| Field | Value |
|---|---|
| Category | CICD-SEC-3 |
| Severity | MEDIUM |
| Auto-fix | ✗ |
| Source | Repository configuration |
What the check does
Calls GET /repos/{owner}/{repo}/vulnerability-alerts. A 204 response means alerts are enabled; a 404 means they are disabled, which fires this rule. The endpoint requires admin read access to the repository, and GitHub answers 404 rather than 403 when the caller cannot see a repository's settings, so run the check with a token that has that access; otherwise a 404 is inconclusive rather than a confirmed finding.
Why it matters
Dependabot vulnerability alerts are the lowest-effort form of dependency monitoring you can have. With them off:
- New CVEs against your dependencies generate no signal.
- You are not told you are using a vulnerable version, even when the vulnerability is well known.
- This is a recurring pattern in CICD-SEC-3 (dependency chain) incidents: the vulnerability was public before it was exploited, but no one in the org saw a notification.
How to fix
Settings → Code security → Dependabot alerts → Enable (or, with an admin token, PUT /repos/{owner}/{repo}/vulnerability-alerts, which returns 204 on success). Then consider pairing it with:
- Dependabot security updates, which open fix PRs for alerted packages automatically.
- A label/triage process so alerts do not pile up unread.
- For org-wide enforcement: Organization settings → Code security → enable for all repositories.
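As an added example (not pipefort's own code), the following Python script performs the check from "What the check does" and the enable step from "How to fix" through the GitHub REST API. The endpoints are GitHub's documented ones; the injectable `transport` hook, the in-memory fake GitHub, and the `acme/app` repository are assumptions made so the logic can run and be tested offline.

```python
"""Check and enable Dependabot vulnerability alerts via the GitHub REST API.

Added example, not pipefort's own code. Endpoints used (all documented by GitHub):
  GET /repos/{owner}/{repo}/vulnerability-alerts     -> 204 enabled, 404 disabled
  PUT /repos/{owner}/{repo}/vulnerability-alerts     -> 204 on success
  PUT /repos/{owner}/{repo}/automated-security-fixes -> 204 on success
The `transport` callable is an assumption so the logic runs offline in tests.
"""
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

API = "https://api.github.com"

# A transport takes (method, url, headers) and returns (status_code, body).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real HTTP transport. urllib raises on 4xx/5xx, so map those back to status codes."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def gh_headers(token: str) -> Dict[str, str]:
    return {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
        "User-Agent": "dependabot-alerts-check",
    }


def alerts_state(owner: str, repo: str, token: str,
                 transport: Transport = urllib_transport) -> str:
    """Return "enabled", "disabled", or "unknown:<status>".

    GitHub returns 404 for the alerts endpoint both when alerts are off and when the
    caller cannot see the repository, so the repository is fetched first: a 404 on a
    repo that is not even visible must not be reported as "alerts disabled".
    The token still needs admin read on the repo for the second call to be reliable.
    """
    h = gh_headers(token)
    status, _ = transport("GET", f"{API}/repos/{owner}/{repo}", h)
    if status != 200:
        return f"unknown:{status}"
    status, _ = transport("GET", f"{API}/repos/{owner}/{repo}/vulnerability-alerts", h)
    if status == 204:
        return "enabled"
    if status == 404:
        return "disabled"  # fires CICD-SEC-3 / MEDIUM per the rule table above
    return f"unknown:{status}"


def enable_alerts(owner: str, repo: str, token: str,
                  transport: Transport = urllib_transport) -> bool:
    """Enable alerts, then Dependabot security updates (fix PRs). True if both return 204."""
    h = gh_headers(token)
    s1, _ = transport("PUT", f"{API}/repos/{owner}/{repo}/vulnerability-alerts", h)
    if s1 != 204:
        return False
    s2, _ = transport("PUT", f"{API}/repos/{owner}/{repo}/automated-security-fixes", h)
    return s2 == 204


def fake_transport(state: Dict[str, bool]) -> Transport:
    """Constructed in-memory GitHub mirroring the documented status codes (offline demo).

    Only the hypothetical repo acme/app exists; every other path is 404.
    """
    def t(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        path = url[len(API):]
        if path == "/repos/acme/app":
            return 200, b"{}"
        if path == "/repos/acme/app/vulnerability-alerts":
            if method == "PUT":
                state["alerts"] = True
                return 204, b""
            return (204, b"") if state.get("alerts") else (404, b'{"message":"Not Found"}')
        if path == "/repos/acme/app/automated-security-fixes" and method == "PUT":
            state["security_updates"] = True
            return 204, b""
        return 404, b'{"message":"Not Found"}'
    return t


if __name__ == "__main__":
    # Offline walk-through against the fake; set GITHUB_TOKEN and OWNER/REPO for a real repo.
    state = {"alerts": False}
    fake = fake_transport(state)
    print("before:", alerts_state("acme", "app", "fake-token", fake))
    print("enabled:", enable_alerts("acme", "app", "fake-token", fake))
    print("after:", alerts_state("acme", "app", "fake-token", fake))
    if os.environ.get("GITHUB_TOKEN") and os.environ.get("OWNER") and os.environ.get("REPO"):
        print(alerts_state(os.environ["OWNER"], os.environ["REPO"], os.environ["GITHUB_TOKEN"]))
```

The repository GET before the alerts GET is the part worth copying into any scanner built on this endpoint: without it, a token that cannot see the repo at all produces the same 404 as a repo with alerts switched off, and the rule reports a finding it has not actually confirmed.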