
chore(deps): scope Dependabot to real manifests, ignore vulnerable test fixtures #692

Merged
shivasurya merged 1 commit into main from shiva/dependabot-config on May 22, 2026

Conversation

@shivasurya (Owner)

Summary

Dependabot's auto-discovery walks every manifest in the repo. Without an explicit allowlist it picks up:

  • ~70 go.mod files under rules/**/tests/{positive,negative,} (per-rule self-test modules)
  • ~5 go.mod files under sast-engine/test-fixtures/golang/

These pin deliberately vulnerable dependency versions used to self-test pathfinder's rules (dgrijalva/jwt-go@v3.2.0 for GO-JWT-002, vulnerable gorm releases for GO-GORM-SQLI-*, etc.). Letting Dependabot file version-update PRs against them would break the very rules they exist to test.

This adds .github/dependabot.yml that explicitly lists the seven real manifest locations. Everything not listed is left untouched.

What gets tracked

| Ecosystem | Path | Why |
|---|---|---|
| gomod | /sast-engine | The actual SAST engine |
| gomod | /sast-engine/tools/validate_go_resolution | Real internal tool |
| gradle | /sast-engine | Java build deps |
| pip | /python-sdk | Public Python SDK |
| pip | /sast-engine/tools/typeshed-converter | Real internal tool |
| npm | /extension/secureflow | VS Code extension root |
| npm | /extension/secureflow/packages/secureflow-cli | CLI subpackage |
| github-actions | / | All 15 workflow files |

Minor/patch updates are grouped into one weekly PR per ecosystem to reduce noise; major updates remain individual for review. The chore(deps) prefix matches the repo's commit convention.

Scope this does NOT cover

Dependabot alerts (Security tab) are not controlled by this file. Alerts come from the auto-built dependency graph, and there is no repo-file mechanism to path-exclude. To stop alert noise from the fixture manifests:

  1. Go to Settings → Security → Dependabot → Auto-triage rules.
  2. Add a rule with: paths matching rules/** or sast-engine/test-fixtures/**, action = "Auto-dismiss alert", reason = tolerable_risk (or not_used).

The header comment in dependabot.yml documents this.

A second follow-up is the self-scan workflow (code-pathfinder-scan.yml), which runs pathfinder on this repo: it doesn't pass --exclude rules --exclude sast-engine/test-fixtures yet. That needs an exclude input added to action.yml first, which is a separate PR.

Test plan

  • YAML syntax valid (parses cleanly).
  • Every listed directory resolves to a real manifest file in this repo.
  • No listed path overlaps with rules/ or sast-engine/test-fixtures/.
  • Once merged: confirm via the Dependabot tab that only the 8 listed update configs appear (no auto-discovered entries from fixture manifests).

…st fixtures

Dependabot's auto-discovery walks every manifest in the repo. That
includes ~75 go.mod files under rules/**/tests/ and
sast-engine/test-fixtures/ whose dependency pins are deliberately
old, vulnerable versions used to self-test pathfinder's rules
(dgrijalva/jwt-go@v3.2.0 for GO-JWT-002, vulnerable gorm releases
for GO-GORM-SQLI-*, etc.). Letting Dependabot file version-update
PRs against those would break the rules they exist to test.

This config explicitly enumerates the seven real manifest locations
(sast-engine go.mod and build.gradle, sast-engine/tools/* go.mod and
requirements.txt, python-sdk pyproject.toml, the two extension/secureflow
npm manifests, plus github-actions for .github/workflows/). Anything
not listed is left untouched, so test-fixture go.mods stay at their
pinned vulnerable versions.

Each ecosystem groups minor/patch updates into a single weekly PR
(major updates remain individual for review) and uses chore(deps) as
the commit prefix to match repo convention.

Note: this only controls version-update PRs. Dependabot alerts
(Security tab) are built off the dependency graph and have no
repo-file mechanism to exclude paths. The header comment points at
Settings -> Security -> Dependabot -> Auto-triage rules for that.
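The allowlist that the PR description ("What gets tracked") and the commit message above describe, written out as an added example. This is not the repository's actual .github/dependabot.yml (the page does not show that file); the eight ecosystem/path pairs are taken from the table in the description, the weekly schedule and chore(deps) prefix are as stated there, and the group name minor-and-patch is an assumption. Everything under rules/ and sast-engine/test-fixtures/ is simply not listed, which is the whole mechanism: Dependabot version updates only visit directories enumerated here.

```yaml
# Added example of the allowlist described in PR #692; not the repository's
# own .github/dependabot.yml. Paths come from the PR description's table,
# the group name "minor-and-patch" is assumed.
version: 2
updates:
  # --- Go modules: the engine and its one real internal Go tool ---
  - package-ecosystem: "gomod"
    directory: "/sast-engine"
    schedule: { interval: "weekly" }
    commit-message: { prefix: "chore(deps)" }
    groups:
      # minor + patch bumps land in one weekly PR; majors match no group
      # and therefore get individual PRs for review
      minor-and-patch: { update-types: ["minor", "patch"] }

  - package-ecosystem: "gomod"
    directory: "/sast-engine/tools/validate_go_resolution"
    schedule: { interval: "weekly" }
    commit-message: { prefix: "chore(deps)" }
    groups:
      minor-and-patch: { update-types: ["minor", "patch"] }

  # --- Gradle: Java build deps of the engine ---
  - package-ecosystem: "gradle"
    directory: "/sast-engine"
    schedule: { interval: "weekly" }
    commit-message: { prefix: "chore(deps)" }
    groups:
      minor-and-patch: { update-types: ["minor", "patch"] }

  # --- pip: public SDK and the typeshed converter tool ---
  - package-ecosystem: "pip"
    directory: "/python-sdk"
    schedule: { interval: "weekly" }
    commit-message: { prefix: "chore(deps)" }
    groups:
      minor-and-patch: { update-types: ["minor", "patch"] }

  - package-ecosystem: "pip"
    directory: "/sast-engine/tools/typeshed-converter"
    schedule: { interval: "weekly" }
    commit-message: { prefix: "chore(deps)" }
    groups:
      minor-and-patch: { update-types: ["minor", "patch"] }

  # --- npm: extension root and the CLI subpackage ---
  - package-ecosystem: "npm"
    directory: "/extension/secureflow"
    schedule: { interval: "weekly" }
    commit-message: { prefix: "chore(deps)" }
    groups:
      minor-and-patch: { update-types: ["minor", "patch"] }

  - package-ecosystem: "npm"
    directory: "/extension/secureflow/packages/secureflow-cli"
    schedule: { interval: "weekly" }
    commit-message: { prefix: "chore(deps)" }
    groups:
      minor-and-patch: { update-types: ["minor", "patch"] }

  # --- GitHub Actions: directory "/" means .github/workflows/ ---
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule: { interval: "weekly" }
    commit-message: { prefix: "chore(deps)" }
    groups:
      minor-and-patch: { update-types: ["minor", "patch"] }

# Deliberately absent: every go.mod under rules/**/tests/ and
# sast-engine/test-fixtures/. Version updates never run there, so the
# pinned vulnerable versions the rules self-test against stay put.
```

Two properties worth checking by hand before merging a file like this: each directory contains a manifest of the named ecosystem (go.mod, build.gradle, requirements.txt or pyproject.toml, package.json, .github/workflows/), and no directory is a prefix of rules/ or sast-engine/test-fixtures/. As the PR notes, this file governs version-update PRs only; Dependabot alerts still have to be handled with an auto-triage rule in the repository settings.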
@shivasurya added the labels dependencies (Pull requests that update a dependency file), github_actions (Pull requests that update GitHub Actions code) and chore on May 22, 2026
@shivasurya self-assigned this on May 22, 2026
@safedep

safedep Bot commented May 22, 2026

SafeDep Report Summary

[Badges: Malicious Packages: green; Vulnerable Packages: green; Risky License: green]

No dependency changes detected. Nothing to scan.


This report is generated by SafeDep Github App

@github-actions

Code Pathfinder Security Scan

Status: Pass. Findings by severity (Critical, High, Medium, Low, Info): none reported.

No security issues detected.

| Metric | Value |
|---|---|
| Files Scanned | 1 |
| Rules | 205 |

Powered by Code Pathfinder

@code-pathfinder

Pathfinder Report

No security findings on the changed files. This pull request is clean.

Powered by Code Pathfinder.

@shivasurya shivasurya merged commit 00a5753 into main May 22, 2026
5 checks passed
@shivasurya shivasurya deleted the shiva/dependabot-config branch May 22, 2026 01:24