The GitHub Dependabot API lets you manage Dependabot alerts and secrets for repositories and organizations. It provides endpoints to list, get, and update Dependabot alerts for vulnerable dependencies, as well as create, update, and delete encrypted secrets that Dependabot uses to access private registries during version updates.
openapi: 3.1.0
info:
version: 1.1.4
title: github-repos-api
description: |-
Use the REST API to create, manage and control the workflow of public and
private GitHub repositories.
license:
name: MIT
url: https://spdx.org/licenses/MIT
termsOfService: https://docs.github.com/articles/github-terms-of-service
contact:
name: Support
url: https://support.github.com/contact
servers:
- url: '{protocol}://{hostname}'
variables:
hostname:
description: Self-hosted Enterprise Server hostname
default: api.github.com
protocol:
description: Self-hosted Enterprise Server protocol
default: https
externalDocs:
description: GitHub Enterprise Developer Docs
url: https://docs.github.com/[email protected]/rest/
tags:
- name: Alerts
- name: Create
- name: Delete
- name: Dependabot
- name: Get
- name: Keys
- name: Lists
- name: Public
- name: Repositories
description: Source control repositories.
- name: Secrets
- name: Update
paths:
/repos/{owner}/{repo}/dependabot/alerts:
get:
summary: GitHub List Dependabot Alerts for Repository
description: |-
OAuth app tokens and personal access tokens (classic) need the `security_events` scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the `public_repo` scope instead.
tags:
- Alerts
- Dependabot
- Lists
- Repositories
operationId: listDependabotAlertsForRepository
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/dependabot/alerts#list-dependabot-alerts-for-a-repository
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/dependabot-alert-comma-separated-states'
- $ref: '#/components/parameters/dependabot-alert-comma-separated-severities'
- $ref: '#/components/parameters/dependabot-alert-comma-separated-ecosystems'
- $ref: '#/components/parameters/dependabot-alert-comma-separated-packages'
- $ref: '#/components/parameters/dependabot-alert-comma-separated-manifests'
- $ref: '#/components/parameters/dependabot-alert-scope'
- $ref: '#/components/parameters/dependabot-alert-sort'
- $ref: '#/components/parameters/direction'
- name: page
description: |-
**Deprecated**. Page number of the results to fetch. Use cursor-based pagination with `before` or `after` instead.
deprecated: true
in: query
schema:
type: integer
default: 1
example: 42
- name: per_page
description: |-
The number of results per page (max 100). For more information, see "[Using pagination in the REST API](https://docs.github.com/[email protected]/rest/using-the-rest-api/using-pagination-in-the-rest-api)."
deprecated: true
in: query
schema:
type: integer
default: 30
example: 42
- $ref: '#/components/parameters/pagination-before'
- $ref: '#/components/parameters/pagination-after'
- $ref: '#/components/parameters/pagination-first'
- $ref: '#/components/parameters/pagination-last'
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
responses:
'200':
description: Response
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/dependabot-alert'
examples:
default:
$ref: '#/components/examples/dependabot-alerts-for-repository'
'304':
$ref: '#/components/responses/not_modified'
'400':
$ref: '#/components/responses/bad_request'
'403':
$ref: '#/components/responses/forbidden'
'404':
$ref: '#/components/responses/not_found'
'422':
$ref: '#/components/responses/validation_failed_simple'
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
previews: []
category: dependabot
subcategory: alerts
x-api-evangelist-certified: '2025-07-16'
x-api-naftiko-published: '2025-07-25'
security:
- bearerHttpAuthentication: []
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/repos/{owner}/{repo}/dependabot/alerts/{alert_number}:
get:
summary: GitHub Get Dependabot Alert
description: |-
OAuth app tokens and personal access tokens (classic) need the `security_events` scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the `public_repo` scope instead.
tags:
- Alerts
- Dependabot
- Get
operationId: getDependabotAlert
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/dependabot/alerts#get-a-dependabot-alert
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/dependabot-alert-number'
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
responses:
'200':
description: Response
content:
application/json:
schema:
$ref: '#/components/schemas/dependabot-alert'
examples:
default:
$ref: '#/components/examples/dependabot-alert-open'
'304':
$ref: '#/components/responses/not_modified'
'403':
$ref: '#/components/responses/forbidden'
'404':
$ref: '#/components/responses/not_found'
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
previews: []
category: dependabot
subcategory: alerts
security:
- bearerHttpAuthentication: []
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
patch:
summary: GitHub Update Dependabot Alert
description: |-
The authenticated user must have access to security alerts for the repository to use this endpoint. For more information, see "[Granting access to security alerts](https://docs.github.com/[email protected]/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts)."
