Update your dependencies automatically
Antoine
Posted on July 26, 2020
Part of good security is knowing whether your system has vulnerabilities, and whether they can be patched.
Tools
Tools can tell you whether any of your dependencies can be updated. Dependabot can do it on GitHub, but only on GitHub.
Renovatebot can do it on multiple platforms, including Azure DevOps.
To do that, we need to host the bot ourselves. For example, we can run it from the provided Docker image in a daily pipeline, like this:
docker run renovate/renovate:latest \
  --platform=azure \
  --endpoint=https://dev.azure.com/YOUR_ORGANIZATION/ \
  --token=$(RENOVATE_TOKEN) \
  --log-level=info \
  --git-author="YOUR_USER <YOUR_EMAIL>" \
  --labels='["renovate"]' \
  --autodiscover=true \
  --autodiscover-filter='MY_FILTER*'
where $(RENOVATE_TOKEN) is your personal access token (PAT).
It will scan all the repositories in your organisation that match your filter.
You can refer to the example in the official GitHub repository. The command line accepts many other options.
Renovate file
- If no renovate.json file is found in the repository, the bot first creates a PR that adds one with a default configuration.
  This file is critical because it controls the bot's behavior (how many PRs will be created per run? Will updates to a new major version of a package be proposed? etc.).
- If the file is found, PRs are created according to its contents.
You can refer to the docs for every option available in the file.
You can use presets to write the file more quickly, for example:
{
"extends": ["config:base"]
}
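An added example (not from the original post or from the Renovate project) of a renovate.json that answers the two questions raised above: it caps how many PRs the bot opens and stops it from proposing major-version upgrades. The limit values, label and group name are assumptions chosen for illustration; the "description" fields stand in for comments.

```json
{
  "description": "Illustrative values only; tune the limits for your own repositories",
  "extends": ["config:base"],
  "labels": ["renovate"],
  "prConcurrentLimit": 5,
  "prHourlyLimit": 2,
  "packageRules": [
    {
      "description": "Do not open PRs for major-version upgrades",
      "matchUpdateTypes": ["major"],
      "enabled": false
    },
    {
      "description": "Bundle minor and patch updates into a single PR",
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "non-major dependencies"
    }
  ]
}
```

With major updates disabled, fixes that only ship in a new major version will not be proposed automatically, so those packages still need a periodic manual review.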
Hope this helps!