Lightszentip / Dependabot vs Renovate - build secure and uptodate software artifacts

Created Fri, 09 Dec 2022 00:00:00 +0000 Modified Sat, 07 Sep 2024 22:07:08 +0000
292 Words

Dependabot vs Renovate - build secure and uptodate software artifacts

Currently it exists two good systems to update software dependencies.

Why I should use that?

To develop a software, can be faster if you use dependencies that develop default functions. So you can use the libs to create the business logic and create a software faster.

But many dependencies need checks in the software cycle:

  • you need update to the latest version or patch version to fix bugs
  • you need update to get a better security, because many updates have security fixes

To reduce the manual effort, this tools help to reduce the effort

DOCS

https://docs.renovatebot.com/

https://docs.github.com/de/code-security/dependabot

Integration

For both solution exists different integrations, as actions, as standlone instance or as gitlab runner.

The Renovate has also a dependency dashboard as issue. So the differents are in the integration. The Dependabot can integrate over settings in github, in gitlab it is necessary to use it as runner - same for renovat in gitlab.

Gitlab integration for Renovate

  1. Fork Runner - https://gitlab.com/renovate-bot/renovate-runner => it easier by forking
  2. Edit the renovate.json and add
  ],
    "extends": [
    "config:base",
    ":preserveSemverRanges",
    ":dependencyDashboard",
    ":rebaseStalePrs",
    ":enableVulnerabilityAlertsWithLabel('security')",
    "group:recommended"
  ],
  1. Add the CI Variables RENOVATE_EXTRA_FLAGS with "--autodiscover=true --onboarding=true --autodiscover-filter=groupusernamehere/*" - to add all you repos from username or group groupusernamehere. The runner create the necessary pullrequest with the renovate.json
  2. Add the CI Varaible RENOVATE_TOKEN with a gitlab token to get access to the repository (scopes: api, read_user, write_repository)
  3. Optional GITHUB_COM_TOKEN as Variable in CI to get the Information from github packages
  4. Start the scheduler in your Gitlab CI to run the runner
  5. Check the result

More information: https://gastaud.io/en/article/gitlab-renovatebot/ and https://blog.jdriven.com/2022/08/running-renovate-on-gitlab-com/

Gitlab integration dependabot

see https://blog.jdriven.com/2021/03/running-dependabot-on-gitlab/

Github integration for Renovate

The best way, is to use the app : https://github.com/apps/renovate