
Search for Dockerfiles recursively #1015

Closed
webratz opened this issue Feb 21, 2019 · 14 comments
Labels
L: docker Docker containers T: feature-request Requests for new features

Comments

@webratz

webratz commented Feb 21, 2019

Hey,

I'm aware that there is a directory setting that could be configured. But we have many repos where we have (in this case Dockerfiles) in several subdirectories. Adding them all manually is quite error prone.

Is there a setting that I could use to search recursively through the repo for matching files and check all of these?

@greysteil
Contributor

Not at the moment. Because Dependabot never clones your repo it's not easy for us to do this without hitting GitHub a lot of times. We're looking into changing that (the git tree API might give us what we need), and serving a list of possible projects for a given repository, but it's a way off for now.

@greysteil
Contributor

greysteil commented Feb 21, 2019

(Although if you're using dependabot-core with a script, rather than dependabot.com, hopefully there's nothing stopping you implementing this on your side?)

@webratz
Author

webratz commented Feb 21, 2019

Yeah, we will most likely implement that search within our probot app then. Just wanted to make sure I don't miss a feature that's already there.

@greysteil
Contributor

Cool, makes sense! I imagine we will add this, and the logic for it will live in this repo (rather than in the app backend) in the next 3 months or so, but wouldn't want to keep you waiting!

@abxhr

abxhr commented Nov 1, 2022

Hello!
Any updates on this issue? Would love to see this feature in dependabot as it would make the config.yml much neater and easier to maintain.

@jeffwidman
Member

jeffwidman commented Nov 7, 2022

Agreed, re-opening as recursive file search is relevant to the K8s files as well:

I realize this issue originally encompassed all ecosystems, but since we have similar requests for other ecosystems and the implementation may vary (or may be shared, not sure until we actually build it), I re-scoped this to only Dockerfiles since that's what the OP is actually affected by.

@jeffwidman jeffwidman reopened this Nov 7, 2022
@jeffwidman jeffwidman added T: feature-request Requests for new features L: docker Docker containers labels Nov 7, 2022
@jeffwidman jeffwidman changed the title Search for files recursively Search for Dockerfiles recursively Nov 7, 2022
@Dreamsorcerer

Dreamsorcerer commented Nov 7, 2022

What I'm confused by, is that Dependabot security updates seem to happen on all dependency files in a repository, but version updates only check the top-level dependency files. Why would they have different capabilities?

(Note to self: This is needed for aiohttp_demos).

@abxhr

abxhr commented Nov 8, 2022

@Dreamsorcerer Exactly. I get it, a few folks might require the dependabot version updates to be running only in specific places in the repository, but when the requirement increases it is a hassle to configure everything.
It'll be nice to have a parameter or something in the config (boolean), which allows the recursive check to be done from the mentioned directory location.

@Dreamsorcerer

What I meant is that I'm genuinely confused. Discussion is suggesting that there's a significant piece of work to add this feature (not just a config flag), but the security updates seem to already do it. Are they 2 separate projects without common code or something?

@jeffwidman
Member

Sorry for the confusion here.

  1. This ticket was originally closed because Dependabot had a restriction of never cloning the repo. That restriction is no longer valid, so we could tackle this. That's why I re-opened it.
  2. The flow for security alerts is indeed different. The code which generates the repo's dependency graph at https://github.com/dependabot/dependabot-core/network/dependencies is indeed a different code base. Long term we'd like to use only one codebase, but that's a project for another day. When a new security vulnerability arrives, the security alerts code checks for all repos marked as using that dependency in the dependency graph. From there, it will notify the Dependabot version updater of the vulnerable dependency name, version, and the manifest file path. So for a security update PR, Dependabot never has to find the manifest file.

@duglin

duglin commented Dec 12, 2022

Until recursiveness is supported, is there a way to specify a list of dirs instead of having to create an entire "update" block for each dir?

@PanzerHabba

Hi, any progress?
I'm working on a project where we have a lot of microservices (.net) and also terraform, python and possibly other "package-ecosystems". Is the only workaround to create a separate entry for each folder?

@jeffwidman
Member

Unfortunately that's correct, you currently have to specify each entry separately.

Also, since I last commented, I realized this one is a little more complicated because some users will want recursive search, some will want to search only the root directory, etc... so I think we need to be explicit about / => root dir, * => recursive to allow disambiguating user intent.

The * recursive case is already tracked under:

So I'm going to close this as a duplicate.

@jeffwidman jeffwidman closed this as not planned (duplicate) Feb 10, 2023
@jeffwidman
Member

Until recursiveness is supported, is there a way to specify a list of dirs instead of having to create an entire "update" block for each dir?

@duglin Several workarounds are listed in the comments of this ticket for programmatically generating the list of dirs to specify in dependabot.yml file:
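A workaround of the kind referred to above, as an added example that is neither dependabot-core code nor posted by any commenter: a script that walks a checkout for Dockerfiles and emits one `docker` update block per directory, so no manifest in a subdirectory silently drops out of version-update coverage. `SKIP_DIRS`, `find_dockerfile_dirs`, `render_dependabot_yml` and the sample tree are assumptions of this example, not Dependabot features.

```python
"""Generate dependabot.yml `updates` entries for every Dockerfile in a repo.

Hypothetical workaround script (not part of dependabot-core): since the
config has no recursive option, we collect each directory that holds a
Dockerfile and write one `docker` update block per directory.
"""
import os
import tempfile
from pathlib import Path
from typing import List

# Vendored/tooling directories that never hold the project's own manifests.
SKIP_DIRS = {".git", "node_modules", "vendor", ".terraform"}


def find_dockerfile_dirs(root: str) -> List[str]:
    """Return sorted repo-relative directories containing a Dockerfile ("/" = root)."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk never descends into them.
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        if any(f == "Dockerfile" or f.startswith("Dockerfile.") for f in filenames):
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            found.add("/" if rel == "." else "/" + rel)
    return sorted(found)


def render_dependabot_yml(directories: List[str], interval: str = "weekly") -> str:
    """Render a dependabot.yml (version 2) with one docker block per directory."""
    lines = ["version: 2", "updates:"]
    for d in directories:
        lines += [
            '  - package-ecosystem: "docker"',
            f'    directory: "{d}"',
            "    schedule:",
            f'      interval: "{interval}"',
        ]
    return "\n".join(lines) + "\n"


def build_sample_repo(root: Path) -> None:
    """Constructed sample tree for the stand-alone run; not a real repository."""
    for sub in ("", "services/api", "services/worker", "node_modules/x"):
        (root / sub).mkdir(parents=True, exist_ok=True)
        (root / sub / "Dockerfile").write_text("FROM scratch\n")


def sample_run() -> List[str]:
    """Build the constructed tree in a temp dir and return the directories found."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(Path(tmp))
        return find_dockerfile_dirs(tmp)


if __name__ == "__main__":
    print(render_dependabot_yml(sample_run()))
```

Run it from the repository root with the scan pointed at `.` to regenerate the `updates` list whenever a service directory is added.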

mikaelarguedas added a commit to osrf/docker_images that referenced this issue Jan 2, 2024
Apparently recursively finding Dockerfile is not working: dependabot/dependabot-core#1015

Not sure why it stopped working

Signed-off-by: Mikael Arguedas <mikael.arguedas@gmail.com>