Renovate


Supply Chain Security

Supply chain - all libraries and tools used to develop, build and publish

Supply chain security - enhance the security within the supply chain

Supply chain attack - exploit of a vulnerability in the supply chain

Your responsibilities

Make sure you are not part of the problem

Ship a secure product

Check where you get stuff from

Your risk

Unable to solve supply chain security recursively


Renovate

Automated updates of dependencies

Container image available

No integration with GitLab

Options

Pipeline job - optionally with official template

Process running separate from GitLab instance

Self-hosted Renovate (formerly paid product)

Hands-On

See chapter Renovate


Pro tip: Automerge

Renovate can automatically merge updates

Prerequisites

The merge request must have completed a pipeline successfully

The configuration must allow automerge

Slow start

Do not enable automerge globally

Start with specific dependencies…

…or patchlevel updates


Pro tip: Use slim image

Image is smaller and loads faster

Tools are not pre-installed…

…but installed on-demand…

…natively or using container sidecars

renovate:
  image: renovate/renovate:slim
  script: |
    renovate --platform gitlab \
        --endpoint ${CI_API_V4_URL} \
        --token ${RENOVATE_TOKEN} \
        ${CI_PROJECT_PATH}
  #...

Request tools version using constraints

Or use tool specific directives like engine for npm