ci: stop scanning test/ directory with dependabot #5651
nancysangani wants to merge 1 commit into ossf:main
Signed-off-by: Nancy <9d.24.nancy.sangani@gmail.com>
Pull request overview
Updates Dependabot configuration to prevent pip dependency scanning from flagging test-fixture requirement files under test/, reducing false-positive vulnerability alerts while keeping Dependabot enabled for real project dependencies.
Changes:
- Removes previously commented-out ecosystem entries intended to suppress /test/ scanning.
- Adds an ignore rule to the pip update configuration intended to exclude test/**.
| ignore: | ||
| - dependency-name: "*" | ||
| paths: | ||
| - "test/**" |
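Review bot: `dependency-name: "*"` is the risky half of this rule: the `paths:` entry only narrows it if Dependabot honours that key under `ignore`, and if it does not, the wildcard alone ignores every pip dependency in the repository, the opposite of what the PR intends. Suggest confirming the key against the Dependabot configuration reference before merge, and adding a YAML comment above `ignore:` that points at #5253 so the reason for the rule survives future edits.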
The new ignore rule uses dependency-name: "*" with a paths: filter. Dependabot's ignore entries are evaluated by dependency name/version/update-type; if paths is not a supported key (and gets ignored), this will effectively ignore all pip dependency updates for the repo, disabling the intended weekly pip updates. Please verify Dependabot supports paths here; if not, a safer approach is to scope the pip update directory to only the folder(s) containing real project manifests, or rename/move the test fixture requirement files so they are not detected as pip manifests.
Closes #5253
The pip ecosystem entry with `directory: "/"` would scan any requirements files found under `test/`, generating false positive alerts for packages that are only used as test fixtures for the vulnerability scanner itself — they are never installed or run.

Add an `ignore` block with a `paths` filter to exclude everything under `test/**` from dependabot's pip scanning, while keeping dependabot active for the actual project dependencies.
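A small check for the concern raised in review, added here as an example and not code from this PR or the ossf project: it walks a parsed dependabot.yml and flags ignore entries with keys it does not recognise, plus a wildcard dependency-name with nothing narrowing it. It assumes the only keys honoured under `ignore` are `dependency-name`, `versions` and `update-types`; confirm that against the Dependabot configuration reference before relying on it.

```python
"""Lint a parsed dependabot.yml for ignore rules that silently widen or break.

Added example, not part of this PR. Assumption: entries under `ignore:` accept
only dependency-name, versions and update-types, so any other key (such as
`paths`) is treated as unrecognised and therefore as not narrowing the rule.
"""
from typing import Any

# Keys this checker recognises under `ignore:` (assumed complete, see above).
KNOWN_IGNORE_KEYS = {"dependency-name", "versions", "update-types"}


def lint_ignore_rules(config: dict[str, Any]) -> list[str]:
    """Return one finding string per problem found in updates[*].ignore[*]."""
    findings: list[str] = []
    for idx, update in enumerate(config.get("updates", [])):
        where = f"updates[{idx}] ({update.get('package-ecosystem', '?')})"
        for rule in update.get("ignore") or []:
            unknown = set(rule) - KNOWN_IGNORE_KEYS
            if unknown:
                findings.append(
                    f"{where}: unrecognised ignore key(s) {sorted(unknown)}; "
                    "they do not narrow the rule")
            # A wildcard name with no versions/update-types constraint ignores
            # every dependency of that ecosystem, i.e. disables its updates.
            if rule.get("dependency-name") == "*" and not (
                    rule.get("versions") or rule.get("update-types")):
                findings.append(
                    f"{where}: dependency-name '*' without versions/update-types "
                    "disables all updates for this ecosystem")
    return findings


# Constructed sample: the first entry mirrors the rule under review, the second
# is a correctly scoped ignore for comparison (package name is made up).
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "pip", "directory": "/",
         "schedule": {"interval": "weekly"},
         "ignore": [{"dependency-name": "*", "paths": ["test/**"]}]},
        {"package-ecosystem": "pip", "directory": "/",
         "schedule": {"interval": "weekly"},
         "ignore": [{"dependency-name": "example-package",
                     "update-types": ["version-update:semver-major"]}]},
    ],
}

if __name__ == "__main__":
    for finding in lint_ignore_rules(SAMPLE_CONFIG):
        print(finding)
```

In practice load the file with `yaml.safe_load` and pass the resulting dict to `lint_ignore_rules`.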