OAuth app tokens and personal access tokens (classic) need the `security_events` scope to use this endpoint. If this endpoint is only used with public repositories, the token can use the `public_repo` scope instead.
tags:
- Alerts
- Dependabot
- Update
operationId: updateDependabotAlert
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/dependabot/alerts#update-a-dependabot-alert
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/dependabot-alert-number'
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
state:
type: string
description: |-
The state of the Dependabot alert.
`dismissed_reason` must be provided when setting the state to `dismissed`.
enum:
- dismissed
- open
dismissed_reason:
type: string
description: |-
**Required when `state` is `dismissed`.** reason for dismissing the alert.
enum:
- fix_started
- inaccurate
- no_bandwidth
- not_used
- tolerable_risk
dismissed_comment:
type: string
description: An optional comment associated with dismissing the alert.
maxLength: 280
required:
- state
additionalProperties: false
examples:
default:
value:
state: dismissed
dismissed_reason: tolerable_risk
dismissed_comment: This alert is accurate but we use a sanitizer.
responses:
'200':
description: Response
content:
application/json:
schema:
$ref: '#/components/schemas/dependabot-alert'
examples:
default:
$ref: '#/components/examples/dependabot-alert-dismissed'
'400':
$ref: '#/components/responses/bad_request'
'403':
$ref: '#/components/responses/forbidden'
'404':
$ref: '#/components/responses/not_found'
'409':
$ref: '#/components/responses/conflict'
'422':
$ref: '#/components/responses/validation_failed_simple'
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
previews: []
category: dependabot
subcategory: alerts
security:
- bearerHttpAuthentication: []
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/repos/{owner}/{repo}/dependabot/secrets:
get:
summary: GitHub List Repository Secrets
description: |-
Lists all secrets available in a repository without revealing their encrypted
values.
OAuth app tokens and personal access tokens (classic) need the `repo` scope to use this endpoint.
tags:
- Lists
- Repositories
- Secrets
operationId: listRepositoryDependabotSecrets
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/dependabot/secrets#list-repository-secrets
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/per-page'
- $ref: '#/components/parameters/page'
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
responses:
'200':
description: Response
content:
application/json:
schema:
type: object
required:
- total_count
- secrets
properties:
total_count:
type: integer
secrets:
type: array
items:
$ref: '#/components/schemas/dependabot-secret'
examples:
default:
$ref: '#/components/examples/dependabot-secret-paginated'
headers:
Link:
$ref: '#/components/headers/link'
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
category: dependabot
subcategory: secrets
security:
- bearerHttpAuthentication: []
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/repos/{owner}/{repo}/dependabot/secrets/public-key:
get:
summary: GitHub Get Repository Public Key
description: |-
Gets your public key, which you need to encrypt secrets. You need to
encrypt a secret before you can create or update secrets. Anyone with read access
to the repository can use this endpoint.
OAuth app tokens and personal access tokens (classic) need the `repo` scope to use this endpoint if the repository is private.
tags:
- Get
- Keys
- Public
- Repositories
operationId: getRepositoryDependabotSecretsPublicKey
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/dependabot/secrets#get-a-repository-public-key
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
responses:
'200':
description: Response
content:
application/json:
schema:
$ref: '#/components/schemas/dependabot-public-key'
examples:
default:
$ref: '#/components/examples/dependabot-public-key'
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
category: dependabot
subcategory: secrets
security:
- bearerHttpAuthentication: []
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
/repos/{owner}/{repo}/dependabot/secrets/{secret_name}:
get:
summary: GitHub Get Repository Secret
description: |-
Gets a single repository secret without revealing its encrypted value.
OAuth app tokens and personal access tokens (classic) need the `repo` scope to use this endpoint.
tags:
- Get
- Repositories
- Secrets
operationId: getRepositoryDependabotSecret
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/dependabot/secrets#get-a-repository-secret
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/secret-name'
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
responses:
'200':
description: Response
content:
application/json:
schema:
$ref: '#/components/schemas/dependabot-secret'
examples:
default:
$ref: '#/components/examples/dependabot-secret'
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
category: dependabot
subcategory: secrets
security:
- bearerHttpAuthentication: []
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
put:
summary: GitHub Create or Update Repository Secret
description: |-
Creates or updates a repository secret with an encrypted value. Encrypt your secret using
[LibSodium](https://libsodium.gitbook.io/doc/bindings_for_other_languages). For more information, see "[Encrypting secrets for the REST API](https://docs.github.com/[email protected]/rest/guides/encrypting-secrets-for-the-rest-api)."
