Automate .NET Dependency Management in Azure DevOps with GitHub’s Dependabot

Dan Rios

Introduction 🤖 

In this blog, I’ll detail how you can integrate GitHub Dependabot with Azure DevOps at no cost, ensuring you can proactively monitor vulnerabilities in your project dependencies and keep them up-to-date in your .NET projects!

For those unaware, Dependabot is a bot designed to help developers keep their software dependencies up-to-date by scanning the project for outdated dependencies, usually on a set schedule via an automated pipeline. This is especially useful for proactively addressing security vulnerabilities within your .NET projects. What’s not to like about that?

Dependabot has made the core library open source so that organisations and individuals not invested in the GitHub ecosystem can still leverage the bot, and that is exactly what the awesome team at Tingle Software have done with their project for Azure DevOps users.

Whilst this blog covers Azure DevOps .NET projects via a private artifact feed, Dependabot supports various other feeds (and other languages) for your own workflows; check them out here.

The Azure DevOps extension is not affiliated with Microsoft or GitHub and therefore not official.

Setup

Extension install

Firstly, you’ll need to go ahead and install the Dependabot for Azure DevOps extension via the marketplace so that the task is available to call:

In Azure DevOps, go to your ‘Organization Settings > Extensions’ area and ‘Browse marketplace’ to search for and install the Azure DevOps extension:

YAML

Dependabot configuration

Next, you’ll want to configure the dependabot.yml configuration file. It must live in the .azuredevops or .github folder at the root of your repository (e.g., .azuredevops/dependabot.yml). Below is a quickstart example for a .NET NuGet feed via Azure Artifacts; you can adapt the file to your needs using the documentation here.

# see https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/working-with-dependabot/dependabot-options-reference
version: 2
registries:
  azure-artifacts:
    type: nuget-feed
    key: "dotnet"
    url: "https://pkgs.dev.azure.com/riosengineer/Dependabot/_packaging/dotnet/nuget/v3/index.json" # change to your ado artifact feed source
    token: PAT:${{ MY_DEPENDABOT_ADO_PAT }} # change to your library var name
updates:
  - package-ecosystem: "nuget"
    target-branch: main
    registries:
      - azure-artifacts
    commit-message:
      prefix: "deps"
    open-pull-requests-limit: 5
    directories: [ '/' ] # amend dir scope as necessary
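The two things that most often go wrong with this file are a PAT pasted in literally instead of the ${{ VAR }} reference to the pipeline's variable group, and an update block naming a registry that was never declared. The following lint is an added example, not part of the post or of the Tingle Software extension; it walks the simple two-level layout shown above with the standard library only (it is not a general YAML parser), and the two sample configs, including the EXAMPLE_ORG/EXAMPLE_PROJECT feed URL and the fake literal PAT, are constructed for the demo.

```python
"""Added lint for a dependabot.yml that targets an Azure Artifacts feed.

Flags: a literal token instead of PAT:${{ VAR }}, a feed URL that is not
HTTPS, and an update block referencing a registry that is not declared
under top-level "registries:". Indentation-based walk; assumes the simple
layout used in the post, not arbitrary YAML.
"""
import re

# A token value must be PAT:${{ SOME_VARIABLE }} and nothing else.
TOKEN_REF = re.compile(r"^PAT:\$\{\{\s*[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")


def lint_dependabot_yml(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the file is clean."""
    findings: list[str] = []
    declared: set[str] = set()               # names under top-level registries:
    referenced: list[tuple[int, str]] = []   # (line, name) from updates[].registries
    section = None                           # current top-level key, if any
    in_update_registries = False
    reg_indent = 0

    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()

        if indent == 0:
            # New top-level key; only "registries:" and "updates:" matter here.
            section = stripped[:-1] if stripped.endswith(":") else None
            in_update_registries = False
            continue

        if section == "registries":
            if indent == 2 and stripped.endswith(":"):
                declared.add(stripped[:-1])
            elif stripped.startswith("token:"):
                value = stripped[len("token:"):].strip().strip("\"'")
                if not TOKEN_REF.match(value):
                    findings.append(f"line {no}: token is a literal credential; "
                                    "reference a variable group entry as PAT:${{ VAR }}")
            elif stripped.startswith("url:"):
                value = stripped[len("url:"):].strip().strip("\"'")
                if not value.startswith("https://"):
                    findings.append(f"line {no}: feed url is not https")

        elif section == "updates":
            if in_update_registries and indent <= reg_indent:
                in_update_registries = False      # the registries list ended
            if stripped == "registries:":
                in_update_registries, reg_indent = True, indent
            elif in_update_registries and stripped.startswith("- "):
                referenced.append((no, stripped[2:].strip()))

    for no, name in referenced:
        if name not in declared:
            findings.append(f"line {no}: registry '{name}' is not declared under registries:")
    return findings


# Constructed sample mirroring the post's layout; org/project names are placeholders.
GOOD_CONFIG = """\
version: 2
registries:
  azure-artifacts:
    type: nuget-feed
    url: "https://pkgs.dev.azure.com/EXAMPLE_ORG/EXAMPLE_PROJECT/_packaging/dotnet/nuget/v3/index.json"
    token: PAT:${{ MY_DEPENDABOT_ADO_PAT }}
updates:
  - package-ecosystem: "nuget"
    target-branch: main
    registries:
      - azure-artifacts
    directories: [ '/' ]
"""

# Constructed bad sample: plain-http feed, fake literal PAT, undeclared registry.
BAD_CONFIG = """\
version: 2
registries:
  azure-artifacts:
    type: nuget-feed
    url: "http://pkgs.dev.azure.com/EXAMPLE_ORG/EXAMPLE_PROJECT/_packaging/dotnet/nuget/v3/index.json"
    token: PAT:notarealpat0123456789
updates:
  - package-ecosystem: "nuget"
    registries:
      - azure-artifacts
      - internal-feed
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_dependabot_yml(cfg) or ["OK"])
```

Running it on the bad sample reports the http URL, the literal token and the undeclared internal-feed registry, each with its line number; a check like this fits naturally as a pre-commit hook or a first pipeline step before the dependabot@2 task runs.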

Azure Pipeline

Next, you’ll need to set up an Azure Pipeline to run the Dependabot scan on your desired schedule. In my example, it’s set to run weekly, but you can also manually run the pipeline on your branch whenever you want to test immediately. Create your desired pipeline file, e.g., azure-pipelines.yml, and add the YAML configuration below as a starting point. The dependabot@2 task has many settings that can be customised; see here.

trigger: none # Disable CI trigger
schedules:
  - cron: '0 0 * * 0' # weekly on sunday at midnight UTC
    always: true # run even when there are no code changes
    branches:
      include:
        - main
    batch: true
    displayName: Weekly
pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)
variables:
  - group: lib-dependabot # change to your ADO lib name
steps:
  - task: dependabot@2
    inputs:
      mergeStrategy: 'squash'
      # see more inputs https://github.com/tinglesoftware/dependabot-azure-devops/tree/main/extension#task-parameters
    env:
      TOKEN: $(System.AccessToken)

Create your Azure Pipelines from the existing yaml file: Pipelines > New pipeline > Azure Repos Git > Repo > Existing YAML file.

Azure DevOps Permissions

If you want to lock down the permissions that Dependabot runs with and use the least privileged identity possible, you can pass either azureDevOpsServiceConnection or azureDevOpsAccessToken to the task instead of granting the build service access. See more: dependabot-azure-devops/extension/README.md at main · tinglesoftware/dependabot-azure-devops · GitHub

Now, you’ll need to grant the Azure DevOps Build Service user access to create a branch, push, and contribute to a pull request so the bot task can scan, create a temporary branch with the changes, and finally create the pull request for review. To do this, go to ‘Project Settings’ > Repositories > YOUR REPO > Security > Users/Build Service:

Grant:

  • Contribute: Allow
  • Contribute to pull requests: Allow
  • Create branch: Allow

This is the identity behind the TOKEN: $(System.AccessToken) environment variable in the pipeline YAML: the pipeline runs under the build service account, so the permissions you grant that account are exactly the permissions Dependabot has when it creates the branch and the pull request.

PAT

Finally, you need a PAT for private Azure Artifacts feed access so Dependabot can check the dependencies. The PAT needs the Packaging (read) scope so Dependabot can scan the dependencies in the private artifacts feed your project uses.

Click the profile settings icon at the top right (next to your profile circle) and select Personal access tokens (show more scopes):

Lastly, add this PAT value to your Azure DevOps library, which you will reference in the azure-pipelines.yml file as a variable group. This exposes the PAT to the task as an environment variable, granting feed access when the bot runs.

In action 🚀

Now, manually run the pipeline and wait for it to complete to review the scan output and pull request action. In my example, I’m deliberately using an older Azure.Identity package version that I know has vulnerabilities. My project is pulling from a private Azure Artifact feed, with the upstream feed being the public NuGet source.

When running the pipeline manually, it picks up the latest Azure.Identity version, which at the time of writing is 1.13.1.

Now that the pipeline with the bot scan has completed, you’ll notice an active pull request waiting for review. It details the dependency found, the version it will be updated to, and includes release notes about the update:

Lastly, we see the bot has modified the .csproj file to update the package reference version to the latest version 🎉
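To make the steps above concrete, here is an added, deliberately simplified re-creation of what the bot does for a NuGet project: read each PackageReference in the .csproj, compare it with the newest version the feed offers, and rewrite the project file for the ones that are behind. This is example code written for this post, not the extension's or Dependabot's own implementation. The .csproj, the pinned 1.10.0 Azure.Identity version, the Newtonsoft.Json and Internal.Shared references and the feed's "latest" answers are all constructed inline so it runs offline; only the 1.13.1 target comes from the post.

```python
"""Added, simplified model of a Dependabot NuGet run: find outdated
PackageReferences and apply the version bump the pull request would carry.
Feed answers are constructed inline instead of fetched from the Azure
Artifacts nuget/v3 index, so the script runs offline."""
import xml.etree.ElementTree as ET

# Constructed sample project file (not the post's project). The pinned
# Azure.Identity version is an arbitrary older release chosen for the demo.
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.10.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Internal.Shared" Version="2.0.0-beta.1" />
  </ItemGroup>
</Project>
"""

# Constructed stand-in for "latest version on the feed". A real run would
# query the index URL from dependabot.yml using the Packaging (read) PAT.
FEED_LATEST = {
    "Azure.Identity": "1.13.1",
    "Newtonsoft.Json": "13.0.3",
    "Internal.Shared": "2.0.0",
}


def parse_version(v: str) -> tuple:
    """Order NuGet versions: numeric parts (padded to four, NuGet allows a
    revision), then release-before-prerelease, then the prerelease label.
    The label compares lexically, an approximation of SemVer precedence."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (4 - len(nums))
    return (nums, 0 if pre else 1, pre)


def package_references(csproj_text: str) -> dict[str, str]:
    """Map package id -> pinned version for every PackageReference."""
    root = ET.fromstring(csproj_text)
    refs: dict[str, str] = {}
    for el in root.iter("PackageReference"):
        version = el.get("Version")
        if version is None:                      # <Version> child element form
            child = el.find("Version")
            version = child.text.strip() if child is not None and child.text else None
        if version:
            refs[el.get("Include")] = version
    return refs


def outdated(csproj_text: str, feed_latest: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (package, current, latest) for references behind the feed.
    Packages the feed does not know about are skipped."""
    result = []
    for pkg, current in package_references(csproj_text).items():
        latest = feed_latest.get(pkg)
        if latest and parse_version(latest) > parse_version(current):
            result.append((pkg, current, latest))
    return result


def bump_versions(csproj_text: str, updates: list[tuple[str, str, str]]) -> str:
    """Rewrite the Version attribute for each update: the edit the bot's
    pull request carries. Only the attribute form is rewritten here."""
    root = ET.fromstring(csproj_text)
    wanted = {pkg: latest for pkg, _, latest in updates}
    for el in root.iter("PackageReference"):
        if el.get("Include") in wanted and el.get("Version") is not None:
            el.set("Version", wanted[el.get("Include")])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    changes = outdated(CSPROJ, FEED_LATEST)
    for pkg, cur, new in changes:
        print(f"{pkg}: {cur} -> {new}")
    print(bump_versions(CSPROJ, changes))
```

The prerelease case is why the version comparison is its own function: a pinned 2.0.0-beta.1 must be reported as behind 2.0.0, which a plain string comparison gets wrong. The real bot also opens one pull request per update (capped by open-pull-requests-limit in dependabot.yml) and attaches release notes; this script stops at the rewritten project file.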

Conclusion

That’s it. It’s pretty awesome and a great proactive tool to add to your workflow, ensuring your project dependencies don’t expose you to security vulnerabilities and other issues. The bot can be heavily customised and supports many languages (e.g., Python, Java, etc.), not just .NET. It uses various feeds for updates, all of which can be reviewed in the official Dependabot documentation. You can then tweak or add further configurations in the dependabot.yml file.

Let me know your thoughts: are you using it, and did you even know it was available to integrate with Azure DevOps?
