
Metadata

Id: f3a4b5c6-d7e8-49f0-a1b2-c3d4e5f6a7b8

Cloud Provider: GitHub

Platform: CICD

Severity: High

Category: Supply-Chain

Description

Dependabot updates must not be configured to execute untrusted external code. Some package managers run code while resolving dependencies (for example a setup.py for pip or Gemfile evaluation for bundler), and when that code comes from a compromised or attacker-controlled dependency, an unattended update run turns into remote code execution inside the Dependabot job, with access to whatever registry credentials the job was given. The insecure-external-code-execution property under each updates entry in the Dependabot configuration (dependabot.yml) must therefore be set to the string deny or omitted, since deny is the default. Any entry with insecure-external-code-execution: allow is flagged, whether the value is bare or quoted. GitHub documents this option for the bundler, mix and pip ecosystems, so an explicit allow is most consequential there, but the rule reports it on any entry.

Secure configuration example:

version: 2

updates:
  - package-ecosystem: pip
    directory: /
    schedule:
      interval: daily
    insecure-external-code-execution: deny

Compliant Code Examples

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    insecure-external-code-execution: deny

  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Default is deny when omitted

Non-Compliant Code Examples

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    insecure-external-code-execution: allow
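The check this rule performs, as an added example in Ruby (Dependabot's own implementation language): it loads a dependabot.yml with the standard library YAML parser, flags every updates entry whose insecure-external-code-execution is the string allow, treats an omitted key as deny, and can rewrite offending entries to deny. This is not Datadog's or GitHub's code; the function names and the two embedded configurations are constructed for illustration and mirror the compliant and non-compliant examples above.

```ruby
# Added example: minimal checker for the Dependabot
# insecure-external-code-execution rule. Hypothetical helper names;
# not Datadog's or GitHub's code.
require 'yaml'

# Constructed sample configurations (not taken from any real repository).
COMPLIANT_CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "pip"
      directory: "/"
      schedule:
        interval: "daily"
      insecure-external-code-execution: deny
    - package-ecosystem: "npm"
      directory: "/"
      schedule:
        interval: "weekly"
YAML

NON_COMPLIANT_CONFIG = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "pip"
      directory: "/"
      schedule:
        interval: "daily"
      insecure-external-code-execution: allow
    - package-ecosystem: "bundler"
      directory: "/api"
      schedule:
        interval: "weekly"
      insecure-external-code-execution: "allow"
YAML

# Returns one finding per offending `updates` entry. A finding is a Hash
# with :index (position in the updates list), :ecosystem and :directory.
def find_insecure_code_execution(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  updates = config['updates']
  return [] unless updates.is_a?(Array)

  updates.each_with_index.filter_map do |entry, i|
    next unless entry.is_a?(Hash)
    value = entry['insecure-external-code-execution']
    # Omitted key => deny (the default). Bare and quoted `allow` both load
    # as the same Ruby String, so one comparison covers both spellings.
    next unless value == 'allow'
    { index: i, ecosystem: entry['package-ecosystem'], directory: entry['directory'] }
  end
end

def compliant?(yaml_text)
  find_insecure_code_execution(yaml_text).empty?
end

# Rewrites every `allow` to `deny` and returns the configuration as YAML text.
# Entries without the key are left alone, since omission already means deny.
def remediate(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  Array(config['updates']).each do |entry|
    next unless entry.is_a?(Hash)
    if entry['insecure-external-code-execution'] == 'allow'
      entry['insecure-external-code-execution'] = 'deny'
    end
  end
  config.to_yaml
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_dependabot.rb [path/to/dependabot.yml]
  # Falls back to the constructed non-compliant sample when no file exists.
  path = ARGV[0] || '.github/dependabot.yml'
  text = File.exist?(path) ? File.read(path) : NON_COMPLIANT_CONFIG
  find_insecure_code_execution(text).each do |f|
    puts "updates[#{f[:index]}] (#{f[:ecosystem]} in #{f[:directory]}): " \
         'insecure-external-code-execution is allow'
  end
end
```

Because YAML.safe_load is used, the checker itself refuses the custom tags that a hostile dependabot.yml could otherwise use to instantiate arbitrary Ruby objects, which matters when a scanner is run over many untrusted repositories.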