How to configure Dependabot for a private monorepo using multiple private package registries (GPR/npm) and CodeQL analysis?

[Fortotest]

Select Topic Area

Question

Body

Hi Security team,

I'm trying to lock down our security posture for a large, complex monorepo, and I'm facing a very difficult configuration problem.

Our Setup:

• A single, large private monorepo.
• The monorepo contains multiple projects (Node.js, Python, Go).
• We use multiple private package registries: some Node packages are on GitHub Packages (GPR), and some are on a private npm registry (like Artifactory).
• We use GitHub Advanced Security, including Dependabot and CodeQL.

The Problem:

1. Dependabot: How do I configure dependabot.yml to authenticate against both GPR (using GITHUB_TOKEN) and the external private npm registry (using a secret) simultaneously? The documentation seems to show one or the other, not both in the same config for a single monorepo.
2. CodeQL: How do I configure the CodeQL workflow to correctly scan all projects (Node, Python, Go) in the monorepo during a single run, while also respecting the private registry configurations so it can pull dependencies for analysis? Our builds are failing at the autobuild step because it can't resolve the private packages.

This combination of Dependabot + CodeQL + Monorepo + Multiple Private Registries is proving extremely difficult. What is the best-practice dependabot.yml and codeql-analysis.yml configuration for this specific, complex scenario?

Thanks!

[Aqib121201]

Dependabot needs both registries defined in the same config and CodeQL needs a manual build with the right auth.

In your dependabot.yml, add entries for both GitHub Packages and your private npm registry using separate tokens. Dependabot will then use both when checking for updates.

For CodeQL, turn off autobuild and install your dependencies manually. Add a step before codeql-action/init that sets up .npmrc with your tokens and runs npm ci, pip install, or go mod download depending on the project.

This lets both Dependabot and CodeQL access private packages without failing.

If this works, mark the answer as helpful so others can find it.