Move and update TRG dependabot

docs/release/trg-2/trg-2-6.md

@@ -2,21 +2,16 @@
 title: TRG 2.06 - Dependabot
 ---
 
-| Status | Created      | Post-History    |
-|--------|--------------|-----------------|
-| Active | 12-Feb-2024  | Publish TRG     |
-| Draft  | 4-Jan-2024   | Initial release |
+| Status | Created      | Post-History          |
+|--------|--------------|-----------------------|
+| Update | 04-Mar-2024  | Move & update TRG     |
+| Active | 12-Feb-2024  | Publish TRG           |
+| Draft  | 4-Jan-2024   | Initial release       |
 
 ## Why
 
 GitHub Dependabot is a powerful tool designed to help keep your project's dependencies up to date. By automating the process of checking for updates and creating pull requests when new versions are available, Dependabot ensures that your project benefits from the latest features, bug fixes, and security patches.
 
-Key Benefits:
-
-- Security: Receive timely updates for security vulnerabilities in your project's dependencies.
-- Stability: Keep your project stable by staying current with the latest releases.
-- Efficiency: Automate the time consuming task of manually checking for updates and creating pull requests.
-
 ## Description
 
 Dependabot is an excellent fit for application dependencies/vulnerabilities. By regularly checking for updates, it allows you to seamlessly integrate the latest improvements into your application.

docs/release/trg-8/trg-8-02.md

@@ -0,0 +1,74 @@
+---
+title: TRG 8.02 - Dependabot
+---
+
+| Status | Created      | Post-History          |
+|--------|--------------|-----------------------|
+| Update | 04-Mar-2024  | Move & update TRG     |
+| Active | 12-Feb-2024  | Publish TRG           |
+| Draft  | 4-Jan-2024   | Initial release       |
+
+## Why
+
+Dependabot automates dependency updates, generating PRs for new versions to keep your project current with latest features, bug fixes, and security patches.
+
+## Description
+
+Dependabot can be used for repositories with dependencies managed by package managers for languages like [JavaScript, Python, Ruby, Java, etc., and for applications using Docker images or GitHub Actions](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem).
+
+To enable Dependabot for version updates, create a `dependabot.yml` file in `.github` directory the root of your repository.
+
+Schedule Dependabot to run at least once a week with `interval: "weekly"`.
+
+When configured, Dependabot automatically opens PRs with updates. Customize the open-pull-requests-limit according to your preference.
+
+:::caution[Keep the dependencies file up to date]
+Be careful, Dependabot PR merge can lead to out of date `DEPENDENCIES` file.
+Make sure `DEPENDENCIES` file is updated by DASH tool.
+:::
+
+Dependabot alerts are displayed in the GitHub Security Alerts section. Mark vulnerabilities as non-exploitable or false positives with required justification directly within the alert.
+
+:::caution
+
+Address high severity findings; it is recommended to also address medium severity findings.
+
+:::
+
+Adjust the workflow example below to match the [dependencies](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) in your repository.
+
+Example Dependabot workflow:
+
+```yaml
+version: 2
+updates:
+    # Maintain dependencies for Maven
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+
+    # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+
+    # Maintain dependencies for Docker
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+```
+
+More information:  
+<https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates>  
+<https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file>
+
+:::info[Importance of Implemented Tests]
+
+Ensure that your project has comprehensive test coverage. Automated tests are crucial for quickly validating that updates do not introduce regressions or break existing functionality.
+:::