GitHub
GitHub Dependabot Alerts
Retrieves Dependabot vulnerability alerts from GitHub repositories, organizations, or enterprises.
Sync Type: Incremental
Requirements
Before configuring this input, you need to:
-
Create a Personal Access Token (PAT) — GitHub docs.
- Go to your GitHub settings
- Navigate to Developer settings > Personal access tokens > Tokens (classic)
- Click "Generate new token (classic)"
- Select the
security_eventsscope - Copy and securely store the generated token
-
Required Permissions:
- The PAT must have the
security_eventsscope to access Dependabot alerts - For enterprise scope: You must be an enterprise admin
- For organization scope: You must have admin access to the organization
- For repository scope: You must have admin access to the repository
- The PAT must have the
-
GitHub Version:
- This input uses GitHub API v2026-03-10
- Minimum GitHub Enterprise Server version: GHES 3.5+
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| source | string | Yes | Scope for fetching alerts: enterprise, organization, or repository |
| enterprise | string | Conditional* | Enterprise slug (required when source=enterprise) |
| organization | string | Conditional* | Organization name (required when source=organization) |
| owner | string | Conditional* | Repository owner login (required when source=repository) |
| repository | string | Conditional* | Repository name (required when source=repository) |
| state | array | No | Filter alerts by state: open, fixed, dismissed, auto_dismissed |
| severity | array | No | Filter alerts by severity: low, medium, high, critical |
| backfill_start_time | string | No | Date to start fetching data from in RFC3339 format. If not specified, no past records will be fetched. |
| use_synthetic_data | boolean | No | Generate synthetic demo data instead of connecting to the real data source |
| API Rate Limit | object | No | Optional limit on the connector's outbound request rate to the source API. Leave blank to use the connector's default behavior. See API Rate Limiting for the field format, limits, and how to choose a value. |
*Conditional: Required based on the selected source
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| personal_access_token | string | Yes | GitHub Personal Access Token with security_events scope |
Filtering Behavior
When using state or severity filters:
- Multiple values in the same filter are combined with OR logic (e.g.,
state: ["open", "fixed"]returns open OR fixed alerts) - If you filter by a state or severity that has no matching alerts, no records are sent for that batch
Alert States and Severity Levels
Alert States
- open — The alert is currently active and unresolved
- fixed — The vulnerability has been fixed (typically by updating the dependency)
- dismissed — The alert was manually dismissed by a user
- auto_dismissed — The alert was automatically dismissed (e.g., dependency removed or updated)
Severity Levels
- low — Minor vulnerabilities with limited impact
- medium — Moderate vulnerabilities requiring attention
- high — Serious vulnerabilities that should be prioritized
- critical — Critical vulnerabilities requiring immediate action
Common Configuration Scenarios
Monitor All Alerts in an Organization
Code
Track Only High-Risk Vulnerabilities
Code
Repository-Specific Monitoring
Code
Enterprise-Wide Coverage
Code
Troubleshooting
Rate Limit Errors
Error: "rate limited by GitHub API: retry after X seconds"
Solution:
- The input automatically handles rate limiting by respecting GitHub's retry-after headers
- If you're hitting limits, consider:
- Using more specific filters (e.g., filter by severity or state)
- Running syncs at off-peak hours
- Checking if other integrations are using the same token
Authentication Errors
Error: "invalid credentials - please verify your personal access token"
Solution:
- Verify the PAT hasn't expired
- Ensure the PAT has the
security_eventsscope - Confirm the PAT is valid and properly formatted
Error: "insufficient permissions - token requires security_events scope"
Solution:
- Regenerate the PAT with the
security_eventsscope enabled - Verify the token has appropriate access to the selected enterprise, organization, or repository
No Data Retrieved
Error: No alerts are synced despite configuration appearing correct
Solutions:
- Verify the enterprise slug, organization name, owner, or repository name is correct
- Check if there are actually alerts in the selected scope
- Confirm you have appropriate permissions (admin access required)
- If using filters, verify the filter criteria match existing alerts
- Check if alerts are outside your backfill_start_time window
Connection Test Failures
Error: "not found - verify your [scope] name and access permissions"
Solution:
- For enterprise: Verify you are an enterprise admin and the slug is correct
- For organization: Verify the organization exists and you have admin access
- For repository: Verify the owner/repo combination is correct and you have admin access
- Ensure your PAT grants access to the specified resource
Related Articles
- GitHub Dependabot Documentation
- GitHub REST API Rate Limits
- GitHub Personal Access Tokens
- Dependabot Alerts API Reference
Sample Record
Code
Last modified on