diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1b52049975..eedb2b905c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,30 @@ updates:
         applies-to: version-updates
         patterns:
         - "*"
+  - package-ecosystem: "gradle"
+    directory: "/"
+    exclude-paths:
+      - "buildSrc"
+    schedule:
+      interval: "weekly"
+    groups:
+      gradle:
+        applies-to: version-updates
+        patterns:
+        - "*"
+    ignore:
+      # network add-on dependencies are managed manually
+      - dependency-name: "io.netty:*"
+      - dependency-name: "org.bouncycastle:*"
+      - dependency-name: "com.aayushatharva.brotli4j:*"
+      - dependency-name: "org.apache.httpcomponents.client5:httpclient5"
+      - dependency-name: "org.jitsi:ice4j"
+      - dependency-name: "com.diffplug.spotless*" # newer versions lead to runtime error, will need to update common plugin first
+      - dependency-name: "org.apache.logging.log4j:*" # provided by core
+      - dependency-name: "org.jruby:jruby-complete"
+        versions: [ ">= 10" ] # versions 10.x and later require Java 21
+      - dependency-name: "org.xhtmlrenderer:flying-saucer-pdf"
+        versions: [ ">= 10" ] # versions 10.x and later require Java 21
+      - dependency-name: "org.seleniumhq.selenium:htmlunit3-driver" # dependabot uses the wrong version when updating
+      - dependency-name: "com.google.inject.extensions:guice-assistedinject" # updating this leads to errors and this is transitive dependency
+      - dependency-name: "org.zaproxy:zap" # core versions are manually updated when targeting a new core
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4cd6d1c467..3828fc2951 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
-      - uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4
+      - uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
         with:
           gradle-home-cache-includes: |
             caches
diff --git a/.github/workflows/ci_remote.yml b/.github/workflows/ci_remote.yml
index 07e2dd7831..2e8751fdb9 100644
--- a/.github/workflows/ci_remote.yml
+++ b/.github/workflows/ci_remote.yml
@@ -16,7 +16,7 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: 17
-      - uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4
+      - uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
         with:
           gradle-home-cache-includes: |
             caches
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 171fa3d534..bc40592c02 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -35,7 +35,7 @@ jobs:
         uses: github/codeql-action/autobuild@v3
 
       - if: matrix.language == 'java'
-        uses: gradle/actions/setup-gradle@748248ddd2a24f49513d8f472f81c3a07d4d50e1 # v4.4.4
+        uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
         with:
           cache-read-only: true
           gradle-home-cache-includes: |