Automating 70% of Dependency & Vulnerability Management with Renovate and CI/CD

By Sai Saketh Nakkina and Vikram Nunia.

In our “Engineering Energizers” Q&A series, we highlight the engineering minds driving innovation across Salesforce. Today, we feature Sai Saketh Nakkina, a MLOps engineer on Salesforce’s Agentforce Knowledge Foundation team. Sai and his team led the development of a responsive security automation system that transformed vulnerability management for various AI features across the Agentforce platform.

Discover how the team addressed security vulnerabilities that were exceeding SLA, coordinated across multiple repositories to manage complex Python workflows, and built an automation infrastructure that reduced manual vulnerability response by 70% while ensuring the reliability of Agentforce’s AI systems.

The Agentforce Knowledge Foundation MLOps team is an integral part of Agentforce Platform Engineering, responsible for maintaining ML pipelines, owning Einstein Bots, and delivering in-house LLMs for the Agentforce platform. We focus on automation, monitoring, and scalable infrastructure, which empowers internal Salesforce developer teams to deliver AI/ML features faster, more securely, and with confidence. This work is central to Salesforce’s AI strategy, as Einstein Bots has significant customer adoption and our ML pipeline efforts enable Agentforce to rapidly roll out new features.

Maintaining the operational foundation of these systems is crucial for ensuring platform integrity. In an AI-first company like Salesforce, dependency vulnerabilities are not just technical debt; they are serious threats to platform integrity that can erode customer trust in Agentforce. Security vulnerabilities that exceeded SLA posed a significant risk to the platform’s compliance, forcing the team to balance the need for shipping AI features with the imperative of maintaining robust security standards.

To address these challenges, the team’s mission is to achieve end-to-end automation for minor and patch dependency updates using Renovate, a powerful dependency and vulnerability management tool, and Salesforce’s CI/CD systems. Renovate automates the process of keeping software dependencies up-to-date by scanning for outdated or vulnerable packages and creating pull requests to update them. This automation forms the core of our security infrastructure, enabling Agentforce to deliver AI features quickly and securely. For major updates and critical vulnerability fixes, we maintain manual approval through Renovate’s dependency dashboard, ensuring appropriate oversight while maximizing the efficiency of our automated processes.

The most significant challenge the team faced was building comprehensive CI automation to handle multiple Python projects, each with its own unique dependency management workflows. To tackle this, the team developed a custom CI pipeline that activates whenever dependency changes are detected. This system is designed with advanced detection capabilities to identify which files have been modified, execution logic to run the appropriate custom tooling for each project’s specific needs, and automated commit functionality to push updated dependencies back to pull requests.

Figure: Streamlined dependency & vulnerability management using Renovate & CI/CD.

Here’s how the automation process works:

1. Scanning and Evaluation: Renovate continuously scans repositories and creates pull requests for outdated dependencies, following the configuration rules set by the team.
2. CI Build Execution: These pull requests trigger CI builds via webhooks, which must pass all status checks to ensure the changes are safe and reliable.
3. Custom Tooling Integration: During the build process, custom tools and repository-specific steps are executed to generate and manage transitive dependencies, ensuring that each project’s unique requirements are met.
4. Automated Commits: Once the builds are successful, the updated dependencies are automatically committed back to the pull requests.
5. Auto-Approval Process: Bots use GitHub labels to automatically approve pull requests that meet predefined criteria, streamlining the review process.
6. Automated Merge: Renovate leverages GitHub’s native auto-merge features to merge approved pull requests once all status checks are passed.
7. Artifact Generation: Merged pull requests trigger new CI builds that create and publish the necessary repository artifacts, ensuring that the latest dependencies are available.
8. Continuous Deployment: Once the artifacts are available, CD pipelines automatically deploy the latest code to lower environments, running integration tests to validate that no regressions have been introduced.

This end-to-end automation not only eliminates the need for manual intervention but also maintains strict quality controls through thorough validation at each stage. It allows the team to manage dependencies efficiently and securely, supporting the rapid and reliable delivery of AI features across the Agentforce platform.

