Add Dependabot ecosystem support for helm - [GA] [GA] #17730 (#55235)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>
2025-12-19 09:57:42 -05:00 · 2025-04-11 17:18:30 +01:00
parent 2ba14cc23a
commit bc2b152dd5
5 changed files with 85 additions and 1 deletions
--- a/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md
+++ b/content/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot.md
@@ -256,6 +256,31 @@ registries:

 {% endraw %}

+{% ifversion dependabot-helm-support %}
+
+### `helm-registry`
+
+{% data variables.product.prodname_dependabot %} works with any OCI-compliant registries that implement the Open Container Initiative (OCI) Distribution Specification. For more information, see [Open Container Initiative Distribution Specification](https://github.com/opencontainers/distribution-spec/blob/main/spec.md) in the `opencontainers/distribution-spec` repository. {% data variables.product.prodname_dependabot %} supports authentication to private registries via a central token service or HTTP Basic Auth. For further details, see [Token Authentication Specification](https://helm.sh/docs/helm/helm_registry_login/) in the Docker documentation and [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) on Wikipedia.
+
+The `helm-registry` type supports username and password. {% data reusables.dependabot.password-definition %}
+
+{% data reusables.dependabot.dependabot-updates-path-match %}
+
+{% raw %}
+
+```yaml copy
+registries:
+  helm_registry:
+    type: helm-registry
+    url: https://registry.example.com
+    username: octocat
+    password: ${{secrets.MY_REGISTRY_PASSWORD}}
+```
+
+{% endraw %}
+
+{% endif %}
+
 ### `hex-organization`

 The `hex-organization` type supports organization and key.
--- a/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
+++ b/content/code-security/dependabot/working-with-dependabot/dependabot-options-reference.md
@@ -382,6 +382,9 @@ Package manager | YAML value      | Supported versions |
 | {% ifversion dependabot-dotnet-sdk %} |
 | .NET SDK       | `dotnet-sdk`         | >=.NET Core 3.1           |
 | {% endif %} |
+| {% ifversion dependabot-helm-support %} |
+| Helm Charts            | `helm`            | v3               |
+| {% endif %} |
 | Hex            | `mix`            | v1               |
 | elm-package    | `elm`            | v0.19            |
 | git submodule  | `gitsubmodule`   | Not applicable |
--- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md
+++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md
@@ -34,7 +34,8 @@ You'll find detailed guidance for the setup of the following package managers:
 * [Cargo](#cargo){% endif %}
 * [Docker](#docker){% ifversion dependabot-docker-compose-support %}
 * [Docker Compose](#docker-compose){% endif %}
-* [Gradle](#gradle)
+* [Gradle](#gradle){% ifversion dependabot-helm-support %}
+* [Helm Charts](#helm-charts){% endif %}
 * [Maven](#maven)
 * [npm](#npm)
 * [NuGet](#nuget){% ifversion dependabot-updates-pub-private-registry %}
@@ -169,6 +170,46 @@ Docker Compose adheres to the same configuration guidelines as Docker. For more

 {% endif %}

+{% ifversion dependabot-helm-support %}
+
+### Helm Charts
+
+Helm supports using a username and password for registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#helm-registry).
+
+Snippet of `dependabot.yml` file using a username and password.
+
+{% raw %}
+
+```yaml copy
+registries:
+  helm_registry:
+    type: helm-registry
+    url: https://registry.example.com
+    username: octocat
+    password: ${{secrets.MY_REGISTRY_PASSWORD}}
+```
+
+{% endraw %}
+
+#### Notes
+
+{% data variables.product.prodname_dependabot %} works with any OCI-compliant registries that implement the Open Container Initiative (OCI) Distribution Specification. For more information, see [Helm Registry Login](https://helm.sh/docs/helm/helm_registry_login/) in the Helm docs.
+
+{% data variables.product.prodname_dependabot %} supports authentication to private registries via a central token service or HTTP Basic Auth. For more information, see [Token Authentication Specification](https://docs.docker.com/registry/spec/auth/token/) in the Docker documentation and [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) on Wikipedia.
+
+When configuring Dependabot for Helm charts, it will also automatically update the Docker images referenced within those charts, ensuring that both the chart versions and their contained images stay up to date.
+
+#### Limitations and workarounds
+
+* {% data variables.product.prodname_dependabot %} only updates dependencies in `Chart.yaml` files.
+* Images in `values.yaml` files and `Chart.yaml` files are updated.
+* Helm dependency updates are first attempted via the Helm CLI, with fallback to searching `index.yaml`.
+* Images that have an array of versions in the YAML cannot be updated.
+* Image names may not always be detected in Helm files or YAML files.
+* For Helm v2 updates, use the [Docker ecosystem](#docker).
+
+{% endif %}
+
 ### Gradle

