Skip to content

feat: implement Dependabot security update tools #178

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

feat: implement Dependabot security update tools #178

wants to merge 1 commit into from

Conversation

smadi0x86
Copy link

Closes: #176

Description

This PR implements tools for managing Dependabot security updates in repositories. The implementation includes:

  1. GetSecuritySettings - Retrieves security settings for a repository
  2. UpdateSecuritySettings - Updates security settings for a repository
  3. GetDependabotSecurityUpdatesStatus - Checks if Dependabot security updates are enabled

Implementation Details

During implementation, I encountered an issue with GitHub's API behavior:

  • Public repositories should have Dependabot alerts enabled by default
  • However, the API still requires explicit enabling of vulnerability alerts
  • This creates a confusing user experience where the system says one thing but behaves differently

As a result, I've:

  1. Implemented the core functionality for managing security settings
  2. Documented the API behavior discrepancy in the code
  3. Commented out the EnableDependabotSecurityUpdates and DisableDependabotSecurityUpdates tools for future investigation.

@smadi0x86
feat: implement Dependabot security update tools
3793ac9 
This PR implements tools for managing Dependabot security updates in repositories. However, during implementation, we encountered an issue with GitHub's API behavior where public repositories should have Dependabot alerts enabled by default, but the API still requires explicit enabling of vulnerability alerts. This creates a confusing user experience. We've documented this issue in the code for future investigation.
@Copilot Copilot AI review requested due to automatic review settings April 8, 2025 13:57
Copilot
Copilot AI reviewed Apr 8, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (2)

pkg/github/security.go:131

  • Consider adding unit tests to verify that the merge logic in UpdateSecuritySettings handles partial updates correctly.
if securitySettings.AdvancedSecurity != nil {

pkg/github/security.go:182

  • Add tests to cover the error handling and successful response cases for GetDependabotSecurityUpdatesStatus.
status, _, err := client.Repositories.GetAutomatedSecurityFixes(ctx, owner, repo)

@smadi0x86 smadi0x86 closed this Apr 8, 2025
@smadi0x86 smadi0x86 deleted the fix/dependabot-security-updates branch April 8, 2025 14:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Adding Support for Repository Related Security Actions
1 participant
@smadi0x86