Setting up Dependabot security and version updates on your enterprise

You can create dedicated runners for your GitHub Enterprise Server instance that Dependabot uses to create pull requests to help secure and maintain the dependencies used in repositories on your enterprise.

Note: Dependabot security and version updates are currently in private beta and subject to change. To request access to the beta release, contact your account management team.

Tip: If your GitHub Enterprise Server instance uses clustering, you cannot set up Dependabot security and version updates, because GitHub Actions is not supported in cluster mode.

About Dependabot updates

When you set up Dependabot security and version updates for your GitHub Enterprise Server instance, users can configure repositories so that their dependencies are updated and kept secure automatically. This is an important step in helping developers create and maintain secure code.

Users can set up Dependabot to create pull requests to update their dependencies using two features.

  • Dependabot version updates: Users add a Dependabot configuration file to the repository to enable Dependabot to create pull requests when a new version of a tracked dependency is released. For more information, see "About Dependabot version updates."
  • Dependabot security updates: Users toggle a repository setting to enable Dependabot to create pull requests when GitHub detects a vulnerability in one of the dependencies of the dependency graph for the repository. For more information, see "About alerts for vulnerable dependencies" and "About Dependabot security updates."

Prerequisites for Dependabot updates

Both types of Dependabot update have the following requirements.

Additionally, Dependabot security updates rely on the dependency graph, vulnerability data from GitHub Connect, and Dependabot alerts. These features must be enabled on your GitHub Enterprise Server instance. For more information, see "Enabling the dependency graph and Dependabot alerts on your enterprise account."

Setting up self-hosted runners for Dependabot updates

When you have configured your GitHub Enterprise Server instance to use GitHub Actions, you need to add self-hosted runners for Dependabot updates. For more information, see "Getting started with GitHub Actions for GitHub Enterprise Server."

System requirements for Dependabot runners

Any VM that you use for Dependabot runners must meet the requirements for self-hosted runners. In addition, it must meet the following requirements.

  • Linux operating system
  • Git installed
  • Docker installed with access for the runner users:
    • We recommend installing Docker in rootless mode and configuring the runners to access Docker without root privileges.
    • Alternatively, install Docker and give the runner users elevated privileges to run Docker.

The CPU and memory requirements depend on the number of concurrent runners you deploy on a given VM. As guidance, we have successfully set up 20 runners on a single machine with 2 CPUs and 8 GB of memory, but ultimately your CPU and memory requirements will depend heavily on the repositories being updated. Some ecosystems require more resources than others.

If you specify more than 14 concurrent runners on a VM, you must also update the Docker /etc/docker/daemon.json configuration to increase the default number of networks Docker can create.

{
  "default-address-pools": [
    {"base":"10.10.0.0/16","size":24}
  ]
}
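The daemon.json adjustment above can be checked and applied programmatically. The following is an added example, not part of the GitHub documentation; it assumes only the page's threshold of 14 runners and its 10.10.0.0/16 pool split into /24 subnets, and preserves any unrelated keys already in the file.

```python
import copy
import ipaddress
import json

# Pool entry the page recommends when a VM runs more than 14 concurrent runners.
PAGE_POOL = {"base": "10.10.0.0/16", "size": 24}
# Threshold taken from the page: above this many runners the default pools run out.
RUNNER_THRESHOLD = 14


def networks_in_pool(pool):
    """Return how many subnets of the requested size one address pool can hand out."""
    base = ipaddress.ip_network(pool["base"], strict=True)
    size = int(pool["size"])
    if size < base.prefixlen:
        raise ValueError("pool 'size' must not be wider than the base prefix")
    return 2 ** (size - base.prefixlen)


def networks_available(config):
    """Total subnets offered by a daemon.json dict, or None when Docker's built-in defaults apply."""
    pools = config.get("default-address-pools")
    if not pools:
        return None
    return sum(networks_in_pool(p) for p in pools)


def updated_daemon_config(config, runner_count):
    """Return a copy of the daemon.json dict able to supply one network per runner.

    The page's pool (256 /24 subnets) is appended only when the runner count is
    above the threshold and the existing pools, or Docker's defaults, cannot cover it.
    """
    new = copy.deepcopy(config)
    if runner_count <= RUNNER_THRESHOLD:
        return new
    have = networks_available(new)
    if have is None or have < runner_count:
        new.setdefault("default-address-pools", []).append(dict(PAGE_POOL))
    return new


def render_daemon_json(text, runner_count):
    """Take the current daemon.json text (possibly empty) and return the text to write back."""
    config = json.loads(text) if text.strip() else {}
    return json.dumps(updated_daemon_config(config, runner_count), indent=2) + "\n"


if __name__ == "__main__":
    # Constructed sample: an existing daemon.json that only sets the log driver.
    print(render_daemon_json('{"log-driver": "json-file"}', runner_count=20))
```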

Network requirements for Dependabot runners

Dependabot runners require access to the public internet, GitHub.com, and any internal registries that will be used in Dependabot updates. To minimize the risk to your internal network, you should limit access from the VM to your internal network. This reduces the potential for damage to internal systems if a runner were to download a hijacked dependency.

Adding self-hosted runners for Dependabot updates

  1. Provision self-hosted runners, at the repository, organization, or enterprise account level. For more information, see "About self-hosted runners" and "Adding self-hosted runners."

  2. Set up the self-hosted runners with the requirements described above. For example, on a VM running Ubuntu 20.04 you would:

  3. Assign a dependabot label to each runner you want Dependabot to use. For more information, see "Using labels with self-hosted runners."

  4. Optionally, enable workflows triggered by Dependabot to use more than read-only permissions and to have access to any secrets that are normally available. For more information, see "Troubleshooting GitHub Actions for your enterprise."
