step-security/secure-repo

Change suggested to add Dependabot config for a subfolder even though that exists already

afranken opened this issue · 1 comments

See https://github.com/adobe/S3Mock/pull/1235/files

The dependabot action already configures:

  - package-ecosystem: "docker"
    # Look for `Dockerfile` in the `/docker` directory, that's where all versions are managed
    directory: "/docker/"
    # Open up to 10 PRs per run
    open-pull-requests-limit: 10
    # Add assignees
    assignees:
      - "afranken"
    # Check for updates once per day, Github defaults to random time every day.
    schedule:
      interval: "daily"

Step Security recommends adding:

  - package-ecosystem: docker
    directory: /docker
    schedule:
      interval: daily

I'm guessing it may be the quotes that throw off the scan, but more likely it's the trailing slash in the directory name?
Step Security does not recommend adding configuration for the other package-ecosystem configs, and they contain quotes too.
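The issue comes down to how a scanner decides whether an `updates` entry already covers a given ecosystem and directory: a raw text comparison trips over quoting and the trailing slash, while a comparison on the normalized `(package-ecosystem, directory)` pair does not. The following is an added example written for this issue, not code from step-security/secure-repo, and the sample `dependabot.yml` below is constructed from the snippet above (the `maven` entry is an assumed second entry). It uses a minimal line-based parser for the `updates:` list rather than a full YAML library, so it runs with the standard library only.

```python
"""Check whether a Dependabot update entry already exists by comparing the
normalized (package-ecosystem, directory) pair rather than the raw YAML text.

Added example for the secure-repo issue; not the project's own code."""
import re

# Constructed sample modelled on the issue: quoted values, inline comments,
# and a trailing slash on the docker directory. The maven entry is assumed.
EXISTING_DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: "docker"
    # Look for `Dockerfile` in the `/docker` directory
    directory: "/docker/"
    open-pull-requests-limit: 10
    assignees:
      - "afranken"
    schedule:
      interval: "daily"
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
"""

# The entry the scanner suggested adding: unquoted, no trailing slash.
SUGGESTED_ENTRY = {"package-ecosystem": "docker", "directory": "/docker"}

# `  - key: value` or `    key: value`; the optional dash starts a list item.
_KV = re.compile(r"^\s*(-\s+)?([A-Za-z0-9_-]+):\s*(.*?)\s*$")


def _unquote(value):
    """Drop a trailing `# comment` and one matching pair of quotes.
    (Does not handle quoted strings that themselves contain ` #`.)"""
    value = re.split(r"\s+#", value, maxsplit=1)[0].strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value


def parse_updates(text):
    """Minimal parser for the `updates:` list of a dependabot.yml.
    Returns one dict per entry holding its top-level scalar keys only
    (nested mappings such as `schedule:` are skipped)."""
    entries, in_updates, item_col = [], False, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped == "updates:":
            in_updates = True
            continue
        if in_updates and not raw.startswith(" "):
            in_updates = False  # back at a top-level key
        if not in_updates:
            continue
        m = _KV.match(raw)
        if not m:
            continue  # e.g. a bare list item like `- "afranken"`
        dash, key, value = m.groups()
        indent = len(raw) - len(raw.lstrip(" "))
        key_col = indent + (len(dash) if dash else 0)
        if dash and item_col is None:
            item_col = key_col  # column of the first entry's keys
        if dash and key_col == item_col:
            entries.append({})
        if entries and value and key_col == item_col:
            entries[-1][key] = _unquote(value)
    return entries


def normalize_directory(directory):
    """Dependabot treats `/docker` and `/docker/` as the same directory;
    compare on a canonical form: leading slash, no trailing slash."""
    return "/" + directory.strip().strip("/")


def entry_key(entry):
    return (entry.get("package-ecosystem", "").strip().lower(),
            normalize_directory(entry.get("directory", "")))


def entry_exists(existing_entries, suggested):
    """True if an existing entry covers the same ecosystem and directory."""
    want = entry_key(suggested)
    return any(entry_key(e) == want for e in existing_entries)


def missing_entries(dependabot_yml, suggestions):
    """Return only the suggested entries the config does not already cover."""
    existing = parse_updates(dependabot_yml)
    return [s for s in suggestions if not entry_exists(existing, s)]


if __name__ == "__main__":
    print(parse_updates(EXISTING_DEPENDABOT_YML))
    print("already configured:", entry_exists(parse_updates(EXISTING_DEPENDABOT_YML), SUGGESTED_ENTRY))
    print("missing:", missing_entries(EXISTING_DEPENDABOT_YML, [SUGGESTED_ENTRY]))
```

Run as-is, `missing_entries` returns an empty list for the docker entry, which is the outcome the issue expects; swapping `normalize_directory` for a plain string comparison of `"/docker/"` against `"/docker"` is exactly what reproduces the spurious recommendation.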

Thanks, @afranken, for creating the issue! I will investigate and get back soon.