Renovate Bot is an automated dependency update tool that helps keep your Java projects up-to-date with the latest package versions. It automatically creates pull requests for dependency updates, supports multiple package managers, and provides flexible configuration options.
Why Renovate for Java?
- Automated Updates: Automatic PR creation for dependency updates
- Multi-Platform Support: Maven, Gradle, Docker, GitHub Actions
- Flexible Scheduling: Configurable update frequency
- Security Updates: Immediate PRs for security vulnerabilities
- Grouping: Batch related updates together
- Customizable: Extensive configuration options
- CI/CD Integration: Works with all major CI systems
Basic Configuration Setup
renovate.json - Basic Configuration:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
":dependencyDashboard"
],
"platform": "github",
"autodiscover": true,
"autodiscoverFilter": ["my-org/java-*"],
"packageRules": [
// Renovate has no "java" manager and packageRules cannot be nested under a manager key; target the Maven and Gradle managers instead
{
"matchManagers": ["maven", "gradle"],
"matchPackagePatterns": ["*"],
"groupName": "all Java dependencies",
"groupSlug": "all-java"
},
{
"matchManagers": ["maven"],
"rangeStrategy": "auto"
},
{
"matchManagers": ["gradle"],
"rangeStrategy": "auto"
}
],
"prConcurrentLimit": 5,
"prHourlyLimit": 2
}
1. Maven-Specific Configuration
Maven-focused renovate.json:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
":dependencyDashboard",
"docker:enableMajor",
"helpers:disableTypesNode"
],
"platform": "github",
"repositoryCache": "enabled",
"maven": {
"enabled": true,
"fileMatch": [
"^(|.*[\\/])pom\\.xml$"
]
},
// The wrapper properties file is parsed by the maven-wrapper manager, not by the maven manager
"maven-wrapper": {
"enabled": true,
"fileMatch": [
"^(|.*[\\/])\\.mvn/wrapper/maven-wrapper\\.properties$"
]
},
"packageRules": [
// Major versions for Spring Boot
{
"matchPackagePatterns": ["^org\\.springframework\\.boot:"],
"matchUpdateTypes": ["major"],
"enabled": true
},
// Group Spring dependencies
{
"matchPackagePatterns": ["^org\\.springframework:"],
"groupName": "Spring Framework",
"groupSlug": "spring-framework"
},
// Group Spring Boot starters
{
"matchPackagePatterns": ["^org\\.springframework\\.boot:spring-boot-starter"],
"groupName": "Spring Boot Starters",
"groupSlug": "spring-boot-starters"
},
// Test dependencies
{
"matchPackagePatterns": ["^org\\.junit:", "^org\\.testcontainers:", "^org\\.mockito:", "^org\\.assertj:"],
"groupName": "Test Dependencies",
"groupSlug": "test-deps",
"schedule": ["on saturday"]
},
// Database drivers
{
"matchPackagePatterns": ["^org\\.postgresql:", "^mysql:", "^com\\.oracle\\.database\\.jdbc:"],
"groupName": "Database Drivers",
"groupSlug": "db-drivers"
},
// Logging dependencies
{
"matchPackagePatterns": ["^org\\.slf4j:", "^ch\\.qos\\.logback:", "^org\\.apache\\.logging\\.log4j:"],
"groupName": "Logging Dependencies",
"groupSlug": "logging-deps"
},
// Security dependencies
{
"matchPackagePatterns": ["^org\\.springframework\\.security:", "^io\\.jsonwebtoken:"],
"groupName": "Security Dependencies",
"groupSlug": "security-deps"
},
// Apache Commons
{
"matchPackagePatterns": ["^org\\.apache\\.commons:"],
"groupName": "Apache Commons",
"groupSlug": "apache-commons"
},
// Never propose pre-release versions: ignoreUnstable (Renovate's default) skips them unless the current version is itself unstable, and allowedVersions restricts proposals to plain x.y.z releases
{
"matchPackagePatterns": ["*"],
"ignoreUnstable": true,
"allowedVersions": "/^[0-9]+\\.[0-9]+\\.[0-9]+$/"
}
],
"vulnerabilityAlerts": {
"enabled": true,
"schedule": ["at any time"]
},
"schedule": [
"before 5am on monday"
],
"timezone": "America/New_York",
"prCreation": "not-pending",
"dependencyDashboard": true,
"dependencyDashboardTitle": "📦 Dependency Updates Dashboard",
"rebaseWhen": "behind-base-branch",
"labels": ["dependencies", "renovate"],
"assignees": ["my-team"],
"reviewers": ["senior-devs"],
"commitMessagePrefix": "⬆️",
"commitMessageAction": "Update",
"commitMessageTopic": "{{depName}}",
"commitMessageExtra": "to {{newVersion}}"
}
2. Gradle-Specific Configuration
Gradle-focused renovate.json:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
":dependencyDashboard",
"gradle:updateTestedDependencies"
],
"platform": "github",
"gradle": {
"enabled": true,
"fileMatch": [
"^(|.*[\\/])build\\.gradle(?:\\.kts)?$",
"^(|.*[\\/])gradle\\.properties$",
"^(|.*[\\/])gradle/wrapper/gradle-wrapper\\.properties$"
]
},
"packageRules": [
// Kotlin dependencies
{
"matchPackagePatterns": ["^org\\.jetbrains\\.kotlin:"],
"groupName": "Kotlin",
"groupSlug": "kotlin"
},
// Gradle plugins
{
"matchPackagePatterns": ["^com\\.gradle\\.enterprise:", "^io\\.spring\\.dependency-management:"],
"groupName": "Gradle Plugins",
"groupSlug": "gradle-plugins"
},
// Android dependencies
{
"matchPackagePatterns": ["^com\\.android\\.tools\\.build:"],
"groupName": "Android Build Tools",
"groupSlug": "android-build-tools"
},
// Gradle wrapper
{
"matchManagers": ["gradle-wrapper"],
"groupName": "Gradle Wrapper",
"groupSlug": "gradle-wrapper"
},
// Skip the known-breaking 4.0.0 release; ignoreDeps only takes package names, so a single-version exclusion belongs in a packageRule
{
"matchPackageNames": ["com.github.spotbugs"],
"allowedVersions": "!/^4\\.0\\.0$/"
}
],
"gradle-lite": {
"enabled": true
}
}
3. Multi-Module Maven Configuration
renovate.json for Multi-module Projects:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
":dependencyDashboard",
"group:javaLibraries"
],
"platform": "github",
"maven": {
"enabled": true
},
"packageRules": [
// Parent POM updates
{
"matchFiles": ["pom.xml"],
"matchPackageNames": ["com.mycompany:parent-pom"],
"groupName": "Parent POM",
"groupSlug": "parent-pom",
"commitMessageTopic": "Parent POM",
"semanticCommitType": "build"
},
// BOM (Bill of Materials) updates
{
"matchPackagePatterns": ["^org\\.springframework\\.cloud:spring-cloud-dependencies"],
"groupName": "Spring Cloud Dependencies",
"groupSlug": "spring-cloud-deps",
"semanticCommitType": "build"
},
// Module-specific rules
{
"matchPaths": ["core-module/**"],
"matchPackagePatterns": ["^io\\.micrometer:", "^org\\.springframework\\.boot:spring-boot-actuator"],
"groupName": "Core Module Dependencies",
"groupSlug": "core-module-deps"
},
{
"matchPaths": ["web-module/**"],
"matchPackagePatterns": ["^org\\.springframework\\.boot:spring-boot-starter-web"],
"groupName": "Web Module Dependencies",
"groupSlug": "web-module-deps"
},
{
"matchPaths": ["data-module/**"],
"matchPackagePatterns": ["^org\\.springframework\\.boot:spring-boot-starter-data-"],
"groupName": "Data Module Dependencies",
"groupSlug": "data-module-deps"
},
// Shared dependencies across modules
{
"matchPackagePatterns": ["^org\\.projectlombok:lombok"],
"groupName": "Lombok",
"groupSlug": "lombok"
}
],
"ignorePaths": [
"**/target/**",
"**/build/**",
"**/node_modules/**",
"experimental/**"
],
// Renovate has no Maven post-update options (postUpdateOptions covers JavaScript, Go and similar ecosystems), so let the repository's CI compile and test each update branch
"prBodyNotes": [
"### 🔍 Verification Steps",
"",
"Please verify the following after merging:",
"- [ ] All tests pass (`mvn clean test`)",
"- [ ] Application starts successfully",
"- [ ] No breaking changes in API",
"- [ ] Check dependency compatibility matrix"
]
}
4. Enterprise Configuration
renovate.json for Enterprise:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
":dependencyDashboard",
":semanticCommits",
":semanticCommitTypeAll(build)",
"group:recommended",
"group:javaLibraries"
],
"platform": "github",
"autodiscover": true,
"autodiscoverFilter": ["my-company/*"],
"enabledManagers": [
"maven",
"gradle",
"dockerfile",
"github-actions",
"npm"
],
"maven": {
"enabled": true
},
"constraints": {
"java": "17"
},
"packageRules": [
// Company internal libraries
{
"matchPackagePatterns": ["^com\\.mycompany:"],
"groupName": "Internal Libraries",
"groupSlug": "internal-libs",
"schedule": ["on friday"],
"prPriority": 10
},
// Security-critical updates
{
"matchPackagePatterns": ["^org\\.springframework\\.security:", "^io\\.jsonwebtoken:"],
"matchUpdateTypes": ["patch", "minor", "major"],
"prPriority": 100,
"dependencyDashboardApproval": false
},
// Breaking changes require approval
{
"matchUpdateTypes": ["major"],
"dependencyDashboardApproval": true,
"prPriority": -1
},
// Auto-merge safe patches
{
"matchUpdateTypes": ["patch"],
"matchPackagePatterns": ["^org\\.springframework\\.boot:", "^org\\.springframework:"],
"automerge": true,
"automergeType": "branch",
"requiredStatusChecks": null
},
// Test dependencies - lower priority
{
"matchPackagePatterns": ["^org\\.junit:", "^org\\.mockito:", "^org\\.testcontainers:"],
"prPriority": -10,
"schedule": ["on weekend"]
},
// Documentation dependencies
{
"matchPackagePatterns": ["^org\\.asciidoctor:", "^io\\.github\\.java-diff-utils:"],
"prPriority": -20
}
],
"vulnerabilityAlerts": {
"enabled": true,
"schedule": ["at any time"],
"prCreation": "immediate",
"labels": ["security", "dependencies"],
"assignees": ["security-team"]
},
"schedule": [
"before 6am on weekday"
],
"timezone": "America/New_York",
"prConcurrentLimit": 10,
"prHourlyLimit": 5,
"branchConcurrentLimit": 10,
"branchHourlyLimit": 5,
"labels": ["dependencies", "renovate", "automated-pr"],
"assignees": ["platform-team"],
"reviewers": ["senior-engineers"],
"semanticCommits": "enabled",
"semanticCommitType": "fix",
"semanticCommitScope": "deps",
"commitMessageTopic": "{{depName}}",
"commitMessageExtra": "to {{newVersion}}",
"rebaseWhen": "behind-base-branch",
"rebaseLabel": "rebase",
"dependencyDashboard": true,
"dependencyDashboardTitle": "🚀 Dependency Updates",
"dependencyDashboardLabels": ["dependencies", "dashboard"],
"configMigration": true,
"prBodyNotes": [
"---",
"### 📋 Checklist",
"",
"#### For Reviewers",
"- [ ] Verify compatibility with existing code",
"- [ ] Check for breaking changes",
"- [ ] Review test results",
"- [ ] Approve if changes look good",
"",
"#### For Mergers",
"- [ ] All checks passed ✅",
"- [ ] No conflicts with base branch",
"- [ ] Approved by required reviewers",
"",
"---",
"🤖 This PR was created by [Renovate Bot](https://github.com/renovatebot/renovate)."
],
"ignoreDeps": [
"com.sun.xml.ws:jaxws-ri", // Known compatibility issues
"javax.xml.bind:jaxb-api" // Java 11+ compatibility
]
}
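How Renovate resolves the rules above is easy to get wrong: every packageRules entry that matches an update is applied, in array order, so a later rule overrides any key set by an earlier one. The script below is an added example, not Renovate's code, that simulates that merge for three constructed updates against the rules of the enterprise config (only matchPackageNames, matchPackagePatterns, matchUpdateTypes and matchManagers are implemented, and "*" is treated as match-all). It shows that a major update of a security-critical package ends up with prPriority -1 and dependencyDashboardApproval true, because the "Breaking changes require approval" rule comes later in the array, while a patch of the same package keeps priority 100. If security majors are meant to stay at the top of the queue, the security rule has to come after the major rule.

```javascript
// Added example, not Renovate's own code: simulates how Renovate merges
// packageRules. Every rule that matches an update is applied in array order,
// so a later matching rule overrides keys set by an earlier one. Only four
// matchers are implemented here, and "*" is treated as match-all, as it is in
// Renovate's matchPackagePatterns.
const MATCHER_KEYS = ['matchPackageNames', 'matchPackagePatterns', 'matchUpdateTypes', 'matchManagers'];

function ruleMatches(rule, update) {
  if (rule.matchPackageNames && !rule.matchPackageNames.includes(update.depName)) return false;
  if (rule.matchPackagePatterns &&
      !rule.matchPackagePatterns.some((p) => p === '*' || new RegExp(p).test(update.depName))) return false;
  if (rule.matchUpdateTypes && !rule.matchUpdateTypes.includes(update.updateType)) return false;
  if (rule.matchManagers && !rule.matchManagers.includes(update.manager)) return false;
  return true;
}

// Returns the effective settings for one update: all matching rules merged in order
function resolveRules(packageRules, update) {
  const resolved = {};
  for (const rule of packageRules) {
    if (!ruleMatches(rule, update)) continue;
    for (const [key, value] of Object.entries(rule)) {
      if (!MATCHER_KEYS.includes(key)) resolved[key] = value; // later rules win
    }
  }
  return resolved;
}

// Rules copied from the enterprise configuration above (documentation rule omitted)
const ENTERPRISE_RULES = [
  { matchPackagePatterns: ['^com\\.mycompany:'], groupName: 'Internal Libraries', schedule: ['on friday'], prPriority: 10 },
  { matchPackagePatterns: ['^org\\.springframework\\.security:', '^io\\.jsonwebtoken:'],
    matchUpdateTypes: ['patch', 'minor', 'major'], prPriority: 100, dependencyDashboardApproval: false },
  { matchUpdateTypes: ['major'], dependencyDashboardApproval: true, prPriority: -1 },
  { matchUpdateTypes: ['patch'], matchPackagePatterns: ['^org\\.springframework\\.boot:', '^org\\.springframework:'],
    automerge: true, automergeType: 'branch', requiredStatusChecks: null },
  { matchPackagePatterns: ['^org\\.junit:', '^org\\.mockito:', '^org\\.testcontainers:'], prPriority: -10, schedule: ['on weekend'] },
];

// Three constructed updates, all coming from the Maven manager
function demo() {
  const update = (depName, updateType) => ({ depName, updateType, manager: 'maven' });
  return {
    securityMajor: resolveRules(ENTERPRISE_RULES, update('org.springframework.security:spring-security-core', 'major')),
    securityPatch: resolveRules(ENTERPRISE_RULES, update('org.springframework.security:spring-security-core', 'patch')),
    bootPatch: resolveRules(ENTERPRISE_RULES, update('org.springframework.boot:spring-boot-starter-web', 'patch')),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node and compare the three objects: securityMajor carries the approval gate and negative priority from the later rule, securityPatch keeps priority 100 and is not automerged, and bootPatch is the only one with automerge set, together with the requiredStatusChecks: null that disables the check gate.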
5. Security-Focused Configuration
renovate-security.json:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
":dependencyDashboard",
":security"
],
"platform": "github",
"vulnerabilityAlerts": {
"enabled": true,
"schedule": ["at any time"],
"prCreation": "immediate",
"labels": ["security", "dependencies", "vulnerability"],
"assignees": ["security-team"],
"reviewers": ["security-team"],
"automerge": false,
"commitMessageSuffix": "[SECURITY]",
"prTitle": "🚨 Security update: {{depName}}"
},
"packageRules": [
// Critical security packages
{
"matchPackagePatterns": [
"^org\\.springframework\\.security:",
"^io\\.jsonwebtoken:",
"^com\\.fasterxml\\.jackson\\.core:",
"^org\\.yaml:"
],
"matchUpdateTypes": ["patch", "minor"],
"prPriority": 100,
"automerge": true,
"automergeType": "pr",
"requiredStatusChecks": null
},
// Log4j security updates
{
"matchPackagePatterns": ["^org\\.apache\\.logging\\.log4j:"],
"prPriority": 200,
"dependencyDashboardApproval": false
},
// Apache Commons security
{
"matchPackagePatterns": ["^org\\.apache\\.commons:"],
"matchUpdateTypes": ["patch"],
"prPriority": 50
}
],
"osvVulnerabilityAlerts": true,
"prCreation": "immediate",
"schedule": ["at any time"],
"labels": ["security", "dependencies"],
"ignoreTests": false
// Renovate has no Maven post-update options; the update PR's own status checks run the build and tests
}
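The security-focused config above automerges patch and minor updates of the most sensitive packages with "requiredStatusChecks": null, that is, without waiting for any check to pass: a release that breaks the build, or a compromised release of one of those libraries, would be merged to the default branch unbuilt and unreviewed. Renovate's bundled validator (npx --yes --package renovate -- renovate-config-validator) catches schema errors but not policy choices like that. The script below is an added example, not Renovate's code: it reads a renovate.json (stripping the // comments used throughout this article, which Renovate's loader accepts as JSON5 but JSON.parse rejects) and flags automerge rules that switch checks off, disabled vulnerability alerts, self-hosted-only options in a repository config, and rules that disable every update. The config it audits is constructed here, trimmed from the one above.

```javascript
// Added example, not Renovate's own code: a policy audit for a repository's
// renovate.json. The "//" comments are stripped before parsing, then the parsed
// object is checked for the settings a security reviewer cares about.
const GLOBAL_ONLY = [
  'platform', 'autodiscover', 'autodiscoverFilter', 'repositoryCache', 'onboarding',
  'onboardingConfig', 'onboardingBranch', 'requireConfig', 'gitAuthor', 'productLinks', 'force',
];

// Remove // comments that sit outside string literals (a minimal JSON5-style pre-pass)
function stripLineComments(text) {
  let out = '';
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      out += ch;
      if (ch === '\\') out += text[++i];      // keep escaped characters, including \"
      else if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;
      out += ch;
    } else if (ch === '/' && text[i + 1] === '/') {
      while (i < text.length && text[i] !== '\n') i++;  // skip to end of line
      out += '\n';
    } else {
      out += ch;
    }
  }
  return out;
}

function auditConfig(config) {
  const findings = [];
  for (const key of GLOBAL_ONLY) {
    if (key in config) findings.push(`"${key}" is a self-hosted (global) option and does not belong in repository config`);
  }
  if (config.vulnerabilityAlerts && config.vulnerabilityAlerts.enabled === false) {
    findings.push('vulnerabilityAlerts is disabled: security advisories will not produce PRs');
  }
  for (const dep of config.ignoreDeps || []) {
    if (typeof dep !== 'string') findings.push('ignoreDeps entries must be package name strings');
  }
  // vulnerabilityAlerts takes the same keys as a package rule, so audit it alongside them
  const rules = (config.packageRules || []).map((rule, i) => [`packageRules[${i}]`, rule]);
  if (config.vulnerabilityAlerts) rules.push(['vulnerabilityAlerts', config.vulnerabilityAlerts]);
  for (const [label, rule] of rules) {
    const checksOff = rule.requiredStatusChecks === null || rule.ignoreTests === true;
    if (rule.automerge === true && checksOff) {
      findings.push(`${label}: automerge with status checks disabled; a broken or malicious release would land unverified`);
    }
    if (rule.automerge === true && (rule.matchUpdateTypes || []).includes('major')) {
      findings.push(`${label}: automerges major updates`);
    }
    if (rule.enabled === false && (rule.matchPackagePatterns || []).includes('*') && !rule.matchUpdateTypes) {
      findings.push(`${label}: disables every update for every package`);
    }
  }
  return findings;
}

function auditText(text) {
  return auditConfig(JSON.parse(stripLineComments(text)));
}

// Constructed sample: a trimmed version of the security-focused config above
const SAMPLE_CONFIG = String.raw`{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base", ":dependencyDashboard"],
  "platform": "github",
  "vulnerabilityAlerts": {
    "enabled": true,
    "automerge": false,
    "labels": ["security", "dependencies"]
  },
  "packageRules": [
    // Critical security packages: automerged without waiting for CI
    {
      "matchPackagePatterns": ["^org\\.springframework\\.security:", "^io\\.jsonwebtoken:"],
      "matchUpdateTypes": ["patch", "minor"],
      "automerge": true,
      "automergeType": "pr",
      "requiredStatusChecks": null
    },
    // Other patches: automerged only after checks pass
    { "matchUpdateTypes": ["patch"], "automerge": true }
  ]
}`;

const SAMPLE_FINDINGS = auditText(SAMPLE_CONFIG);
console.log(SAMPLE_FINDINGS.join('\n'));
```

On the sample this reports two findings: the global-only "platform" key and the first rule's automerge with checks disabled; the second rule automerges too, but with checks left on, and is not reported. To use it on a real repository, replace SAMPLE_CONFIG with the file contents and fail the CI job when the findings array is non-empty.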
6. Monorepo Configuration
renovate.json for Monorepo:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
":dependencyDashboard",
"group:monorepos"
],
"platform": "github",
// "monorepos" is not a configuration option; the group:monorepos preset above is what groups packages that ship from one monorepo
"packageRules": [
// Root dependencies
{
"matchFiles": ["package.json", "pom.xml", "build.gradle"],
"matchPaths": [""],
"groupName": "Root Dependencies",
"groupSlug": "root-deps"
},
// Shared library updates across services
{
"matchPackagePatterns": ["^com\\.mycompany:common-lib"],
"groupName": "Common Library",
"groupSlug": "common-lib",
"prBodyNotes": [
"### 🔄 Cross-Service Impact",
"This update affects multiple services. Please verify:",
"- [ ] Service A compatibility",
"- [ ] Service B compatibility",
"- [ ] Shared API contracts"
]
},
// Service-specific rules
{
"matchPaths": ["services/user-service/**"],
"matchPackagePatterns": ["^org\\.springframework\\.boot:spring-boot-starter-data-"],
"groupName": "User Service Dependencies",
"groupSlug": "user-service-deps"
},
{
"matchPaths": ["services/order-service/**"],
"matchPackagePatterns": ["^org\\.springframework\\.boot:spring-boot-starter-web"],
"groupName": "Order Service Dependencies",
"groupSlug": "order-service-deps"
},
// Infrastructure dependencies
{
"matchPaths": ["infrastructure/**"],
"matchPackagePatterns": ["^io\\.fabric8:kubernetes-client", "^com\\.spotify:dockerfile-maven"],
"groupName": "Infrastructure Dependencies",
"groupSlug": "infra-deps"
}
],
"ignorePaths": [
"**/node_modules/**",
"**/target/**",
"**/build/**",
"**/dist/**",
"archived/**",
"experimental/**"
],
"separateMajorMinor": true,
"separateMultipleMajor": true,
"prConcurrentLimit": 3,
"prHourlyLimit": 2,
"branchConcurrentLimit": 5,
"branchHourlyLimit": 3
}
7. GitHub Actions Configuration
renovate.json with GitHub Actions:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
":dependencyDashboard"
],
"platform": "github",
"github-actions": {
"enabled": true,
"fileMatch": [
"^\\.github/workflows/[^/]+\\.ya?ml$"
]
},
"packageRules": [
// GitHub Actions updates
{
"matchManagers": ["github-actions"],
"groupName": "GitHub Actions",
"groupSlug": "github-actions",
"schedule": ["on monday"]
},
// Java setup action
{
"matchManagers": ["github-actions"],
"matchPackagePatterns": ["actions/setup-java"],
"groupName": "Java Setup Action",
"groupSlug": "setup-java"
},
// Maven action
{
"matchManagers": ["github-actions"],
"matchPackagePatterns": ["actions/setup-java", "actions/cache"],
"matchUpdateTypes": ["patch", "minor"],
"automerge": true
}
],
"maven": {
"enabled": true
}
}
8. Custom Manager for Docker
renovate.json with Docker support:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
":dependencyDashboard",
"docker:enableMajor"
],
"platform": "github",
// The manager is named dockerfile (docker is the datasource); .dockerignore files carry no image references, so they are not matched
"dockerfile": {
"enabled": true,
"fileMatch": [
"^(|.*/)Dockerfile(\\.[^/]*)?$"
]
},
"packageRules": [
// Base image updates
{
"matchManagers": ["dockerfile"],
"matchPackagePatterns": ["eclipse-temurin", "openjdk"],
"groupName": "Java Base Images",
"groupSlug": "java-base-images",
"prBodyNotes": [
"### 🐳 Base Image Update",
"Verify:",
"- [ ] Application starts with new base image",
"- [ ] No breaking changes in runtime behavior",
"- [ ] Security scan passes"
]
},
// Alpine images
{
"matchManagers": ["dockerfile"],
"matchPackagePatterns": ["alpine"],
"groupName": "Alpine Base Images",
"groupSlug": "alpine-images"
}
],
"maven": {
"enabled": true
}
}
9. Preset Configurations
Java-specific Presets:
{
"extends": [
"config:base",
":dependencyDashboard",
// Java-specific presets
"group:javaLibraries",
"group:springBoot",
"group:springCloud",
// Testing presets
"group:testNG",
"group:junit",
"group:mockito",
// Database presets
"group:postgresql",
"group:mysql",
"group:mongoDb",
// Tooling presets
"group:checkstyle",
"group:spotbugs",
"group:jacoco"
]
}
10. GitHub Workflow Integration
.github/workflows/renovate.yml:
name: Renovate
on:
workflow_dispatch:
schedule:
- cron: '0 2 * * 1' # Run every Monday at 2 AM
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Renovate
uses: renovatebot/github-action@v36
with:
configurationFile: .github/renovate.json
token: ${{ secrets.RENOVATE_TOKEN }}
env:
LOG_LEVEL: debug
.github/renovate.json (Repository-specific):
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"local>my-org/renovate-config:java",
"local>my-org/renovate-config:security"
],
"baseBranches": ["main", "develop"],
"packageRules": [
{
"matchPackageNames": ["com.mycompany:shared-lib"],
"allowedVersions": "<=2.0.0"
}
],
"ignoreDeps": [
"org.example:legacy-lib" // Cannot be updated
]
}
11. Advanced Configuration Features
renovate-advanced.json:
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
":dependencyDashboard",
":semanticCommits"
],
"platform": "github",
"maven": {
"enabled": true
},
"customManagers": [
// Property keys are not Maven coordinates, so each managed entry is preceded by a comment naming the datasource and groupId:artifactId; the matchString reads that comment and the value on the following line
{
"customType": "regex",
"fileMatch": ["^versions\\.properties$"],
"matchStrings": [
"#\\s*renovate:\\s*datasource=(?<datasource>\\S+)\\s+depName=(?<depName>\\S+)\\s+[^=\\s]+\\s*=\\s*(?<currentValue>\\S+)"
],
"versioningTemplate": "maven"
}
],
"hostRules": [
{
"hostType": "maven",
"matchHost": "https://nexus.mycompany.com",
"username": "{{ secrets.NEXUS_USERNAME }}",
"password": "{{ secrets.NEXUS_PASSWORD }}"
}
],
"onboarding": true,
"onboardingConfig": {
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:base"]
},
"onboardingBranch": "renovate/configure",
"requireConfig": "optional",
"branchPrefix": "renovate/",
"branchName": "{{branchPrefix}}{{managerBranchPrefix}}{{depNameSanitized}}-{{newVersion}}",
"prTitle": "{{#if isPin}}Pin{{else}}Update{{/if}} dependency {{depName}} to version {{#if isRange}}{{newVersion}}{{else}}{{#if isMajor}}{{prettyNewMajor}}{{else}}{{newVersion}}{{/if}}{{/if}}",
"gitAuthor": "Renovate Bot <[email protected]>",
"productLinks": {
"documentation": "https://docs.mycompany.com/renovate",
"help": "https://slack.mycompany.com/renovate-support"
},
"force": {
"constraints": {
"java": "17"
}
}
}
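To see what a customManagers entry like the one above actually extracts, the script below (an added example, not Renovate's code) runs matchStrings over a constructed versions.properties the way I understand the regex manager's default "any" strategy to work: each matchString is compiled with the global flag and run over the whole file content, not line by line. Treat that as an assumption and confirm it against the debug log of your Renovate version. It runs two patterns: an annotation-driven one, where a "# renovate: datasource=... depName=..." comment precedes each managed property, and a naive anchored "^key = value$" pattern, a common first attempt, which matches nothing in a multi-entry file and, in a single-entry file, reports the property key rather than a Maven groupId:artifactId as depName, which the maven datasource cannot look up.

```javascript
// Added example, not Renovate's own code: a stand-in for the regex manager's
// "any" strategy, assuming each matchString is compiled with the global flag
// and run over the whole file content. The properties content is constructed.
const SAMPLE_PROPERTIES = [
  '# renovate: datasource=maven depName=org.yaml:snakeyaml',
  'snakeyaml.version=2.2',
  '# renovate: datasource=maven depName=com.fasterxml.jackson.core:jackson-databind',
  'jackson.version=2.17.1',
  'plain.key=not-managed',
  '',
].join('\n');

// Annotation-driven pattern: the comment line supplies datasource and the
// groupId:artifactId, the following line supplies the current value
const ANNOTATED = '#\\s*renovate:\\s*datasource=(?<datasource>\\S+)\\s+depName=(?<depName>\\S+)\\s+[^=\\s]+\\s*=\\s*(?<currentValue>\\S+)';
// Naive anchored pattern: without the multiline flag, ^ and $ bind to the
// start and end of the whole file, so it can only match a single-entry file
const ANCHORED = '^(?<depName>.*?)\\s*=\\s*"?(?<currentValue>.*?)"?\\s*$';

function extractDeps(content, matchStrings) {
  const deps = [];
  for (const ms of matchStrings) {
    for (const m of content.matchAll(new RegExp(ms, 'g'))) {
      deps.push({ ...m.groups });  // named groups become the dependency fields
    }
  }
  return deps;
}

const ANNOTATED_RESULT = extractDeps(SAMPLE_PROPERTIES, [ANNOTATED]);          // two dependencies
const ANCHORED_RESULT = extractDeps(SAMPLE_PROPERTIES, [ANCHORED]);            // none
const SINGLE_ENTRY_RESULT = extractDeps('snakeyaml.version=2.2\n', [ANCHORED]); // one, with the property key as depName

console.log(JSON.stringify({ ANNOTATED_RESULT, ANCHORED_RESULT, SINGLE_ENTRY_RESULT }, null, 2));
```

The annotated run yields datasource, depName and currentValue for the two managed entries and skips the unannotated line; the anchored run yields nothing on the same file and, on a one-line file, a depName of snakeyaml.version that no Maven repository can resolve. When a file is picked up by fileMatch but no dependency appears on the dependency dashboard, this is the first thing to check.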
12. Best Practices and Tips
Incremental Adoption:
{
// Phase 1: security updates only. vulnerabilityAlerts is a top-level option, not a packageRules entry
"vulnerabilityAlerts": {
"enabled": true
},
"packageRules": [
{
"matchPackagePatterns": ["*"],
"matchUpdateTypes": ["patch", "minor", "major"],
"enabled": false
}
]
}
Performance Optimization:
{
"prConcurrentLimit": 3,
"prHourlyLimit": 2,
"branchConcurrentLimit": 5,
"rebaseWhen": "behind-base-branch",
"rebaseLabel": "rebase",
"platform": "github",
"repositoryCache": "enabled",
"ignorePaths": [
"**/node_modules/**",
"**/bower_components/**",
"**/vendor/**",
"**/examples/**",
"**/test/**"
]
}
Conclusion
Renovate Bot provides powerful, flexible dependency management for Java projects. Key benefits include:
- Automated Updates: Automatic PR creation for dependency updates
- Security Focus: Immediate updates for vulnerable dependencies
- Flexible Grouping: Batch related dependencies together
- Multi-Platform: Support for Maven, Gradle, Docker, GitHub Actions
- Enterprise Ready: Scalable for large organizations with custom rules
- CI/CD Integration: Seamless integration with existing workflows
By implementing the configurations shown above, you can establish a robust dependency management system that keeps your Java projects secure, up-to-date, and maintainable with minimal manual effort.