Please enable API-based permission management to dependabot vulnerability alerts

We wrote our own declarative tool (shameless plug: GitHub - optile/ghconf: A tool to configure a Github org, its users and its repos through the GitHub API (under development)) for repository management and have since turned off most manual access to repository settings. One side effect is that the vulnerability detection on our 700+ repositories is completely and utterly useless, as nobody who can actually do anything about them can see them.

Dear GitHub, can we please get API access to manage the permissions that are currently already available via the website?

1 Like

Hey there @jdelic :wave:

Thanks so much for joining the Community, and for your post, here! Since Dependabot is listed publicly, I would recommend submitting your idea directly in a new issue, here:

Though I certainly understand why this programmability is valuable!


Since Dependabot is listed publicly, I would recommend submitting your idea directly in a new issue

Just to make sure: The dependabot repo covers the GitHub repo permission REST APIs?

Hey @jdelic, that’s a great distinction to call out. Dependabot has its own API functionality:

…which is unique from our REST and GraphQL APIs.

It might be legitimate to question my idea, since maybe the API improvement wouldn’t come from Dependabot itself, but available on our underlying platform that Dependabot would leverage later.

So with that in mind, the issue in the Dependabot repo isn’t a bad idea but perhaps submitting via our generic form, here:

…is preferable.

Beyond that, I did do a bit of research and found that we have an internal issue tracking a number of user requests. I’ve now added this thread to that internal issue as well, to help bump the convo, and add your +1.

So I’d say from here? It’s up to you whether you want to submit via our form, or an issue in Dependabot. If you’re satisfied that I’ve added this thread to our existing internal issue, that’s cool too!

Thanks again for calling out that distinction.

Wrote a simple shell script to automate this: Grant Security Alert Permission on GitHub Org Script · GitHub

It is very surprising that this isn’t an org-wide setting (the security team at most orgs should have visibility into this org-wide).