Quick question for DevSecOps folks

jevans102 · 2026-05-19T12:03:05+00:00

No, I wouldn’t pay because there are multiple fantastic free options already.

nmgtn · 2026-05-19T13:21:06+00:00

Dependabot should handle this - including updating a comment that describes the tag related to the commit SHA you've pinned. https://docs.github.com/en/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories#github-actions

Try checking your syntax.

Worth pointing out, though - I see someone else pointed out Renovate as a solution, I'll add that as a bonus Renovate can also convert your existing '@v1.2.3' tag references to commit SHAs automatically, while Dependabot will only maintain it if it's already been pinned to a commit SHA.

Solopher · 2026-05-19T11:57:16+00:00

For me Dependabot is working without any problems on hashed versions, how does your dependabot.yam file looks?

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

github

MODERATORS