Add Dependabot ecosystem support for docker-compose - [GA] [GA] #16913 (#54496)

2025-12-19 09:57:42 -05:00 · 2025-02-25 17:05:25 +00:00
parent 9c3ea63faa
commit 02c3b476ea
4 changed files with 30 additions and 1 deletions
--- a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
+++ b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
@@ -374,6 +374,9 @@ Package manager | YAML value      | Supported versions |
 | Dev containers | `devcontainers`         | Not applicable               |
 | {% endif %} |
 | Docker         | `docker`         | v1               |
+| {% ifversion dependabot-docker-compose-support %} |
+| Docker Compose | `docker-compose`         | v2, v3               |
+| {% endif %} |
 | {% ifversion dependabot-dotnet-sdk %} |
 | .NET SDK       | `dotnet-sdk`         | >=.NET Core 3.1           |
 | {% endif %} |
--- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md
+++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md
@@ -32,7 +32,8 @@ You'll find detailed guidance for the setup of the following package managers:
 * [Bun](#bun){% endif %}
 * [Bundler](#bundler){% ifversion dependabot-updates-cargo-private-registry-support %}
 * [Cargo](#cargo){% endif %}
-* [Docker](#docker)
+* [Docker](#docker){% ifversion dependabot-docker-compose-support %}
+* [Docker Compose](#docker-compose){% endif %}
 * [Gradle](#gradle)
 * [Maven](#maven)
 * [npm](#npm)
@@ -162,6 +163,14 @@ registries:
 * Dockerfiles do not receive updates to images specified with the `ARG` directive. There is a workaround available for the `COPY` directive. For more information, see [{% data variables.product.prodname_dependabot %} ignores image references in COPY Dockerfile statement](https://github.com/dependabot/dependabot-core/issues/5103#issuecomment-1692420920) in the `dependabot/dependabot-core` repository.
 * {% data variables.product.prodname_dependabot %} doesn't support multi-stage Docker builds. For more information, see [Support for Docker multi-stage builds](https://github.com/dependabot/dependabot-core/issues/7640) in the `dependabot/dependabot-core` repository.

+{% ifversion dependabot-docker-compose-support %}
+
+### Docker Compose
+
+Docker Compose adheres to the same configuration guidelines as Docker. For more information, see [Docker](#docker).
+
+{% endif %}
+
 ### Gradle

 {% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to certain Gradle files. For more information, see "Gradle" in [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories#gradle).
--- a/data/features/dependabot-docker-compose-support.yml
+++ b/data/features/dependabot-docker-compose-support.yml
@@ -0,0 +1,6 @@
+# Reference: #16913
+# Docker compose support for Dependabot
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '> 3.16'
--- a/data/reusables/dependabot/supported-package-managers.md
+++ b/data/reusables/dependabot/supported-package-managers.md
@@ -10,6 +10,9 @@ Composer       | `composer`       | {% ifversion dependabot-updates-composerv1-c
 [Dev containers](#dev-containers) | `devcontainers`         | Not applicable               | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} |
 | {% endif %} |
 [Docker](#docker)    | `docker`         | v1               | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
+| {% ifversion dependabot-docker-compose-support %} |
+[Docker Compose](#docker-compose)    | `docker-compose`         | v2, v3              | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
+| {% endif %} |
 | {% ifversion dependabot-dotnet-sdk %} |
 .NET SDK       | `dotnet-sdk`         | >=.NET Core 3.1           | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | Not applicable | Not applicable | Not applicable |
 | {% endif %} |
@@ -75,6 +78,14 @@ In order for {% data variables.product.prodname_dependabot %} to fetch Docker me

 {% data variables.product.prodname_dependabot %} parses Docker image tags for Semantic Versioning ([SemVer](https://semver.org/)). If {% data variables.product.prodname_dependabot %} detects a tag with a pre-release, then it will only suggest an update to the latest version with a matching pre-release, and it will not suggest a newer version that use a different pre-release label. For more information, see the `dependabot-docker` [README.md](https://github.com/dependabot/dependabot-core/blob/main/docker/README.md) file in the `dependabot/dependabot-core` repository.

+{% ifversion dependabot-docker-compose-support %}
+
+#### Docker Compose
+
+{% data variables.product.prodname_dependabot %} supports Docker Compose in a similar way to Docker. For more information, see [Docker](#docker).
+
+{% endif %}
+
 #### {% data variables.product.prodname_actions %}

 {% data variables.product.prodname_dependabot %} supports version updates for {% data variables.product.prodname_actions %} with the following caveats.