AI Is Your Dependabot Janitor

How I automated dependency remediation and got CVE lifespans down to under a day.

Dependabot-nagging-be-gone

One of the sad truths about security is that, most of the time, real security isn’t particularly sexy.

Stop writing your passwords on sticky notes.

Don’t use the same password for your bank account that you used for that beanie baby collector website you joined when you were 14 (am I dating myself?).

Don’t download and run random software from the Internet.

Double-check that the person or system you’re talking to really is who it claims to be.

Boo. We’re supposed to be more advanced than that. Cooler than that. I want lasers and robots and digital ninjas keeping me safe.

Inherent to the world of information security is the maxim that there is a hard trade-off between complexity and security: the more complex a system is, the less secure it is. Which is why “advanced super AI ML security bot” product offerings get 1-2 skeptically raised eyebrows from yours truly.

Ok so now that I’ve thoroughly convinced you that a lack of sexiness is endemic to the industry and is not my personal problem, are you ready to hear about something that’s a pretty cool, simple, and decidedly tame application of AI that ratchets forward your software’s security posture?

You can use Claude to close the loop on addressing Dependabot vulnerability alerts!

Wow!! Ooooo!! Ahhhhh!! Stunning.

For those of you that want to cut to the chase and see the solution in action, head on over to Blink Build’s dependabot-remediator repository.

For those of you still here, Dependabot is a handy GitHub-based nag-bot that reviews your software dependencies and lets you know when one or more of them has a publicly reported vulnerability (i.e. a CVE). It will also open pull requests that bump the version of the vulnerable dependency to upgrade it out of its vulnerable state.

Anyone who has had to maintain a codebase hosted on GitHub has probably been both (1) aware, via Dependabot, that some of their dependencies had vulnerabilities and (2) too busy with other pressing work to bother bumping the dependency versions. The “ah, your dependencies may be vulnerable” work falls pretty squarely into the “important but not urgent” quadrant of the Eisenhower Matrix, which is the eternal dust bin of work that will get done “some day.” That day tends to perpetually be in the future.

The annoying part of bumping dependency versions comes from the fact that sometimes upgrading a dependency breaks something. Maybe dependency X is no longer compatible with dependency Y. Maybe the upgrade bumped up past a major version number and the calling convention changed. Whatever the cause, the outcome is that an engineer must now dedicate time to figuring out why this third-party dependency that they do not have deep context on broke things. It’s frustrating janitorial software engineering work, which means it’s the perfect candidate for automation via AI.

If your codebase has continuous integration (CI) checks that can determine, with high confidence, that new code is not breaking old code (i.e. comprehensive unit tests and linting), then you can put Claude on the job to great effect.

My codebase, fortunately, does have some pretty strong CI guarantees. Thus I put together a Claude worker inside GitHub Actions that does the following every 24 hours:

  1. Review the state of Dependabot alerts for the repository
  2. Attempt to fix all of the alerts in the repository (including actual code changes)
  3. Cut a new PR with a description of all the changes applied
  4. Ensure that CI passes (and continue to iterate if it does not)

I have been happily running this in my codebase for a month or so now, and every morning I have a nice little PR that I can quickly review and merge. As a result, public CVEs for dependencies in my codebase have a typical lifespan of <1 day at this point. I am also spending just about zero time maintaining and managing the process, which is exactly the amount of time I want to be spending on this sort of work.
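Step 1 of that loop (reviewing the alert state) and the lifespan figure above both come down to reading the alert records GitHub exposes for a repository. The script below is an added example, not code from the dependabot-remediator repository: it takes records in the shape returned by GitHub’s `GET /repos/{owner}/{repo}/dependabot/alerts` endpoint (a constructed sample is embedded, with placeholder CVE ids), collapses open alerts into the single version bump per package that closes all of them, flags packages with no patched version for manual review, and computes how many hours each fixed alert lived.

```python
"""Turn Dependabot alerts into a remediation plan and measure how long alerts lived."""
import json
import re
from datetime import datetime

# Constructed sample, shaped like records from GitHub's
# GET /repos/{owner}/{repo}/dependabot/alerts endpoint (trimmed to the fields used here).
SAMPLE_ALERTS = json.loads("""[
 {"number": 7, "state": "open", "created_at": "2024-05-01T06:00:00Z", "fixed_at": null,
  "dependency": {"package": {"ecosystem": "pip", "name": "requests"}, "manifest_path": "requirements.txt"},
  "security_advisory": {"cve_id": "CVE-0000-0001"}, "security_vulnerability": {"first_patched_version": {"identifier": "2.31.0"}}},
 {"number": 8, "state": "open", "created_at": "2024-05-01T06:00:00Z", "fixed_at": null,
  "dependency": {"package": {"ecosystem": "pip", "name": "requests"}, "manifest_path": "requirements.txt"},
  "security_advisory": {"cve_id": "CVE-0000-0002"}, "security_vulnerability": {"first_patched_version": {"identifier": "2.32.0"}}},
 {"number": 9, "state": "open", "created_at": "2024-05-01T06:00:00Z", "fixed_at": null,
  "dependency": {"package": {"ecosystem": "npm", "name": "some-widget"}, "manifest_path": "package-lock.json"},
  "security_advisory": {"cve_id": "CVE-0000-0003"}, "security_vulnerability": {"first_patched_version": null}},
 {"number": 5, "state": "fixed", "created_at": "2024-04-30T08:00:00Z", "fixed_at": "2024-04-30T20:30:00Z",
  "dependency": {"package": {"ecosystem": "npm", "name": "lodash"}, "manifest_path": "package-lock.json"},
  "security_advisory": {"cve_id": "CVE-0000-0004"}, "security_vulnerability": {"first_patched_version": {"identifier": "4.17.21"}}}
]""")

def _version_key(identifier):
    # Compare numeric components only; enough to pick the highest patched release.
    return tuple(int(n) for n in re.findall(r"\d+", identifier))

def build_plan(alerts):
    """Map each (ecosystem, manifest, package) with open alerts to the one version
    bump that closes all of them, or None when GitHub lists no patched version."""
    plan = {}
    for a in alerts:
        if a["state"] != "open":
            continue  # fixed, dismissed and auto_dismissed alerts need no work
        pkg = a["dependency"]["package"]
        key = (pkg["ecosystem"], a["dependency"]["manifest_path"], pkg["name"])
        patched = a["security_vulnerability"]["first_patched_version"]
        target = patched["identifier"] if patched else None
        current = plan.get(key)
        if target is None:
            plan.setdefault(key, None)  # keep the package visible for manual review
        elif current is None or _version_key(target) > _version_key(current):
            plan[key] = target
    return plan

def lifespans_hours(alerts):
    """Hours from alert creation to fix, for alerts Dependabot has marked fixed."""
    ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return {a["number"]: (ts(a["fixed_at"]) - ts(a["created_at"])).total_seconds() / 3600
            for a in alerts if a["state"] == "fixed" and a["fixed_at"]}
```

The plan is what you would hand to the agent as its work list; the lifespan dictionary is what you would chart to check that the “under a day” claim holds for your own repository.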

This felt like an easy application of AI to improve my software’s security posture and make my life easier at the same time. It’s open source, so give it a whirl and let me know what you think! You should be able to point your own agent at the repository and tell it to implement the pattern in your own:

Happy hacking, and if you ever need additional support with AI security and/or engineering you know where to find us.