diff --git a/renovate-presets/README.md b/renovate-presets/README.md
index 63f5a63..64d73be 100644
--- a/renovate-presets/README.md
+++ b/renovate-presets/README.md
@@ -45,6 +45,8 @@ This directory contains shareable Renovate configuration presets that can be use
 - Displays OSV vulnerability alerts in the Renovate dependency dashboard
 - Enables OSV vulnerability scanning for all dependencies (experimental feature)
 - Provides comprehensive vulnerability information from the [OSV database](https://osv.dev/)
+- Labels PRs with the CVE severity
+- suffixes commits and PR title with the CVE severity
 
 **Usage**:
 ```json
diff --git a/renovate-presets/security.json5 b/renovate-presets/security.json5
index 8d343f0..bb8d194 100644
--- a/renovate-presets/security.json5
+++ b/renovate-presets/security.json5
@@ -2,5 +2,22 @@
 // Display OSV vulnerability alerts in the dependency dashboard
 "dependencyDashboardOSVVulnerabilitySummary": "all",
 // Enable OSV vulnerability alerts for all repositories (experimental feature)
- "osvVulnerabilityAlerts": true
+ "osvVulnerabilityAlerts": true,
+ // Configuration for Security updates
+ "vulnerabilityAlerts": {
+ // no grouping
+ "groupName": null,
+ // may be created at any time
+ "schedule": [],
+ // no dashboard apporval required
+ "dependencyDashboardApproval": false,
+ // specific minimum release age for security updates
+ "minimumReleaseAge": "5 days",
+ // add label indicating sverity of CVEs
+ "addLabels": ["SEVERITY:{{vulnerabilitySeverity}}"],
+ // add commitMessageSuffix indicating sverity of CVEs
+ "commitMessageSuffix": "[SECURITY] [SEVERITY: {{vulnerabilitySeverity}}{{#if (or (equals vulnerabilitySeverity 'MEDIUM') (equals vulnerabilitySeverity 'MODERATE'))}} 🟡{{else if (or (equals vulnerabilitySeverity 'HIGH') (equals vulnerabilitySeverity 'CRITICAL'))}} 🔴{{/if}}]",
+ // use the lowest possible version that fixes the vulnerability
+ "vulnerabilityFixStrategy": "lowest"
+ }
 }
\ No newline at end of file
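Review bot: `"minimumReleaseAge": "5 days"` inside `vulnerabilityAlerts` holds every security-fix PR back by five days, yet the comment above it only restates the key name; if I read Renovate's built-in `vulnerabilityAlerts` defaults correctly they leave the release age unset, so this is a deliberate deviation whose rationale should be recorded, e.g. `// 5-day hold trades faster patching for time to detect a compromised or yanked fix release; revisit for CRITICAL findings`. The `addLabels` and `commitMessageSuffix` templates only branch on MEDIUM/MODERATE and HIGH/CRITICAL, so a LOW severity gets no marker and an empty severity (should Renovate ever leave `vulnerabilitySeverity` unset) would yield a bare `SEVERITY:` label — either wrap the label in `{{#if vulnerabilitySeverity}}…{{/if}}` or state in the comment that LOW is intentionally unmarked. The comments also misspell `apporval` and `sverity` (twice), and `// Configuration for Security updates` would be clearer as `// Overrides applied only to PRs raised for vulnerability alerts`.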