validate dependabot

Validates that .github/dependabot.yml includes entries for all dependency sources in the repository.

Scans for:

  • Go modules (from go.work)
  • npm packages (package.json)
  • Python packages (requirements.txt)
  • Docker base images (Dockerfile)
  • GitHub Actions workflows

Usage: validate dependabot

eac validate dependabot

Expected Output: Shows missing and extra entries.

Exit code 0 if all covered, 1 if gaps found.

What It Checks

Scans the repository for dependency sources and compares them against declared dependabot entries:

  • Go modules -- Entries from go.work need gomod ecosystem entries.
  • npm packages -- package.json files need npm ecosystem entries.
  • Python packages -- requirements.txt files need pip ecosystem entries.
  • Docker images -- Dockerfile files need docker ecosystem entries.
  • GitHub Actions -- Workflows need a github-actions ecosystem entry.

Reports both missing entries (sources without coverage) and extra entries (no matching source found).
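
The comparison described above, sketched as an added example (not eac's own code) that derives the expected entries from a file listing and diffs them against a dependabot.yml. Assumptions: entries are matched per (ecosystem, directory), one github-actions entry at "/" covers all workflows, and the regex stands in for a real YAML parser; all function names and sample data are constructed.

```python
import posixpath
import re

# Assumed file name -> package-ecosystem mapping, taken from the list above.
FILE_ECOSYSTEMS = {"package.json": "npm", "requirements.txt": "pip", "Dockerfile": "docker"}
# Simplification: expects `directory:` on the line right after `package-ecosystem:`.
ENTRY_RE = re.compile(
    r"package-ecosystem:\s*[\"']?([\w-]+)[\"']?\s*\n\s*directory:\s*[\"']?([^\"'\s]+)")
# Matches `use ./mod` lines and bare `./mod` lines inside a `use ( ... )` block.
USE_RE = re.compile(r"^\s*(?:use\s+)?(\.(?:/\S*)?)\s*$", re.M)
# Constructed sample repository (path -> content) and dependabot.yml (schedule keys omitted).
SAMPLE_FILES = {
    "go.work": "go 1.22\n\nuse (\n    ./svc/api\n    ./tools\n)\n",
    "web/package.json": "{}", "scripts/requirements.txt": "",
    "Dockerfile": "FROM scratch\n", ".github/workflows/ci.yml": "",
}
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/svc/api"
  - package-ecosystem: "npm"
    directory: "/web"
  - package-ecosystem: "github-actions"
    directory: "/"
  - package-ecosystem: "pip"
    directory: "/legacy"
"""

def norm(directory):
    return posixpath.normpath("/" + directory.strip("/"))

# Returns the {(ecosystem, directory)} set that the repository files call for.
def expected_entries(files):
    expected = set()
    for path, content in files.items():
        directory, name = posixpath.split(path)
        if path == "go.work":
            expected |= {("gomod", norm(m)) for m in USE_RE.findall(content)}
        elif name in FILE_ECOSYSTEMS:
            expected.add((FILE_ECOSYSTEMS[name], norm(directory)))
        elif directory == ".github/workflows" and name.endswith((".yml", ".yaml")):
            expected.add(("github-actions", "/"))  # one entry covers all workflows
    return expected

# Returns (missing, extra) as sorted lists of (ecosystem, directory).
def compare(files, dependabot_yml):
    declared = {(eco, norm(d)) for eco, d in ENTRY_RE.findall(dependabot_yml)}
    expected = expected_entries(files)
    return sorted(expected - declared), sorted(declared - expected)
```

Calling compare(SAMPLE_FILES, SAMPLE_DEPENDABOT) reports the uncovered Dockerfile, Go module and requirements.txt as missing, and the pip entry for /legacy as extra.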

Common Errors

  • Missing dependabot entries -- A dependency source has no corresponding entry. Fix with eac update dependabot.
  • Extra dependabot entries -- An entry has no matching source. Fix with eac update dependabot --prune.
