads to multiple individual PRs
- No ignore rules for problematic dependencies
- No security team visibility
After: Optimized automatic configuration
Dependabot Configurator generates a comprehensive, optimized configuration for every package manager and detects when package managers are added or removed:
version: 2
updates:
# Version updates - grouped and scheduled
package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "08:00"
timezone: "America/Chicago"
open-pull-requests-limit: 1
groups:
npm-version-updates:
patterns:
"*"
ignore:
dependency-name: "problematic-package"
update-types: ["version-update:semver-patch"]
# Security updates - immediate and ungrouped
package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "08:00"
timezone: "America/Chicago"
open-pull-requests-limit: 0
labels:
"security-update"
"dependencies"
This optimized configuration:
- Groups version updates into a single weekly PR
- Handles security updates separately with appropriate labeling
- Applies ignore rules for problematic dependencies for your teams/organization
- Uses predictable scheduling so teams can plan review time
- Enables security team notification through the label-based workflow
The traditional approach doesn’t scale
One of Dependabot Configurator’s greatest strengths is its ability to scale effortlessly across large organizations. Consider the challenges faced by a typical enterprise:
- Repository diversity: Different teams use different package managers (npm, pip, Maven, Docker, Go modules, etc.)
- Inconsistent practices: Each team has different approaches to dependency management
- Security compliance: Need to ensure consistent security practices across all repositories
- Resource constraints: Limited time for manual configuration and maintenance
Dependabot Configurator scales automatically
With Dependabot Configurator, organizations can:
- Deploy once, benefit everywhere: Copy two files to each repository and the configurator handles the rest.
- Maintain consistency: All repositories get optimized configurations following the same best practices.
- Adapt automatically: Configurations update as repositories add new package managers or change structure.
- Centralize policy: Ignore rules and security policies are managed centrally but applied consistently.
This approach scales sublinearly—the effort to manage 500 repositories becomes only marginally more than managing 50.
A note of gratitude
My great hope for this project is that it will provide value to security teams with limited budgets but with a desire to make big impacts. As teams use this tool, I hope you will contribute to the project and make it even better than it currently is.
The creation of Dependabot Configurator was inspired by the real-world challenges we’ve seen organizations face with dependency management, and we want to extend our thanks to:
- Red Canary’s engineering and security teams for their invaluable feedback throughout the development process and for helping us understand the real-world challenges of dependency management at scale.
- GitHub’s Dependabot team for creating a powerful foundation that, with proper configuration, can significantly improve organizational security posture.
Related Articles
The art and science of effective security storytelling