Skip to content

feat: implement Dependabot security update tools #180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: implement Dependabot security update tools #180

wants to merge 2 commits into from
+720 −0

Conversation

smadi0x86
Copy link

Closes: #176

Description

This PR implements tools for managing Dependabot security updates in repositories. The implementation includes:

  1. GetSecuritySettings - Retrieves security settings for a repository
  2. UpdateSecuritySettings - Updates security settings for a repository
  3. GetDependabotSecurityUpdatesStatus - Checks if Dependabot security updates are enabled

Implementation Details

During implementation, I encountered an issue with GitHub's API behavior:

  • Public repositories should have Dependabot alerts enabled by default
  • However, the API still requires explicit enabling of vulnerability alerts
  • This creates a confusing user experience where the system says one thing but behaves differently

As a result, I've:

  1. Implemented the core functionality for managing security settings
  2. Documented the API behavior discrepancy in the code
  3. Commented out the EnableDependabotSecurityUpdates and DisableDependabotSecurityUpdates tools for future investigation.

@smadi0x86
feat: implement Dependabot security update tools
3793ac9 
This PR implements tools for managing Dependabot security updates in repositories. However, during implementation, we encountered an issue with GitHub's API behavior where public repositories should have Dependabot alerts enabled by default, but the API still requires explicit enabling of vulnerability alerts. This creates a confusing user experience. We've documented this issue in the code for future investigation.
@Copilot Copilot AI review requested due to automatic review settings April 8, 2025 14:30
Copilot
Copilot AI reviewed Apr 8, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

pkg/github/security.go:108

  • [nitpick] The use of the parameter name 'vulnerability_alerts' may be misleading since its value is applied to the AdvancedSecurity field. Consider clarifying the parameter name or adding a comment to explain the mapping.
if vulnerabilityAlerts, ok := settings["vulnerability_alerts"].(bool); ok {

@smadi0x86 @Copilot
Update security.go
29ce240 
Co-authored-by: Copilot <[email protected]>
@smadi0x86 smadi0x86 marked this pull request as draft April 13, 2025 15:41
@smadi0x86 smadi0x86 marked this pull request as ready for review April 13, 2025 15:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@juruen juruen Awaiting requested review from juruen

@SamMorrowDrums SamMorrowDrums Awaiting requested review from SamMorrowDrums

@williammartin williammartin Awaiting requested review from williammartin

@toby toby Awaiting requested review from toby

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
tool-proposal
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Adding Support for Repository Related Security Actions
2 participants
@smadi0x86 @SamMorrowDrums