The team worked through an important learning with Renovate, which supports standard Python dependency tools but didn’t fully align with the team’s specific package-locking requirements needed for Agentforce platform stability. Established projects highlighted this gap most clearly, as they required a more tailored approach than what the latest community dependencies provided. Renovate’s default update behavior surfaced opportunities to refine how we safeguard platform integrity, ensuring reliable AI feature delivery.

This learning surfaced during early automation attempts, where Renovate generated numerous pull requests. Some established projects required more stability than the latest community dependencies could provide, while Renovate’s default behavior aimed to update everything. The team already had strong manual processes to manage these dependencies, but these weren’t yet fully compatible with Renovate. This highlighted an opportunity to evolve those processes for better automation and ensure Agentforce’s security posture remains resilient.

To address this challenge, the team developed a dependency conflict resolution pipeline with three core capabilities:

1. Context-Aware Detection: This feature identifies changed dependency files across diverse project architectures, ensuring that the system understands the specific context of each project.
2. Targeted Execution: The pipeline regenerates only the necessary transitive dependencies triggered by detected changes, ensuring efficient, precise and project-specific updates.
3. Secure Automated Commits: Updates are pushed back to repositories through secure automated commits, maintaining platform resilience and integrity.

Instead of creating a one-size-fits-all solution, the team built a repository-agnostic automation framework. This framework allows project-specific scripts to live within each repository, providing the flexibility to customize automation for individual project requirements while maintaining consistency across the broader ecosystem. This approach supports current tools like pip-compile and PDM and remains extensible for future dependency management tools as the Agentforce technology stack evolves.

By implementing this automation, the team has ensured that dependency updates are handled efficiently and securely, without compromising the stability and integrity of the Agentforce platform.

Manual dependency management highlighted an area where automation could unlock greater speed for Agentforce’s AI development cycles. Repository updates averaged about 6 hours each, with roughly 3 repositories to manage every month, representing a meaningful investment of engineering time. Streamlining this work creates an opportunity to reduce overhead and free up focus for innovation.

The introduction of a responsive automation infrastructure has delivered transformative productivity gains across Knowledge Foundations engineering. Now, approximately 70% of vulnerabilities are processed automatically, requiring zero engineer intervention as they update, deploy, and test independently through the coordinated automation system. This represents a 3.3x improvement in processing capacity: where the team previously handled 10 vulnerabilities manually, they now process around 33 vulnerabilities in the same timeframe through automation.

The automation saves about 15 development hours each month, allowing engineers to focus on feature development and strategic improvements in Agentforce’s AI capabilities. All vulnerabilities get addressed within SLA boundaries which were previously frequently outside of SLA compliance due to the manual processing delays. The automated security infrastructure built on top of Renovate enabled sustained AI feature velocity while maintaining the platform integrity essential for customer trust in Agentforce.

Ensuring reliable and responsive automation across Agentforce’s diverse repository ecosystem requires sophisticated failure management and coordinated conflict resolution. When dependency updates fail unit tests, pull requests (PRs) become stale with failing builds, which can compromise platform security. Renovate limits concurrent dependencies to 10 per project, and if more than 5 PRs fail, the automation capability drops by 50%. Currently, the team handles failed PRs through manual intervention while developing improved automated recovery solutions.

The team experienced this limitation firsthand when a major Python library update broke compatibility across multiple repositories simultaneously. Eight failed PRs out of the ten-PR limit essentially cut automation capability in half until the team manually closed the failures and resolved the compatibility issues.

Managing concurrent PR conflicts necessitates strategic coordination across Agentforce’s multi-repository architecture.
The team configured GitHub and Renovate to allow only one PR creation at a time, with automated merging once builds complete successfully. After each merge, Renovate’s next scheduled run — typically daily or every 12 hours — creates new PRs, rebases existing PRs and evaluates them against the updated codebase.

While this sequential approach prevents conflicts, it can extend merge timelines. For example, five concurrent PRs might require several days to complete fully. To address this bottleneck, the team implemented coordinated dependency grouping strategies. By consolidating related packages, such as boto3 and botocore, into single PRs rather than separate updates, they reduce overall PR volume and improve processing efficiency across the repository ecosystem.

This strategic approach ensures that the automation remains robust and efficient, supporting the rapid and reliable delivery of AI features while maintaining the platform’s integrity and security.