[Missing API] Add dependabot_malware_alerts to security_and_analysis on PATCH /repos/{owner}/{repo} #6251
Description
Missing dependabot_malware_alerts in security_and_analysis (PATCH /repos)
The security_and_analysis object on the Update a repository endpoint currently supports toggling:
- dependabot_security_updates
- secret_scanning
- secret_scanning_push_protection
- secret_scanning_non_provider_patterns
- secret_scanning_validity_checks
However, Dependabot malware alerts - which is a separate toggle in the repository settings UI under Security → Advanced Security - has no corresponding field in the API.
Why this matters
I maintain tooling that manages GitHub security settings across ~80+ repositories. Everything else can be configured via the REST API, but malware alerts require either clicking through the UI for each repo or setting up an org-wide security configuration (which requires org admin).
Having a dependabot_malware_alerts field in security_and_analysis (both GET and PATCH) would make it possible to:
- Enable malware alerts in bulk across many repos
- Audit whether it's enabled as part of compliance checks
- Include it in IaC / GitOps workflows alongside the other security toggles
Expected behavior
// PATCH /repos/{owner}/{repo}
{
  "security_and_analysis": {
    "dependabot_malware_alerts": {
      "status": "enabled"
    }
  }
}

And the GET response should include the current state, same as the other fields.
Current workaround
Manual toggle per repo via the UI, or org-level security configurations (requires org admin).
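
The audit and bulk-enable use cases above, as an added example that is not part of the original issue or GitHub's own code: it classifies each toggle in a repository's GET response as enabled, disabled or not reported, and builds a PATCH body only for toggles the API reported as disabled. The sample response and the function names are constructed for illustration, and `dependabot_malware_alerts` is the field the issue proposes, so it comes back as not reported.

```python
import json

# Toggles the issue lists as currently supported on PATCH /repos/{owner}/{repo}.
SUPPORTED = (
    "dependabot_security_updates",
    "secret_scanning",
    "secret_scanning_push_protection",
    "secret_scanning_non_provider_patterns",
    "secret_scanning_validity_checks",
)
# Field proposed in the issue; per the issue it is not in the API today.
PROPOSED = "dependabot_malware_alerts"


def audit(repo, required=SUPPORTED + (PROPOSED,)):
    """Map each required toggle to 'enabled', 'disabled' or 'not_reported'."""
    saa = repo.get("security_and_analysis") or {}
    return {
        name: (saa.get(name) or {}).get("status", "not_reported")
        for name in required
    }


def patch_body(result):
    """Build a PATCH body enabling only toggles the API reported as disabled."""
    fixes = {n: {"status": "enabled"} for n, s in result.items() if s == "disabled"}
    return {"security_and_analysis": fixes} if fixes else None


def unverifiable(result):
    """Toggles the API did not report; these need a manual or org-level check."""
    return sorted(n for n, s in result.items() if s == "not_reported")

# Constructed sample of a GET /repos/{owner}/{repo} response (not real data).
SAMPLE = {
    "full_name": "example-org/example-repo",
    "security_and_analysis": {
        "dependabot_security_updates": {"status": "enabled"},
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "disabled"},
        "secret_scanning_non_provider_patterns": {"status": "disabled"},
        "secret_scanning_validity_checks": {"status": "enabled"},
    },
}

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(json.dumps(patch_body(result), indent=2))
    print("cannot audit via API:", unverifiable(result))
```

Keeping "not reported" separate from "disabled" stops a compliance report from treating a setting the API cannot see as either passing or failing.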