From 4df9a011553605047c04bd026850d2b0ce0bc41f Mon Sep 17 00:00:00 2001
From: Johannes Zorn
Date: Wed, 8 Apr 2026 15:45:28 +0200
Subject: [PATCH] build: Decrease renovate noise

Currently, renovate aggressively creates MRs in our repos, potentially pulling malicious dependencies from open source componentes before they may be spottet by the community (supply chain attacks). Furthermore, they are causing a lot of noise in our inboxes.

This change introduces the following changes:

* updates must be at least 2 weeks old
* unless they fix a known vulnerability
* pull requests are only opened once the change has passed the internal checks
---
 renovate.json | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/renovate.json b/renovate.json
index 61cb4263f..966c6b6f6 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,10 +1,10 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:recommended"
-  ],
+  "extends": ["config:recommended"],
   "timezone": "Europe/Berlin",
   "schedule": ["* 0-5 * * *"],
+  "minimumReleaseAge": "14 days",
+  "internalChecksFilter": "strict",
   "labels": [
     "bot",
     "renovate",
@@ -27,6 +27,28 @@
     "groupName": "GitHub Actions",
     "matchManagers": ["github-actions"],
     "separateMajorMinor": false
+  },
+  {
+    "description": "Bypass delay for security tools",
+    "matchPackageNames": [
+      "trivy",
+      "pip-audit",
+      "aquasecurity/trivy-action",
+      "pypa/pip-audit"
+    ],
+    "minimumReleaseAge": null,
+    "automerge": true,
+    "automergeType": "pr",
+    "schedule": ["at any time"],
+    "groupName": "security-tool-updates"
+  },
+  {
+    "matchVulnerabilities": true,
+    "minimumReleaseAge": null,
+    "automerge": true,
+    "automergeType": "pr",
+    "schedule": ["at any time"],
+    "groupName": "security fixes"
   }
 ]
-}
\ No newline at end of file
+}
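Review bot: The "Bypass delay for security tools" rule in the second hunk sets `"minimumReleaseAge": null` together with `"automerge": true` for `aquasecurity/trivy-action` and `pypa/pip-audit`, which are code executed inside CI, so a compromised release of one of those tools would be pulled at zero delay and merged without a human look — the exact exposure the commit message says the 14-day delay is meant to reduce. Scanner updates rarely need same-hour adoption; a short non-null delay such as `"minimumReleaseAge": "3 days"` (constructed value) keeps the bypass while leaving a window for a bad release to be noticed, and the CI-executed action entries could additionally keep the digest pinning that `config:recommended` applies rather than automerging. The bare names `trivy` and `pip-audit` in `matchPackageNames` are not scoped to a manager, so any datasource package with that name would also inherit the bypass; restricting the rule with `matchManagers` would narrow it. For the last rule, I cannot confirm `matchVulnerabilities` is a documented packageRules matcher — the documented one for vulnerability-driven updates is `isVulnerabilityAlert`, and on a GitLab platform (the message speaks of MRs) vulnerability alerts generally need `osvVulnerabilityAlerts` enabled; please validate the file against the referenced `$schema`, since an unknown key would silently leave the "security fixes" exception inactive.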