| Field | Value |
|---|---|
| Category | CICD-SEC-3 |
| Severity | MEDIUM |
| Auto-fix | ✓ (via --fix-settings or web Fix button) |
| Source | Repository configuration |
What the check does
CallsGET /repos/{owner}/{repo}/vulnerability-alerts. A 204 response means alerts are enabled; 404 means they’re disabled (which fires this rule).
Why it matters
Dependabot vulnerability alerts are the lowest-effort dependency-watch you can have. With them off:- New CVEs against your dependencies don’t generate any signal.
- You won’t be told you’re using a vulnerable version even when one is well-known.
- This is often the root cause of CICD-SEC-3 incidents — the vulnerability was known before exploitation, but no one in the org saw the notification.
How to fix
Settings → Code security → Dependabot alerts → Enable. Then consider pairing with:- Dependabot security updates — auto-generate fix PRs.
- A label/triage process so alerts don’t pile up unread.
- For org-wide enforcement: Organization settings → Code security → enable for all repos.