Dependabot for Azure DevOps at Scale

This project lets you run GitHub Dependabot against Azure DevOps repositories at scale: the scans are triggered from Azure Pipelines and orchestrated by Azure Functions, which launch one container per job in Azure Container Instances (ACI).

Current Status: Development In Progress

| Component                         | Status | Notes                                                                 |
|-----------------------------------|--------|-----------------------------------------------------------------------|
| Orchestrator Trigger              | 100%   |                                                                       |
| Main Orchestrator                 | 90%    |                                                                       |
| ACI Orchestrator                  | 90%    |                                                                       |
| ACI - Creation                    | 100%   | Currently pulls the container image only from a public registry       |
| ACI - Check Status                | 0%     |                                                                       |
| ACI - Event Handler               | 80%    | Missing: should report success and failure differently                |
| ACI - Deletion                    | 100%   |                                                                       |
| In-container event handler        | 50%    |                                                                       |
| Container Image - Test image      | 100%   |                                                                       |
| Container Image - Production image| 95%    | Image is very large (see the start-up note below)                     |
| Deployment Scripts                | 0%     |                                                                       |

How it works

[Description TBC]

Main Flow

[Description TBC]

ACI Orchestrator Flow

Note: because of the container image size, it currently takes about 3 to 4 minutes for the ACI Container Group to pull it and start

Prerequisites

  • A Personal Access Token (PAT) on Azure DevOps with Code (Read & Write) scope, so the job can read repository content and create pull requests
  • A PAT on GitHub, used only to authenticate Dependabot's requests to GitHub and avoid API rate limiting
  • A Service Principal in Azure with permission to create and delete Azure Container Instances in the target Resource Group
  • A Resource Group in Azure where the ACI container groups are created

Container

To support the flow above, a modified version of the Dependabot Script container is used.

It takes the original image and adds the components needed to track the job's execution and report the result back to the orchestrator.

The container image is hosted on Docker Hub as n3wt0n/dependabot-azuredevops-atscale.

If you want to test it out manually, pull the image and run it with the variables described in the table below. The PATs are shown inline here for brevity; on a real machine, read them from your environment or an --env-file so they do not end up in your shell history or in the host's process list.

docker pull n3wt0n/dependabot-azuredevops-atscale

docker run --rm \
  --env "PROJECT_PATH=organization/project/_git/repo-name" \
  --env "DIRECTORY_PATH=folder/containing/dependencies" \
  --env "BRANCH=branch_to_scan" \
  --env "AZURE_ACCESS_TOKEN=XXX_PAT_XXX" \
  --env "PULL_REQUESTS_ASSIGNEE=username" \
  --env "GITHUB_ACCESS_TOKEN=xxx_PAT_xxx" \
  --env "PACKAGE_MANAGER=bundler" \
  n3wt0n/dependabot-azuredevops-atscale

Environment Variables

| Variable Name          | Default | Notes                                                                                                                                                              |
|------------------------|---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| DIRECTORY_PATH         | /       | Directory containing the base dependency manifest files.                                                                                                           |
| PACKAGE_MANAGER        | bundler | Valid values: bundler, cargo, composer, dep, docker, elm, go_modules, gradle, hex, maven, npm_and_yarn, nuget, pip (includes pipenv), submodules, terraform        |
| PROJECT_PATH           | N/A     | (Required) Path to the repository, in the format <organization>/<project>/_git/<repo-name>.                                                                        |
| BRANCH                 | N/A     | (Optional) Branch to fetch the manifest from and open pull requests against.                                                                                       |
| PULL_REQUESTS_ASSIGNEE | N/A     | (Optional) User to assign the created pull requests to.                                                                                                            |
| AZURE_ACCESS_TOKEN     | N/A     | (Required) Azure DevOps Personal Access Token (PAT) with permission to read the repository content and create pull requests.                                       |
| GITHUB_ACCESS_TOKEN    | N/A     | (Optional) GitHub Personal Access Token (PAT) used only to authenticate requests to GitHub *                                                                        |

* Without this token, Dependabot's requests to GitHub are anonymous and subject to the much lower unauthenticated API rate limit, so you may see throttling errors or blocked requests when checking dependencies hosted on GitHub. The token is used only to authenticate those requests; for public dependencies a PAT with no scopes is sufficient, so do not grant it more.
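The manual run command and the variable table above describe a single procedure. The wrapper below is an added example, not code from the project: it validates the documented variables before the container starts (required ones present, PROJECT_PATH in the documented format, PACKAGE_MANAGER in the documented list) and hands the PATs to the container through a temporary, owner-only --env-file instead of inline --env arguments. The script name run-dependabot.sh and the use of the image without an explicit tag are assumptions for illustration; the variable names and the image name come from the table and command above.

```shell
#!/usr/bin/env sh
# Added example, not part of the project: a wrapper around the documented
# `docker run` invocation. It checks the documented variables before the
# container starts and passes the PATs with --env-file instead of inline --env,
# so the tokens stay out of shell history and the host's process list.
# (They remain visible to anyone who can `docker inspect` the container.)
# Assumed for illustration: the script name and running the image untagged.

IMAGE="n3wt0n/dependabot-azuredevops-atscale"

# Package managers the README lists as valid for PACKAGE_MANAGER.
VALID_PACKAGE_MANAGERS="bundler cargo composer dep docker elm go_modules gradle \
hex maven npm_and_yarn nuget pip submodules terraform"

# Variables the container reads from its environment (required ones first).
CONTAINER_VARS="PROJECT_PATH AZURE_ACCESS_TOKEN DIRECTORY_PATH BRANCH \
PULL_REQUESTS_ASSIGNEE GITHUB_ACCESS_TOKEN PACKAGE_MANAGER"

# valid_package_manager NAME -> 0 if NAME is in the documented list.
valid_package_manager() {
  for pm in $VALID_PACKAGE_MANAGERS; do
    [ "$pm" = "$1" ] && return 0
  done
  return 1
}

# valid_project_path PATH -> 0 if PATH is <organization>/<project>/_git/<repo-name>:
# exactly four non-empty segments with "_git" as the third one.
valid_project_path() {
  case "$1" in */) return 1 ;; esac   # a trailing slash would be lost by the split below
  set -f                               # no globbing while we word-split on '/'
  old_ifs=$IFS; IFS=/
  set -- $1
  IFS=$old_ifs; set +f
  [ "$#" -eq 4 ] && [ -n "$1" ] && [ -n "$2" ] && [ "$3" = "_git" ] && [ -n "$4" ]
}

# require_var NAME -> 0 if the shell variable NAME is set and non-empty.
require_var() {
  eval "value=\${$1-}"
  if [ -z "$value" ]; then
    echo "error: $1 is required" >&2
    return 1
  fi
}

# write_env_file FILE: writes every set container variable as NAME=value into
# FILE, created with mode 0600 so other local users cannot read the PATs.
write_env_file() {
  file=$1
  ( umask 077; : > "$file" )
  for name in $CONTAINER_VARS; do
    eval "value=\${$name-}"
    if [ -n "$value" ]; then
      printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
  done
}

# run_dependabot: validate, then start the container the same way the README's
# `docker run` does, with the environment supplied through a temporary env file.
run_dependabot() {
  require_var PROJECT_PATH && require_var AZURE_ACCESS_TOKEN || return 1
  if ! valid_project_path "$PROJECT_PATH"; then
    echo "error: PROJECT_PATH must look like <organization>/<project>/_git/<repo-name>" >&2
    return 1
  fi
  if ! valid_package_manager "${PACKAGE_MANAGER:-bundler}"; then
    echo "error: unsupported PACKAGE_MANAGER '$PACKAGE_MANAGER'" >&2
    return 1
  fi
  if [ -z "${GITHUB_ACCESS_TOKEN-}" ]; then
    echo "warning: GITHUB_ACCESS_TOKEN not set; requests to GitHub may be throttled" >&2
  fi
  env_file=$(mktemp) || return 1
  write_env_file "$env_file"
  docker run --rm --env-file "$env_file" "$IMAGE"
  status=$?
  rm -f "$env_file"          # the PATs never outlive the container run
  return $status
}

# Usage: export the variables from the table above, then `./run-dependabot.sh run`.
if [ "${1-}" = "run" ]; then
  run_dependabot
fi
```

The env file is deleted as soon as the container exits, so the tokens only ever exist on disk for the duration of the run, and only readable by the invoking user. Note that --env-file does not hide the values from anyone who can inspect the container on the host; the Azure DevOps and GitHub PATs are still secrets to be scoped narrowly and rotated.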