Using Dependabot to Identify Vulnerabilities in GitHub Repository
Dependabot identifies known vulnerabilities in the libraries a repository depends on.
This functionality is available in all public repositories.
EXAMPLE: Create the file .github/dependabot.yml
```yaml
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

- Create the .github directory if it doesn’t exist.
- Add dependabot.yml inside it.
- Commit and push to the default branch:
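A small checker for the dependabot.yml layout shown above, added here as an example; it is not part of the original page or of GitHub's own tooling. It assumes the file has already been parsed into a Python dict (PyYAML, when installed, can do that), and the allowed ecosystem and interval names it knows are a subset of the values GitHub documents, so treat those lists as an assumption to extend. It catches the mistakes that silently stop Dependabot from running: wrong schema version, a directory not anchored at the repository root, an unknown schedule interval, and duplicate entries for the same ecosystem and directory.

```python
"""Sanity checker for a parsed dependabot.yml (version 2 schema).

Added example, not code from the original page or from GitHub.
Assumption: the config is already a dict; allowed-value sets below are a
subset of what GitHub documents and may need extending.
"""
from typing import Any

# Subset of package ecosystems and schedule intervals documented for
# dependabot.yml version 2 (assumed current; extend as needed).
KNOWN_ECOSYSTEMS = {
    "bundler", "cargo", "composer", "docker", "github-actions", "gomod",
    "gradle", "maven", "npm", "nuget", "pip", "terraform",
}
KNOWN_INTERVALS = {"daily", "weekly", "monthly"}
REQUIRED_KEYS = ("package-ecosystem", "directory", "schedule")


def validate_dependabot(config: Any) -> list:
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    if not isinstance(config, dict):
        return ["top level must be a mapping"]
    if config.get("version") != 2:
        problems.append("version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        problems.append("updates must be a non-empty list")
        return problems
    seen = set()  # (ecosystem, directory) pairs already configured
    for i, entry in enumerate(updates):
        where = f"updates[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: must be a mapping")
            continue
        for key in REQUIRED_KEYS:
            if key not in entry:
                problems.append(f"{where}: missing required key '{key}'")
        eco = entry.get("package-ecosystem")
        if eco is not None and eco not in KNOWN_ECOSYSTEMS:
            problems.append(f"{where}: unknown package-ecosystem '{eco}'")
        directory = entry.get("directory")
        if directory is not None and not (isinstance(directory, str) and directory.startswith("/")):
            problems.append(f"{where}: directory must start with '/' (relative to repo root)")
        schedule = entry.get("schedule")
        if schedule is not None:
            interval = schedule.get("interval") if isinstance(schedule, dict) else None
            if interval not in KNOWN_INTERVALS:
                problems.append(f"{where}: schedule.interval must be one of {sorted(KNOWN_INTERVALS)}")
        pair = (eco, directory)
        if pair in seen:
            problems.append(f"{where}: duplicate entry for {eco} in {directory}")
        seen.add(pair)
    return problems


def load_config(text: str) -> Any:
    """Parse YAML text with PyYAML (assumed to be an optional dependency)."""
    import yaml  # raises ImportError if PyYAML is not installed
    return yaml.safe_load(text)


# Constructed sample mirroring the page's dependabot.yml, already parsed.
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "pip", "directory": "/", "schedule": {"interval": "weekly"}},
        {"package-ecosystem": "github-actions", "directory": "/", "schedule": {"interval": "weekly"}},
    ],
}

# Constructed broken variant: old schema version, directory not anchored at
# the repo root, and a typo in the interval.
BROKEN_CONFIG = {
    "version": 1,
    "updates": [
        {"package-ecosystem": "pip", "directory": "src", "schedule": {"interval": "weekley"}},
    ],
}

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        found = validate_dependabot(cfg)
        print(f"{name}: {'OK' if not found else found}")
```

Run it before committing the file, or wire `validate_dependabot` into a pre-commit hook, so a typo in dependabot.yml is caught locally rather than discovered a week later when no pull requests have appeared.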
Dependabot will run on its own schedule, but you can also trigger it:
Go to Security → Dependabot or Insights → Dependency graph → Dependabot (depending on UI). There should be an option like “Check for updates” or a “Run Dependabot” button for each configured ecosystem.
If you don’t see that, simply wait for the first scheduled run (e.g., the next day if you chose daily).
Dependabot will open pull requests in cdisc-org/cdisc-360i-notebooks such as:
- “Bump numpy from 1.24.0 to 1.26.0”
- “Bump actions/checkout from v3 to v4”
Your workflow:
- Review the PR (changelog, compatibility, tests).
- Merge when you’re satisfied.
- Optionally configure branch protection and required checks so Dependabot PRs must pass tests before merging.
© 2026 Clinical Data Interchange Standards Consortium