Enabling delegated alert dismissal for Dependabot

Increase your governance over your Dependabot alerts with delegated alert dismissal.

Who can use this feature?

Organization owners, security managers, and repository administrators can enable delegated alert dismissals. Once enabled, organization owners and security managers can dismiss alerts.

In this article

Note

The implementation of this approval process can potentially cause some friction, so it's important to ensure that the team of security managers has adequate coverage to review dismissal requests regularly before proceeding.

Configuring delegated dismissal for a repository

Note

If an organization owner configures delegated alert dismissal via an enforced security configuration, the settings can't be changed at the repository level.

  1. On GitHub, navigate to the main page of the repository.

  2. Under your repository name, click Settings. If you cannot see the "Settings" tab, select the dropdown menu, then click Settings.

    Screenshot of a repository header showing the tabs. The "Settings" tab is highlighted by a dark orange outline.

  3. In the "Security" section of the sidebar, click Advanced Security.

  4. In the "Dependabot" section, next to "Prevent direct alert dismissals", click Enable.

Configuring delegated dismissal for an organization

You must configure delegated dismissal for your organization using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your organization.

  1. Start creating or editing a custom security configuration. See Creating a custom security configuration.
  2. In the "Dependency scanning" section of your security configuration, set "Prevent direct alert dismissals" to Enabled.
  3. Click Save configuration.
  4. Apply the security configuration to repositories in your organization. See Applying a custom security configuration.

Configuring delegated dismissal for an enterprise

You must configure delegated dismissal for your enterprise using a custom security configuration. You can then apply the security configuration to all (or selected) repositories in your enterprise.

  1. Start creating or editing a custom security configuration. See Creating a custom security configuration for your enterprise.
  2. In the "Dependency scanning" section of your security configuration, set "Prevent direct alert dismissals" to Enabled.
  3. Click Save configuration.
  4. Apply the security configuration to repositories in your enterprise. See Applying a custom security configuration to your enterprise.

Next steps

Now that you have enabled delegated alert dismissal for Dependabot, you should regularly review alert dismissal requests to maintain an accurate alert count and unblock your developers. See Reviewing alert dismissal requests.