Dependabot implementation guide (dependabot.yml configuration / alerts and security updates / auto-merge / troubleshooting / private registries / monorepos / Actions SHA pinning / Docker / Renovate and SCA tool selection)
Dependabot is not "done once enabled". It only delivers value once you separate the three pillars (detection = alerts / remediation = security updates / freshness = version updates), structurally contain the flood of PRs, and operate it with an SLA. This cluster uses the pillar article to give the overall picture, enablement and billing (on standard runners it does not consume Actions minutes), and operations design. The individual articles then systematize every dependabot.yml option (groups, cooldown, directories, registries, multi-ecosystem-groups); a design for "safely auto-merging only patch/minor updates" with GitHub Actions and fetch-metadata (the correct handling of read-only tokens and Dependabot secrets, and when to use pull_request versus pull_request_target); vulnerability response using auto-triage and grouped security updates; and tool selection against Renovate. It draws an honest line of responsibility, dependencies (SCA) for Dependabot and vulnerabilities in your own code for SAST/DAST, and provides automation that does not add supply-chain technical debt, in real code faithful to the official documentation.
11 articles in total
Foundational guide (start here)
Dependabot production-operations guide: separate alerts, security updates, and version updates into the 'three pillars' to keep dependencies automatically and safely up to date
An implementation guide to operating GitHub's Dependabot at production quality. Faithful to the official documentation (as of June 2026), it explains — with copy-pasteable real code and a project viewpoint — the differences and proper use of the three pillars (Dependabot alerts / security updates / version updates), how to enable them, practical dependabot.yml settings, where it runs (Actions runners) and billing, auto-merge and grouping, and operations design with an SLA.
Related practical articles
- Dependabot, GitHub Actions, CI/CD, DevSecOps, Automation
Dependabot auto-merge × GitHub Actions automation guide: safely auto-merging only patch/minor with fetch-metadata
An implementation guide to safely auto-merging Dependabot PRs with GitHub Actions. Faithful to the official documentation (as of June 2026), it explains, with copy-paste real code: all outputs of dependabot/fetch-metadata@v3, conditional branching by update-type, gh pr merge --auto, the token model of a read-only GITHUB_TOKEN and Dependabot secrets, using pull_request vs. pull_request_target, and how to build safety valves with required checks and branch protection.
9 min read
- Dependabot, Docker, Supply chain security, DevSecOps, Dependency management
Safely update Docker base images with Dependabot: tag following, digest pinning, and silent-rebuild countermeasures
An implementation guide to keep Dockerfile / Docker Compose base images safely updated with Dependabot. Faithful to the official documentation (as of June 2026), it explains, with copy-paste real code: the docker / docker-compose ecosystem configuration, the difference between tag updates and digest pinning (image:tag@sha256:...), countermeasures for CVEs accumulated by silent rebuilds, multi-stage and private-registry (ECR/Artifact Registry) integration, and the reason to be careful with auto-merge.
6 min read
- Dependabot, GitHub Actions, Supply chain security, DevSecOps, CI/CD
Pin GitHub Actions to a SHA and update with Dependabot: a practice to prevent supply-chain attacks
A practical guide to pinning GitHub Actions' `uses:` from a mutable tag to a commit SHA and keeping it safely updated with Dependabot. Faithful to the official security-hardening guidance (as of June 2026), it explains, with real code, why tag references are dangerous, SHA pinning + version comments, Dependabot's behavior of updating the SHA and comment together, bulk-pinning an existing repository, and defense in depth — least-privilege GITHUB_TOKEN, allowing only trusted actions, and a policy enforcing SHA pinning.
7 min read
- Dependabot, Monorepo, Turborepo, Dependency management, GitHub Actions
Running a monorepo with Dependabot: a design with directories and groups that doesn't break Turborepo / pnpm workspaces
A design guide for operating Dependabot without breaking on a monorepo (Turborepo / pnpm/npm/yarn workspaces / Nx). Faithful to the official documentation (as of June 2026), it explains, in copy-paste real code: consolidating into one entry with directories globs, the relationship between workspaces and the lockfile, bundling PRs across directories with groups and group-by: dependency-name, per-package policies, and integration with CI that tests only the affected scope.
