geek programming security tips

using dependabot without uploading code to GitHub

Photo by Aideal Hwa on Unsplash

GitHub has a cool feature called Dependabot. It automatically checks any repositories for potential security problems with the dependencies it’s using. For .NET projects, that means it will check if you have any NuGet project references that should be updated, because of security issues.
This is all great and awesome, but what if you have this huge in-house project that isn’t on GitHub, and you would like to run Dependabot on it?
Uploading the whole codebase to GitHub is one option, but that might not be what you want to do, or are even allowed to do. If anything, you don’t want to get involved with the legal department, right?

Well, there is a little hack you can try. Dependabot simply checks the packages listed in packages.config of your projects, so if you create a new .NET project, and add all dependencies of your big project to the new project’s packages.config, you are set.

If you have a lot of projects, you can use this PowerShell script to merge all packages.config files in your sub folders into a single one.
Paste the lines below into a .ps1 script, and run it from your project’s root folder to merge all packages.config files.

# Get all package lines from the packages.config files
$lines = ls packages.config -r | get-content | where { $_ -like "*<package id=*" } | sort | unique
# Group them by package, and take only the first entry per package, to avoid the same package being listed with different version numbers. The lowest version will the the first.
$lines = $lines | % { new-object -type psobject -property @{ package=($_ -split '"')[1]; line=$_ } } | group -property package | % { $[0].line }

# Write the merged packages.config file.
'<?xml version="1.0" encoding="utf-8"?>',
'</packages>' | set-content all-packages.config

Afterwards, copy the all-packages.config file over the package.config of your new project, and upload that to GitHub.
Then configure Dependabot on your fresh repository (see Settings > Security & Analysis), and pretty soon you’ll be getting a report on any potential issues with the packages you’re using.

I’m sure the same trick can be used for other types of projects, like JavaScript and Python, as long as you have some sort of configuration file that lists the package you are using.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.