From c188e1debde5c6d30730c08b0717b4bc446b63b8 Mon Sep 17 00:00:00 2001
From: Robin Lungwitz <robin.lungwitz@sap.com>
Date: Tue, 13 Jan 2026 18:32:01 +0100
Subject: [PATCH] feat: enable renovate osv.dev integration

**WHAT**
Enable renovate's integration with osv.dev database (alerts + dashboard insights)

**WHY**
Renovate integrates with OSV, an open-source vulnerability database, to check if extracted dependencies have known vulnerabilities. Set osvVulnerabilityAlerts to true to get pull requests with vulnerability fixes (once they are available). You will only get OSV-based vulnerability alerts for *direct* dependencies.
---
 default.json                    | 3 ++-
 renovate-presets/security.json5 | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 renovate-presets/security.json5

diff --git a/default.json b/default.json
index e405f7a..cccebab 100644
--- a/default.json
+++ b/default.json
@@ -2,7 +2,8 @@
   "enabled": true,
   "extends": [
     "config:best-practices",
-    ":pinAllExceptPeerDependencies"
+    ":pinAllExceptPeerDependencies",
+    "github>leanix/.github//renovate-presets/security.json5"
   ],
   "internalChecksFilter": "strict",
   "minimumReleaseAge": "5 days",
diff --git a/renovate-presets/security.json5 b/renovate-presets/security.json5
new file mode 100644
index 0000000..8d343f0
--- /dev/null
+++ b/renovate-presets/security.json5
@@ -0,0 +1,6 @@
+{
+    // Display OSV vulnerability alerts in the dependency dashboard
+    "dependencyDashboardOSVVulnerabilitySummary": "all",
+    // Enable OSV vulnerability alerts for all repositories (experimental feature)
+    "osvVulnerabilityAlerts": true
+}
\ No newline at end of file