---
title: Configuring automatic dependency submission for your repository
shortTitle: Submit dependencies automatically
intro: 'You can use automatic dependency submission to submit transitive dependency data in your repository. This enables you to analyze these transitive dependencies using the dependency graph.'
permissions: '{% data reusables.permissions.security-repo-enable %}'
redirect_from:
  - /early-access/ghas/automatic-dependency-submission-for-maven
  - /code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-automatic-dependency-submission-for-your-repository
versions:
  feature: maven-transitive-dependencies
contentType: how-tos
category:
  - Secure your dependencies
---

## Prerequisites

Dependency graph must be enabled for the repository for you to enable automatic dependency submission.

You must also enable {% data variables.product.prodname_actions %} for the repository in order to use automatic dependency submission. For more information, see AUTOTITLE.

> [!NOTE]
> For ecosystems that support {% data variables.product.prodname_dependabot %} graph jobs, you do not need to enable automatic dependency submission. {% data variables.product.prodname_dependabot %} graph jobs run automatically when the dependency graph is enabled for your repository, and they take precedence over automatic dependency submission. See AUTOTITLE.

## Enabling automatic dependency submission

Repository administrators can enable or disable automatic dependency submission for a repository by following the steps outlined in this procedure.

Organization owners can enable automatic dependency submission for multiple repositories using a security configuration. For more information, see AUTOTITLE.

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under "Dependency graph", click the dropdown menu next to "Automatic dependency submission", then select **Enabled**.

Once you've enabled automatic dependency submission for a repository, {% data variables.product.company_short %} will:

* Watch for pushes to the repository.
* Run the dependency graph build action associated with the package ecosystem for any manifests in the repository.
* Perform an automatic dependency submission with the results.

You can view details about the automatic workflow runs on the **Actions** tab of your repository.

> [!NOTE]
> After you enable automatic dependency submission, we'll automatically trigger a run of the action. Once enabled, it'll run each time a commit to the default branch updates a manifest.

## Accessing private registries

### Using {% data variables.product.prodname_dependabot %} secrets

For ecosystems that support {% data variables.product.prodname_dependabot %} graph jobs, you can configure access to private registries using {% data variables.product.prodname_dependabot %} secrets at the organization or repository level.

When {% data variables.product.prodname_dependabot %} graph jobs encounter private packages that are not accessible through configured secrets, those packages are gracefully omitted from the dependency graph without causing a failure.

For more information on configuring private registry access, see AUTOTITLE.

### Using self-hosted runners

You can configure self-hosted runners to run automatic dependency submission jobs, instead of using the {% data variables.product.prodname_actions %} infrastructure. This is necessary to access private registries for ecosystems that do not support {% data variables.product.prodname_dependabot %} graph jobs, or when your registries are only reachable from within your network. The self-hosted runners must be running on Linux or macOS. For .NET and Python auto-submission, they must have access to the public internet in order to download the latest component-detection release.

1. Provision one or more self-hosted runners, at the repository or organization level. For more information, see AUTOTITLE and AUTOTITLE.
1. Assign a `dependency-submission` label to each runner you want automatic dependency submission to use. For more information, see AUTOTITLE.
{% data reusables.repositories.navigate-to-code-security-and-analysis %}
1. Under "Dependency graph", click the dropdown menu next to "Automatic dependency submission", then select **Enabled for labeled runners**.

Once enabled, automatic dependency submission jobs will run on the self-hosted runners, unless:

* The self-hosted runners are unavailable.
* There aren't any runners tagged with a `dependency-submission` label.

> [!NOTE]
> For Maven or Gradle projects that use self-hosted runners with private Maven registries, you need to modify the Maven server settings file to allow the dependency submission workflows to connect to the registries. For more information about the Maven server settings file, see [Security and Deployment Settings](https://maven.apache.org/guides/mini/guide-deployment-security-settings.html) in the Maven documentation.
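The following `settings.xml` is an added example, not a file from the GitHub docs or the Maven project: it gives the dependency submission build on a self-hosted runner credentials for a private Maven registry, reading them from the runner's environment so the secret is never stored on disk. The server id, registry URL and environment variable names are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ~/.m2/settings.xml for the runner user (added example; the id, URL and
     variable names are placeholders, not values from the GitHub docs). -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">

  <!-- Credentials for the private registry. The <id> must match the <id> of
       the mirror below. Maven expands ${env.NAME} from the process environment,
       so the runner service can inject the token without writing it here. -->
  <servers>
    <server>
      <id>internal-maven</id>
      <username>${env.INTERNAL_MAVEN_USER}</username>
      <password>${env.INTERNAL_MAVEN_TOKEN}</password>
    </server>
  </servers>

  <!-- Resolve every repository, including central, through the private
       registry so the dependency submission job stays inside your network. -->
  <mirrors>
    <mirror>
      <id>internal-maven</id>
      <name>Internal Maven registry (placeholder)</name>
      <url>https://maven.internal.example/repository/maven-group/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>
```

If you prefer Maven's own encrypted credentials, which the linked Security and Deployment Settings guide describes, the `<password>` value can instead be the `{...}` ciphertext produced by `mvn --encrypt-password`, with the master password kept in the runner user's `settings-security.xml`.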

For network allowlist URLs, larger runner configuration, troubleshooting details, and package ecosystem-specific information, see AUTOTITLE.

## Further reading