step-security
diff --git a/‎remediation/dependabot/dependabotconfig.go‎
Lines changed: 547 additions & 106 deletions b/‎remediation/dependabot/dependabotconfig.go‎
Lines changed: 547 additions & 106 deletions
diff --git a/‎remediation/dependabot/dependabotconfig_test.go‎
Lines changed: 133 additions & 0 deletions b/‎remediation/dependabot/dependabotconfig_test.go‎
Lines changed: 133 additions & 0 deletions
diff --git a/‎testfiles/dependabotfiles/input/complex-multi-ecosystem.yml‎
Lines changed: 128 additions & 0 deletions b/‎testfiles/dependabotfiles/input/complex-multi-ecosystem.yml‎
Lines changed: 128 additions & 0 deletions
diff --git a/‎testfiles/dependabotfiles/input/flow-sequence-syntax.yml‎
Lines changed: 20 additions & 0 deletions b/‎testfiles/dependabotfiles/input/flow-sequence-syntax.yml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎testfiles/dependabotfiles/input/subtractive-jumbled-cooldown.yml‎
Lines changed: 16 additions & 0 deletions b/‎testfiles/dependabotfiles/input/subtractive-jumbled-cooldown.yml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎testfiles/dependabotfiles/input/subtractive-rich-update.yml‎
Lines changed: 69 additions & 0 deletions b/‎testfiles/dependabotfiles/input/subtractive-rich-update.yml‎
Lines changed: 69 additions & 0 deletions
@@ -159,6 +159,22 @@ func TestGroups(t *testing.T) {
 			subtractive: true,
 			isChanged:   true,
 		},
+		{
+			// Additive (non-subtractive) — complex real-world file with registries, comments, labels, etc.;
+			// adding a new npm ecosystem preserves original content exactly and appends the new entry.
+			inputFileName:  "complex-multi-ecosystem.yml",
+			outputFileName: "complex-multi-ecosystem-additive.yml",
+			ecosystems: []Ecosystem{
+				{
+					PackageEcosystem: "npm",
+					Directory:        "/frontend",
+					Interval:         "daily",
+					CoolDown:         &CoolDown{DefaultDays: 7, SemverMajorDays: 30},
+				},
+			},
+			subtractive: false,
+			isChanged:   true,
+		},
 		{
 			// Additive (non-subtractive) — ecosystem already exists, groups not applied, output unchanged.
 			inputFileName:  "group-prs-modify-patterns-only.yml",
@@ -291,6 +307,103 @@ func TestUpdateSubtractiveFields(t *testing.T) {
 			},
 			isChanged: true,
 		},
+		{
+			// Subtractive — input uses flow sequence syntax patterns: ["*"];
+			// verifies that flow style is preserved when patterns are updated and
+			// cooldown is added.
+			fileName: "flow-sequence-syntax.yml",
+			ecosystems: []Ecosystem{
+				{
+					PackageEcosystem: "npm",
+					Directory:        "/",
+					Interval:         "weekly",
+					CoolDown:         &CoolDown{DefaultDays: 5},
+					Groups: map[string]Group{
+						"all": {Patterns: []string{"lodash", "axios"}},
+					},
+				},
+				{
+					PackageEcosystem: "pip",
+					Directory:        "/backend",
+					Groups: map[string]Group{
+						"all": {Patterns: []string{"requests", "flask"}},
+					},
+				},
+			},
+			isChanged: true,
+		},
+		{
+			// Subtractive — rich file with registries, comments, cooldown (semver + include/exclude),
+			// and groups with multiple slice fields. Updates npm cooldown semver days, replaces
+			// include/exclude lists, updates group patterns/exclude-patterns/update-types,
+			// and adds a new group. Verifies comments, registries, labels are all preserved.
