GHAS Pack - Agent Skills for GitHub Advanced Security - Includes Dependabot, CodeQL, and Secret Scanning (#1049)

* feat: add dependabot skill

* feat: add codeql skill

* feat: add secret-scanning skill

* feat: run start and update docs

* fix: replace deprecated @dependabot merge example with native auto-merge guidance

The usage example still showed @dependabot merge despite the Jan 2026
deprecation. Replaced with gh pr merge --auto and GitHub UI auto-merge.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Ve Sharma
2026-03-17 17:15:29 -07:00
committed by GitHub
parent 5418673f24
commit f601edcc87
16 changed files with 4154 additions and 0 deletions

@@ -0,0 +1,374 @@
# Dependabot YAML Options Reference
Complete reference for all configuration options in `.github/dependabot.yml`.
## File Structure
```yaml
version: 2 # Required, always 2
registries: # Optional: private registry access
REGISTRY_NAME:
type: "..."
url: "..."
multi-ecosystem-groups: # Optional: cross-ecosystem grouping
GROUP_NAME:
schedule:
interval: "..."
updates: # Required: list of ecosystem configurations
- package-ecosystem: "..." # Required
directory: "/" # Required (or directories)
schedule: # Required
interval: "..."
```
## Required Keys
### `version`
Always `2`. Must be at the top level.
### `package-ecosystem`
Defines which package manager to monitor. One entry per ecosystem (can have multiple entries for the same ecosystem with different directories).
| Package Manager | YAML Value | Manifest Files |
|---|---|---|
| Bazel | `bazel` | `MODULE.bazel`, `WORKSPACE` |
| Bun | `bun` | `bun.lockb` |
| Bundler (Ruby) | `bundler` | `Gemfile`, `Gemfile.lock` |
| Cargo (Rust) | `cargo` | `Cargo.toml`, `Cargo.lock` |
| Composer (PHP) | `composer` | `composer.json`, `composer.lock` |
| Conda | `conda` | `environment.yml` |
| Dev Containers | `devcontainers` | `devcontainer.json` |
| Docker | `docker` | `Dockerfile` |
| Docker Compose | `docker-compose` | `docker-compose.yml` |
| .NET SDK | `dotnet-sdk` | `global.json` |
| Elm | `elm` | `elm.json` |
| Git Submodules | `gitsubmodule` | `.gitmodules` |
| GitHub Actions | `github-actions` | `.github/workflows/*.yml` |
| Go Modules | `gomod` | `go.mod`, `go.sum` |
| Gradle | `gradle` | `build.gradle`, `build.gradle.kts` |
| Helm | `helm` | `Chart.yaml` |
| Hex (Elixir) | `mix` | `mix.exs`, `mix.lock` |
| Julia | `julia` | `Project.toml`, `Manifest.toml` |
| Maven | `maven` | `pom.xml` |
| npm/pnpm/yarn | `npm` | `package.json`, lockfiles |
| NuGet | `nuget` | `*.csproj`, `packages.config` |
| OpenTofu | `opentofu` | `*.tf` |
| pip/pipenv/poetry/uv | `pip` | `requirements.txt`, `Pipfile`, `pyproject.toml` |
| Pre-commit | `pre-commit` | `.pre-commit-config.yaml` |
| Pub (Dart/Flutter) | `pub` | `pubspec.yaml` |
| Rust Toolchain | `rust-toolchain` | `rust-toolchain.toml` |
| Swift | `swift` | `Package.swift` |
| Terraform | `terraform` | `*.tf` |
| uv | `uv` | `uv.lock`, `pyproject.toml` |
| vcpkg | `vcpkg` | `vcpkg.json` |
### `directory` / `directories`
Location of package manifests relative to repo root.
- `directory` — single path (no glob support)
- `directories` — list of paths (supports `*` and `**` globs)
```yaml
# Single directory
directory: "/"
# Multiple directories with globs
directories:
- "/"
- "/apps/*"
- "/packages/*"
```
For GitHub Actions, use `/` — Dependabot automatically searches `.github/workflows/`.
### `schedule`
How often to check for updates.
| Parameter | Values | Notes |
|---|---|---|
| `interval` | `daily`, `weekly`, `monthly`, `quarterly`, `semiannually`, `yearly`, `cron` | Required |
| `day` | `monday``sunday` | Weekly only |
| `time` | `HH:MM` | UTC by default |
| `timezone` | IANA timezone string | e.g., `America/New_York` |
| `cronjob` | Cron expression | Required when interval is `cron` |
```yaml
schedule:
interval: "weekly"
day: "tuesday"
time: "09:00"
timezone: "Europe/London"
```
## Grouping Options
### `groups`
Group dependencies into fewer PRs.
| Parameter | Purpose | Values |
|---|---|---|
| `IDENTIFIER` | Group name (used in branch/PR title) | Letters, pipes, underscores, hyphens |
| `applies-to` | Update type | `version-updates` (default), `security-updates` |
| `dependency-type` | Filter by type | `development`, `production` |
| `patterns` | Include matching names | List of strings with `*` wildcard |
| `exclude-patterns` | Exclude matching names | List of strings with `*` wildcard |
| `update-types` | SemVer filter | `major`, `minor`, `patch` |
| `group-by` | Cross-directory grouping | `dependency-name` |
```yaml
groups:
dev-deps:
dependency-type: "development"
update-types: ["minor", "patch"]
angular:
patterns: ["@angular*"]
exclude-patterns: ["@angular/cdk"]
monorepo:
group-by: dependency-name
```
### `multi-ecosystem-groups` (top-level)
Group updates across different ecosystems into one PR.
```yaml
multi-ecosystem-groups:
GROUP_NAME:
schedule:
interval: "weekly"
labels: ["infrastructure"]
assignees: ["@platform-team"]
```
Assign ecosystems with `multi-ecosystem-group: "GROUP_NAME"` in each `updates` entry. The `patterns` key is required in each ecosystem entry when using this feature.
## Filtering Options
### `allow`
Explicitly define which dependencies to maintain.
| Parameter | Purpose |
|---|---|
| `dependency-name` | Match by name (supports `*` wildcard) |
| `dependency-type` | `direct`, `indirect`, `all`, `production`, `development` |
```yaml
allow:
- dependency-type: "production"
- dependency-name: "express"
```
### `ignore`
Exclude dependencies or versions from updates.
| Parameter | Purpose |
|---|---|
| `dependency-name` | Match by name (supports `*` wildcard) |
| `versions` | Specific versions or ranges (e.g., `["5.x"]`, `[">=2.0.0"]`) |
| `update-types` | SemVer levels: `version-update:semver-major`, `version-update:semver-minor`, `version-update:semver-patch` |
```yaml
ignore:
- dependency-name: "lodash"
- dependency-name: "@types/node"
update-types: ["version-update:semver-patch"]
- dependency-name: "express"
versions: ["5.x"]
```
Rule: if a dependency matches both `allow` and `ignore`, it is **ignored**.
### `exclude-paths`
Ignore specific directories or files during manifest scanning.
```yaml
exclude-paths:
- "vendor/**"
- "test/fixtures/**"
- "*.lock"
```
Supports glob patterns: `*` (single segment), `**` (recursive), specific file paths.
## PR Customization Options
### `labels`
```yaml
labels:
- "dependencies"
- "npm"
```
Set `labels: []` to disable all labels. SemVer labels are always applied if they exist in the repo.
### `assignees`
```yaml
assignees:
- "user1"
- "user2"
```
Assignees must have write access (or read access for org repos).
### `milestone`
```yaml
milestone: 4 # numeric ID from milestone URL
```
### `commit-message`
```yaml
commit-message:
prefix: "deps" # up to 50 chars; colon auto-added if ends with letter/number
prefix-development: "deps-dev" # separate prefix for dev dependencies
include: "scope" # adds deps/deps-dev after prefix
```
### `pull-request-branch-name`
```yaml
pull-request-branch-name:
separator: "-" # options: "-", "_", "/"
```
### `target-branch`
```yaml
target-branch: "develop"
```
When set, version update config only applies to version updates. Security updates always target the default branch.
## Scheduling & Rate Limiting
### `cooldown`
Delay version updates for newly released versions:
| Parameter | Purpose |
|---|---|
| `default-days` | Default cooldown (190 days) |
| `semver-major-days` | Cooldown for major updates |
| `semver-minor-days` | Cooldown for minor updates |
| `semver-patch-days` | Cooldown for patch updates |
| `include` | Dependencies to apply cooldown (up to 150, supports `*`) |
| `exclude` | Dependencies exempt from cooldown (up to 150, takes precedence) |
```yaml
cooldown:
default-days: 5
semver-major-days: 30
semver-minor-days: 7
semver-patch-days: 3
include: ["*"]
exclude: ["critical-security-lib"]
```
### `open-pull-requests-limit`
```yaml
open-pull-requests-limit: 10 # default: 5 for version updates
```
Set to `0` to disable version updates entirely. Security updates have a separate internal limit of 10.
## Advanced Options
### `versioning-strategy`
Supported by: `bundler`, `cargo`, `composer`, `mix`, `npm`, `pip`, `pub`, `uv`.
| Value | Behavior |
|---|---|
| `auto` | Default: increase for apps, widen for libraries |
| `increase` | Always increase minimum version |
| `increase-if-necessary` | Only change if current range excludes new version |
| `lockfile-only` | Only update lockfiles |
| `widen` | Widen range to include old and new versions |
### `rebase-strategy`
```yaml
rebase-strategy: "disabled"
```
Default behavior: Dependabot auto-rebases PRs on conflicts. Rebasing stops 30 days after PR opens.
Allow Dependabot to force push over extra commits by including `[dependabot skip]` in commit messages.
### `vendor`
Supported by: `bundler`, `gomod`.
```yaml
vendor: true # maintain vendored dependencies
```
Go modules auto-detect vendored dependencies.
### `insecure-external-code-execution`
Supported by: `bundler`, `mix`, `pip`.
```yaml
insecure-external-code-execution: "allow"
```
Allows Dependabot to execute code in manifests during updates. Required for some ecosystems that run code during resolution.
## Private Registries
### Top-Level Registry Definition
```yaml
registries:
npm-private:
type: npm-registry
url: https://npm.example.com
token: ${{secrets.NPM_TOKEN}}
maven-central:
type: maven-repository
url: https://repo.maven.apache.org/maven2
username: ""
password: ""
docker-ghcr:
type: docker-registry
url: https://ghcr.io
username: ${{secrets.GHCR_USER}}
password: ${{secrets.GHCR_TOKEN}}
python-private:
type: python-index
url: https://pypi.example.com/simple
token: ${{secrets.PYPI_TOKEN}}
```
### Associating Registries with Ecosystems
```yaml
updates:
- package-ecosystem: "npm"
directory: "/"
registries:
- npm-private
schedule:
interval: "weekly"
```
Use `registries: "*"` to allow access to all defined registries.
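Review bot: The `insecure-external-code-execution` section (the `insecure-external-code-execution: "allow"` block and the sentence "Allows Dependabot to execute code in manifests during updates") should say what the setting opens up. With `allow`, Dependabot runs code from the manifest itself (a `Gemfile`, `mix.exs` or `setup.py`) during resolution, and in a private-registry setup that code runs inside a job holding the credentials defined under `registries`. The option only matters when `registries` is configured, because that is when Dependabot disables external code execution by default, so the reference should recommend leaving it at the default unless an ecosystem cannot resolve without it. Two smaller points in the same file: the `registries` examples use `${{secrets.NPM_TOKEN}}`-style references, which resolve to Dependabot secrets rather than Actions secrets, and that deserves one sentence; and two table cells read as a dropped range separator, `monday``sunday` in the `schedule` table and `(190 days)` for `default-days` in the `cooldown` table, so both should be checked against the intended values before merging.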

@@ -0,0 +1,409 @@
# Dependabot Configuration Examples
Real-world `dependabot.yml` configurations for common scenarios.
---
## 1. Basic Single Ecosystem
Minimal configuration for a single npm project:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
```
---
## 2. Monorepo with Glob Patterns
Turborepo/pnpm monorepo with multiple workspace packages:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directories:
- "/"
- "/apps/*"
- "/packages/*"
- "/services/*"
schedule:
interval: "weekly"
day: "monday"
groups:
dev-dependencies:
dependency-type: "development"
update-types: ["minor", "patch"]
production-dependencies:
dependency-type: "production"
update-types: ["minor", "patch"]
labels:
- "dependencies"
- "npm"
commit-message:
prefix: "deps"
include: "scope"
```
---
## 3. Grouped Dev vs Production Dependencies
Separate dev and production updates to prioritize review of production changes:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
groups:
production-deps:
dependency-type: "production"
dev-deps:
dependency-type: "development"
exclude-patterns:
- "eslint*"
linting:
patterns:
- "eslint*"
- "prettier*"
- "@typescript-eslint*"
```
---
## 4. Cross-Directory Grouping (Monorepo)
Create one PR per shared dependency across directories:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directories:
- "/frontend"
- "/admin-panel"
- "/mobile-app"
schedule:
interval: "weekly"
groups:
monorepo-dependencies:
group-by: dependency-name
```
When `lodash` updates in all three directories, Dependabot creates a single PR.
---
## 5. Multi-Ecosystem Group (Docker + Terraform)
Consolidate infrastructure dependency updates into a single PR:
```yaml
version: 2
multi-ecosystem-groups:
infrastructure:
schedule:
interval: "weekly"
labels: ["infrastructure", "dependencies"]
assignees: ["@platform-team"]
updates:
- package-ecosystem: "docker"
directory: "/"
patterns: ["nginx", "redis", "postgres"]
multi-ecosystem-group: "infrastructure"
- package-ecosystem: "terraform"
directory: "/"
patterns: ["aws*", "terraform-*"]
multi-ecosystem-group: "infrastructure"
```
---
## 6. Security Updates Only (Version Updates Disabled)
Monitor for security vulnerabilities without version update PRs:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
open-pull-requests-limit: 0 # disables version update PRs
groups:
security-all:
applies-to: security-updates
patterns: ["*"]
update-types: ["patch", "minor"]
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
open-pull-requests-limit: 0
```
---
## 7. Private Registries
Access private npm and Docker registries:
```yaml
version: 2
registries:
npm-private:
type: npm-registry
url: https://npm.internal.example.com
token: ${{secrets.NPM_PRIVATE_TOKEN}}
docker-ghcr:
type: docker-registry
url: https://ghcr.io
username: ${{secrets.GHCR_USER}}
password: ${{secrets.GHCR_TOKEN}}
updates:
- package-ecosystem: "npm"
directory: "/"
registries:
- npm-private
schedule:
interval: "weekly"
- package-ecosystem: "docker"
directory: "/"
registries:
- docker-ghcr
schedule:
interval: "weekly"
```
---
## 8. Cooldown Periods
Delay updates for newly released versions to avoid early-adopter bugs:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 5
semver-major-days: 30
semver-minor-days: 14
semver-patch-days: 3
include: ["*"]
exclude:
- "security-critical-lib"
- "@company/internal-*"
```
---
## 9. Cron Scheduling
Run updates at a specific time using cron expressions:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "cron"
cronjob: "0 9 * * 1" # Every Monday at 9:00 AM
timezone: "America/New_York"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "cron"
cronjob: "0 6 1 * *" # First day of each month at 6:00 AM
```
---
## 10. Full-Featured Configuration
A comprehensive example combining multiple optimizations:
```yaml
version: 2
registries:
npm-private:
type: npm-registry
url: https://npm.example.com
token: ${{secrets.NPM_TOKEN}}
updates:
# npm — monorepo workspaces
- package-ecosystem: "npm"
directories:
- "/"
- "/apps/*"
- "/packages/*"
- "/services/*"
registries:
- npm-private
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
timezone: "America/New_York"
groups:
dev-dependencies:
dependency-type: "development"
update-types: ["minor", "patch"]
production-dependencies:
dependency-type: "production"
update-types: ["minor", "patch"]
angular:
patterns: ["@angular*"]
update-types: ["minor", "patch"]
security-patches:
applies-to: security-updates
patterns: ["*"]
update-types: ["patch", "minor"]
ignore:
- dependency-name: "aws-sdk"
update-types: ["version-update:semver-major"]
cooldown:
default-days: 3
semver-major-days: 14
labels:
- "dependencies"
- "npm"
commit-message:
prefix: "deps"
prefix-development: "deps-dev"
include: "scope"
assignees:
- "security-lead"
open-pull-requests-limit: 15
# GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
groups:
actions:
patterns: ["*"]
labels:
- "dependencies"
- "ci"
commit-message:
prefix: "ci"
# Docker
- package-ecosystem: "docker"
directories:
- "/services/*"
schedule:
interval: "weekly"
labels:
- "dependencies"
- "docker"
commit-message:
prefix: "deps"
# pip
- package-ecosystem: "pip"
directory: "/scripts"
schedule:
interval: "monthly"
labels:
- "dependencies"
- "python"
versioning-strategy: "increase-if-necessary"
commit-message:
prefix: "deps"
# Terraform
- package-ecosystem: "terraform"
directory: "/infra"
schedule:
interval: "weekly"
labels:
- "dependencies"
- "terraform"
commit-message:
prefix: "infra"
```
---
## 11. Ignore Patterns and Versioning Strategy
Control exactly what gets updated and how:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
versioning-strategy: "increase"
ignore:
# Never auto-update to Express 5.x (breaking changes)
- dependency-name: "express"
versions: ["5.x"]
# Skip patch updates for type definitions
- dependency-name: "@types/*"
update-types: ["version-update:semver-patch"]
# Ignore all updates for a vendored package
- dependency-name: "legacy-internal-lib"
allow:
- dependency-type: "all"
exclude-paths:
- "vendor/**"
- "test/fixtures/**"
```
---
## 12. Target Non-Default Branch
Test updates on a development branch before production:
```yaml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
target-branch: "develop"
labels:
- "dependencies"
- "staging"
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
target-branch: "develop"
```
Note: Security updates always target the default branch regardless of `target-branch`.
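Review bot: In example 3 the `linting` group will never receive `prettier*` or `@typescript-eslint*`. Dependabot places a dependency in the first group it matches, and `dev-deps` (`dependency-type: "development"` with only `eslint*` excluded) is listed before `linting`, so those development dependencies are captured by `dev-deps` first. Either move `linting` above `dev-deps` or add `prettier*` and `@typescript-eslint*` to the `exclude-patterns` of `dev-deps`. Example 6 is titled "Security Updates Only", but `open-pull-requests-limit: 0` only switches off version-update PRs; Dependabot security updates are turned on in the repository or organization security settings, not in `dependabot.yml`, so the example should state that prerequisite. Also, `assignees: ["@platform-team"]` in example 5 passes a leading `@` and a team name where `assignees` takes GitHub usernames and teams cannot be assigned; list individual users there or route review through CODEOWNERS.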

@@ -0,0 +1,91 @@
# Dependabot PR Comment Commands
Interact with Dependabot pull requests by commenting `@dependabot <command>`. Dependabot acknowledges commands with a thumbs-up reaction.
> **Deprecation Notice (January 27, 2026):** The following commands have been removed:
> `@dependabot merge`, `@dependabot squash and merge`, `@dependabot cancel merge`,
> `@dependabot close`, and `@dependabot reopen`.
> Use GitHub's native UI, CLI (`gh pr merge`), API, or auto-merge feature instead.
## Commands for Individual PRs
| Command | Description |
|---|---|
| `@dependabot rebase` | Rebase the PR against the target branch |
| `@dependabot recreate` | Recreate the PR from scratch, overwriting any manual edits |
| `@dependabot ignore this dependency` | Close the PR and stop all future updates for this dependency |
| `@dependabot ignore this major version` | Close and stop updates for this major version |
| `@dependabot ignore this minor version` | Close and stop updates for this minor version |
| `@dependabot ignore this patch version` | Close and stop updates for this patch version |
| `@dependabot show DEPENDENCY_NAME ignore conditions` | Display a table of all current ignore conditions for the dependency |
## Commands for Grouped Updates
These commands work on Dependabot PRs created by grouped version or security updates.
| Command | Description |
|---|---|
| `@dependabot ignore DEPENDENCY_NAME` | Close the PR and stop updating this dependency in the group |
| `@dependabot ignore DEPENDENCY_NAME major version` | Stop updating this dependency's major version |
| `@dependabot ignore DEPENDENCY_NAME minor version` | Stop updating this dependency's minor version |
| `@dependabot ignore DEPENDENCY_NAME patch version` | Stop updating this dependency's patch version |
| `@dependabot unignore *` | Close current PR, clear ALL ignore conditions for ALL dependencies in the group, open a new PR |
| `@dependabot unignore DEPENDENCY_NAME` | Close current PR, clear all ignores for a specific dependency, open a new PR with its updates |
| `@dependabot unignore DEPENDENCY_NAME IGNORE_CONDITION` | Close current PR, clear a specific ignore condition, open a new PR |
## Usage Examples
### Merge After CI (Use Native GitHub Features)
Auto-merge is the recommended replacement for the deprecated `@dependabot merge` command:
```bash
# Enable auto-merge via GitHub CLI
gh pr merge <PR_NUMBER> --auto --squash
# Or enable auto-merge via the GitHub UI:
# PR → "Enable auto-merge" → select merge method → confirm
```
GitHub will automatically merge the PR once all required CI checks pass.
### Ignore a Major Version Bump
```
@dependabot ignore this major version
```
Useful when a major version has breaking changes and migration is not yet planned.
### Check Active Ignore Conditions
```
@dependabot show express ignore conditions
```
Displays a table showing all ignore conditions currently stored for the `express` dependency.
### Unignore a Dependency in a Group
```
@dependabot unignore lodash
```
Closes the current grouped PR, clears all ignore conditions for `lodash`, and opens a new PR that includes available `lodash` updates.
### Unignore a Specific Condition
```
@dependabot unignore express [< 1.9, > 1.8.0]
```
Clears only the specified version range ignore for `express`.
## Tips
- **Rebase vs Recreate**: Use `rebase` to resolve conflicts while keeping your review state. Use `recreate` to start fresh if the PR has diverged significantly.
- **Force push over extra commits**: If you've pushed commits to a Dependabot branch and want Dependabot to rebase over them, include `[dependabot skip]` in your commit message.
- **Persistent ignores**: Ignore commands via PR comments are stored centrally. For transparency in team repos, prefer using `ignore` in `dependabot.yml` instead.
- **Merging Dependabot PRs**: Use GitHub's native auto-merge feature, the CLI (`gh pr merge`), or the web UI. The old `@dependabot merge` commands were deprecated in January 2026.
- **Closing/Reopening**: Use the GitHub UI or CLI. The old `@dependabot close` and `@dependabot reopen` commands were deprecated in January 2026.
- **Grouped commands**: When using `@dependabot unignore`, Dependabot closes the current PR and opens a fresh one with the updated dependency set.
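Review bot: The "Merge After CI" example (`gh pr merge <PR_NUMBER> --auto --squash` and the sentence "GitHub will automatically merge the PR once all required CI checks pass") omits its prerequisites and overstates the gate. `--auto` only works when "Allow auto-merge" is enabled in the repository settings, and the PR waits on checks only if the target branch has branch protection or a ruleset that marks those checks as required; with no required checks the PR merges as soon as it is mergeable. Since this is offered as the replacement for `@dependabot merge`, the section should name those two prerequisites and say that required status checks and review requirements should be in place before enabling auto-merge on dependency PRs, which otherwise land third-party code without a human gate. Minor: the Tips list says the merge and close/reopen commands "were deprecated" while the notice at the top says they "have been removed"; pick one term.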