Configuring access to private registries for Dependabot

You can configure Dependabot to access dependencies stored in private registries. You can store authentication information, like passwords and access tokens, as encrypted secrets and then reference these in the Dependabot configuration file. If you have registries on private networks, you can also configure Dependabot access when running Dependabot on self-hosted runners.

In this article

About private registries

Dependabot version updates keeps your dependencies up-to-date. Dependabot can access public registries. In addition, you can give Dependabot version updates access to private package registries and private GitHub repositories so that you can keep your private and innersource dependencies as up-to-date as your public dependencies.

In most ecosystems, private dependencies are usually published to private package registries. These private registries are similar to their public equivalents, but they require authentication.

For specific ecosystems, you can configure Dependabot to access only private registries by removing calls to public registries. For more information, see "Removing Dependabot access to public registries."

To allow Dependabot access to registries hosted privately or restricted to internal networks, configure Dependabot to run on GitHub Actions self-hosted runners. For more information, see "Managing Dependabot on self-hosted runners."

Configuring private registries

You configure Dependabot's access to private registries in the dependabot.yml file. The top-level registries key is optional and specifies authentication details.

There are 2 locations in the dependabot.yml file where you can use the registries key:

  • At the top level, where you define the registries and their access information, if needed.
  • Within the updates blocks, where you can use registries: "*" to tell Dependabot to use any or all of the registries you defined at the top level.
# registries: gradle-artifactory - provides access details for the gradle-artifactory registry
# registries: "*" - allows Dependabot to use all the defined registries specified at the top level

version: 2
registries:
  gradle-artifactory:
    type: maven-repository
    url: https://acme.jfrog.io/artifactory/my-gradle-registry
    username: octocat
    password: ${{secrets.MY_ARTIFACTORY_PASSWORD}}
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    registries: "*"
    schedule:
      interval: "monthly"

You use the following options to specify access settings. Registry settings must contain a type and a url, and typically either a username and password combination or a token.

Option                Description
typeIdentifies the type of registry. For more information about the available registry types, see "registries." For further details about the configuration of private registries specifically, see "Configuration options for private registries."
urlThe URL to use to access the dependencies in this registry. The protocol is optional. If not specified, https:// is assumed. Dependabot adds or ignores trailing slashes as required.
usernameThe username that Dependabot uses to access the registry.
username is the username or email address for the account.
passwordA reference to a Dependabot secret containing the password for the specified user. For more information, see "Configuring access to private registries for Dependabot."
password is the password for the account specified by the username. If the account is a GitHub account, you can use a GitHub personal access token in place of the password.
keyA reference to a Dependabot secret containing an access key for this registry. For more information, see "Configuring access to private registries for Dependabot."
tokenA reference to a Dependabot secret containing an access token for this registry. For more information, see "Configuring access to private registries for Dependabot."
token is used to provide an access token for an external system and should not be used to provide a GitHub personal access token. If you want to use a GitHub personal access token, you should supply it as a password.
replaces-baseFor registries, if the boolean value is true, Dependabot will resolve dependencies by using the specified URL rather than the base URL of that specific ecosystem. For example, for registries with type: python-index, if the boolean value is true, pip resolves dependencies by using the specified URL rather than the base URL of the Python Package Index (by default https://pypi.org/simple).

For more information about the configuration options that are available, how to use them, and about the supported types, see "Configuration options for the dependabot.yml file."

Storing credentials for Dependabot to use

To give Dependabot access to the private registries supported by GitHub, you store the registry’s access token or secret in the secret store for your repository or organization.

About encrypted secrets for Dependabot

Dependabot secrets are encrypted credentials that you create at either the organization level or the repository level. When you add a secret at the organization level, you can specify which repositories can access the secret. You can use secrets to allow Dependabot to update dependencies located in private package registries. When you add a secret, it's encrypted before it reaches GitHub and it remains encrypted until it's used by Dependabot to access a private package registry.

Dependabot secrets also include secrets that are used by GitHub Actions workflows triggered by Dependabot pull requests. Dependabot itself may not use these secrets, but the workflows require them. For more information, see "Automating Dependabot with GitHub Actions."

After you add a Dependabot secret, you can reference it in the dependabot.yml configuration file like this: ${{secrets.NAME}}, where "NAME" is the name you chose for the secret. For example:

password: ${{secrets.MY_ARTIFACTORY_PASSWORD}}

For more information, see "Configuration options for the dependabot.yml file."

Naming your secrets

The name of a Dependabot secret:

  • Can only contain alphanumeric characters ([A-Z], [0-9]) or underscores (_). Spaces are not allowed. If you enter lowercase letters these are changed to uppercase.
  • Must not start with the GITHUB_ prefix.
  • Must not start with a number.

Adding a repository secret for Dependabot

To create secrets for a personal account repository, you must be the repository owner. To create secrets for an organization repository, you must have admin access.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, select Secrets and variables, then click Dependabot.

  4. Click New repository secret.

  5. Type a name for your secret in the Name input box.

  6. Enter the value for your secret.

  7. Click Add secret.

    The name of the secret is listed on the Dependabot secrets page. You can click Update to change the secret value. You can click Remove to delete the secret.

Adding an organization secret for Dependabot

When creating a secret in an organization, you can use a policy to limit which repositories can access that secret. For example, you can grant access to all repositories, or limit access to only private repositories or a specified list of repositories.

To create secrets at the organization level, you must have admin access.

  1. On GitHub, navigate to the main page of the organization.

  2. Under your organization name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of the tabs in an organization's profile. The "Settings" tab is outlined in dark orange.

  3. In the "Security" section of the sidebar, select Secrets and variables, then click Dependabot.

  4. Click New organization secret.

  5. Type a name for your secret in the Name input box.

  6. Enter the Value for your secret.

  7. From the Repository access dropdown list, choose an access policy.

  8. If you chose Selected repositories:

    • Click .
    • In the dialog box, select the repositories that can access this secret.
    • Click Update selection.

  9. Click Add secret.

    The name of the secret is listed on the Dependabot secrets page. You can click Update to change the secret value or its access policy. You can click Remove to delete the secret.

Configuring firewall IP rules

You can add Dependabot-related IP addresses to your registries IP allow list.

If your private registry is configured with an IP allow list, you can find the IP addresses Dependabot uses to access the registry in the meta API endpoint, under the dependabot key. If you run Dependabot on GitHub Actions self-hosted runners, you should instead use the IP addresses under the actions key. For more information, see "REST API endpoints for meta data" and "About Dependabot on GitHub Actions runners."