Configuration - Dependencies

Auto Fix

This setting controls the creation of pull requests to fix vulnerabilities in project dependencies.

To enable automatic creation of dependency fix pull requests, set dependencies.auto_fix.enabled to true. To cap how many fix pull requests may be open at once in a repository, set dependencies.auto_fix.max_pull_requests_open. To cap how quickly new fix pull requests are created, set dependencies.auto_fix.max_pull_request_creation_rate, which takes a count and a window in days. The example below allows at most 2 fix pull requests open per repository and at most 2 new ones per 7-day window.

dependencies:
  auto_fix:
    enabled: true
    max_pull_requests_open: 2
    max_pull_request_creation_rate:
      count: 2
      days: 7

Ignore Findings

To allowlist a CVE, add it to the ignore list together with a reason. Each entry can also carry an optional expiry timestamp (RFC 3339, as in the example) after which the entry no longer applies, and an optional repositories filter. The dependencies.ignore[i].repositories list is only applicable in the global configuration file; it is not honoured in a per-repository configuration.

dependencies:
  ignore:
    - cve: CVE-2021-1234
      reason: This is a false positive
    - cve: CVE-2021-5678
      reason: This isn't exploitable in client applications but we should update it eventually
      # optional expiry date
      expiry: "2024-09-12T00:00:00Z"
      # optional repositories filter
      repositories:
        - dast-action
        - cli
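An ignore list is easy to write and easy to forget, so it is worth checking before it ships: expired entries, malformed CVE ids, missing reasons, and a repositories filter placed in a per-repository file (where the page says it is not applied). The script below is an added example, not Nullify's own code or its actual matching logic; it assumes the YAML has already been loaded into Python structures (for instance with PyYAML) and mirrors only the keys shown on this page. The lint_ignores and active_ignores functions, the utc helper and the embedded SAMPLE_CONFIG are constructed for the example.

```python
"""Sanity checks for a dependencies.ignore list (added example, not Nullify's code).

Assumes the YAML from this page has already been parsed into dicts/lists,
e.g. with PyYAML's yaml.safe_load(). Only the keys shown on the page are
used: cve, reason, expiry, repositories.
"""
import re
from datetime import datetime, timezone

# CVE identifier format: CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample: the ignore list from this page as PyYAML would load it.
SAMPLE_CONFIG = {
    "dependencies": {
        "ignore": [
            {"cve": "CVE-2021-1234", "reason": "This is a false positive"},
            {
                "cve": "CVE-2021-5678",
                "reason": "This isn't exploitable in client applications "
                          "but we should update it eventually",
                "expiry": "2024-09-12T00:00:00Z",
                "repositories": ["dast-action", "cli"],
            },
        ]
    }
}


def utc(year, month, day):
    """Build an aware UTC datetime; used as the 'now' reference for the checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_expiry(value):
    """Parse an RFC 3339 timestamp such as 2024-09-12T00:00:00Z into aware UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"   # older Pythons reject the Z suffix
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("expiry must carry a timezone")
    return parsed.astimezone(timezone.utc)


def lint_ignores(config, is_global, now):
    """Return (cve, problem) pairs for entries that should not ship as written."""
    problems = []
    for entry in config.get("dependencies", {}).get("ignore", []):
        cve = entry.get("cve", "")
        if not CVE_RE.match(cve):
            problems.append((cve, "malformed CVE id"))
        if not entry.get("reason"):
            # An ignore without a justification cannot be audited later.
            problems.append((cve, "missing reason"))
        if "repositories" in entry and not is_global:
            # The page states the filter is only applicable in the global config.
            problems.append((cve, "repositories filter is only honoured in the global config"))
        if "expiry" in entry:
            try:
                if parse_expiry(entry["expiry"]) <= now:
                    problems.append((cve, "expired"))
            except ValueError:
                problems.append((cve, "unparseable expiry"))
    return problems


def active_ignores(config, repository, now):
    """CVE ids still suppressed for `repository` at `now`, treating config as global."""
    active = []
    for entry in config["dependencies"]["ignore"]:
        if "expiry" in entry and parse_expiry(entry["expiry"]) <= now:
            continue                      # expired: the CVE is reported again
        repos = entry.get("repositories")
        if repos is not None and repository not in repos:
            continue                      # filtered to other repositories
        active.append(entry["cve"])
    return active


if __name__ == "__main__":
    for cve, problem in lint_ignores(SAMPLE_CONFIG, is_global=False, now=utc(2025, 1, 1)):
        print(f"{cve}: {problem}")
    print("active for cli:", active_ignores(SAMPLE_CONFIG, "cli", utc(2024, 1, 1)))
```

Run it against the real file by replacing SAMPLE_CONFIG with yaml.safe_load() of the configuration and passing is_global=False for a per-repository file; the check against the current time is the one to wire into CI so an expired entry fails the build instead of silently lingering.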


© 2023 Nullify | All Rights Reserved.