Security Advisories and Vulnerabilities

Configure security-only updates and provide custom security advisories for dependencies.

Security-only updates allow you to create pull requests only for dependencies with known vulnerabilities, updating them to the earliest available non-vulnerable version. This is particularly useful when you want to focus on security fixes without receiving updates for every new package version.

Enabling Security-Only Updates

To enable security-only updates, set open-pull-requests-limit: 0 in your dependabot.yml configuration:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0  # Only create PRs for security updates

This configuration mirrors the GitHub-hosted Dependabot security updates behavior.

GitHub Access Token Required

Security-only updates require a GitHub access token to query the GitHub Advisory Database for vulnerability information.

For Azure DevOps Extension

Provide a GitHub token using one of these task inputs:

- task: dependabot@2
  inputs:
    gitHubAccessToken: '$(GITHUB_TOKEN)'
    # OR use a service connection
    gitHubConnection: 'github-connection-name'

The GitHub token must have public_repo scope (or full repo scope for private repositories).

For CLI

Provide the GitHub token via command-line option:

paklo run \
  --organization-url https://dev.azure.com/my-org \
  --project my-project \
  --repository my-repo \
  --git-token $AZDO_TOKEN \
  --github-token $GITHUB_TOKEN

Creating a GitHub Token

Go to GitHub Settings → Developer settings → Personal access tokens
Generate a new token (classic or fine-grained)
For classic tokens, select the public_repo scope
Copy the token and store it securely as a pipeline variable or environment variable

Performance Considerations

Security-only updates incur a slight performance overhead compared to regular updates due to limitations in the Dependabot CLI (dependabot/cli#360).

How It Works

The process involves three steps:

Discovery: Run an "ignore everything" update job to discover all dependencies
Vulnerability Check: Check discovered dependencies against the GitHub Advisory Database
Update: Perform security-only updates for vulnerable dependencies

This extra discovery step adds processing time, but ensures accurate vulnerability detection.

Custom Security Advisories

You can provide custom security advisories for internal or private dependencies that aren't in the public GitHub Advisory Database. This is useful for:

Internal libraries with known vulnerabilities
Private packages your organization maintains
Security issues discovered through internal security scans

Advisory File Format

Create a JSON file with your custom security advisories:

[
  {
    "package": {
      "name": "Contoso.Utils"
    },
    "advisory": {
      "summary": "Contoso.Utils versions before 3.0.1 are vulnerable to input validation issues",
      "identifiers": [
        {
          "type": "CVE",
          "value": "CVE-2023-12345"
        }
      ]
    },
    "vulnerableVersionRange": "< 3.0.1",
    "firstPatchedVersion": {
      "identifier": "3.0.1"
    }
  }
]

A complete example is available in the repository: advisories-example.json

Field Descriptions

package.name (required): The package name as it appears in your dependency file
advisory.summary (required): Description of the vulnerability
advisory.identifiers (optional): CVE or other identifiers
vulnerableVersionRange (required): Version range affected (use semantic version ranges)
firstPatchedVersion.identifier (required): First version that fixes the vulnerability

Using Custom Advisories with Extension

Specify the file path in your pipeline:

- task: dependabot@2
  inputs:
    securityAdvisoriesFile: '$(Pipeline.Workspace)/advisories.json'
    gitHubAccessToken: '$(GITHUB_TOKEN)'

Using Custom Advisories with CLI

Use the --security-advisories-file option:

paklo run \
  --organization-url https://dev.azure.com/my-org \
  --project my-project \
  --repository my-repo \
  --git-token $AZDO_TOKEN \
  --github-token $GITHUB_TOKEN \
  --security-advisories-file ./advisories.json

Version Range Syntax

Use standard semantic versioning ranges in your advisories:

Range	Meaning
`< 2.0.0`	Versions less than 2.0.0
`<= 2.0.0`	Versions less than or equal to 2.0.0
`> 1.0.0`	Versions greater than 1.0.0
`>= 1.0.0`	Versions greater than or equal to 1.0.0
`>= 1.0.0, < 2.0.0`	Versions 1.0.0 or higher, but less than 2.0.0
`~> 2.1.0`	Versions 2.1.0 or higher, but less than 2.2.0 (pessimistic operator)

You can combine multiple ranges with commas.

Troubleshooting

No Security Updates Created

If security-only mode is enabled but no PRs are created:

Verify GitHub token - Ensure it has public_repo scope
Check for vulnerabilities - Use GitHub's interface to check if known vulnerabilities exist for your dependencies
Review logs - Enable debug logging to see vulnerability check results
Validate advisory file - If using custom advisories, ensure the JSON is valid

Error: "GitHub token required"

Security-only updates require a GitHub token. Make sure you've provided either:

gitHubAccessToken input (extension)
--github-token option (CLI)

Advisory Not Triggering Updates

If your custom advisory isn't triggering updates:

Verify the dependency-name matches exactly (case-sensitive)
Check the version range syntax
Ensure current dependency version is in affected-versions
Verify the advisory file is being loaded (check logs)

How is this guide?

Last updated on

Enabling Security-Only Updates

To enable security-only updates, set open-pull-requests-limit: 0 in your dependabot.yml configuration:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0  # Only create PRs for security updates

This configuration mirrors the GitHub-hosted Dependabot security updates behavior.

GitHub Access Token Required

Security-only updates require a GitHub access token to query the GitHub Advisory Database for vulnerability information.

