82 changes: 79 additions & 3 deletions .github/dependabot.yaml
@@ -1,15 +1,90 @@
version: 2
updates:
# Docker base image tracking - Main controller
- package-ecosystem: "docker"
directory: "/"
directory: "/controller"
schedule:
interval: "daily"
reviewers:
- "microsoft/retina"
commit-message:
prefix: "deps"
labels: ["area/infra", "area/dependencies"]
open-pull-requests-limit: 10
prefix-development: "deps"
labels: ["area/infra", "area/dependencies", "area/security"]
open-pull-requests-limit: 5
# Docker base image tracking - Shell utilities
- package-ecosystem: "docker"
directory: "/shell"
schedule:
interval: "daily"
reviewers:
- "microsoft/retina"
commit-message:
prefix: "deps"
prefix-development: "deps"
labels: ["area/infra", "area/dependencies", "area/security"]
open-pull-requests-limit: 5
# Docker base image tracking - CLI
- package-ecosystem: "docker"
directory: "/cli"
schedule:
interval: "daily"
reviewers:
- "microsoft/retina"
commit-message:
prefix: "deps"
prefix-development: "deps"
labels: ["area/infra", "area/dependencies", "area/security"]
open-pull-requests-limit: 5
# Docker base image tracking - Operator
- package-ecosystem: "docker"
directory: "/operator"
schedule:
interval: "daily"
reviewers:
- "microsoft/retina"
commit-message:
prefix: "deps"
prefix-development: "deps"
labels: ["area/infra", "area/dependencies", "area/security"]
open-pull-requests-limit: 5
# Docker base image tracking - Test images
- package-ecosystem: "docker"
directory: "/test/image"
schedule:
interval: "daily"
reviewers:
- "microsoft/retina"
commit-message:
prefix: "deps"
prefix-development: "deps"
labels: ["area/infra", "area/dependencies", "area/testing"]
open-pull-requests-limit: 3
# Docker base image tracking - Tools (kapinger)
- package-ecosystem: "docker"
directory: "/hack/tools/kapinger"
schedule:
interval: "weekly"
reviewers:
- "microsoft/retina"
commit-message:
prefix: "deps"
prefix-development: "deps"
labels: ["area/infra", "area/dependencies", "area/tools"]
open-pull-requests-limit: 3
# Docker base image tracking - Tools (toolbox)
- package-ecosystem: "docker"
directory: "/hack/tools/toolbox"
schedule:
interval: "weekly"
reviewers:
- "microsoft/retina"
commit-message:
prefix: "deps"
prefix-development: "deps"
labels: ["area/infra", "area/dependencies", "area/tools"]
open-pull-requests-limit: 3
# GitHub Actions tracking
- package-ecosystem: "github-actions"
directory: "/"
schedule:
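Review bot: the first docker entry changes `directory: "/"` to `directory: "/controller"`, so any Dockerfile still at the repository root silently loses coverage; please confirm the root has none, and note that `scripts/validate-dependabot-docker-coverage.sh` is not invoked by any workflow in this change, so nothing in CI would catch it. Two smaller points on the seven added blocks: `commit-message.prefix-development` applies to ecosystems that distinguish development dependencies, which docker does not, so those seven copies are inert and can be dropped; and putting `area/security` on every base-image entry means routine, non-CVE tag bumps will carry the security label, which dilutes triage. Since the four daily entries share identical `schedule`, `reviewers`, `commit-message` and `labels`, the `directories:` list form (e.g. `directories: ["/controller", "/shell", "/cli", "/operator"]`) would collapse them into one entry, and likewise the two weekly tool entries. Finally, `open-pull-requests-limit` for the main image drops from 10 to 5; a sentence in the PR description would help if that is intentional.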
@@ -20,6 +95,7 @@ updates:
prefix: "deps"
labels: ["area/infra", "area/dependencies"]
open-pull-requests-limit: 10
# Go modules tracking
- package-ecosystem: "gomod"
directory: "/"
schedule:
59 changes: 59 additions & 0 deletions docs/08-Contributing/02-development.md
@@ -185,6 +185,65 @@ Uninstall `Retina`:
make helm-uninstall
```

## Dependency and Security Management

Retina uses automated dependency management and security scanning to maintain secure and up-to-date container images and dependencies.

### Dependabot Configuration

The repository uses [Dependabot](https://github.com/dependabot) to automatically track and update dependencies:

- **Docker Base Images**: Automatically monitored for security updates and new versions
- **Go Modules**: Tracked for dependency updates
- **GitHub Actions**: Workflow dependencies are kept current

#### Docker Base Image Tracking

Retina has Dockerfiles in multiple directories, and each is tracked separately by Dependabot:
- `/controller` - Main retina controller images (daily checks)
- `/shell` - Shell utility images (daily checks)
- `/cli` - CLI tool images (daily checks)
- `/operator` - Operator images (daily checks)
- `/test/image` - Test images (daily checks)
- `/hack/tools/kapinger` - Kapinger tool images (weekly checks)
- `/hack/tools/toolbox` - Toolbox utility images (weekly checks)

When Dependabot detects a security vulnerability (CVE) in a base image, it will automatically create a pull request to update the image SHA to a patched version.

#### Validating Dependabot Coverage

To ensure all Dockerfiles are tracked by Dependabot, run the validation script:

```bash
./scripts/validate-dependabot-docker-coverage.sh
```

This script will report any Dockerfiles that are not covered by the Dependabot configuration.

### Security Scanning

In addition to Dependabot, Retina uses [Trivy](https://trivy.dev/) for comprehensive security scanning:

- **Container Images**: Scanned for vulnerabilities after building
- **Scheduled Scanning**: Weekly security scans of published images
- **CI Integration**: Security alerts are generated for critical and high severity issues

The Trivy workflow runs automatically and uploads results to GitHub Security tab for tracking.

### Adding New Dockerfiles

When adding new Dockerfiles to the repository:

1. Add the directory containing the Dockerfile to `.github/dependabot.yaml`
2. Run the validation script to ensure coverage
3. Consider the update frequency (daily for critical components, weekly for tools)

## Cleanup

Uninstall `Retina`:

```bash

## Opening a Pull Request

When you're ready to open a pull request, please ensure that your branch is up-to-date with the `main` branch, updates relevant docs and tests, and passes all tests and lints.
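Review bot: the insertion leaves the markdown malformed. The new section lands after the closing fence of the existing `## Cleanup` block, and a second `## Cleanup` / `Uninstall \`Retina\`:` / ```` ```bash ```` stub follows it with no `make helm-uninstall` and no closing fence, so everything from `## Opening a Pull Request` onward will render inside a code block. Drop the duplicated stub (the trailing `## Cleanup` through the empty ```` ```bash ```` line) and either keep the new section after the intact Cleanup block or move it above `## Cleanup`. Separately, `### Security Scanning` describes a Trivy workflow with weekly scans of published images and uploads to the GitHub Security tab, but no workflow file is part of this diff; please link the existing workflow or trim the text to what the repository actually runs. Minor: the bullet list under `#### Docker Base Image Tracking` needs a blank line after "tracked separately by Dependabot:" to satisfy markdownlint (MD032).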
45 changes: 45 additions & 0 deletions scripts/validate-dependabot-docker-coverage.sh
@@ -0,0 +1,45 @@
#!/bin/bash
# Script to validate that all directories with Dockerfiles are covered by dependabot configuration

set -e

REPO_ROOT=$(git rev-parse --show-toplevel)
cd "$REPO_ROOT"

echo "🔍 Validating dependabot Docker coverage..."

# Find all directories containing Dockerfiles
echo "📁 Directories with Dockerfiles:"
dockerfile_dirs=$(find . -name "Dockerfile*" -exec dirname {} \; | sort -u | sed 's|^\.|/|' | sed 's|^//|/|')
echo "$dockerfile_dirs"

echo ""

# Extract directories tracked by dependabot for Docker
echo "📋 Directories tracked in dependabot.yaml:"
dependabot_dirs=$(awk '/package-ecosystem.*docker/{getline; print}' .github/dependabot.yaml | sed 's/.*directory: "//' | sed 's/".*//' | sort)
echo "$dependabot_dirs"

echo ""

# Compare the two lists
missing_dirs=""
for dir in $dockerfile_dirs; do
if ! echo "$dependabot_dirs" | grep -q "^$dir$"; then
missing_dirs="$missing_dirs $dir"
fi
done

if [ -n "$missing_dirs" ]; then
echo "❌ VALIDATION FAILED: The following directories contain Dockerfiles but are not tracked by dependabot:"
for dir in $missing_dirs; do
echo " - $dir"
done
echo ""
echo "Please add these directories to .github/dependabot.yaml"
exit 1
else
echo "✅ VALIDATION PASSED: All directories with Dockerfiles are covered by dependabot configuration"
echo ""
echo "Total directories tracked: $(echo "$dependabot_dirs" | wc -l)"
fi
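Review bot: the dependabot side of the comparison, `awk '/package-ecosystem.*docker/{getline; print}'`, only works because `directory:` happens to be the line immediately after `package-ecosystem: "docker"` in every entry; reordering keys, adding a comment between them, or switching to the `directories:` list form would make the script report false "missing" directories. Parsing the YAML instead, e.g. `yq '.updates[] | select(."package-ecosystem" == "docker") | .directory' .github/dependabot.yaml`, is robust to layout. On the other side, `find . -name "Dockerfile*"` descends into `.git` and any vendored tree and matches any file whose name merely starts with `Dockerfile`, and the unquoted `for dir in $dockerfile_dirs` together with `grep -q "^$dir$"` word-splits on spaces and treats the path as a regex; `grep -qxF -- "$dir"` fixes the latter. Since every value comes from a pipeline, `set -euo pipefail` is safer than `set -e` alone. Note also that no workflow invokes this script in the PR, so the "run the validation script to ensure coverage" step in the docs is manual only; a CI job calling it would make that guarantee hold.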