+			fileName: "subtractive-rich-update.yml",
+			ecosystems: []Ecosystem{
+				{
+					PackageEcosystem: "npm",
+					Directory:        "/",
+					Interval:         "weekly",
+					CoolDown: &CoolDown{
+						SemverMajorDays: 30,
+						SemverMinorDays: 14,
+						SemverPatchDays: 7,
+						Include:         []string{"lodash", "axios", "react"},
+						Exclude:         []string{"express", "webpack"},
+					},
+					Groups: map[string]Group{
+						"production": {
+							Patterns:        []string{"react", "react-dom", "redux"},
+							ExcludePatterns: []string{"lodash", "axios"},
+							UpdateTypes:     []string{"minor", "patch"},
+						},
+						"dev-tools": {
+							Patterns:    []string{"jest", "eslint", "prettier"},
+							UpdateTypes: []string{"minor", "patch"},
+						},
+						"new-group": {
+							AppliesTo:      "version-updates",
+							DependencyType: "production",
+							Patterns:       []string{"typescript", "ts-node"},
+						},
+					},
+				},
+			},
+			isChanged: true,
+		},
+		{
+			// Subtractive — complex file with bundler, docker, github-actions;
+			// update bundler cooldown and interval, and github-actions interval + add cooldown + group.
+			// Docker entry is untouched.
+			fileName: "complex-multi-ecosystem.yml",
+			ecosystems: []Ecosystem{
+				{
+					PackageEcosystem: "bundler",
+					Directory:        "/manager",
+					Interval:         "weekly",
+					CoolDown: &CoolDown{
+						DefaultDays:     3,
+						SemverMajorDays: 14,
+						SemverPatchDays: 2,
+					},
+					Groups: map[string]Group{
+						"rubocop": {Patterns: []string{"rubocop", "rubocop-rspec", "rubocop-rails", "rubocop-performance", "rubocop-minitest"}},
+					},
+				},
+				{
+					PackageEcosystem: "github-actions",
+					Directory:        "/",
+					Interval:         "monthly",
+					CoolDown: &CoolDown{
+						DefaultDays:     14,
+						SemverMajorDays: 60,
+					},
+					Groups: map[string]Group{
+						"actions": {Patterns: []string{"*"}},
+					},
+				},
+			},
+			isChanged: true,
+		},
 		{
 			fileName: "subtractive-modify-interval-and-major.yml",
 			ecosystems: []Ecosystem{
@@ -360,6 +473,26 @@ func TestUpdateSubtractiveFields(t *testing.T) {
 			},
 			isChanged: true,
 		},
+		{
+			// Subtractive — cooldown fields appear in non-standard order (jumbled);
+			// verifies that values are updated at the correct lines regardless of field order.
+			fileName: "subtractive-jumbled-cooldown.yml",
+			ecosystems: []Ecosystem{
+				{
+					PackageEcosystem: "npm",
+					Directory:        "/",
+					Interval:         "weekly",
+					CoolDown: &CoolDown{
+						SemverMajorDays: 30,
+						SemverMinorDays: 14,
+						SemverPatchDays: 7,
+						Include:         []string{"lodash", "axios", "react"},
+						Exclude:         []string{"express", "webpack"},
+					},
+				},
+			},
+			isChanged: true,
+		},
 	}
 
 	for _, test := range tests {
 
@@ -0,0 +1,128 @@
+version: 2
+
+registries:
+  artifactory:
+    type: rubygems-server
+    url: https://artifactory.example.com/api/gems/rubygems/
+    replaces-base: true
+    username: "xxx"
+    password: "xxx"
+
+  # For submodules and private gems
+  github:
+    type: git
+    url: https://github.com
+    username: x-access-token
+    password: ${{ secrets.GH_API_TOKEN }}
+
+updates:
+  # Ruby/Bundler dependencies
+  - package-ecosystem: bundler
+    directory: /manager/
+    schedule:
+      interval: daily
+    # How long to wait before updating a package
+    cooldown:
+      default-days: 5
+      semver-major-days: 30
+      semver-minor-days: 7
+    # Required for private gem resolution
+    insecure-external-code-execution: allow
+    registries:
+      - artifactory
+      - github
+    labels:
+      - dependabot-gem-upgrade
+    open-pull-requests-limit: 2
+    commit-message:
+      prefix: "[PROJ-1234] "
+      include: scope
+    # Update only gems listed in Gemfile
+    allow:
+      - dependency-type: direct
+    # Group gems that release together as part of the same project
+    groups:
+      # RSpec ecosystem - all RSpec gems coordinate releases