6 min read
- Dependabot, Supply chain security, GitHub Actions, DevSecOps, Dependency management
Dependabot × private-registry authentication, the complete guide: npm/Docker/Maven/PyPI, CodeArtifact, OIDC, self-hosted runners
An implementation guide to updating internal/private-registry dependencies with Dependabot. Faithful to the official documentation (as of June 2026), it explains, with copy-paste real code and least-privilege design: the authentication fields per registries-block type, Dependabot secrets (≠ Actions secrets), GitHub Packages auto-authentication, OIDC for AWS CodeArtifact / Google Artifact Registry / JFrog Artifactory, static AWS auth for ECR, and self-hosted runners (the dependabot label) that reach a private network.
7 min read
- Dependabot, Supply chain security, Vulnerability management, DevSecOps, Security
Dependabot alerts, security updates, and vulnerability-response guide: don't end at detection — operate with an SLA
A guide to operating GitHub's Dependabot alerts and security updates at production quality. Faithful to the official documentation (as of June 2026), it explains, with real code, the difference between alerts and security updates, the prerequisites for enabling them, how to prevent alert fatigue with auto-triage rules, grouped security updates, triage operations with an SLA, and observability via the REST API, including the role division between SCA and SAST/DAST.
7 min read
- Dependabot, Troubleshooting, GitHub Actions, DevSecOps, Dependency management
Complete troubleshooting for when Dependabot doesn't work / no PRs come: isolating causes and fixing by error
Dependabot doesn't create PRs, doesn't fix vulnerabilities, or errors on a private registry — a practical guide to isolating and fixing common stalls by cause. Faithful to the official documentation (as of June 2026), it explains, with copy-paste confirmation steps: the typical causes of 'no PRs come,' Cannot update to a non-vulnerable version, private_source_* errors, how to read logs, and the latest spec of the @dependabot comment commands that changed in January 2026.
8 min read
- Dependabot, Renovate, Tool selection, Dependency management, DevSecOps
Dependabot vs Renovate: a tech-selection guide — which to choose, and is migrating worth it? (2026 edition)
A practitioner's tech-selection guide comparing the dependency auto-update tools Dependabot and Renovate. It contrasts GitHub-native zero-config with Renovate's 90+ package managers, multi-Git-platform support, Dependency Dashboard, and grouping presets. It lays out the differences in pricing (free on standard runners / free Mend-hosted plus paid add-ons), self-hosting, monorepos, and security integration in a comparison table, and gives situation-by-situation selection criteria and the inputs for a migration decision.
6 min read
- Dependabot, SCA, Tool selection, Supply chain security, DevSecOps
Dependabot vs Snyk vs Trivy vs npm audit: how to choose an SCA (dependency-vulnerability) tool, 2026 edition
A tech-selection guide comparing SCA (Software Composition Analysis) tools that find dependency vulnerabilities, from a practitioner's view. It organizes Dependabot, Snyk, Trivy, Grype, OSV-Scanner, OWASP Dependency-Check, and npm audit by detection database, fix PRs, reachability analysis, CI integration, SBOM, pricing, and coverage. It presents detection (scanning) and remediation (update PRs) as distinct roles, explains the difference between SCA and SAST/DAST, and gives a situation-by-situation selection flow.
7 min read
- Dependabot, GitHub Actions, Dependency management, DevSecOps, Supply chain security
dependabot.yml configuration complete guide: master schedule, groups, cooldown, ignore, registries, and monorepos in real code
A configuration complete guide for writing GitHub's dependabot.yml at production quality. Faithful to the official configuration reference (as of June 2026), it explains, with copy-pasteable real examples, the full supported list of package-ecosystem, directory and directories (glob), schedule and cooldown, groups (applies-to / group-by), the priority of allow and ignore, registries and private-registry authentication, commit-message, target-branch, and multi-ecosystem-groups.
10 min read