
| Field | Value |
| --- | --- |
| Category | CICD-SEC-3 |
| Severity | LOW |
| Auto-fix | |
| Source | Repository configuration |

What the check does

Reads security_and_analysis.dependabot_security_updates.status on the repository response. Fires when the field is present and not "enabled". Silent when the field is absent (GitHub doesn’t surface it — typically a private repo without GHAS).
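The decision logic above, as an added example that is not pipefort's own code: a small evaluator run over constructed "Get a repository" responses shaped like GitHub's real payload. The finding dictionary format and the repository names are assumptions made for the illustration; the field path and the enabled/not-enabled/absent distinction come from the check description.

```python
"""Added example (not pipefort's code): evaluate the CICD-SEC-3 Dependabot
security-updates check against a GitHub "Get a repository" JSON response.
The sample payloads are constructed and trimmed to the fields that matter;
the finding format below is an assumption, not pipefort's real output."""
from typing import Any, Optional

FIELD = "security_and_analysis.dependabot_security_updates.status"


def _dig(obj: Any, dotted: str) -> Optional[Any]:
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_dependabot_security_updates(repo: dict) -> Optional[dict]:
    """Return a finding when the field is present and not "enabled".

    Returns None both when the value is "enabled" and when GitHub did not
    surface the field at all (typically a private repo without GHAS): an
    absent field is "unknown", not "disabled", so the check stays silent
    instead of guessing.
    """
    status = _dig(repo, FIELD)
    if status is None:
        return None  # field absent: cannot tell, stay silent
    if status == "enabled":
        return None
    return {
        "category": "CICD-SEC-3",
        "severity": "LOW",
        "repo": repo.get("full_name"),
        "field": FIELD,
        "observed": status,
        "fix": "Settings -> Code security -> Dependabot security updates -> Enable",
    }


# Constructed sample responses (hypothetical repositories).
ENABLED = {
    "full_name": "acme/api", "private": False,
    "security_and_analysis": {"dependabot_security_updates": {"status": "enabled"}},
}
DISABLED = {
    "full_name": "acme/web", "private": False,
    "security_and_analysis": {"dependabot_security_updates": {"status": "disabled"}},
}
NO_FIELD = {  # private repo without GHAS: the key is simply not there
    "full_name": "acme/internal", "private": True,
    "security_and_analysis": {"secret_scanning": {"status": "disabled"}},
}


def run_all(repos=(ENABLED, DISABLED, NO_FIELD)) -> list:
    """Evaluate every repository and keep only the findings."""
    return [f for r in repos if (f := check_dependabot_security_updates(r))]


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

Only `acme/web` produces a finding; `acme/api` is enabled and `acme/internal` never exposes the field. To look at the same value by hand, `gh api repos/OWNER/REPO --jq '.security_and_analysis.dependabot_security_updates.status'` prints it (or nothing when GitHub omits it), and the documented REST endpoint `PUT /repos/{owner}/{repo}/automated-security-fixes` enables the feature if you prefer scripting the fix over the settings UI.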

Why it matters

Alerts tell you a dependency is vulnerable. Security updates fix it for you: Dependabot opens a PR that bumps the dependency to a patched version, with the changelog and CVE context attached. Without auto-fix PRs:
  • Someone has to look up the patched version by hand, write the bump PR, run the tests and get it reviewed.
  • That work tends to be deferred indefinitely under release pressure.
  • In practice, vulnerable-dependency incidents commonly trace back to an alert that had been open for weeks before exploitation.
This is the cheapest way to actually close the loop on known vulnerabilities.

How to fix

Settings → Code security → Dependabot security updates → Enable. Make sure your CI runs on Dependabot PRs (see BP-NO-STATUS-CHECKS) so the auto-bump PRs gate on the same checks as any other PR; otherwise an automatic merge of a bad bump can break the build without anyone noticing.