Add pre-commit dependency scanning via AI coding agents to dependabot skill (#4)

* Add pre-commit dependency scanning via AI coding agents section to dependabot SKILL.md

Agent-Logs-Url: https://github.com/forks-felickz/awesome-copilot/sessions/e53ba56a-f1b4-4c9a-878b-c40ba38ac339

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* docs(dependabot): split CLI shell vs interactive plugin install steps

Agent-Logs-Url: https://github.com/forks-felickz/awesome-copilot/sessions/a696f619-7f24-42c5-bd17-5732beb2a26d

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
Copilot
2026-05-06 22:23:47 -04:00
committed by GitHub
parent 6397070620
commit cffceae26c
2 changed files with 33 additions and 2 deletions
+32 -1
@@ -5,7 +5,10 @@ description: >-
users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests,
configuring dependency update strategies, setting up grouped updates, monorepo patterns,
multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub
Advanced Security (GHAS) supply chain security topic related to Dependabot.
Advanced Security (GHAS) supply chain security topic related to Dependabot. For pre-commit
dependency vulnerability scanning in AI coding agents via the GitHub MCP Server, this skill
references the Advanced Security plugin (`advanced-security@copilot-plugins`). Use this skill
when an agent needs to scan dependencies for known vulnerabilities before committing.
---
# Dependabot Configuration & Management
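Review bot: the three added description sentences leave the relationship between the two mechanisms unclear; the first says scanning happens "via the GitHub MCP Server", the second says the skill "references the Advanced Security plugin (`advanced-security@copilot-plugins`)", and neither states whether the plugin is required in addition to the MCP Server's toolset or is a companion to it. Since this frontmatter `description` is what an agent reads to decide whether to load the skill, suggest one sentence that names the mechanism and the plugin's role explicitly, for example: "Pre-commit dependency vulnerability scanning in AI coding agents uses the GitHub MCP Server `dependabot` toolset; the Advanced Security plugin (`advanced-security@copilot-plugins`) adds the `/dependency-scanning` skill."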
@@ -415,6 +418,34 @@ Use `groups` to batch updates, `directories` with globs for coverage, and `group
**How do I handle dependencies outside the workspace?**
Create a separate ecosystem entry with its own `directory` pointing to that location.
## Pre-Commit Dependency Scanning via AI Coding Agents
For scanning code changes for vulnerable dependencies inside an AI coding agent before committing, the GitHub MCP Server's `dependabot` toolset can check your dependency additions against the GitHub Advisory Database and return structured results with affected packages, severity, and recommended fixed versions. For more thorough post-commit checks, it can also run the Dependabot CLI locally to diff dependency graphs before and after your changes.
Install the **Advanced Security plugin** which provides dedicated dependency scanning tools and the `/dependency-scanning` skill.
**GitHub Copilot CLI (shell):**
```bash
# Enable the dependabot toolset for the GitHub MCP Server
copilot --add-github-mcp-toolset dependabot
```
**GitHub Copilot CLI (inside `copilot`):**
```text
> /plugin install advanced-security@copilot-plugins
```
**Visual Studio Code:**
- Add `"X-MCP-Toolsets": "dependabot"` to your GitHub MCP Server headers, or pick **Dependabot** from the toolset selector in Copilot Chat
- Install the `advanced-security` plugin, then use `/dependency-scanning` in Copilot Chat
**Example prompt:**
> Scan the dependencies I added on this branch for known vulnerabilities and tell me which versions to upgrade to before I commit.
See: [Advanced Security Plugin — Dependency Scanning Skill](https://github.com/github/copilot-plugins/blob/main/plugins/advanced-security/skills/dependency-scanning/SKILL.md)
> Announced in [Dependency scanning with GitHub MCP Server is in public preview](https://github.blog/changelog/2026-05-05-dependency-scanning-with-github-mcp-server-is-in-public-preview/) (May 2026)
## Resources
- `references/dependabot-yml-reference.md` — Complete YAML options reference
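Review bot: the section heading promises "Pre-Commit" scanning, but the last sentence of the first paragraph switches to "more thorough post-commit checks" with the Dependabot CLI, and its subject "it" is ambiguous (the MCP Server's `dependabot` toolset, or the plugin installed in the next sentence?). Suggest naming the actor and either moving the post-commit sentence under its own heading or dropping it from this section. Two smaller points in the same hunk: "Install the **Advanced Security plugin** which provides..." needs a comma before "which", and the VS Code bullet gives the header value `"X-MCP-Toolsets": "dependabot"` without saying where the GitHub MCP Server headers are configured; a short pointer there would help readers who have not yet set up the remote server.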