My team is using Renovatebot for automatic dependency management and is quite happy with it.

Renovate can manage a bunch of dependencies out of the box:

• Tags and Digests of Docker images
• Refs of GitLab Include directives
• Ansible Collections / Roles
• Helm Charts
• Python packages
• and more…

However, we have some versions in a Dockerfile which we use for downloading packages during the build process:

FROM alpine:3.14.0@sha256:234cb88d3020898631af0ccbbcca9a66ae7306ecd30c9720690858c1b007d2a0

ARG KUBECTL_VERSION=1.21.1

RUN wget -q -O /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl && \
    chmod 0755 /usr/local/bin/kubectl

The KUBECTL_VERSION variable isn’t picked up by Renovatebot automatically, as it has no way of knowing which package this variable references. However you can use the regex manager in the .renovate.json file to provide some context.