Package: Invicti AppSec Enterprise (on-premise, on-demand)
Dependabot SCA integration
Invicti AppSec supports Dependabot as an import-only SCA (Software Composition Analysis) scanner. This guide explains how to activate the Dependabot integration and how to get Dependabot findings into Invicti AppSec.
Dependabot is GitHub's built-in dependency management tool. It scans a repository's manifests and lock files against the GitHub Advisory Database, raises a Dependabot alert for each vulnerable dependency and, when Dependabot security updates are enabled, opens pull requests that bump the affected package to a patched version. It supports a wide range of package ecosystems and integrates natively with GitHub repositories.
Prerequisites
Before starting the integration, ensure you have the following:
| Requirement | Description |
|---|---|
| GitHub repository | A GitHub repository with Dependabot alerts enabled in its security settings (see "Enable Dependabot Alerts" below) |
| KDT CLI | The Kondukto CLI tool (KDT), installed and able to reach your Invicti AppSec instance, for importing Dependabot results |
| Exported alerts | A way to export the repository's Dependabot alerts to a JSON file, for example the GitHub REST API endpoint `GET /repos/{owner}/{repo}/dependabot/alerts` called with a token that has read access to Dependabot alerts |
Dependabot is an import-only scanner. There are no connection settings to configure in Invicti AppSec. Results are imported through the KDT CLI.
Enable Dependabot Alerts (on GitHub Side)
- Navigate to your GitHub repository.
- Go to Settings > Code security and analysis.
- Enable Dependabot alerts.
- Optionally, enable Dependabot security updates for automatic pull request creation.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the SCA Tab
On the Integrations page, you will see the Scanners section with multiple tabs. Click on the SCA tab.

Step 3: Find and Activate Dependabot
Scroll through the list of SCA scanners to find Dependabot.
- If Dependabot is not activated, you will see an "Activate" button. Click it to enable the integration.
- If Dependabot is already activated, you will see a toggle switch in the ON position and a "Deactivate" button.
Dependabot does not have a gear icon for configuration settings. The scan method badge on the Dependabot card shows KDT, which means results are imported through the Kondukto CLI tool (KDT).
Step 4: Import Scan Results
Since Dependabot is an import-only scanner, there are no connection settings to configure. Import results using the KDT CLI:
Import via KDT CLI
Use the Kondukto CLI tool to import Dependabot scan results, where `<project-name>` is the Invicti AppSec project, `<branch>` is the branch the alerts were raised on and the `-f` argument is the exported Dependabot alerts file:

```shell
kdt scan -p <project-name> -t dependabot -b <branch> -f <path-to-dependabot-report.json>
```
Step 5: Verify Import
After importing, verify that the scan results appear correctly:
- Check the Scans page for the newly imported scan.
- Review the Vulnerabilities tab to confirm findings were imported successfully.
- Compare the number of imported findings and their severities with the open alerts listed under the repository's Security > Dependabot tab on GitHub; a mismatch usually means the export file was incomplete (for example, only the first page of alerts) or the wrong branch was given to `-b`.
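Steps 4 and 5 as one script, added here as an example and not Invicti, Kondukto or GitHub code. It exports alerts through the GitHub REST API endpoint `GET /repos/{owner}/{repo}/dependabot/alerts` (reading the token from an environment variable named `GITHUB_TOKEN`, an assumption), refuses to import a malformed file, prints the per-severity counts you compare against the Vulnerabilities tab, and then runs the `kdt scan` command exactly as shown above. The script name `export_and_import.py`, the `_alert` helper and the sample alerts are constructed for the example, and writing the REST JSON straight to `dependabot-report.json` assumes that is the shape KDT's Dependabot importer accepts.

```python
"""Export Dependabot alerts, sanity-check and summarize them, then hand the file to KDT (added example)."""
import json
import os
import subprocess
import sys
import urllib.request
from collections import Counter

GITHUB_API = "https://api.github.com"
SEVERITIES = ("critical", "high", "medium", "low")


def _alert(number, state, ecosystem, name, ghsa, severity):
    """Build a constructed alert in the shape GET /repos/{owner}/{repo}/dependabot/alerts returns."""
    return {"number": number, "state": state,
            "dependency": {"package": {"ecosystem": ecosystem, "name": name}},
            "security_advisory": {"ghsa_id": ghsa, "severity": severity}}


# Constructed sample (fake advisory IDs and package names) used for offline runs and tests.
SAMPLE_ALERTS = [
    _alert(1, "open", "npm", "left-widget", "GHSA-0000-0000-0001", "critical"),
    _alert(2, "open", "pip", "sample-lib", "GHSA-0000-0000-0002", "high"),
    _alert(3, "fixed", "npm", "old-parser", "GHSA-0000-0000-0003", "medium"),
]


def fetch_dependabot_alerts(owner, repo, token, state="open"):
    """Page through the REST listing; the token needs read access to Dependabot alerts."""
    alerts, page = [], 1
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json",
               "X-GitHub-Api-Version": "2022-11-28"}
    while True:
        url = f"{GITHUB_API}/repos/{owner}/{repo}/dependabot/alerts?state={state}&per_page=100&page={page}"
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            batch = json.load(resp)
        if not batch:                       # an empty page means we are past the last one
            return alerts
        alerts.extend(batch)
        page += 1


def validate_alerts(alerts):
    """Sanity checks before the file goes to KDT; returns a list of problems (empty means OK)."""
    if not isinstance(alerts, list):
        return ["report is not a JSON array of alerts"]
    problems = []
    for a in alerts:
        n = a.get("number", "?")
        if "severity" not in (a.get("security_advisory") or {}):
            problems.append(f"alert {n}: missing security_advisory.severity")
        if "package" not in (a.get("dependency") or {}):
            problems.append(f"alert {n}: missing dependency.package")
        if a.get("state") not in ("open", "dismissed", "fixed", "auto_dismissed"):
            problems.append(f"alert {n}: unexpected state {a.get('state')!r}")
    return problems


def summarize_alerts(alerts):
    """Counts to compare against the Vulnerabilities tab after the import (Step 5)."""
    open_alerts = [a for a in alerts if a.get("state") == "open"]
    by_severity = Counter(a["security_advisory"]["severity"] for a in open_alerts)
    by_ecosystem = Counter(a["dependency"]["package"]["ecosystem"] for a in open_alerts)
    return {"total": len(alerts),
            "open": len(open_alerts),
            "by_severity": {s: by_severity.get(s, 0) for s in SEVERITIES},
            "by_ecosystem": dict(by_ecosystem),
            "advisories": sorted(a["security_advisory"]["ghsa_id"] for a in open_alerts)}


def build_kdt_command(project, branch, report_path):
    """The import command exactly as this guide shows it, as an argv list (no shell quoting)."""
    return ["kdt", "scan", "-p", project, "-t", "dependabot", "-b", branch, "-f", report_path]


def main(argv):
    if len(argv) != 4:
        print("usage: export_and_import.py OWNER/REPO PROJECT BRANCH   (token in GITHUB_TOKEN)", file=sys.stderr)
        return 2
    owner_repo, project, branch = argv[1:4]
    token = os.environ.get("GITHUB_TOKEN")   # assumed variable name; never pass the token on the command line
    if token:
        owner, repo = owner_repo.split("/", 1)
        alerts = fetch_dependabot_alerts(owner, repo, token)
    else:
        print("GITHUB_TOKEN not set; using the constructed sample alerts", file=sys.stderr)
        alerts = SAMPLE_ALERTS
    problems = validate_alerts(alerts)
    if problems:
        print("refusing to import:\n  " + "\n  ".join(problems), file=sys.stderr)
        return 1
    report_path = "dependabot-report.json"
    with open(report_path, "w") as fh:
        json.dump(alerts, fh, indent=2)     # assumed to be the shape KDT's Dependabot importer accepts
    print(json.dumps(summarize_alerts(alerts), indent=2))   # keep this output for the Step 5 comparison
    subprocess.run(build_kdt_command(project, branch, report_path), check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `GITHUB_TOKEN=... python export_and_import.py owner/repo my-project main`; the printed summary counts only alerts in the `open` state, which is what you expect to see as findings after the import, while `total` also counts fixed and dismissed alerts if you exported those.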
CI/CD Pipeline Example
Here is an example of integrating Dependabot results with the KDT CLI in a CI/CD pipeline:
```yaml
# Example: GitHub Actions. Assumes kdt is installed on the runner and that a
# GitHub token with "Dependabot alerts" read permission is stored as the
# secret DEPENDABOT_ALERTS_TOKEN (the workflow's own GITHUB_TOKEN cannot read them).
on:
  workflow_dispatch:
  schedule:
    - cron: "0 6 * * *"
jobs:
  dependabot_import:
    runs-on: ubuntu-latest
    steps:
      - name: Export Dependabot Alerts
        env:
          GH_TOKEN: ${{ secrets.DEPENDABOT_ALERTS_TOKEN }}
        run: |
          # GET /repos/{owner}/{repo}/dependabot/alerts; gh is preinstalled on hosted runners
          gh api "repos/${{ github.repository }}/dependabot/alerts?state=open&per_page=100" > dependabot-report.json
      - name: Import to Invicti AppSec
        run: |
          kdt scan -p my-project -t dependabot -b ${{ github.ref_name }} -f dependabot-report.json
```

The export step calls the GitHub REST API rather than `github/codeql-action/upload-sarif`, which uploads SARIF to GitHub code scanning and does not produce a Dependabot report. The query above returns at most 100 alerts; repositories with more open alerts need to page through the endpoint. KDT also needs the address of your Invicti AppSec instance and an API token; supply them as secrets in the way your KDT installation documents rather than hard-coding them in the workflow.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the SCA tab under Scanners |
| 3 | Find Dependabot and click Activate (if not already active) |
| 4 | Import results via the KDT CLI |
| 5 | Verify imported results in the project's Scans and Vulnerabilities sections |
Need help?
The Invicti Support team is ready to provide technical help. Go to Help Center