👷 add dependabot

Author: Yoan Moscatelli

.github/dependabot.yml

@@ -0,0 +1,35 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/.github/workflows"
+    schedule:
+      interval: "daily"
+    reviewers:
+      - "scality/metalk8s"
+
+  - package-ecosystem: "pip"
+    directory: "./requirements.txt"
+    schedule:
+      interval: "daily"
+    rebase-strategy: "auto"
+    ignore:
+      - dependency-name: "requests"
+        versions: ["<2.25.1"]
+    reviewers:
+      - "scality/metalk8s"
+
+  - package-ecosystem: "npm"
+    directory: "/tests"
+    schedule:
+      interval: "daily"
+    labels: [test]
+    ignore:
+      - dependency-name: "*"
+
+  - package-ecosystem: "github-actions"
+    directory: "/tests"
+    schedule:
+      interval: "daily"
+    labels: [test]
+    ignore:
+      - dependency-name: "*"

.github/scripts/update_scanners.py

@@ -0,0 +1,33 @@
+import re
+import requests
+
+# Define the scanners and their GitHub repositories
+scanners = {
+    "syft": "anchore/syft",
+    "grype": "anchore/grype",
+    "trivy": "aquasecurity/trivy"
+}
+
+def get_latest_release(repo):
+    url = f"https://api.github.com/repos/{repo}/releases/latest"
+    response = requests.get(url)
+    response.raise_for_status()
+    return response.json()["tag_name"].lstrip("v")
+
+def update_versions(file_path):
+    with open(file_path, "r") as file:
+        content = file.read()
+
+    for scanner, repo in scanners.items():
+        latest_version = get_latest_release(repo)
+        content = re.sub(
+            f'("{scanner}": ")([^"]+)',
+            lambda match: f'{match.group(1)}{latest_version}',
+            content
+        )
+
+    with open(file_path, "w") as file:
+        file.write(content)
+
+if __name__ == "__main__":
+    update_versions("src/lib/install.py")

.github/workflows/update_scanners.yml

@@ -0,0 +1,44 @@
+name: Update Scanners
+
+on:
+  schedule:
+    - cron: "0 0 * * *"  # Runs daily at midnight
+  workflow_dispatch:
+
+jobs:
+  update-scanners:
+    runs-on: ubuntu-24.04
+    steps:
+
+      - name: Create github token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.ACTIONS_APP_ID }}
+          private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      - name: Install dependencies
+        run: pip install requests
+
+      - name: Update scanner versions
+        run: python .github/scripts/update_scanners.py
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        id: pr
+        with:
+          title: Dependency update
+          branch: feature/deps-update
+          commit-message: ":arrow_up: Update scanner versions"
+          token: ${{ steps.app-token.outputs.token }}

src/lib/install.py

@@ -7,7 +7,7 @@
 from pyunpack import Archive
 
 # Define the scanners and their versions
-scanners = {"syft": "1.8.0", "grype": "0.79.1", "trivy": "0.53.0"}
+scanners = {"syft": "1.20.0", "grype": "0.89.1", "trivy": "0.60.0"}
 
 # Define the base URLs for the scanners
 ANCHORE_BASE_URL = (