OAuth app tokens and personal access tokens (classic) need the `repo` scope to use this endpoint.
tags:
- Create
- Repositories
- Secrets
- Update
operationId: createOrUpdateRepositoryDependabotSecret
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/dependabot/secrets#create-or-update-a-repository-secret
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/secret-name'
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
encrypted_value:
type: string
description: |-
Value for your secret, encrypted with [LibSodium](https://libsodium.gitbook.io/doc/bindings_for_other_languages) using the public key retrieved from the [Get repository public key](https://docs.github.com/[email protected]/rest/dependabot/secrets#get-a-repository-public-key) endpoint.
pattern: |-
^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$
key_id:
type: string
description: ID of the key you used to encrypt the secret.
examples:
default:
value:
encrypted_value: c2VjcmV0
key_id: '012345678912345678'
responses:
'201':
description: Response when creating a secret
content:
application/json:
schema:
$ref: '#/components/schemas/empty-object'
examples:
default:
value: {}
'204':
description: Response when updating a secret
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
category: dependabot
subcategory: secrets
security:
- bearerHttpAuthentication: []
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
delete:
summary: GitHub Delete Repository Secret
description: |-
Deletes a secret in a repository using the secret name.
OAuth app tokens and personal access tokens (classic) need the `repo` scope to use this endpoint.
tags:
- Delete
- Repositories
- Secrets
operationId: deleteRepositoryDependabotSecret
externalDocs:
description: API method documentation
url: |-
https://docs.github.com/[email protected]/rest/dependabot/secrets#delete-a-repository-secret
parameters:
- $ref: '#/components/parameters/owner'
- $ref: '#/components/parameters/repo'
- $ref: '#/components/parameters/secret-name'
- in: header
name: Authorization
schema:
type: string
example: example_value
- in: header
name: X-GitHub-Api-Version
schema:
type: string
default: '2022-11-28'
example: example_value
- in: header
name: Accept
schema:
type: string
default: application/vnd.github+json
example: example_value
responses:
'204':
description: Response
x-github:
githubCloudOnly: false
enabledForGitHubApps: true
category: dependabot
subcategory: secrets
security:
- bearerHttpAuthentication: []
x-microcks-operation:
delay: 0
dispatcher: FALLBACK
components:
schemas:
nullable-simple-user:
title: Simple User
description: GitHub user.
type: object
properties:
name:
type: string
example: octocat
email:
type: string
example: [email protected]
login:
type: string
example: octocat
id:
type: integer
format: int64
example: 1
node_id:
type: string
example: MDQ6VXNlcjE=
avatar_url:
type: string
format: uri
example: https://github.com/images/error/octocat_happy.gif
gravatar_id:
type: string
example: 41d064eb2195891e12d0413f63227ea7
url:
type: string
format: uri
example: https://api.github.com/users/octocat
html_url:
type: string
format: uri
example: https://github.com/octocat
followers_url:
type: string
format: uri
example: https://api.github.com/users/octocat/followers
following_url:
type: string
example: https://api.github.com/users/octocat/following{/other_user}
gists_url:
type: string
example: https://api.github.com/users/octocat/gists{/gist_id}
starred_url:
type: string
example: https://api.github.com/users/octocat/starred{/owner}{/repo}
subscriptions_url:
type: string
format: uri
example: https://api.github.com/users/octocat/subscriptions
organizations_url:
type: string
format: uri
example: https://api.github.com/users/octocat/orgs
repos_url:
type: string
format: uri
example: https://api.github.com/users/octocat/repos
events_url:
type: string
example: https://api.github.com/users/octocat/events{/privacy}
received_events_url:
type: string
format: uri
example: https://api.github.com/users/octocat/received_events
type:
type: string
example: User
site_admin:
type: boolean
example: true
starred_at:
type: string
example: '"2020-07-09T00:17:55Z"'
required:
- avatar_url
- events_url
- followers_url
- following_url
- gists_url
- gravatar_id
- html_url
- id
- node_id
- login
- organizations_url
- received_events_url
- repos_url
- site_admin
- starred_url
- subscriptions_url
- type
- url
basic-error:
title: Basic Error
description: Basic Error
type: object
properties:
message:
type: string
example: Example body text
documentation_url:
type: string
example: https://api.github.com/repos/octocat/Hello-World
url:
type: string
example: https://api.github.com/repos/octocat/Hello-World
status:
type: string
example: open
validation-error-simple:
title: Validation Error Simple
description: Validation Error Simple
type: object
required:
- message
- documentation_url
properties:
message:
type: string
example: Example body text
documentation_url:
type: string
example: https://api.github.com/repos/octocat/Hello-World
errors:
type: array
items:
type: string
scim-error:
title: Scim Error
description: Scim Error
type: object
properties:
message:
type: string
example: Example body text
documentation_url:
type: string
example: https://api.github.com/repos/octocat/Hello-World
detail:
type: string
example: example_value
status:
type: integer
example: 42
scimType:
type: string
example: User
schemas:
type: array
items:
type: string
alert-number:
type: integer
description: The security alert number.
