
Automating Dependabot for Docker Compose

Keep your Docker Compose dependencies secure and up to date by automating Dependabot configuration with a simple Bash script and GitHub Actions.


Keeping dependencies up to date is essential for security and maintainability, but manually managing updates across multiple docker-compose.yml files in a project can be tedious. In this post, I’ll show you a small Bash script I wrote to automate the generation of a dependabot.yml file. It scans your repo for all Docker Compose files and configures Dependabot to check them for updates monthly. It’s lightweight, efficient, and ensures you never miss a patch. Let’s dive in. We will also automate regenerating the dependabot.yml itself with GitHub Actions.

What is dependabot?

Dependabot is a built-in GitHub tool that automatically checks your project dependencies for updates. It can open pull requests when new versions of your dependencies are available - helping you stay secure and up to date with minimal effort. For Docker Compose projects, it monitors container image tags and notifies you when a newer version is published.

Create generate-dependabot.sh

In the top level of your directory, create a script file to generate dependabot.yml:

nano generate-dependabot.sh

Paste the following content into the file:

#!/bin/bash
set -euo pipefail

mkdir -p .github

tmpfile=$(mktemp)
trap 'rm -f "$tmpfile"' EXIT

# Header
cat > "$tmpfile" <<'YAML'
version: 2
updates:
  - package-ecosystem: "docker-compose"
    directories:
YAML

# Find every Compose file (docker-compose.yml, compose.yaml, compose-prod.yml,
# docker-compose.override.yml, ...) and list each containing directory once.
# A file in the repo root is rendered as "/". GNU find (as on ubuntu-latest)
# is assumed for -regextype.
find . -regextype posix-extended \
    -regex '.*/(docker-)?compose(-[A-Za-z0-9_]+)?(\.[A-Za-z0-9_-]+)?\.ya?ml' -print0 \
  | xargs -0 -r -n1 dirname \
  | sed -e 's|^\./||' -e 's|^\.$||' \
  | sort -u \
  | while read -r dir; do
      echo "      - \"/$dir\"" >> "$tmpfile"
    done

# Do not write a config whose directories list is empty
if ! grep -q '^      - "' "$tmpfile"; then
  echo "No Docker Compose files found; .github/dependabot.yml not written." >&2
  exit 1
fi

# Append the schedule block
cat >> "$tmpfile" <<'YAML'
    schedule:
      interval: "monthly"
YAML

# Install if changed
if ! [ -f .github/dependabot.yml ] || ! cmp -s "$tmpfile" .github/dependabot.yml; then
  mv "$tmpfile" .github/dependabot.yml
  echo "✅ Updated .github/dependabot.yml!"
else
  echo "ℹ️ No changes to .github/dependabot.yml."
fi

Make the script executable:

chmod +x generate-dependabot.sh

When you run the script using ./generate-dependabot.sh, it will create (or update) the .github/dependabot.yml file with a list of all directories containing docker-compose.yml files. Commit this file to your Git repository — Dependabot will then automatically check for updated Docker image versions every month and open a pull request if any updates are found.

You can change the interval to weekly or daily if you prefer.
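Before trusting the generated file, it is worth checking that the discovery step really finds what you expect. The block below is an added example, not part of the original post: it wraps the same find expression in a function and runs it against a constructed throwaway tree covering the awkward cases (a Compose file in the repo root, two Compose files in one directory, a compose-prod.yaml variant, and a file that must not match). It assumes GNU find, as on ubuntu-latest.

```shell
#!/bin/bash
# Added example: the discovery step of generate-dependabot.sh as a function,
# exercised against a constructed fixture tree rather than a real repository.
set -euo pipefail

# Print the Dependabot "directories" entries for every Compose file under $1,
# one per line, deduplicated, with the repo root rendered as "/".
compose_dirs() {
  (cd "$1" && find . -regextype posix-extended \
      -regex '.*/(docker-)?compose(-[A-Za-z0-9_]+)?(\.[A-Za-z0-9_-]+)?\.ya?ml' -print0) \
    | xargs -0 -r -n1 dirname \
    | sed -e 's|^\./||' -e 's|^\.$||' \
    | sort -u \
    | sed 's|^|/|'
}

# Build a constructed sample layout in a temp dir and return the space-joined
# result, so the edge cases can be checked in one string.
fixture_result() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/web" "$root/db/prod" "$root/docs"
  : > "$root/compose.yml"                      # repo root -> "/"
  : > "$root/web/docker-compose.yml"           # two files, one directory
  : > "$root/web/docker-compose.override.yml"  # must not duplicate "/web"
  : > "$root/db/prod/compose-prod.yaml"        # variant name, .yaml suffix
  : > "$root/docs/compose.txt"                 # must not match
  compose_dirs "$root" | paste -s -d ' ' -
  rm -rf "$root"
}
```

Running fixture_result prints "/ /db/prod /web"; any other output means the expression needs adjusting for your layout.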

Github Actions

To keep your dependabot.yml up to date automatically, we can use a GitHub Action. Instead of manually running the script every time something changes, this workflow runs the script above on every push to the repository and creates a pull request when an update is needed. It ensures your configuration always reflects the current state of your project - hands-free.

Create the workflow file

Create a file at .github/workflows/update-dependabot.yml:

name: Update Dependabot Config

on:
  push:
    branches:
      - master
      - main
    paths-ignore:
      - '.github/dependabot.yml'

  workflow_dispatch:

permissions:
  contents: write
  pull-requests: write

jobs:
  update:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Generate dependabot.yml
        run: ./generate-dependabot.sh

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v6
        with:
          commit-message: "chore: update dependabot.yml [automated]"
          title: "Chore: Update dependabot.yml"
          body: |
            This PR was automatically generated by a GitHub Action to update the `.github/dependabot.yml` file.
          branch: "chore/update-dependabot-config"
          delete-branch: true
          labels: |
            dependencies

Make sure GitHub Actions has permission to create pull requests. Go to Settings → Actions → General → Workflow permissions, ensure “Read and write permissions” is selected, and check “Allow GitHub Actions to create and approve pull requests”. Note that pull requests created with the repository’s default GITHUB_TOKEN do not themselves trigger other workflow runs, so CI checks will not run on the generated PR unless you use a different token.

You can still manually update the dependabot.yml file at any time by running the script as described above. This is useful if you want to quickly regenerate the configuration without waiting for GitHub Actions to trigger. Just remember to commit the updated file so Dependabot can pick it up.

With this setup, you can keep your Docker Compose dependencies up to date effortlessly — and ensure your dependabot.yml file stays in sync as your project evolves. It’s a small automation that saves time, prevents surprises, and helps keep your stack secure. Happy automating! 🚀

If you’re interested in more GitHub Actions tips, check out my post on Automating Cloudflare Pages deployments with GitHub Actions.

This post is licensed under CC BY 4.0 by the author.