For Azure DevOps Extension

Provide a GitHub token using one of these task inputs:

- task: dependabot@2
  inputs:
    gitHubAccessToken: '$(GITHUB_TOKEN)'
    # OR use a service connection
    gitHubConnection: 'github-connection-name'

The GitHub token must have public_repo scope (or full repo scope for private repositories).

For CLI

Provide the GitHub token via command-line option:

paklo run \
  --organization-url https://dev.azure.com/my-org \
  --project my-project \
  --repository my-repo \
  --git-token $AZDO_TOKEN \
  --github-token $GITHUB_TOKEN

Creating a GitHub Token

Go to GitHub Settings → Developer settings → Personal access tokens
Generate a new token (classic or fine-grained)
For classic tokens, select the public_repo scope
Copy the token and store it securely as a pipeline variable or environment variable

Performance Considerations

Security-only updates incur a slight performance overhead compared to regular updates due to limitations in the Dependabot CLI (dependabot/cli#360).

How It Works

The process involves three steps:

Discovery: Run an "ignore everything" update job to discover all dependencies
Vulnerability Check: Check discovered dependencies against the GitHub Advisory Database
Update: Perform security-only updates for vulnerable dependencies

This extra discovery step adds processing time, but ensures accurate vulnerability detection.

Custom Security Advisories

You can provide custom security advisories for internal or private dependencies that aren't in the public GitHub Advisory Database. This is useful for:

Internal libraries with known vulnerabilities
Private packages your organization maintains
Security issues discovered through internal security scans

Advisory File Format

Create a JSON file with your custom security advisories:

[
  {
    "package": {
      "name": "Contoso.Utils"
    },
    "advisory": {
      "summary": "Contoso.Utils versions before 3.0.1 are vulnerable to input validation issues",
      "identifiers": [
        {
          "type": "CVE",
          "value": "CVE-2023-12345"
        }
      ]
    },
    "vulnerableVersionRange": "< 3.0.1",
    "firstPatchedVersion": {
      "identifier": "3.0.1"
    }
  }
]

A complete example is available in the repository: advisories-example.json

Field Descriptions

package.name (required): The package name as it appears in your dependency file
advisory.summary (required): Description of the vulnerability
advisory.identifiers (optional): CVE or other identifiers
vulnerableVersionRange (required): Version range affected (use semantic version ranges)
firstPatchedVersion.identifier (required): First version that fixes the vulnerability

Using Custom Advisories with Extension

Specify the file path in your pipeline:

- task: dependabot@2
  inputs:
    securityAdvisoriesFile: '$(Pipeline.Workspace)/advisories.json'
    gitHubAccessToken: '$(GITHUB_TOKEN)'

Using Custom Advisories with CLI

Use the --security-advisories-file option:

paklo run \
  --organization-url https://dev.azure.com/my-org \
  --project my-project \
  --repository my-repo \
  --git-token $AZDO_TOKEN \
  --github-token $GITHUB_TOKEN \
  --security-advisories-file ./advisories.json

Version Range Syntax

Use standard semantic versioning ranges in your advisories:

Range	Meaning
`< 2.0.0`	Versions less than 2.0.0
`<= 2.0.0`	Versions less than or equal to 2.0.0
`> 1.0.0`	Versions greater than 1.0.0
`>= 1.0.0`	Versions greater than or equal to 1.0.0
`>= 1.0.0, < 2.0.0`	Versions 1.0.0 or higher, but less than 2.0.0
`~> 2.1.0`	Versions 2.1.0 or higher, but less than 2.2.0 (pessimistic operator)

You can combine multiple ranges with commas.

Troubleshooting

No Security Updates Created

If security-only mode is enabled but no PRs are created:

Verify GitHub token - Ensure it has public_repo scope
Check for vulnerabilities - Use GitHub's interface to check if known vulnerabilities exist for your dependencies
Review logs - Enable debug logging to see vulnerability check results
Validate advisory file - If using custom advisories, ensure the JSON is valid

Error: "GitHub token required"

Security-only updates require a GitHub token. Make sure you've provided either:

gitHubAccessToken input (extension)
--github-token option (CLI)

Advisory Not Triggering Updates

If your custom advisory isn't triggering updates:

Verify the dependency-name matches exactly (case-sensitive)
Check the version range syntax
Ensure current dependency version is in affected-versions
Verify the advisory file is being loaded (check logs)

How is this guide?

Last updated on

Security Advisories and Vulnerabilities

Enabling Security-Only Updates

GitHub Access Token Required

For Azure DevOps Extension

For CLI

Creating a GitHub Token

Performance Considerations

How It Works

Custom Security Advisories

Advisory File Format

Field Descriptions

Using Custom Advisories with Extension

Using Custom Advisories with CLI

Version Range Syntax

Troubleshooting

No Security Updates Created

Error: "GitHub token required"

Advisory Not Triggering Updates

On this page

Security Advisories and Vulnerabilities

Enabling Security-Only Updates

GitHub Access Token Required

For Azure DevOps Extension

For CLI

Creating a GitHub Token

Performance Considerations

How It Works

Custom Security Advisories

Advisory File Format

Field Descriptions

Using Custom Advisories with Extension

Using Custom Advisories with CLI

Version Range Syntax

Troubleshooting

No Security Updates Created

Error: "GitHub token required"

Advisory Not Triggering Updates

On this page