---
title: Dependabot execution
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Dependabot execution
---

# Dependabot execution

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `f3a4b5c6-d7e8-49f0-a1b2-c3d4e5f6a7b8`

**Cloud Provider:** GitHub

**Platform:** CICD

**Severity:** High

**Category:** Supply-Chain

### Learn More{% #learn-more %}

- [Provider Reference](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#insecure-external-code-execution)

## Description{% #description %}

Dependabot updates must not be configured to execute untrusted external code. Allowing install scripts or arbitrary code from dependencies can lead to supply-chain compromise and remote code execution during automated updates. The `insecure-external-code-execution` property under each `updates` entry in the Dependabot configuration (dependabot.yml) must be set to the string `deny` or omitted, as the default is `deny`. Entries with `insecure-external-code-execution: allow` will be flagged.

Secure configuration example:

```yaml
version: 2

updates:
  - package-ecosystem: pip
    directory: /
    schedule:
      interval: daily
    insecure-external-code-execution: deny
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    insecure-external-code-execution: deny

  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Default is deny when omitted
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    insecure-external-code-execution: allow
```
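The check this rule describes, as an added example that is not part of this page and not Datadog's scanner: a standard-library Python script that reads the `updates` list of a dependabot.yml, treats an omitted `insecure-external-code-execution` as `deny`, and reports each entry set to `allow` with its line number. It is run over the compliant and non-compliant configurations shown above (embedded here as constructed sample strings). The `Finding` type, the `parse_updates`/`scan_dependabot` functions and the minimal indentation-aware parser (used instead of a YAML library so the example has no dependencies) are the example's own.

```python
"""Added example: report `updates` entries in a dependabot.yml whose
`insecure-external-code-execution` is `allow`, the condition this rule flags.
A minimal indentation-aware scanner stands in for a YAML library."""
import re
from typing import List, NamedTuple

KEY = "insecure-external-code-execution"
DEFAULT_POLICY = "deny"  # GitHub's default when the key is omitted
_KV = re.compile(r"^([A-Za-z0-9_-]+):\s*(.*)$")

class Finding(NamedTuple):
    entry_index: int       # 0-based position in the `updates` list
    package_ecosystem: str
    directory: str
    line: int              # 1-based line of the offending key
    value: str

def parse_updates(text: str) -> List[dict]:
    """One dict per `updates` entry: {"index", "fields", "lines"}; `fields` maps
    entry-level keys to values and `lines` to their line numbers. Nested maps
    (schedule.interval) and nested lists are skipped: this rule never needs them."""
    entries: List[dict] = []
    in_updates, item_indent, current = False, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop comments (`#` at line start or after whitespace) and blank lines.
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if indent == 0:
            # A top-level key either opens the `updates` block or ends it.
            in_updates, current = body.startswith("updates:"), None
            continue
        if not in_updates:
            continue
        if body.startswith("- "):
            if item_indent is None:
                item_indent = indent
            if indent == item_indent:
                current = {"index": len(entries), "fields": {}, "lines": {}}
                entries.append(current)
                body, indent = body[2:].strip(), indent + 2  # key on the `- ` line
        if current is None or indent != item_indent + 2:
            continue
        m = _KV.match(body)
        if m:
            current["fields"][m.group(1)] = m.group(2).strip().strip("\"'")
            current["lines"][m.group(1)] = lineno
    return entries

def effective_policy(entry: dict) -> str:
    """What the rule evaluates: the key's value, or `deny` when the key is omitted."""
    return entry["fields"].get(KEY, DEFAULT_POLICY)

def scan_dependabot(text: str) -> List[Finding]:
    """Flag each update entry whose effective policy is `allow`."""
    return [
        Finding(e["index"], e["fields"].get("package-ecosystem", "?"),
                e["fields"].get("directory", "?"), e["lines"][KEY], e["fields"][KEY])
        for e in parse_updates(text) if effective_policy(e) == "allow"
    ]

# Constructed sample inputs, mirroring the page's compliant and non-compliant examples.
COMPLIANT = """\
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    insecure-external-code-execution: deny
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Default is deny when omitted
"""
NON_COMPLIANT = """\
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    insecure-external-code-execution: allow
"""

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        findings = scan_dependabot(doc)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line}: updates[{f.entry_index}] ({f.package_ecosystem}, "
                  f"{f.directory}) sets {KEY}: {f.value}")
```

Running the file reports no findings for the compliant configuration (both entries resolve to `deny`, the second because the key is omitted) and one finding at line 7 for the non-compliant one. The parser only records keys at the entry's own indentation level, so `schedule.interval` and any nested `allow:`/`ignore:` lists never collide with the policy key; a production check should parse the YAML properly rather than rely on indentation.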
