DEV.co
Open-Source DevOps · updatecli

updatecli

Updatecli is a declarative engine that automatically detects and applies updates to files, configurations, and dependencies across your infrastructure. It works with 30+ integrations (Docker, Helm, npm, PyPI, Terraform, etc.) and can open pull requests on GitHub, GitLab, Bitbucket, and other Git platforms. You define policies in YAML; Updatecli handles detection, validation, and automated updates.

Source: GitHub — github.com/updatecli/updatecli
936
GitHub stars
135
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryupdatecli/updatecli
Ownerupdatecli
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars936
Forks135
Open issues116
Latest releasev0.118.0 (2026-06-02)
Last updated2026-07-08
Sourcehttps://github.com/updatecli/updatecli

What updatecli is

Written in Go, Updatecli operates as a single binary that runs in any CI/CD pipeline (GitHub Actions, Jenkins, GitLab CI). It follows a three-stage model: Sources (fetch new values), Conditions (validate prerequisites), and Targets (apply changes). It supports 30+ source integrations (Docker registries, package managers, releases) and 8+ SCM platforms with full PR/MR creation capabilities.

Quickstart

Get the updatecli source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/updatecli/updatecli.gitcd updatecli# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Automated Dependency Updates in CI/CD Pipelines

Detect new Docker image tags, Helm chart versions, or npm package releases and automatically open pull requests. Ideal for organizations running scheduled update jobs in GitHub Actions, Jenkins, or GitLab CI without adopting a new SaaS platform.

Multi-Format Configuration Management

Manage updates across diverse file types (YAML, JSON, TOML, XML, Dockerfiles, HCL) and registries in one declarative policy. Useful for teams with heterogeneous infrastructure (Kubernetes + Terraform + custom scripts) needing consistent update workflows.

Policy-Driven Platform Security Patching

Define and enforce organization-wide update policies (e.g., 'always update critical CVE fixes within 48 hours'). Conditions prevent premature updates; safe dry-run mode allows preview before merge.

Implementation considerations

  • All updates are triggered by explicit policy definitions in YAML; there are no default auto-update behaviors. You must author and version-control policies alongside your infrastructure code.
  • Dry-run mode (--dry-run flag) is essential for validation. Always test policies in isolation before deploying to production pipelines to avoid unintended mass updates.
  • Authentication (GitHub tokens, Docker registry credentials, etc.) must be injected via environment variables or secrets management in your CI/CD platform; no built-in secret store.
  • Conditions are optional but strongly recommended. Skipping validation (e.g., checking if a Docker image exists before updating) can lead to PRs with broken references.
  • Custom logic is added via shell scripts or HTTP endpoints; complex integrations not covered by the 30+ built-in plugins require custom plugin development in Go.

When to avoid it — and what to weigh

  • Need Built-In Vulnerability Scanning — Updatecli detects new versions but does not natively scan for known CVEs or vulnerabilities. For deep security analysis, integrate with separate tools (Snyk, Trivy) via custom shell targets.
  • Seeking Full SaaS Multi-Tenancy & Managed Hosting — Updatecli is self-hosted only. If your team requires a fully managed platform with centralized dashboards, user management, and multi-org support out-of-the-box, consider Dependabot or Renovate.
  • Complex Version Resolution & Transitive Dependency Logic — Updatecli is designed for declarative policies, not for complex dependency graph analysis or transitive upgrade strategies. For intricate monorepo or polyglot dependency resolution, language-specific tools may be more suitable.
  • Team Without Go or YAML Expertise — Configuration is YAML; extensibility requires Go or shell scripting. Teams unfamiliar with Go templates or CLI-driven workflows may face a steeper learning curve than UI-centric alternatives.

License & commercial use

Licensed under Apache License 2.0, a permissive OSI-approved license. Allows commercial use, modification, and redistribution with attribution and liability disclaimers.

Apache-2.0 is a permissive license that permits commercial use without fee. However, you must include the original license notice and any modified source in distributions. No warranties are provided by the project. If you fork or modify Updatecli, you must disclose those changes. Consult your legal team for internal vs. distribution scenarios.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Updatecli runs as a local binary with access to credentials (Git tokens, registry auth). Ensure CI/CD secrets are isolated and rotated regularly. Dry-run and condition validation help prevent accidental breaking changes. Release assets are signed with cosign and checksums are verified. No input sanitization or network filtering is built-in; malicious policy YAML could execute arbitrary shell scripts. Apply the principle of least privilege to service accounts and policy repositories. Review custom shell/HTTP targets for injection risks.

Alternatives to consider

Dependabot (GitHub native)

GitHub-only, fully managed, integrated security scanning and CVE detection. Simpler for single-platform users but lacks flexibility for multi-SCM or custom integrations.

Renovate (Mend)

Multi-platform SaaS or self-hosted; more sophisticated dependency graph resolution and monorepo support. Heavier overhead and learning curve; Renovate.json config can be verbose.

Flux/ArgoCD + Kustomize/Helm Operator

GitOps-native, declarative Kubernetes-first. Best if your entire stack is Kubernetes; not suitable for non-K8s infrastructure or polyglot dependency management.

Software development agency

Build on updatecli with DEV.co software developers

Start with the Updatecli quick-start guide. Define your first policy, test with --dry-run, and integrate into your CI/CD pipeline—no platform lock-in required.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

updatecli FAQ

Can Updatecli work offline or behind a firewall?
No. Updatecli must reach source registries (Docker, npm, PyPI) and target SCM platforms to detect and apply changes. Proxy configuration is not explicitly documented; review firewall egress rules.
Does Updatecli scan for security vulnerabilities?
No. Updatecli detects new versions only. For CVE awareness, integrate external tools (Snyk, Trivy) via custom shell targets or separate CI/CD jobs.
How do I extend Updatecli with custom logic?
Use shell scripts or HTTP endpoints as custom targets/sources in policy YAML. For production integrations, contribute a Go plugin to the main repository.
What happens if a condition fails?
The target is skipped, and no PR is opened. This is by design to prevent broken updates. Conditions are optional but recommended for safety.

Custom software development services

Need help beyond evaluating updatecli? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.

Ready to Automate Your Dependency Updates?

Start with the Updatecli quick-start guide. Define your first policy, test with --dry-run, and integrate into your CI/CD pipeline—no platform lock-in required.