> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-3 — Dependabot security updates are disabled

> Vulnerable dependencies don't get an automatic fix PR. Humans have to write each bump by hand.

| Field    | Value                                      |
| -------- | ------------------------------------------ |
| Category | `CICD-SEC-3`                               |
| Severity | LOW                                        |
| Auto-fix | ✓ (via `--fix-settings` or web Fix button) |
| Source   | Repository configuration                   |

## What the check does

Reads `security_and_analysis.dependabot_security_updates.status` on the repository response. Fires when the field is present and not `"enabled"`. Silent when the field is absent (GitHub doesn't surface it — typically a private repo without GHAS).

## Why it matters

Alerts tell you a dependency is vulnerable. Security updates *fix it for you* — Dependabot opens a PR bumping to a patched version, with the changelog and CVE context attached.

Without auto-fix PRs:

* Someone has to manually look up the patched version, write a bump PR, run tests, etc.
* That work tends to defer indefinitely under release pressure.
* Most CICD-SEC-3 incidents in production had an open Dependabot alert for weeks before exploitation.

This is the cheapest way to actually close the loop on known vulnerabilities.

## How to fix

Settings → Code security → **Dependabot security updates** → **Enable**.

Make sure your CI is run on Dependabot PRs (see [BP-NO-STATUS-CHECKS](/rules/cicd-sec-1-bp-no-status-checks)) so the auto-bump PRs gate on the same checks as any other PR.