 {% data variables.product.prodname_dependabot %} doesn't run Gradle but supports updates to certain Gradle files. For more information, see "Gradle" in [AUTOTITLE](/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories#gradle).
--- a/data/features/dependabot-helm-support.yml
+++ b/data/features/dependabot-helm-support.yml
@@ -0,0 +1,6 @@
+# Reference: #17730
+# Helm Charts support for Dependabot
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '> 3.17'
--- a/data/reusables/dependabot/supported-package-managers.md
+++ b/data/reusables/dependabot/supported-package-managers.md
@@ -18,6 +18,7 @@ Composer       | `composer`       | {% ifversion dependabot-updates-composerv1-c
 | {% ifversion dependabot-dotnet-sdk %} |
 .NET SDK       | `dotnet-sdk`         | >=.NET Core 3.1           | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | Not applicable | Not applicable | Not applicable |
 | {% endif %} |
+[Helm Charts](#helm-charts)    | `helm`         | {% ifversion dependabot-helm-support %}v3{% else %}Not supported{% endif %} | {% ifversion dependabot-helm-support %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Not supported" %}{% endif %} | {% octicon "x" aria-label="Not supported" %} | {% ifversion dependabot-helm-support %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Not supported" %}{% endif %} | {% ifversion dependabot-helm-support %}{% octicon "check" aria-label="Supported" %}{% else %}{% octicon "x" aria-label="Not supported" %}{% endif %} | Not applicable |
 Hex            | `mix`            | v1               | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
 elm-package    | `elm`            | v0.19            | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} |
 git submodule  | `gitsubmodule`   | Not applicable | {% octicon "check" aria-label="Supported" %} | {% octicon "x" aria-label="Not supported" %} | {% octicon "check" aria-label="Supported" %} | {% octicon "check" aria-label="Supported" %} | Not applicable |
@@ -112,6 +113,14 @@ For {% data variables.product.prodname_dependabot_security_updates %}, Gradle su
 > * When you upload Gradle dependencies to the dependency graph using the {% data variables.dependency-submission-api.name %}, all project dependencies are uploaded, even transitive dependencies that aren't explicitly mentioned in any dependency file. When an alert is detected in a transitive dependency, {% data variables.product.prodname_dependabot %} isn't able to find the vulnerable dependency in the repository, and therefore won't create a security update for that alert.
 > * {% data variables.product.prodname_dependabot_version_updates %} will, however, create pull requests when the parent dependency is explicitly declared as a direct dependency in the project's manifest file.

+#### Helm Charts
+
+{% data variables.product.prodname_dependabot %} supports using a username and password for registries. For more information, see [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#helm-registry).
+
+{% data variables.product.prodname_dependabot %} works with any OCI-compliant registries that implement the Open Container Initiative (OCI) Distribution Specification.
+
+When configuring Dependabot for Helm charts, it will also automatically update the Docker images referenced within those charts, ensuring that both the chart versions and their contained images stay up to date.
+
 #### Maven

 {% data variables.product.prodname_dependabot %} doesn't run Maven but supports updates to `pom.xml` files.