Dependabot should use the private registry for security updates

[GuillaumeBenini]

As I see it currently, the updates are split into 2 categories: security updates and non-security updates. The security updates are configured through the Github interface and the non-security updates use the Github interface or the dependabot.yml, if present.

It seems that there is no way to configure, for example, a private registry (Artifactory) for security updates because it ignores the dependabot.yml config file. It does work for non-security updates though.

Shouldn't security updates also use the config file if it's present?

[exvuma]

Shouldn't security updates also use the config file if it's present?

Yes, you can opt into configuration through the dependabot.yml for security updates as well. see https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

Secrets though are currently only supported for version updates We are aware of this issue and devising ways to fix it.