Security
Security settings correspond to the Advanced Security section of the GitHub repository settings UI. They are grouped under the security key on the repository spec:
spec: security: vulnerability_alerts: true automated_security_fixes: true private_vulnerability_reporting: true| Field | Type | Description |
|---|---|---|
vulnerability_alerts | bool | Enable Dependabot vulnerability alerts |
automated_security_fixes | bool | Enable Dependabot security updates (auto-PRs that fix vulnerabilities). Requires vulnerability_alerts: true on GitHub side |
private_vulnerability_reporting | bool | Allow security researchers to privately report vulnerabilities |
Field dependencies
Section titled “Field dependencies”automated_security_fixes requires vulnerability_alerts to be effectively enabled (per GitHub’s API). gh-infra evaluates this at plan time using both the manifest and the current GitHub state, and rejects the plan if the dependency cannot be satisfied:
- If
vulnerability_alerts: trueis set in the same manifest, the plan succeeds andapplyenables alerts before fixes (ordering is guaranteed). - If
vulnerability_alertsis omitted from the manifest, gh-infra falls back to the repository’s current GitHub state (omission means “leave as-is”). The plan succeeds only when alerts are already enabled on GitHub. - If
vulnerability_alerts: falseis set explicitly, the plan fails with a clear error.
private_vulnerability_reporting has no dependency on the other fields and can be toggled independently.
Vulnerability Alerts
Section titled “Vulnerability Alerts”Enable or disable Dependabot vulnerability alerts:
spec: security: vulnerability_alerts: trueRequired for tools like Renovate’s osvVulnerabilityAlerts that integrate with Dependabot.
Automated Security Fixes
Section titled “Automated Security Fixes”Enable or disable Dependabot security updates — automated pull requests that resolve open Dependabot alerts:
spec: security: automated_security_fixes: trueRequires vulnerability_alerts to be effectively enabled — see Field dependencies above.
Private Vulnerability Reporting
Section titled “Private Vulnerability Reporting”Allow security researchers to privately report vulnerabilities through GitHub’s security advisory workflow:
spec: security: private_vulnerability_reporting: true