Data Security

Source Code Access via GitHub

Dependable requires access to a user’s source code. The system integrates with hosted version control via GitHub, and requests repo-level access to a user’s profile on GitHub. Dependable stores an OAuth access token from GitHub, and uses it for all interactions with the GitHub API.

Dependable uses the GitHub OAuth access token to clone repositories through a command like this:
`git clone https://OAUTH_TOKEN@github.com/user/repo.git`

Dependable pushes branches to GitHub using a typical `git push` command from the directory of the cloned repository.

Dependable uses the following GitHub API endpoints:
create pull request (for a successful update build)
get pull request (to monitor the open/closed status of system-generated pull requests)
get branch (to retrieve GitHub commit SHA)
get combined status for a specific ref (to monitor status of CI-based builds)
create issue (for an unsuccessful update build)
get issue (to monitor the open/closed status of system-generated issues)

Use of Source Code

Dependable continuously monitors for updates to application dependencies. All code operations occur within Docker containers. The source code for a given repository is only ever downloaded within an isolated container, and no two repositories are downloaded within a single container. The Dockerfile is deleted immediately, removing every trace of the repository from the host server.

Dependable processes the Gemfile and Gemfile.lock files to construct a representation of application dependencies. The dependencies and their versions are stored and paired with user-configurable settings for update thresholds per dependency. No source code is persisted.
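As an added example (not Dependable's own code), the dependency representation and the per-dependency threshold check described above can be built in Ruby from the Gemfile.lock alone, with no source code retained; the sample lockfile, the "newest available version" input and the :patch/:minor/:major threshold semantics are constructed assumptions.

```ruby
# Added example (not Dependable's own code): Gemfile.lock spec parsing plus per-gem update thresholds.
# Constructed sample lockfile, abridged to the sections the parser touches.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.4.0)
      nokogiri (1.10.4)
        mini_portile2 (~> 2.4.0)
      rack (2.0.7)
      rails (5.2.3)

  DEPENDENCIES
    nokogiri
    rails
LOCK
# { "name" => "version" } for every resolved gem under "specs:". Spec lines are
# indented exactly four spaces; deeper lines are a spec's own requirements.
def parse_lockfile(text)
  deps, in_specs = {}, false
  text.each_line do |line|
    in_specs = true if line.strip == 'specs:'
    in_specs = false if line.match?(/\A[A-Z]/) # next top-level section
    next unless in_specs
    line.match(/\A {4}(\S+) \((\S+)\)\s*\z/) { |m| deps[m[1]] = m[2] }
  end
  deps
end

# Threshold semantics assumed here: :patch lets only the patch segment move,
# :minor also the minor segment, :major any newer release ("2" == "2.0.0").
def within_threshold?(current, candidate, threshold)
  cur, cand = Gem::Version.new(current), Gem::Version.new(candidate)
  return false unless cand > cur # an equal or older version is never an update
  cs, ns = [cur, cand].map { |v| s = v.segments; [s[0].to_i, s[1].to_i] }
  case threshold
  when :major then true
  when :minor then cs[0] == ns[0]
  when :patch then cs == ns
  else raise ArgumentError, "unknown threshold #{threshold.inspect}"
  end
end
# Gems eligible for an update build, given the newest available versions
# (constructed input) and per-gem thresholds; unlisted gems use the default.
def updates_to_build(lock_text, available, thresholds, default: :patch)
  parse_lockfile(lock_text).each_with_object({}) do |(name, current), out|
    latest = available[name] or next
    out[name] = latest if within_threshold?(current, latest, thresholds.fetch(name, default))
  end
end
```

Only gem names, versions and thresholds leave the parser, which is the minimum an update service has to keep once the container and its checkout are gone.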

All Docker tasks are performed through non-privileged use of the Docker client.

Meet the Team

Dependable was born out of Def Method, a software consultancy based out of NYC.
This was a tool that we always wanted, and we hope it can offer similar value to other engineers and consultants looking to focus more time on building new features and less time on dependency management.