+      rspec:
+        patterns:
+          - rspec
+          - rspec-rails
+          - rspec-mocks
+          - rspec-its
+          - rspec-collection_matchers
+          - rspec_junit_formatter
+          - rspec-retry
+      # RuboCop ecosystem - RuboCop and its official extensions
+      rubocop:
+        patterns:
+          - rubocop
+          - rubocop-rspec
+          - rubocop-rails
+          - rubocop-performance
+      # SimpleCov ecosystem - code coverage reporting
+      simplecov:
+        patterns:
+          - simplecov
+          - simplecov-cobertura
+          - simplecov-console
+          - simplecov-rcov
+      # Pry ecosystem - Pry debugger and its extensions
+      pry:
+        patterns:
+          - pry
+          - pry-rails
+          - pry-byebug
+          - pry-doc
+      # Ruby stdlib networking gems - released together with Ruby
+      ruby-net:
+        patterns:
+          - net-ssh
+          - net-scp
+          - net-smtp
+          - net-ftp
+          - net-pop
+          - net-imap
+    ignore:
+      # Rails major and minor upgrades should be updated manually
+      - dependency-name: rails
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
+      # Internal dependency managed separately
+      - dependency-name: net-ldap
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
+          - version-update:semver-patch
+      # Maintained by our team
+      - dependency-name: rubyntlm
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
+          - version-update:semver-patch
+
+  # Docker dependencies
+  - package-ecosystem: docker
+    directory: /.github
+    schedule:
+      interval: daily
+    labels:
+      - dependabot-docker-upgrade
+    open-pull-requests-limit: 2
+    commit-message:
+      prefix: "[PROJ-1234] "
+      include: scope
+
+  # GitHub Actions dependencies
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    registries:
+      - github
+    labels:
+      - dependabot-gh-actions-upgrade
+    open-pull-requests-limit: 2
+    commit-message:
+      prefix: "[PROJ-1234] "
+      include: scope
@@ -0,0 +1,20 @@
+version: 2
+
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: daily
+    groups:
+      all:
+        applies-to: version-updates
+        patterns: ["*"]
+
+  - package-ecosystem: pip
+    directory: /backend
+    schedule:
+      interval: weekly
+    groups:
+      all:
+        patterns:
+          - "*"
@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: daily
+    cooldown:
+      semver-patch-days: 2
+      semver-major-days: 10
+      default-days: 3
+      exclude:
+        - express
+      semver-minor-days: 5
+      include:
+        - lodash
+        - axios
@@ -0,0 +1,69 @@
+version: 2
+
+registries:
+  artifactory:
+    type: npm-registry
+    url: https://artifactory.example.com/api/npm/npm/
+    token: ${{ secrets.ARTIFACTORY_TOKEN }}
+    replaces-base: true
+
+updates:
+  # npm dependencies
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: daily
+    # Cooldown to avoid too many PRs
+    cooldown:
+      default-days: 3
+      semver-major-days: 10
+      semver-minor-days: 5
+      semver-patch-days: 2
+      include:
+        - lodash
+        - axios
+      exclude:
+        - express
+    registries:
+      - artifactory
+    labels:
+      - dependencies
+    # Group related packages together
+    groups:
+      # Production dependencies
+      production:
+        applies-to: version-updates
+        dependency-type: production
+        patterns:
+          - react
+          - react-dom
+        exclude-patterns:
+          - lodash
+        update-types:
+          - minor
+          - patch
+      # Dev tools
+      dev-tools:
+        applies-to: version-updates
+        dependency-type: development
+        patterns:
+          - jest
+          - eslint
+        update-types:
+          - patch
+
+  # pip dependencies
+  - package-ecosystem: pip
+    directory: /backend
+    schedule:
+      interval: weekly
+    labels:
+      - python-deps
+
+  # GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - ci