KittyCAD · maxammann · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
@@ -0,0 +1,18 @@
+---
+title: 'Security at Zoo'
+excerpt: 'Sec'
+coverImage: '/kittycad-blog-banner.png'
+date: '2026-04-21T13:00:00.000Z'
+author:
+    name: Max Ammann
+    picture: '/documentation-assets/maxammann.jpeg'
+ogImage:
+    url: '/kittycad.png'
+---
+
+
+## Vulnerability management at Zoo
+
+
+
+## Internal fuzzing
@@ -0,0 +1,153 @@
+---
+title: 'Organization wide dependabot configuration'
+excerpt: 'Introducing a tool to configure dependabot across your GitHub organization with better defaults and more customizability.'
+coverImage: '/kittycad-blog-banner.png'
+date: '2026-05-12T13:00:00.000Z'
+author:
+    name: Max Ammann
+    picture: '/documentation-assets/maxammann.jpeg'
+ogImage:
+    url: '/kittycad.png'
+draft: true
+---
+
+Dependabot is probably the most widely used tool to automate dependency updates. It is simple and the default on GitHub.
+
+In this blog post, I want to announce a tool I've been homebrewing for a few months.
+It scans your GitHub organization and configures all repositories with better defaults and allows greater customizability.
+
+
+## Simplicity vs customizability
+
+Dependabot is a fairly simple feature on GitHub. Sometimes it feels a bit neglected by GitHub as it lacks some essential features like org-wide configuration.
+
+To run Dependabot, you only need to add a `dependabot.yml` file to your repository. However, it needs to be correct.
+For instance, if your repository has both JavaScript and Rust code, you need to add two separate entries in the `dependabot.yml` file.
+This is hard to maintain.
+
+The ability to simplify means to eliminate the unnecessary. Maybe GitHub deemed a more automatic ecosystem discovery as unnecessary. More likely, though,
+they just haven't gotten around to it yet. In the meantime, we can build a tool that simplifies this process for us and our users.
+
+Let me introduce [dependabot-org-config](https://github.com/KittyCAD/dependabot-org-config)!
+
+## The tool
+
+At its core, it's just a CLI tool that:
+
+1) Uses GitHub's search API to discover ecosystems (Python, Rust, JavaScript, GitHub Actions, etc.) in your organization.
+2) Goes through repositories to create PRs with an updated `dependabot.yml` file that includes all the ecosystems used in the repository.
+
+
+The tool is invoked like this:
+
+```bash
+cargo run -- <ORG_NAME> [--dependabot-overrides <PATH>] [--create-pr] [--force-new] [--repo <REPO>] [--only-existing]
+```
+
+You have to specify an organization name and can optionally scope the tool to individual repositories. When testing new configurations,
+you may use `--only-existing` to update only existing branches.
+Using `--force-new`, repositories that are not yet configured to use Dependabot will be enabled.
+Using `--create-pr` will create PRs instead of just pushing branches.
+
+In our modeling-app repository, you can see an example [dependabot.yml](https://github.com/KittyCAD/modeling-app/blob/main/.github/dependabot.yml).
+
+For each discovered ecosystem, it will set certain options. The following configuration will:
+
+1) Perform weekly updates over the weekend to minimize disruption,
+2) Group security updates separately from regular version updates (major updates stay independent),
+3) Set up a cooldown so we are not immediately affected by recent supply chain attacks,
+4) Exclude some of our own packages from updates to avoid breaking changes in our internal dependencies.
+
+```yaml
+# DO NOT EDIT THIS FILE. This dependabot file was generated
+# by https://github.com/KittyCAD/ciso Changes to this file should be addressed in
+# the ciso repository.
+
+version: 2
+updates:
+- package-ecosystem: cargo
+  directory: /rust
+  schedule:
+    interval: weekly
+    day: saturday
+    timezone: America/Los_Angeles
+  open-pull-requests-limit: 5
+  groups:
+    security:
+      applies-to: security-updates
+      exclude-patterns:
+      - kittycad*
+      update-types:
+      - minor
+      - patch
+    patch:
+      applies-to: version-updates
+      exclude-patterns:
+      - kittycad*
+      update-types:
+      - patch
+    minor:
+      applies-to: version-updates
+      exclude-patterns:
+      - kittycad*
+      update-types:
+      - minor
+      - patch
+  cooldown:
+    default-days: 7
+    exclude:
+    - '*kcl*'
+    - '*zoo*'
+    - '*kittycad*'
+```
+
+One might argue why not just use [renovate](https://github.com/renovatebot/renovate) bot.
+As long as you are trying to use its open source version, there is still some configuration overhead if you want org-wide configuration.
+Also, I think it's worth noting that Dependabot is just the default tool and therefore a lot of companies will use it.
+Its bot reacts nicely to comments, something you only get with [renovate](https://github.com/renovatebot/renovate) when subscribing to their paid plan.
+
+## Automation
+
+In one repository, we set up a GitHub action that uses a GitHub app to create PRs.
+It can be set up like this:
+
+```yaml
+name: Run Dependabot Org Config
+on:
+  schedule:
+    - cron: '0 0 1,15 * *'
+  workflow_dispatch:
+jobs:
+  run-dependabot-org-config:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout this repo
+        uses: actions/checkout@v6
+
+      - name: Get GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: id
+          private-key: key
+          owner: owner
+
+      - name: Clone dependabot-org-config repo
+        run: git clone https://github.com/KittyCAD/dependabot-org-config.git ../dependabot-org-config
+
+      - name: Run dependabot-org-config
+        run: |
+          export RUST_LOG=info
+          cd ../dependabot-org-config
+          cargo run -- KittyCAD --ecosystems-cache .ecosystems-cache.json --dependabot-overrides ../your_repo/dependabot-overrides.toml --create-pr
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+```
+
+## Conclusion
+
+I think it's a bit sad that Dependabot seems to lack some fundamental features. It would be great if you could
+set an organization-wide cooldown for dependency updates. If you are curious why, check out this
+blog post about [why we should be all using dependency cooldowns](https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns).
+
+[dependabot-org-config](https://github.com/KittyCAD/dependabot-org-config) allows security teams to gain some more control about how Dependabot updates dependencies.