> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-3 — Dependabot alerts are disabled

> Known-vulnerable dependencies will not be surfaced.

| Field    | Value                                      |
| -------- | ------------------------------------------ |
| Category | `CICD-SEC-3`                               |
| Severity | MEDIUM                                     |
| Auto-fix | ✓ (via `--fix-settings` or web Fix button) |
| Source   | Repository configuration                   |

## What the check does

Calls `GET /repos/{owner}/{repo}/vulnerability-alerts`. A `204` response means alerts are enabled; `404` means they're disabled (which fires this rule).

## Why it matters

Dependabot vulnerability alerts are the lowest-effort dependency-watch you can have. With them off:

* New CVEs against your dependencies don't generate any signal.
* You won't be told you're using a vulnerable version even when one is well-known.
* This is often the root cause of CICD-SEC-3 incidents — the vulnerability was *known* before exploitation, but no one in the org saw the notification.

## How to fix

Settings → Code security → **Dependabot alerts** → **Enable**.

Then consider pairing with:

* [Dependabot security updates](/rules/cicd-sec-3-dependabot-fixes-off) — auto-generate fix PRs.
* A label/triage process so alerts don't pile up unread.
* For org-wide enforcement: Organization settings → Code security → enable for all repos.
