1
0
Fork 0
mirror of https://github.com/imjasonh/krust synced 2026-07-08 23:05:41 +00:00
krust/.github/dependabot.yml
Jason Hall bd515ce3e2
feat: Add supply chain security improvements
- Pin all GitHub Actions to specific commit SHAs for immutability
- Add cargo-audit job to CI pipeline for vulnerability scanning
- Create SECURITY.md with vulnerability reporting guidelines
- Add Dependabot configuration for automated dependency updates
  - Weekly updates for both Cargo and GitHub Actions
  - Grouped patch and minor updates for Cargo dependencies
- Update job dependencies to run security checks before integration tests

This improves the project's security posture by:
1. Preventing action hijacking through SHA pinning
2. Catching known vulnerabilities early with cargo-audit
3. Providing clear security reporting channels
4. Automating dependency updates to reduce security debt

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-08 00:48:19 -04:00

46 lines
962 B
YAML

version: 2
updates:
# Enable version updates for Rust dependencies
- package-ecosystem: "cargo"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "08:00"
open-pull-requests-limit: 10
reviewers:
- "imjasonh"
labels:
- "dependencies"
- "rust"
commit-message:
prefix: "chore"
include: "scope"
groups:
patch-updates:
patterns:
- "*"
update-types:
- "patch"
minor-updates:
patterns:
- "*"
update-types:
- "minor"
# Enable version updates for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "08:00"
open-pull-requests-limit: 5
reviewers:
- "imjasonh"
labels:
- "dependencies"
- "github-actions"
commit-message:
prefix: "chore"
include: "scope"