Dependabot private registry support public beta

Dependabot can now access dependencies from authenticated private registries, such as GitHub Packages, Azure Artifacts, and Artifactory. These private registries are similar to their public equivalents, but they require authentication and are only available to members of your team or company. With this release, Dependabot version updates can help keep inner source as up-to-date as open source.

To enable this feature, add a registries section to your dependabot.yml, reference your new registries in the relevant updates, and add any secrets to Dependabot’s secret store. For example, here’s how to use GitHub Packages with Dependabot:

registries:
  npm-ghp-octocat:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{secrets.GITHUB_PERSONAL_ACCESS_TOKEN}} # make sure to store this in your Dependabot secrets!

updates:
    package-ecosystem: npm
    directory: "/"
    registries: 
      - npm-ghp-octocat
    schedule:
      interval: daily

This complements your ability to give Dependabot version updates access to private repositories, which is common for ecosystems like go modules and npm.

Learn more about Dependabot version updates

To see what’s next for Dependabot, visit the public roadmap

The latest release of the CodeQL CLI supports uploading analysis results to GitHub. This makes it easier to run code analysis for customers who wish to use CI/CD systems other than GitHub Actions. Previously, such users had to use the separate CodeQL Runner, which will continue to be available.

To get started, first download the updated CodeQL bundle, which includes the updated CodeQL CLI, and check out your codebase at the Git reference you want to analyze. After analyzing your codebase with codeql database create ... and codeql database analyze ..., you can use the new codeql github upload-results command to upload the SARIF file with scanning results back to GitHub Code Scanning.

codeql github upload-results currently works for one language at a time and can replace the current workflow of codeql-runner init / build / codeql-runner analyze when a single language is being analyzed.

If you want to analyze more than one language at a time or integrate CodeQL as a separate step into your existing CI workflow, you may use CodeQL runner.

The new codeql github upload-results command is available starting version 2.4.5 of the CodeQL CLI. The CodeQL bundle includes both the CodeQL CLI and a compatible set of queries.

See more