Resources

See also snyk.io, which is outside of GitHub but works similarly: it scans your dependencies and opens PRs that bump vulnerable ones to fixed versions.

Enable and disable

Dependabot alerts are turned on by default for your public GitHub repos. The setting exists at the account level (your profile's security settings) and at the repo level, and you can disable it at either level.

Optionally turn it on for private repos (this also requires enabling the dependency graph, which is off by default for private repos).

GitHub detects and alerts users to vulnerable dependencies in public repositories by default. Owners of private repositories, or people with admin access, can enable GitHub Dependabot alerts by enabling the dependency graph and GitHub Dependabot alerts for their repositories. source

Configure

Under a repo's Insights tab, in the Dependency graph section, there is a Dependabot tab where you can create a Dependabot config (it lives at .github/dependabot.yml) if you want to. Note that this file configures Dependabot version updates (routine dependency bumps); alerts themselves are enabled from the repo's security settings, not from this file.

Here is the sample GitHub generates (the package-ecosystem value is left blank for you to fill in):

version: 2
updates:
  - package-ecosystem: "" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"

Here is the help text that comes with the sample:

To get started with Dependabot version updates, you’ll need to specify which package ecosystems to update and where the package manifests are located.

Please see the documentation for all configuration options: configuration-options-for-dependency-updates.
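The generated sample only covers one ecosystem and a schedule. Below is an added example of a fuller .github/dependabot.yml, written for these notes rather than taken from GitHub's template; the repo layout, the "dependencies" label and the ignored package name "some-framework" are assumptions for a hypothetical project. It shows the settings a practitioner usually reaches for: a cap on open PRs, production-only bumps, grouping of minor/patch bumps, and keeping GitHub Actions and Docker base images current alongside the application dependencies.

```yaml
# Added example (not GitHub's generated sample). Assumes an npm project with
# its manifest at the repo root, workflows under .github/workflows and a
# Dockerfile at the root; "some-framework" is a placeholder package name.
version: 2
updates:
  # Application dependencies: npm manifest at the repo root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    # Cap the number of open version-update PRs so they stay reviewable
    # (this limit does not apply to security-update PRs).
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"
      include: "scope"
    # Only bump production dependencies automatically; dev-only bumps
    # can be batched by hand.
    allow:
      - dependency-type: "production"
    # Batch minor and patch bumps into one PR to reduce review load.
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Skip major bumps for a dependency that needs a manual migration
    # (assumed package name).
    ignore:
      - dependency-name: "some-framework"
        update-types: ["version-update:semver-major"]

  # Keep the GitHub Actions used in workflows pinned and current.
  # The directory for this ecosystem is always "/" (Dependabot looks in
  # .github/workflows).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Base images in the Dockerfile at the repo root.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "monthly"
```

Two caveats worth keeping in mind: ignore entries are honored by Dependabot security updates too, so a blanket ignore on a package silences its fix PRs as well as its version bumps (prefer narrow update-types or version ranges), and open-pull-requests-limit only throttles version updates, so security-update PRs still arrive even when the cap is reached.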

Disclaimer

Note: GitHub’s security features do not claim to catch all vulnerabilities. Though we are always trying to update our vulnerability database and alert you with our most up-to-date information, we will not be able to catch everything or alert you to known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough vulnerability review when necessary. source