
# Dependabot

## Overview

Dependabot uses GitHub Actions and an isolated environment to run its checks. Several public resources help when reviewing the internal implementation details:

* [dependabot/updater-action](https://github.com/dependabot/updater-action) is the action responsible for running Dependabot updates.
* [dependabot/dependabot-core](https://github.com/dependabot/dependabot-core) implements the core logic of that action. See the `dependabot-core` [architecture](https://github.com/dependabot/dependabot-core/#architecture).
* [dependabot-updater](https://github.com/dependabot/updater-action/blob/627e11f59882ac2b7ac43821f5ea30c9e595888c/docker/Dockerfile.updater) is the Docker image that starts a scan (it bundles `dependabot-core` as a component).
* [dependabot-update-job-proxy](https://github.com/dependabot/updater-action/blob/627e11f59882ac2b7ac43821f5ea30c9e595888c/docker/Dockerfile.proxy) is a Docker image with a proxy that authenticates requests to specific GitHub API endpoints, so that the updater itself never holds the GitHub API token and cannot leak it.

## Code Execution

Dependabot collects dependency information from manifest files such as [setup.py](https://docs.python.org/3/distutils/setupscript.html) or [.gemspec](https://guides.rubygems.org/specification-reference/), and these files can be abused to execute arbitrary code. Package managers with a [package-ecosystem](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#package-ecosystem) value of `bundler`, `mix` or `pip` may execute external code from the manifest file as part of the version update process. So if you can tamper with a manifest file, you can execute arbitrary code in the context of the Dependabot run.

{% hint style="info" %}
See the [Parameters Injection](https://github.com/cdxiaodong/cheat-sheets-cn/blob/master/Web%20Application/Command%20Injection/parameters-injection.md) page for how to abuse manifest files to get code execution.
{% endhint %}
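The following is an added example, not code from the original page or from Dependabot itself. It shows the two sides of the problem for the `pip` ecosystem: a constructed `setup.py` whose module-level code runs as soon as any tool evaluates the manifest to read its metadata, and a best-effort AST audit that flags execution primitives in a manifest so a reviewer can reject such a change before Dependabot runs it. `collect_metadata()`, `audit_setup_py()` and `demo()` are hypothetical names; the manifest contents and the harmless payload (an environment marker plus a no-op interpreter spawn) are constructed for the example.

```python
"""Added example, not code from the original page or from Dependabot itself.

collect_metadata() evaluates a setup.py the way a metadata-gathering tool does,
with setup() stubbed out so its arguments can be captured; everything at module
level runs as a side effect. audit_setup_py() is a best-effort AST scan for
execution primitives in a manifest. All file contents are constructed and the
function names are hypothetical.
"""
import ast
import os
import sys
import types

# Constructed malicious manifest. The payload is deliberately harmless: it sets
# an environment marker and spawns a no-op interpreter. A real one would spawn
# a shell, read tokens from the environment, or phone home.
MALICIOUS_SETUP_PY = """\
import os
import subprocess
import sys
from setuptools import setup

# Runs as a side effect of evaluating the manifest, before setup() is reached.
# Constructed and harmless: it sets a marker and spawns a no-op interpreter.
os.environ["MANIFEST_PAYLOAD_RAN"] = "1"
subprocess.run([sys.executable, "-c", "pass"], check=True)

setup(name="demo-package", version="0.1.0", install_requires=["requests>=2.0"])
"""

BENIGN_SETUP_PY = """\
from setuptools import setup

setup(name="demo-package", version="0.1.0", install_requires=["requests>=2.0"])
"""

# Call sites a setup.py has no legitimate reason to contain.
RISKY_NAMES = {"exec", "eval", "__import__", "compile"}
RISKY_ATTRS = {
    ("os", "system"), ("os", "popen"), ("os", "execv"), ("os", "execvp"),
    ("subprocess", "run"), ("subprocess", "Popen"), ("subprocess", "call"),
    ("subprocess", "check_call"), ("subprocess", "check_output"),
}


def audit_setup_py(source: str) -> list:
    """Return (line, call) pairs for risky calls anywhere in the manifest.

    Best effort only: getattr()/base64 tricks or an imported helper module
    bypass this. Treat a hit as a reason to reject, not a miss as a clean bill.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in RISKY_NAMES:
            findings.append((node.lineno, func.id))
        elif (isinstance(func, ast.Attribute)
              and isinstance(func.value, ast.Name)
              and (func.value.id, func.attr) in RISKY_ATTRS):
            findings.append((node.lineno, f"{func.value.id}.{func.attr}"))
    return findings


def collect_metadata(source: str) -> dict:
    """Execute a setup.py with setuptools.setup() replaced by a recorder.

    This mirrors a tool that "just reads" the manifest: the whole module runs,
    payload included, and only then does setup() hand over the metadata.
    """
    captured = {}
    stub = types.ModuleType("setuptools")
    stub.setup = lambda **kwargs: captured.update(kwargs)
    saved = sys.modules.get("setuptools")
    sys.modules["setuptools"] = stub  # `from setuptools import setup` hits the stub
    try:
        exec(compile(source, "setup.py", "exec"), {"__name__": "__main__"})
    finally:
        if saved is None:
            sys.modules.pop("setuptools", None)
        else:
            sys.modules["setuptools"] = saved
    return captured


def demo() -> dict:
    """Audit both manifests, then show that evaluating the bad one runs the payload."""
    findings = audit_setup_py(MALICIOUS_SETUP_PY)
    metadata = collect_metadata(MALICIOUS_SETUP_PY)
    return {
        "findings": findings,                                # [(9, "subprocess.run")]
        "benign_findings": audit_setup_py(BENIGN_SETUP_PY),  # []
        "metadata": metadata,
        "payload_ran": os.environ.get("MANIFEST_PAYLOAD_RAN") == "1",
    }


if __name__ == "__main__":
    print(demo())
```

The audit is a pre-merge gate for pull requests that touch `setup.py`, `Gemfile`/`*.gemspec` or `mix.exs`, not a replacement for `insecure-external-code-execution: deny`: static scanning of a Turing-complete manifest is trivially bypassed, while the setting removes the execution step altogether.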

Dependabot lets developers prevent this code execution by setting [insecure-external-code-execution](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#insecure-external-code-execution) to `deny`. In addition, when a [registries](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#registries) setting is used in an update configuration, Dependabot automatically sets `insecure-external-code-execution` to `deny` and blocks external code execution. Because this can cause version updates to fail, developers can override the behaviour and re-enable code execution by setting `insecure-external-code-execution` to `allow`; that explicit `allow` next to a `registries` setting is the thing to look for when reviewing a `dependabot.yml`.
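The following is an added example, not code from the original page or from Dependabot itself. It audits a `dependabot.yml` for update entries where manifest code execution is effectively allowed, applying the rules described above: an explicit `insecure-external-code-execution` value wins; otherwise a configured `registries` setting implies `deny`; otherwise `bundler`, `mix` and `pip` run manifest code. The weak configuration (a hypothetical internal PyPI registry with placeholder secrets, plus an `allow` override) and its corrected form are constructed for the example; the YAML is shown in comments and the parsed form is a plain Python dict, since no YAML parser is assumed to be installed. `audit_dependabot_config()`, `effective_code_execution()` and `harden()` are hypothetical names.

```python
"""Added example, not code from the original page or from Dependabot itself.

Audits the `updates` entries of a dependabot.yml for entries where manifest
code execution is effectively allowed. Configurations are constructed
(hypothetical registry URL and secrets) and held as Python dicts; the YAML
equivalent is in the comments. Function names are hypothetical.
"""
import copy

# Only these package managers run manifest code during version updates.
CODE_EXECUTING_ECOSYSTEMS = {"bundler", "mix", "pip"}

# Weak configuration, as it would appear in .github/dependabot.yml:
#   version: 2
#   registries:
#     pypi-internal:
#       type: python-index
#       url: https://pypi.example.internal/simple        # hypothetical
#       username: ${{secrets.PYPI_USER}}
#       password: ${{secrets.PYPI_PASS}}
#   updates:
#     - package-ecosystem: pip
#       directory: "/"
#       schedule: {interval: daily}
#       registries: "*"
#       insecure-external-code-execution: allow   # overrides the deny that
#                                                 # `registries` would imply
#     - package-ecosystem: bundler
#       directory: "/"
#       schedule: {interval: daily}               # no registries, no setting
#     - package-ecosystem: npm
#       directory: "/web"
#       schedule: {interval: weekly}
WEAK_CONFIG = {
    "version": 2,
    "registries": {
        "pypi-internal": {
            "type": "python-index",
            "url": "https://pypi.example.internal/simple",
            "username": "${{secrets.PYPI_USER}}",
            "password": "${{secrets.PYPI_PASS}}",
        }
    },
    "updates": [
        {"package-ecosystem": "pip", "directory": "/",
         "schedule": {"interval": "daily"}, "registries": "*",
         "insecure-external-code-execution": "allow"},
        {"package-ecosystem": "bundler", "directory": "/",
         "schedule": {"interval": "daily"}},
        {"package-ecosystem": "npm", "directory": "/web",
         "schedule": {"interval": "weekly"}},
    ],
}


def effective_code_execution(update: dict) -> tuple:
    """Return (mode, reason) with mode in {"allow", "deny"} for one update entry."""
    explicit = update.get("insecure-external-code-execution")
    if explicit in ("allow", "deny"):
        return explicit, "explicit"
    if update.get("registries"):
        return "deny", "registries-default"
    return "allow", "no-setting-default"


def audit_dependabot_config(config: dict) -> list:
    """List update entries whose manifests can run code during a Dependabot run."""
    findings = []
    for update in config.get("updates", []):
        ecosystem = update.get("package-ecosystem")
        if ecosystem not in CODE_EXECUTING_ECOSYSTEMS:
            continue  # the setting only governs bundler, mix and pip
        mode, reason = effective_code_execution(update)
        if mode != "allow":
            continue
        # With registries wired in, manifest code runs while those registry
        # credentials are in reach, so the explicit override is the worse case.
        severity = "high" if update.get("registries") else "medium"
        findings.append({"ecosystem": ecosystem, "directory": update.get("directory"),
                         "severity": severity, "reason": reason})
    return findings


def harden(config: dict) -> dict:
    """Corrected configuration: an explicit deny on every bundler/mix/pip entry.

    Updates that relied on manifest code execution may then fail; the fix is to
    make the manifest static, not to flip the setting back to allow.
    """
    hardened = copy.deepcopy(config)
    for update in hardened.get("updates", []):
        if update.get("package-ecosystem") in CODE_EXECUTING_ECOSYSTEMS:
            update["insecure-external-code-execution"] = "deny"
    return hardened


if __name__ == "__main__":
    for finding in audit_dependabot_config(WEAK_CONFIG):
        print(finding)
    print(audit_dependabot_config(harden(WEAK_CONFIG)))  # []
```

The severity split reflects the concern behind the automatic `deny`: a `pip` entry with no registries exposes only what the Dependabot job itself can reach, while an `allow` next to `registries` runs attacker-controlled manifest code in a job that has the registry credentials configured.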

## Leaking Release Notes and Commit Messages of Private Repositories

If Dependabot detects outdated dependencies, it creates a PR that bumps their versions. Dependabot adds extra information about the change, which may include release notes and a list of commits with their messages. An example of such a PR is shown in the screenshot below:

![](/files/FWlmYzGTaKk6Qzp7m37C)

However, [Dependabot supports private dependencies](https://github.blog/2021-03-15-dependabot-private-dependencies/), and it adds the same data to PRs for private dependencies as well. So if a public project has private dependencies, Dependabot will leak the release notes and commit messages of those private projects into the public PRs.

## References

* [Article: A deep dive into Dependabot and a vulnerability in npm](https://blog.tyage.net/posts/2021-06-27-dependabot-rce/)

