Comprehensive guide for configuring and managing GitHub Dependabot. Use this skill when users ask about creating or optimizing dependabot.yml files, managing Dependabot pull requests, configuring dependency update strategies, setting up grouped updates, monorepo patterns, multi-ecosystem groups, security update configuration, auto-triage rules, or any GitHub Advanced Security (GHAS) supply chain security topic related to Dependabot.
Dependabot is GitHub's built-in dependency management tool with three core capabilities:
All configuration lives in a single file: .github/dependabot.yml on the default branch. GitHub does not support multiple dependabot.yml files per repository.
Follow this process when creating or optimizing a dependabot.yml:
Scan the repository for dependency manifests. Look for:
| Ecosystem | YAML Value | Manifest Files |
|---|---|---|
| npm/pnpm/yarn | npm | package.json, package-lock.json, pnpm-lock.yaml, yarn.lock |
| pip/pipenv/poetry/uv | pip | requirements.txt, Pipfile, pyproject.toml, setup.py |
| Docker | docker | Dockerfile |
| Docker Compose | docker-compose | docker-compose.yml |
| GitHub Actions | github-actions | .github/workflows/*.yml |
| Go modules | gomod | go.mod |
| Bundler (Ruby) | bundler | Gemfile |
| Cargo (Rust) | cargo | Cargo.toml |
| Composer (PHP) | composer | composer.json |
| NuGet (.NET) | nuget | *.csproj, packages.config |
| .NET SDK | dotnet-sdk | global.json |
| Maven (Java) | maven | pom.xml |
| Gradle (Java) | gradle | build.gradle |
| Terraform | terraform | *.tf |
| OpenTofu | opentofu | *.tf |
| Helm | helm | Chart.yaml |
| Hex (Elixir) | mix | mix.exs |
| Swift | swift | Package.swift |
| Pub (Dart) | pub | pubspec.yaml |
| Bun | bun | bun.lockb |
| Dev Containers | devcontainers | devcontainer.json |
| Git Submodules | gitsubmodule | .gitmodules |
| Pre-commit | pre-commit | .pre-commit-config.yaml |
Note: pnpm and yarn both use the npm ecosystem value.
For each ecosystem, identify where manifests live. Use directories (plural) with glob patterns for monorepos:
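An added example of the monorepo pattern described above (not taken from the original guide): one dependabot.yml covering four ecosystems, where each workspace or service directory is matched with a glob under `directories` instead of being listed one `directory` entry at a time. The paths `/packages/*` and `/services/*` are assumed layouts for illustration.

```yaml
# .github/dependabot.yml (added example; paths are assumed)
version: 2
updates:
  # Root package plus every workspace package under packages/.
  # One "directories" list replaces N copy-pasted "directory" entries,
  # so a new workspace is picked up without editing this file.
  - package-ecosystem: "npm"
    directories:
      - "/"
      - "/packages/*"
    schedule:
      interval: "weekly"
    groups:
      # Collapse routine minor/patch bumps into one PR per run;
      # majors still arrive as individual PRs for review.
      npm-minor-and-patch:
        update-types: ["minor", "patch"]

  # Each Python service keeps its own requirements/pyproject manifest.
  - package-ecosystem: "pip"
    directories:
      - "/services/*"
    schedule:
      interval: "weekly"

  # Base images in each service's Dockerfile (assumed to sit beside
  # the Python manifests above).
  - package-ecosystem: "docker"
    directories:
      - "/services/*"
    schedule:
      interval: "weekly"

  # Workflow files live in a fixed location, so a single "directory" is enough.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Each `directories` glob is expanded by Dependabot at run time, so directories that match but contain no manifest for that ecosystem are simply skipped.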