readOnly: true
alert-created-at:
type: string
description: |-
The time that the alert was created in ISO 8601 format: `YYYY-MM-DDTHH:MM:SSZ`.
format: date-time
readOnly: true
alert-updated-at:
type: string
description: |-
The time that the alert was last updated in ISO 8601 format: `YYYY-MM-DDTHH:MM:SSZ`.
format: date-time
readOnly: true
alert-url:
type: string
description: The REST API URL of the alert resource.
format: uri
readOnly: true
alert-html-url:
type: string
description: The GitHub URL of the alert resource.
format: uri
readOnly: true
alert-fixed-at:
type: string
description: |-
The time that the alert was no longer detected and was considered fixed in ISO 8601 format: `YYYY-MM-DDTHH:MM:SSZ`.
format: date-time
readOnly: true
alert-dismissed-at:
type: string
description: |-
The time that the alert was dismissed in ISO 8601 format: `YYYY-MM-DDTHH:MM:SSZ`.
format: date-time
readOnly: true
dependabot-alert-package:
type: object
description: Details for the vulnerable package.
readOnly: true
properties:
ecosystem:
type: string
description: The package's language or package management ecosystem.
readOnly: true
example: example_value
name:
type: string
description: The unique package name within its ecosystem.
readOnly: true
example: octocat
required:
- ecosystem
- name
additionalProperties: false
dependabot-alert-security-vulnerability:
type: object
description: Details pertaining to one vulnerable version range for the advisory.
readOnly: true
properties:
package:
$ref: '#/components/schemas/dependabot-alert-package'
severity:
type: string
description: The severity of the vulnerability.
readOnly: true
enum:
- low
- medium
- high
- critical
example: low
vulnerable_version_range:
type: string
description: |-
Conditions that identify vulnerable versions of this vulnerability's package.
readOnly: true
example: example_value
first_patched_version:
type: object
description: |-
Details pertaining to the package version that patches this vulnerability.
readOnly: true
properties:
identifier:
type: string
description: The package version that patches this vulnerability.
readOnly: true
required:
- identifier
additionalProperties: false
required:
- package
- severity
- vulnerable_version_range
- first_patched_version
additionalProperties: false
dependabot-alert-security-advisory:
type: object
description: Details for the GitHub Security Advisory.
readOnly: true
properties:
ghsa_id:
type: string
description: The unique GitHub Security Advisory ID assigned to the advisory.
readOnly: true
example: '12345678'
cve_id:
type: string
description: The unique CVE ID assigned to the advisory.
readOnly: true
example: '12345678'
summary:
type: string
description: short, plain text summary of the advisory.
readOnly: true
maxLength: 1024
example: example_value
description:
type: string
description: long-form Markdown-supported description of the advisory.
readOnly: true
example: This is an example repository
vulnerabilities:
type: array
description: Vulnerable version range information for the advisory.
readOnly: true
items:
$ref: '#/components/schemas/dependabot-alert-security-vulnerability'
severity:
type: string
description: The severity of the advisory.
readOnly: true
enum:
- low
- medium
- high
- critical
example: low
cvss:
type: object
description: |-
Details for the advisory pertaining to the Common Vulnerability Scoring System.
readOnly: true
properties:
score:
type: number
description: The overall CVSS score of the advisory.
minimum: 0
maximum: 10
readOnly: true
vector_string:
type: string
description: The full CVSS vector string for the advisory.
readOnly: true
required:
- score
- vector_string
additionalProperties: false
cwes:
type: array
description: Details for the advisory pertaining to Common Weakness Enumeration.
readOnly: true
items:
type: object
description: CWE weakness assigned to the advisory.
readOnly: true
properties:
cwe_id:
type: string
description: The unique CWE ID.
readOnly: true
name:
type: string
description: The short, plain text name of the CWE.
readOnly: true
required:
- cwe_id
- name
additionalProperties: false
identifiers:
type: array
description: |-
Values that identify this advisory among security information sources.
readOnly: true
items:
type: object
description: An advisory identifier.
readOnly: true
properties:
type:
type: string
description: The type of advisory identifier.
readOnly: true
enum:
- CVE
- GHSA
value:
type: string
description: The value of the advisory identifer.
readOnly: true
required:
- value
- type
additionalProperties: false
references:
type: array
description: Links to additional advisory information.
readOnly: true
items:
type: object
description: link to additional advisory information.
readOnly: true
properties:
url:
type: string
description: The URL of the reference.
format: uri
readOnly: true
required:
- url
additionalProperties: false
published_at:
type: string
description: |-
The
# --- truncated at 32 KB (60 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/github/refs/heads/main/openapi/github-repo-dependabot-api-openapi.yml