Is it possible to assign a GitHub Team to receive Dependabot Alerts?

[Rod-at-DOH]

Select Topic Area

Question

Body

We're working on using Dependabot more where I work. I've used Dependabot a little on some personal projects I have, but not on a work-related repos in our Enterprise Organization. I enabled Dependency Graph for an active repo. Then I went to enable Dependabot Alerts but found it would only allow me to assign myself to receive Dependabot Alerts. This leads me to ask some questions.

First, is it possible to assign a GitHub Team to receive Dependabot Alerts? If so, how is that done?

Second, is it possible to enable Dependabot Alerts, but not assign anyone to receive them? So, each person would have to look at the Security tab in their browser, to see what alerts there may be? (I am not involved in actively development on this repo, so I believe it is appropriate that developers actively working on the repo, receive Dependabot Alerts.)

Third, have I misunderstood how Dependabot Alerts are to be received? Is it the case that Dependabot Alerts are something that each person who wants to receive them, should opt-in to receive them?

[DumbNoxx]

Yes, it's possible to assign dependabot alerts to a team.

According to what I have read in some forums these would be the steps:

1. Assigning a Team for Notifications

Yes, you can assign a team to receive Dependabot notifications instead of an individual user. This is often the recommended approach
for managing responsibilities within a group.

To do this, follow these steps:

1. Navigate to the repository in question.
2. Go to Settings.
3. In the left-hand menu, under the "Security" section, click on Code security and analysis.
4. Locate the "Dependabot alerts" section.
5. In the notification delivery field, you can remove any individual users and begin typing the name of a team that has write access
   to the repository. GitHub will auto-complete it. Select the team and save your changes.

Using teams ensures that the appropriate group is notified and can collectively manage the alerts.

2. Enabling Alerts Without Proactive Notifications

You can enable Dependabot alerts without designating anyone to receive notifications. In this scenario, alerts will still be
generated and will be visible to anyone with the appropriate permissions on the repository's Security tab.

However, no one will receive proactive notifications (e.g., emails or UI alerts). This approach relies on developers having the
discipline to regularly check the Security tab for potential issues.

3. Understanding How the Notification System Works

The system is not exclusively opt-in; it combines two different models:

• Direct Assignment (A "Push" System): This is the primary notification method configured in the repository's settings, as explained
  in the first point. It allows you to explicitly assign responsibility to a specific team or individual who will be actively
  notified when a new alert is created.

• Individual Subscription (A "Pull" / Opt-in System): Any user with access to the repository can personally choose to "Watch" it. By
  adjusting their personal notification settings (github.com/settings/notifications), they can opt-in to receive security alerts for
  all repositories they are watching. This is a personal choice for staying informed and does not imply direct responsibility for
  resolving the alerts.

In summary, you have a central configuration for assigning direct responsibility and a separate, individual option for anyone who
wishes to stay informed.

Maybe someone can correct me if I'm wrong...

[Rod-at-DOH]

Thank you! This is exactly what I was looking for and I am very glad that GitHub Dependabot Alerts will work this way! Although I will make some changes to what you wrote. I went to the "Security" section on the left-hand menu, but there is not Code security and analysis. Instead, I selected "Advanced Security". I'm wondering if I happen to have a different view.