This document is under active development and has not been finalised.

3.2 Dependency Monitoring

Overview

Dependency monitoring continuously tracks all dependencies across our repositories and automatically creates pull requests when security updates are available.

Tools

GitHub Dependabot

Dependabot is enabled in all repositories and handles:

  • Security Updates: Automatic PRs for known vulnerabilities
  • Version Updates: Regular PRs for available updates (configurable)
  • Alerts: GitHub Security Alerts for new CVEs

Configuration (.github/dependabot.yml):

```yaml
version: 2
updates:
  # Example: NPM
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "security"

  # Example: Docker
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "docker"

  # Example: GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "ci"
```

Dependabot Auto-Merge

For non-critical updates (patch updates from trusted packages), the existing auto-merge workflow (docker-maintenance-dependabot.yml) is used:

  1. Dependabot creates a PR
  2. CI pipeline runs (tests, security scan)
  3. On success: automatic approval
  4. Automatic merge (squash)

IMPORTANT

Auto-merge is only enabled for patch updates and trusted ecosystems. Major and minor updates require manual review.

GitHub Security Alerts

GitHub Security Alerts are enabled for all repositories:

  • Automatic notification for new CVEs in dependencies
  • Mapping to specific manifest files
  • Severity classification (Critical, High, Medium, Low)
  • Fix suggestions via Dependabot Security Updates

Trivy Container Scanning

For container images, Trivy is additionally used in CI/CD:

```yaml
# Automatic scan on every build
- name: Trivy Vulnerability Scan
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: ${{ env.IMAGE }}
    severity: CRITICAL,HIGH
    exit-code: 1    # Build fails on findings
```

Docker Base Image Monitor

The existing workflow modules-docker-base-image-monitor.yml monitors base images:

  • Detection of new base image versions
  • Automatic PR when an update is available
  • Ensures up-to-date OS packages

Monitoring Matrix

| Ecosystem | Tool | Frequency | Auto-Merge |
|---|---|---|---|
| NPM | Dependabot | Weekly | Patch updates |
| NuGet | Dependabot | Weekly | Patch updates |
| pip/Poetry | Dependabot | Weekly | Patch updates |
| Docker | Dependabot + Base Image Monitor | Weekly | Patch updates |
| GitHub Actions | Dependabot | Weekly | Minor/Patch |
| Go Modules | Dependabot | Weekly | Patch updates |
| Composer (PHP) | Dependabot | Weekly | Patch updates |
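The auto-merge gate from the Dependabot Auto-Merge section and the per-ecosystem policy in the matrix above, expressed as a check a CI job could run against a Dependabot PR. This is an added example, not code from this page or from the project's own workflows; the trusted-ecosystem list, the reliance on Dependabot's "Bump X from A to B" PR title, and the rule that anything not a plain semver upgrade (two-part Docker tags, pre-release suffixes, downgrades) falls back to manual review are assumptions.

```python
import re

# Constructed policy table mirroring the Monitoring Matrix: the highest semver
# level a Dependabot PR may carry and still be auto-merged. Keys are Dependabot
# package-ecosystem values; the exact trusted list is an assumption.
AUTO_MERGE_MAX_LEVEL = {
    "npm": "patch", "nuget": "patch", "pip": "patch", "docker": "patch",
    "gomod": "patch", "composer": "patch", "github-actions": "minor",
}
LEVEL_RANK = {"patch": 0, "minor": 1, "major": 2}

# Dependabot titles its PRs "Bump <dependency> from <old> to <new> ..."
TITLE_RE = re.compile(r"^Bump (\S+) from (\S+) to (\S+)")
# Plain semver, optional leading "v" (GitHub Actions tags), optional suffix.
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+](\S*))?$")


def bump_level(old: str, new: str):
    """Return 'major', 'minor' or 'patch' for a plain semver upgrade.
    Returns None for anything that must not be auto-merged on version alone:
    non-semver tags (e.g. Docker '3.19'), pre-release/build suffixes,
    downgrades and no-op bumps."""
    mo, mn = SEMVER_RE.match(old), SEMVER_RE.match(new)
    if not mo or not mn or mo.group(4) or mn.group(4):
        return None
    o = tuple(int(x) for x in mo.group(1, 2, 3))
    n = tuple(int(x) for x in mn.group(1, 2, 3))
    if n <= o:
        return None
    if n[0] != o[0]:
        return "major"
    return "minor" if n[1] != o[1] else "patch"


def auto_merge_allowed(ecosystem: str, pr_title: str, ci_passed: bool):
    """Decide whether a Dependabot PR may be auto-merged; returns (bool, reason)."""
    if not ci_passed:
        return False, "CI (tests, security scan) did not pass"
    m = TITLE_RE.match(pr_title)
    if not m:
        return False, "PR title is not a Dependabot version bump"
    level = bump_level(m.group(2), m.group(3))
    if level is None:
        return False, f"{m.group(2)} -> {m.group(3)} is not a plain semver upgrade"
    max_level = AUTO_MERGE_MAX_LEVEL.get(ecosystem)
    if max_level is None:
        return False, f"ecosystem '{ecosystem}' is not in the trusted list"
    if LEVEL_RANK[level] > LEVEL_RANK[max_level]:
        return False, f"{level} update of {m.group(1)} requires manual review"
    return True, f"{level} update of {m.group(1)} is within auto-merge policy"
```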

Escalation Process

Dependabot/Trivy detects CVE
    |
    +-- Low/Medium Severity
    |   +-- PR created -> Review in next sprint
    |
    +-- High Severity
    |   +-- PR created -> Review within 24h -> Patch release
    |
    +-- Critical Severity
        +-- PR created -> Immediate handling
            +-- Teams notification to Security Lead
            +-- Check: Actively exploited?
            |   +-- Yes -> ENISA reporting process (24h)
            |   +-- No -> Patch within 48h
            +-- Hotfix release

Documentation licensed under CC BY-NC 4.0 · Code licensed under MIT