A tool to keep track of Dependabot pull requests
govuk-dependencies

A tool for:

  • Viewing all of the outstanding open pull requests made by Dependabot to GOV.UK repos
  • Sending Slack messages to GDS Teams reminding them of open Dependabot PRs for their applications
  • Viewing security alerts for old gems found in Gemfile.lock

Screenshots

screenshot

Live examples

Technical documentation

This is a Sinatra application that uses the GitHub API to fetch the list of open PRs raised by Dependabot and groups them in several ways:

  • By application
  • By team
  • By gem
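The grouping described above, as an added example rather than code from the govuk-dependencies repository. Dependabot titles its PRs `Bump <gem> from <old> to <new>`, so the gem can be recovered from the title, and the team comes from a per-application mapping. The PR hashes and the application-to-team mapping below are constructed for illustration; the real app reads PRs from the GitHub API and the mapping from its own configuration.

```ruby
# Added example (not the project's own code): group Dependabot PRs by
# application, by team and by gem, as the README describes.
require 'json'

# Dependabot titles look like "Bump rack from 2.0.1 to 2.0.6" (sometimes with
# " in /path" appended). Anything not matching is ignored as a non-bump PR.
DEPENDABOT_TITLE = /\ABump (?<gem>\S+) from (?<from>\S+) to (?<to>\S+)/

# Constructed PR data, shaped like the fields the GitHub pulls API returns.
SAMPLE_PRS = [
  { 'repo' => 'alphagov/whitehall', 'title' => 'Bump rack from 2.0.1 to 2.0.6',        'user' => 'dependabot[bot]' },
  { 'repo' => 'alphagov/frontend',  'title' => 'Bump rack from 2.0.3 to 2.0.6',        'user' => 'dependabot[bot]' },
  { 'repo' => 'alphagov/frontend',  'title' => 'Bump nokogiri from 1.10.3 to 1.10.4',  'user' => 'dependabot[bot]' },
  { 'repo' => 'alphagov/whitehall', 'title' => 'Fix typo in README',                   'user' => 'somebody' },
].freeze

# Constructed application -> Slack channel mapping (the real one is project config).
SAMPLE_TEAMS = {
  'whitehall' => '#govuk-publishing',
  'frontend'  => '#govuk-frontend',
}.freeze

# Only trust the bot's own PRs, and only those whose title parses as a bump.
def dependabot_pr?(pr)
  pr['user'] == 'dependabot[bot]' && DEPENDABOT_TITLE.match?(pr['title'])
end

# Reduce one PR to the fields the groupings need.
def parse_pr(pr)
  m = DEPENDABOT_TITLE.match(pr['title'])
  {
    application: pr['repo'].split('/').last,
    gem: m[:gem],
    from: m[:from],
    to: m[:to],
  }
end

def dependabot_bumps(prs)
  prs.select { |pr| dependabot_pr?(pr) }.map { |pr| parse_pr(pr) }
end

# { "frontend" => [bump, bump], "whitehall" => [bump] }
def group_by_application(prs)
  dependabot_bumps(prs).group_by { |b| b[:application] }
end

# { "#govuk-frontend" => { "frontend" => [...] }, ... }; unmapped apps go to "unknown".
def group_by_team(prs, teams)
  group_by_application(prs)
    .group_by { |app, _bumps| teams.fetch(app, 'unknown') }
    .transform_values(&:to_h)
end

# { "rack" => [bump in whitehall, bump in frontend], "nokogiri" => [...] }
def group_by_gem(prs)
  dependabot_bumps(prs).group_by { |b| b[:gem] }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(group_by_team(SAMPLE_PRS, SAMPLE_TEAMS))
end
```

Filtering on the `dependabot[bot]` author as well as the title pattern matters: a human could open a PR titled "Bump rack from 2.0.1 to 2.0.6", and the reminders should not attribute it to Dependabot.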

Dependencies

Running the application

bundle exec rackup

Running this starts the application at http://localhost:9292

Running the test suite

bundle exec rake

Environment variables

  • GITHUB_TOKEN - A personal access token generated on GitHub. It needs no scopes, since all the repositories it reads are public.
    • Optional: the app works without it, but unauthenticated GitHub API requests hit the rate limit much sooner.
  • SLACK_WEBHOOK_URL - The incoming-webhook URL that Slack messages are posted to
  • DEPENDAPANDA_SECRET - Secret token that must be supplied when manually triggering the Slack messages

Rate limiting

If you find yourself being rate limited by GitHub, set the GITHUB_TOKEN environment variable. This must be a token generated on GitHub; as the repositories are all public it needs no special permissions (no scopes), so it should be created with none. It is still a credential: supply it through the environment rather than committing it to the repository or baking it into the Procfile.
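How the token changes the request, and what to do when the limit is hit anyway, as an added example (not code from the govuk-dependencies repository). GitHub's REST API allows 60 unauthenticated requests per hour per IP and 5000 per hour with a token, and reports the state of the quota in the `X-RateLimit-Remaining` and `X-RateLimit-Reset` response headers. The response headers used in the test are constructed; `github_get` performs a real request and is not exercised offline.

```ruby
# Added example (not the project's own code): attach GITHUB_TOKEN when present
# and back off until the reported reset when the quota is exhausted.
require 'net/http'
require 'uri'

GITHUB_API = URI('https://api.github.com')

# A token with no scopes is enough: the repositories are public and the token
# only raises the hourly quota. Never log the token or the Authorization header.
def build_request(path, token = ENV['GITHUB_TOKEN'])
  req = Net::HTTP::Get.new(path)
  req['Accept'] = 'application/vnd.github.v3+json'
  req['User-Agent'] = 'govuk-dependencies'
  req['Authorization'] = "token #{token}" if token && !token.empty?
  req
end

# Seconds to wait before retrying, or 0 while requests remain. Works on a
# Net::HTTPResponse (case-insensitive headers) or a plain Hash of headers.
# X-RateLimit-Reset is a Unix timestamp; a second of slack is added.
def rate_limit_wait(headers, now: Time.now)
  remaining = headers['X-RateLimit-Remaining']
  return 0 if remaining.nil? || remaining.to_i > 0

  reset_at = Time.at(headers['X-RateLimit-Reset'].to_i)
  [(reset_at - now).ceil + 1, 1].max
end

# One GET against the API, retrying after the reset when GitHub answers 403
# with an exhausted quota. Requires network access.
def github_get(path, token = ENV['GITHUB_TOKEN'], attempts: 2)
  Net::HTTP.start(GITHUB_API.host, GITHUB_API.port, use_ssl: true) do |http|
    attempts.times do
      res = http.request(build_request(path, token))
      wait = rate_limit_wait(res)
      return res if wait.zero? || res.code != '403'

      warn "GitHub rate limit exhausted; sleeping #{wait}s until reset"
      sleep wait
    end
    raise 'GitHub rate limit still exhausted after retrying'
  end
end
```

Checking `X-RateLimit-Remaining` rather than just the status code distinguishes a rate-limit 403 from a genuine permission error, which no amount of waiting will fix.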

Security Alerts

screenshot

When the security alerts page (/security-alerts) is requested, the application updates its local copy of the advisory database, then downloads and saves the Gemfile.lock of every Ruby project defined in apps.json before scanning them.

Gemfiles

The Gemfile.lock downloaded for each application during a security alerts check is saved as tmp/{application_name}_gemfile.lock.

Advisory DB

The security alerts feature uses bundler-audit, which relies on a local copy of the ruby-advisory-db. Without that copy there is nothing to match the locked gem versions against, so the security alerts page reports no security alerts even when vulnerable versions are present: a false negative, not an error.

To update this database you can run:

bundle exec rake update_advisory_db

To update it from Ruby code instead, call:

Bundler::Audit::Database.update!
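Why a missing advisory database silently yields no alerts, as an added example that is neither the project's code nor bundler-audit's. It re-implements the core of the check with the standard library only: parse the `specs:` section of a saved lockfile into gem versions, then report every gem whose version satisfies none of an advisory's `patched_versions` or `unaffected_versions` requirements (the semantics ruby-advisory-db entries use). The lockfile excerpt and the advisory are constructed; the advisory's identifier is a placeholder, not a real CVE.

```ruby
# Added example (not the project's or bundler-audit's code): a stdlib-only
# version of the advisory match, to show that an empty advisory list means
# "no matches", not "no data".
require 'yaml'
require 'rubygems'

# Constructed Gemfile.lock excerpt, as saved to tmp/{application_name}_gemfile.lock.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.10.3)
        mini_portile2 (~> 2.4.0)
      rack (2.0.6)
      sinatra (2.0.5)
        rack (~> 2.0)
LOCK

# Constructed advisory in ruby-advisory-db's YAML layout; the cve value is a placeholder.
SAMPLE_ADVISORY_YAML = <<~ADV
  gem: rack
  cve: "0000-00000"
  title: Example advisory (constructed for illustration)
  patched_versions:
    - ">= 2.0.7"
ADV

# Spec lines sit at exactly four spaces of indent: "    name (version)".
# Dependency lines are indented further and are skipped.
def parse_lockfile(text)
  text.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h { |name, ver| [name, Gem::Version.new(ver)] }
end

Advisory = Struct.new(:gem, :title, :patched_versions, :unaffected_versions) do
  # A version is vulnerable unless it satisfies a patched or unaffected requirement.
  def vulnerable?(version)
    safe = (patched_versions + unaffected_versions).any? do |req|
      Gem::Requirement.new(*req.split(',').map(&:strip)).satisfied_by?(version)
    end
    !safe
  end
end

def load_advisories(yaml_docs)
  yaml_docs.map do |doc|
    data = YAML.safe_load(doc)
    Advisory.new(data['gem'], data['title'],
                 data.fetch('patched_versions', []),
                 data.fetch('unaffected_versions', []))
  end
end

# Returns one {gem:, version:, title:} hash per locked gem that matches an advisory.
# With no advisories loaded the result is always [] -- the README's false negative.
def scan(lockfile_text, advisories)
  gems = parse_lockfile(lockfile_text)
  advisories.flat_map do |adv|
    version = gems[adv.gem]
    next [] unless version && adv.vulnerable?(version)

    [{ gem: adv.gem, version: version.to_s, title: adv.title }]
  end
end

if __FILE__ == $PROGRAM_NAME
  p scan(SAMPLE_LOCKFILE, load_advisories([SAMPLE_ADVISORY_YAML]))
  p scan(SAMPLE_LOCKFILE, [])   # empty: looks "clean" only because nothing was loaded
end
```

The practical consequence is that a clean scan result should be trusted only if the advisory database was present and refreshed first, which is why the page updates it before downloading the lockfiles.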