Dependabot not giving any alerts with and without dependabot.yml

[OsTarek]

Select Topic Area

Question

Body

Working through two private repositories under Github Enterprise, both with dependabot alerts enabled.
One of them isn't receiving any security alerts from dependabot, where with github code scanning actions we get quite a few of alerts.

Said repo contains two maven java projects, so there are 2 pom.xml files (and 2 pom_parent.xml), so I created a dependabot.yml file that points to both, in case the default behavior wasn't able to parse the repo as below (with xyz1 and xyz2 being the 2 subprojects each containing a pair of pom.xml and pom_parent.xml).

version: 2
updates:

target-branch: "feature/dev"
    
- package-ecosystem: maven
  directory: "/abc/xyz1"
  schedule:
    interval: daily
  open-pull-requests-limit: 10 
 
- package-ecosystem: maven
  directory: "/abc/xyz2"
  schedule:
    interval: daily
  open-pull-requests-limit: 10
 
- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: "daily" 

Any idea what's wrong or missing?

[jge162]

Double check your pathing. When I run Actions, typically the pathing is ./abc/xyz2

See example of my GitHub action to run a python script.

- run: |
        echo "Run, Build Application using scripts"
        python3 -c "
        # path to test.py is in a folder in called resources.
        scripts = [ './resources/test.py' ]
        for script in scripts:
            with open(script, 'r') as file:
                exec(file.read())
        "

Also Check the insight section of dependabot for clues. Without more details its hard to pinpoint exact issue.