Dependabot should use the private registry for security updates #11668
Unanswered
GuillaumeBenini
asked this question in
Code Security
Replies: 1 comment
Yes, you can opt into configuration through the dependabot.yml for security updates as well. See https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates. Secrets, though, are currently only supported for version updates. We are aware of this issue and devising ways to fix it.
As I see it currently, the updates are split into 2 categories: security updates and non-security updates. The security updates are configured through the GitHub interface and the non-security updates use the GitHub interface or the dependabot.yml, if present.
It seems that there is no way to configure, for example, a private registry (Artifactory) for security updates because it ignores the dependabot.yml config file. It does work for non-security updates though.
Shouldn't security updates also use the config file if it's present?