Can we get the ip-addresses that are used to access custom nuget feeds?
Hi @Leh2,
Unfortunately not at the moment, sorry. We're hosted on Heroku, and spin up a new dyno for each update run. As such, the best guarantee that Heroku gives us on the IP address of each dyno is that it will be "somewhere in the AWS IP range", which probably isn't something you want to whitelist.
As an alternative, would it be possible for you to issue Dependabot credentials for your nuget feeds, and only allow access if it uses them? You can enter the credentials for Dependabot to use in the "config variables" section of your Dependabot dashboard (drop down in the top right).
+1 for making this possible in the future if possible. I'm seeing the same issue when investigating using Dependabot for my organization; our maven and npm repositories are currently hosted on internal-only networks for security reasons and if I open it up to the Internet, being able to use an IP whitelist to increase security beyond just using the registry's password feature would be ideal.
@patrick-webs understood - thanks for the feedback. The infrastructure we're using to host is changing a bunch as part of the GitHub integration so we can't focus on this right now, but it's something we'd like to work on in future.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.
Now that this is integrated with GitHub, is there a way to achieve this?
Please see this page for details on GitHub's IP address: https://docs.github.com/en/github/authenticating-to-github/about-githubs-ip-addresses
Hi @infin8x! We have tried to configure our NuGet feed to allow traffic from all CIDRs mentioned in the meta endpoint (https://api.github.com/meta) - but the NuGet runner is still not able to access our feed. The IP address Dependabot uses right now is 3.94.32.93, and that is not in any range from the meta endpoint. Do you have any ideas?
Are you perhaps using dependabot-preview?
@jurre Hi. We configure it via https://app.dependabot.com - is that the preview?
Yes, dependabot.com is the pre-acquisition product, and we're working on phasing it out and moving all functionality natively into github
If possible, I'd look into migrating to the github native version, but there are still some features (mainly private package registry support) that are not available yet.
The dependabot-preview IPs are: ~18.213.123.130, 3.217.79.163 and 3.217.93.44~
Edit: I posted the wrong IPs 😱 please see @thepwagner's post below for the right ones
@jurre Oh, cool! I didn't know that. We will open for those IPs. Thank you! 🎉
@jurre Do you have more IP addresses in the pool? Right now we get hit by 3.94.32.93
The latest IPs for Dependabot Preview, https://app.dependabot.com/, are:
3.209.160.83
3.93.159.41
3.94.32.93
The latest IPs for GitHub's Security Updates / Version Updates (i.e. Dependabot built into GitHub.com) are:
18.213.123.130
3.217.79.163
3.217.93.44
@thepwagner Ok, thank you 👍 Will these IP addresses change or be available in an API?
Hey @sorenhansendk we've added the IPs for the GitHub native version to the meta endpoint, thanks for suggesting it! The dependabot-preview IPs are not expected to change before the service is shut down (there will be a full migration etc. available before that happens), so those IPs will not be available in an API.
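The check @sorenhansendk describes above (is the address hitting my feed inside any CIDR the meta endpoint publishes?) and the answer here (the GitHub-native Dependabot ranges are in the meta endpoint, the Preview ones never will be) can both be reproduced with a small script. This is an added example, not code from the thread or from GitHub; it works on a constructed sample document in the shape of `https://api.github.com/meta`, with a `dependabot` section holding the GitHub-native IPs quoted in the thread, so it runs offline. The `fetch_meta` helper is the only part that touches the network and is not used by the offline demo. Section names and the CIDR values in the sample are assumptions for illustration, not a snapshot of the live endpoint.

```python
import ipaddress
import json
from urllib.request import urlopen

# Constructed sample in the shape of https://api.github.com/meta (NOT a real
# snapshot): only the keys this check needs. The "dependabot" entries are the
# GitHub-native Dependabot IPs quoted in the thread, as /32 networks; the
# "hooks" range is illustrative.
SAMPLE_META_JSON = """
{
  "hooks": ["192.30.252.0/22"],
  "dependabot": ["18.213.123.130/32", "3.217.79.163/32", "3.217.93.44/32"]
}
"""

# IPs quoted in the thread for the pre-acquisition Dependabot Preview service
# (app.dependabot.com). These are NOT published in the meta endpoint, which
# is why an allowlist built only from the meta document rejects 3.94.32.93.
DEPENDABOT_PREVIEW_IPS = ["3.209.160.83", "3.93.159.41", "3.94.32.93"]


def parse_meta(meta_json: str, keys=None):
    """Return {section: [ip_network, ...]} for the list-of-CIDR sections.

    Only sections named in `keys` are read (every list section when None).
    Malformed entries are skipped instead of aborting the whole parse, so a
    single bad value cannot silently empty the allowlist.
    """
    meta = json.loads(meta_json)
    networks = {}
    for key, value in meta.items():
        if keys is not None and key not in keys:
            continue
        if not isinstance(value, list):
            continue
        parsed = []
        for entry in value:
            try:
                parsed.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                continue
        if parsed:
            networks[key] = parsed
    return networks


def matching_sections(ip: str, networks) -> list:
    """Return the meta sections whose ranges contain `ip` (empty if none)."""
    addr = ipaddress.ip_address(ip)
    return sorted(key for key, nets in networks.items()
                  if any(addr in net for net in nets))


def is_allowed(ip: str, networks, sections=("dependabot",)) -> bool:
    """True only if `ip` falls inside one of the named sections.

    Matching some other section (e.g. webhook senders) is deliberately not
    enough: an allowlist for a package feed should admit the Dependabot
    ranges, not every address GitHub publishes.
    """
    return any(s in sections for s in matching_sections(ip, networks))


def fetch_meta(url="https://api.github.com/meta") -> str:
    """Fetch the live meta document; needs network access (not used below)."""
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    nets = parse_meta(SAMPLE_META_JSON)
    for ip in ["3.94.32.93", "18.213.123.130", "192.30.252.10"]:
        hit = matching_sections(ip, nets)
        note = "" if ip not in DEPENDABOT_PREVIEW_IPS else " (Dependabot Preview, never in meta)"
        print(f"{ip}: {hit or 'not in any published range'}{note}")
```

Replace `SAMPLE_META_JSON` with `fetch_meta()` to run it against the live endpoint; the ranges there change, so re-fetch on a schedule rather than pasting them into a firewall once.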
@jurre Thank you! That is pretty cool. Will these IPs also be exposed through the GitHub Terraform provider?
https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/ip_ranges
I would think so, yes, since that seems to use the meta API underneath: https://github.com/integrations/terraform-provider-github/blob/405dc41822596572a752f704dd62b6fb49508948/github/data_source_github_ip_ranges.go#L39