A curated list of Dependabot (and related software supply chain) resources.
- cli - A tool for testing and debugging Dependabot update jobs.
- fetch-metadata - Extract information about the dependencies being updated by a Dependabot-generated PR.
- generate-dependencies-csv-action - GitHub Action to generate a CSV file listing the dependencies detected in a repository.
- gh-dependency-report - GitHub CLI extension for generating a report on repository dependencies.
- sbom-generator - Generates an SBOM from a repository's dependency graph.
- gh-sbom - Generate SBOMs with the gh CLI.
- spdx-to-dependency-graph-action - A GitHub Action that takes SPDX SBOMs and uploads them to GitHub's dependency submission API to power Dependabot alerts.
- generate-org-repos-sbom-action - An Action to wrap creating an SBOM for the entire organization via the REST API.
- generate-sbom-action - An Action to wrap creating an SBOM via the REST API.
- package-policy - A GitHub action to enforce that only approved packages are used within a project by providing an allow or prohibit list of packages.
- dependabot-actions-workflow - Example workflow for updating Dependabot pull requests.
- dependabot-kev-action - Action to detect if any open Dependabot alerts are in the CISA Known Exploited Vulnerabilities (KEV) Catalog of CVEs and fail the workflow.
- policy-as-code - GitHub Advanced Security Policy as Code Action that supports Alerts and License compliance.
- osv-schema - OSSF OSV schema used by the advisory-database.
- SecurityAdvisory - GitHub GraphQL object to query the advisory DB.
Contributions welcome! Read the contribution guidelines first.