updatecli
Updatecli is a declarative engine that automatically detects and applies updates to files, configurations, and dependencies across your infrastructure. It works with 30+ integrations (Docker, Helm, npm, PyPI, Terraform, etc.) and can open pull requests on GitHub, GitLab, Bitbucket, and other Git platforms. You define policies in YAML; Updatecli handles detection, validation, and automated updates.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | updatecli/updatecli |
| Owner | updatecli |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 936 |
| Forks | 135 |
| Open issues | 116 |
| Latest release | v0.118.0 (2026-06-02) |
| Last updated | 2026-07-08 |
| Source | https://github.com/updatecli/updatecli |
What updatecli is
Written in Go, Updatecli operates as a single binary that runs in any CI/CD pipeline (GitHub Actions, Jenkins, GitLab CI). It follows a three-stage model: Sources (fetch new values), Conditions (validate prerequisites), and Targets (apply changes). It supports 30+ source integrations (Docker registries, package managers, releases) and 8+ SCM platforms with full PR/MR creation capabilities.
Get the updatecli source
Clone the repository and explore it locally.
git clone https://github.com/updatecli/updatecli.gitcd updatecli# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- All updates are triggered by explicit policy definitions in YAML; there are no default auto-update behaviors. You must author and version-control policies alongside your infrastructure code.
- Dry-run mode (--dry-run flag) is essential for validation. Always test policies in isolation before deploying to production pipelines to avoid unintended mass updates.
- Authentication (GitHub tokens, Docker registry credentials, etc.) must be injected via environment variables or secrets management in your CI/CD platform; no built-in secret store.
- Conditions are optional but strongly recommended. Skipping validation (e.g., checking if a Docker image exists before updating) can lead to PRs with broken references.
- Custom logic is added via shell scripts or HTTP endpoints; complex integrations not covered by the 30+ built-in plugins require custom plugin development in Go.
When to avoid it — and what to weigh
- Need Built-In Vulnerability Scanning — Updatecli detects new versions but does not natively scan for known CVEs or vulnerabilities. For deep security analysis, integrate with separate tools (Snyk, Trivy) via custom shell targets.
- Seeking Full SaaS Multi-Tenancy & Managed Hosting — Updatecli is self-hosted only. If your team requires a fully managed platform with centralized dashboards, user management, and multi-org support out-of-the-box, consider Dependabot or Renovate.
- Complex Version Resolution & Transitive Dependency Logic — Updatecli is designed for declarative policies, not for complex dependency graph analysis or transitive upgrade strategies. For intricate monorepo or polyglot dependency resolution, language-specific tools may be more suitable.
- Team Without Go or YAML Expertise — Configuration is YAML; extensibility requires Go or shell scripting. Teams unfamiliar with Go templates or CLI-driven workflows may face a steeper learning curve than UI-centric alternatives.
License & commercial use
Licensed under Apache License 2.0, a permissive OSI-approved license. Allows commercial use, modification, and redistribution with attribution and liability disclaimers.
Apache-2.0 is a permissive license that permits commercial use without fee. However, you must include the original license notice and any modified source in distributions. No warranties are provided by the project. If you fork or modify Updatecli, you must disclose those changes. Consult your legal team for internal vs. distribution scenarios.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Updatecli runs as a local binary with access to credentials (Git tokens, registry auth). Ensure CI/CD secrets are isolated and rotated regularly. Dry-run and condition validation help prevent accidental breaking changes. Release assets are signed with cosign and checksums are verified. No input sanitization or network filtering is built-in; malicious policy YAML could execute arbitrary shell scripts. Apply the principle of least privilege to service accounts and policy repositories. Review custom shell/HTTP targets for injection risks.
Alternatives to consider
Dependabot (GitHub native)
GitHub-only, fully managed, integrated security scanning and CVE detection. Simpler for single-platform users but lacks flexibility for multi-SCM or custom integrations.
Renovate (Mend)
Multi-platform SaaS or self-hosted; more sophisticated dependency graph resolution and monorepo support. Heavier overhead and learning curve; Renovate.json config can be verbose.
Flux/ArgoCD + Kustomize/Helm Operator
GitOps-native, declarative Kubernetes-first. Best if your entire stack is Kubernetes; not suitable for non-K8s infrastructure or polyglot dependency management.
Build on updatecli with DEV.co software developers
Start with the Updatecli quick-start guide. Define your first policy, test with --dry-run, and integrate into your CI/CD pipeline—no platform lock-in required.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
updatecli FAQ
Can Updatecli work offline or behind a firewall?
Does Updatecli scan for security vulnerabilities?
How do I extend Updatecli with custom logic?
What happens if a condition fails?
Custom software development services
Need help beyond evaluating updatecli? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.
Ready to Automate Your Dependency Updates?
Start with the Updatecli quick-start guide. Define your first policy, test with --dry-run, and integrate into your CI/CD pipeline—no platform lock-in required.