Supply chain - all libraries and tools used to develop, build and publish the software
Supply chain security - enhancing the security within the supply chain
Supply chain attack - exploiting a vulnerability in the supply chain
Make sure you are not part of the problem
Ship a secure product
Check where you get stuff from
Supply chain security cannot be solved recursively down the dependency tree
Automated updates of dependencies
No built-in GitLab integration
Pipeline job - optionally with official template
Process running separate from GitLab instance
Self-hosted Renovate (formerly a paid product)
See chapter Renovate
Renovate can automatically merge updates
The merge request must have completed a pipeline successfully
The configuration must allow automerge
Do not enable automerge globally
Start with specific dependencies…
…or patch-level updates
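The automerge rules above (no global automerge, scope it to specific dependencies or to patch-level updates) can be checked mechanically before a Renovate config is committed. The following script is an added example, not code from the original slides or from the Renovate project; the two embedded renovate.json documents are constructed samples, one that enables automerge globally and one that scopes it the way the slides recommend. The Renovate keys used (automerge, packageRules, matchUpdateTypes, matchPackageNames, extends) are real Renovate configuration options; the policy function itself is the assumption here.

```python
"""Check a Renovate configuration against the automerge policy described above.

Added example, not part of the original slides or of Renovate itself.
Policy checked:
  * automerge must not be enabled at the top level (globally)
  * every packageRule that sets automerge: true must be scoped, either to
    named packages (matchPackageNames) or to patch-level updates only
    (matchUpdateTypes == ["patch"])
"""
import json

# Constructed sample: automerge enabled globally, which the policy rejects.
WEAK_CONFIG = json.loads("""
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "automerge": true
}
""")

# Constructed sample: a packageRule that automerges every minor update of
# every package, which is not scoped tightly enough for the policy.
UNSCOPED_RULE_CONFIG = json.loads("""
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    { "matchUpdateTypes": ["minor"], "automerge": true }
  ]
}
""")

# Constructed sample: automerge limited to patch updates, plus a wider
# allowance for one explicitly named package. This passes the policy.
SCOPED_CONFIG = json.loads("""
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    { "matchUpdateTypes": ["patch"], "automerge": true },
    {
      "matchPackageNames": ["lodash"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ]
}
""")


def automerge_findings(config: dict) -> list[str]:
    """Return a list of policy violations; an empty list means the config is fine."""
    findings = []
    # Global automerge applies to every dependency and every update type.
    if config.get("automerge") is True:
        findings.append("automerge is enabled globally")
    for i, rule in enumerate(config.get("packageRules", [])):
        if rule.get("automerge") is not True:
            continue
        scoped_by_package = bool(rule.get("matchPackageNames"))
        patch_only = rule.get("matchUpdateTypes") == ["patch"]
        if not (scoped_by_package or patch_only):
            findings.append(
                f"packageRules[{i}] automerges without package or patch scope"
            )
    return findings


def policy_ok(config: dict) -> bool:
    """True when the config obeys the automerge policy."""
    return not automerge_findings(config)


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG),
                      ("unscoped-rule", UNSCOPED_RULE_CONFIG),
                      ("scoped", SCOPED_CONFIG)]:
        print(name, "OK" if policy_ok(cfg) else automerge_findings(cfg))
```

Run it against a real renovate.json by loading the file instead of the embedded samples; a non-empty findings list is a reason to fail the pipeline job that validates the configuration.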
The slim image is smaller and loads faster
Tools are not pre-installed…
…but installed on-demand…
…natively or using container sidecars
# GitLab CI job that runs Renovate against the current project
renovate:
  image: renovate/renovate:slim
  script: |
    renovate --platform gitlab \
      --endpoint ${CI_API_V4_URL} \
      --token ${RENOVATE_TOKEN} \
      ${CI_PROJECT_PATH}
  # ...