Dependabot private repo access

Summary:
Dependabot seems to have access to private repose in our organization without being granted access.

Details:
I added dependabot to one of our ruby on rails projects. As we keep our gems in vendor/cache, I configured dependabot with updates.vendor = true. We also have some gem dependencies that are hosted in both private and public git repos inside our organization. These are not stored in the vendor/cache directory (I’m not sure why and am not sure if this intentional).
After merging the dependabot.yml into master, dependabot started submitting PRs (as excpected). All of these PRs include the Gemfile.lock changes for one gem and the updated gem itself in vendor/cache (as expeced). The vendor/cache directory in these PRs also contains all gems that are included via git and were not present in this directory before (this was unexpeced). Some of these gems come from private repos (in our organization), even though I have not granted dependabot access to any other repos.

Expeced:
dependabot only adds gems to vendor/cache that it is currently updating, and it also can not access private repos.

Actual:
dependabot adds gems to vendor/cache that it is currently not updating, and it also seems to be able to access private repos without being granted access.

dependabot.yml

version: 2
updates:
  - package-ecosystem: bundler
    directory: /
    vendor: true
    schedule:
      interval: daily
    versioning-strategy: lockfile-only
    commit-message:
      prefix: "Gem update"
      include: "scope"

:wave: Welcome!

I’m afraid there’s not much we can do here without access to the repositories themselves.

Dependabot should only find declared vulnerabilities. Additionally, it should only be able to access releases of gems that are managed by one of our supported package ecosystems.

https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies#detection-of-vulnerable-dependencies

If you are still concerned, please open a ticket. Since it’s a private repository, it may be useful to include the list of gems in your gemfile.lock and the specific gems that you did not expect to see detected.