Right now it is possible to enable security alerts and automated security fixes via the API.
However, it doesn’t actually work in most circumstances for private repositories. This is because private repositories have to have the “Allow GitHub to perform read-only analysis of this repository” option enabled before these API endpoints actually work.
If it isn’t possible to enable this via the API, it would be nice if it could be enabled on an organization level so we could default all repositories to allowing GitHub to do the scans, rather than requiring it on each repository individually (an individual override is fine, but a default would be so nice).
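The per-repository workflow the post describes, as an added example that is not part of the original post or of GitHub's own tooling: it audits each repository with GET /repos/{owner}/{repo}/vulnerability-alerts (204 means enabled, 404 disabled), then calls the documented PUT endpoints for vulnerability alerts and automated security fixes, and records which repositories refused the change. The organization name, repository list, token and the offline FakeGitHub stand-in are constructed for the example; the way FakeGitHub rejects a private repository whose read-only analysis setting is off is a model of the behaviour the post reports, not a statement of the exact status code GitHub returns.

```python
"""Audit and enable Dependabot alerts / automated security fixes per repository.

Added example, not from the original post. Assumes the documented GitHub REST
endpoints GET/PUT /repos/{owner}/{repo}/vulnerability-alerts and
PUT /repos/{owner}/{repo}/automated-security-fixes, called with a token that has
admin access to each repository. Names and the offline fake are constructed.
"""
import urllib.error
import urllib.request

API = "https://api.github.com"


def _status(method, path, token, opener=None):
    """Send one request and return the HTTP status; GitHub answers these
    endpoints with 204 (enabled / done) or 404 (disabled) and a 4xx on refusal."""
    req = urllib.request.Request(
        API + path,
        method=method,
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
        },
    )
    opener = opener or urllib.request.build_opener()  # real HTTP when no fake is passed
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def alerts_enabled(owner, repo, token, opener=None):
    return _status("GET", f"/repos/{owner}/{repo}/vulnerability-alerts", token, opener) == 204


def enable_alerts(owner, repo, token, opener=None):
    return _status("PUT", f"/repos/{owner}/{repo}/vulnerability-alerts", token, opener) == 204


def enable_security_fixes(owner, repo, token, opener=None):
    return _status("PUT", f"/repos/{owner}/{repo}/automated-security-fixes", token, opener) == 204


def enforce(owner, repos, token, opener=None):
    """Return {repo: 'already' | 'enabled' | 'failed'}. 'failed' is the case the
    post describes: a private repo without read-only analysis rejects the PUTs,
    so it is reported for manual follow-up instead of silently skipped."""
    result = {}
    for repo in repos:
        if alerts_enabled(owner, repo, token, opener):
            result[repo] = "already"
        elif enable_alerts(owner, repo, token, opener) and enable_security_fixes(owner, repo, token, opener):
            result[repo] = "enabled"
        else:
            result[repo] = "failed"
    return result


class _Resp:
    """Minimal context-manager response used by the offline fake below."""

    def __init__(self, status):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeGitHub:
    """Constructed offline stand-in for urllib's opener. Repos in `enabled`
    already have alerts on; repos not in `analysis_allowed` model private
    repositories whose read-only analysis setting is off and refuse the PUT."""

    def __init__(self, enabled, analysis_allowed):
        self.enabled = set(enabled)
        self.analysis_allowed = set(analysis_allowed)
        self.calls = []  # (method, url) log so a test can check what was sent

    def open(self, req):
        self.calls.append((req.get_method(), req.full_url))
        _owner, repo, resource = req.full_url.split("/repos/")[1].split("/")[:3]
        if req.get_method() == "GET" and resource == "vulnerability-alerts":
            if repo in self.enabled:
                return _Resp(204)
            raise urllib.error.HTTPError(req.full_url, 404, "Not Found", None, None)
        if req.get_method() == "PUT":
            if repo not in self.analysis_allowed:
                raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", None, None)
            self.enabled.add(repo)
            return _Resp(204)
        raise urllib.error.HTTPError(req.full_url, 405, "Method Not Allowed", None, None)


if __name__ == "__main__":
    # Constructed org/repo names; pass opener=None and a real token to run for real.
    fake = FakeGitHub(enabled={"web"}, analysis_allowed={"web", "api"})
    print(enforce("example-org", ["web", "api", "legacy"], "ghp_PLACEHOLDER", opener=fake))
    # → {'web': 'already', 'api': 'enabled', 'legacy': 'failed'}
```

Repositories reported as "failed" are the ones that still need the "Allow GitHub to perform read-only analysis of this repository" setting turned on by hand (or, if GitHub ever adds the organization-level default the post asks for, through that), so the script's output doubles as the to-do list for closing the gap.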