dependabot-nudge
Scan org repos for open Dependabot alerts at or above a severity threshold and build notification messages for maintainers. Use when the user wants to check or nudge about Dependabot vulnerabilities.
| Field | Value |
|---|---|
| name | dependabot-nudge |
| description | Scan org repos for open Dependabot alerts at or above a severity threshold and build notification messages for maintainers. Use when the user wants to check or nudge about Dependabot vulnerabilities. |
| argument-hint | [org] |
| allowed-tools | Bash(node *) |
Scan all repositories in a GitHub organization for open Dependabot alerts and build formatted notification messages for maintainers.
Run from the project root:

```bash
# Scan an org with default settings (high+ severity)
node run.js ./src/dependabotNudge.js --org=brave

# Custom severity threshold
node run.js ./src/dependabotNudge.js --org=brave --minlevel=critical

# Debug mode (verbose + dry-run for assignee patching)
node run.js ./src/dependabotNudge.js --org=brave --debug=true

# Skip specific repos
node run.js ./src/dependabotNudge.js --org=brave --skipRepositories=chromium,large-repo

# Single output message (joined string instead of array)
node run.js ./src/dependabotNudge.js --org=brave --singleOutputMessage=true
```
| Parameter | Required | Default | Description |
|---|---|---|---|
| `--org` | Yes | - | GitHub organization name |
| `--githubToken` | No | `$GITHUB_TOKEN` | GitHub PAT |
| `--minlevel` | No | `high` | Minimum severity: `low`, `medium`, `high`, `critical` |
| `--debug` | No | `false` | Verbose logging and dry-run |
| `--skipRepositories` | No | `chromium` | Comma-separated repo names to skip |
| `--skipHotwords` | No | DoS-related terms | Comma-separated advisory keywords to skip |
| `--defaultContact` | No | `yan` | Comma-separated fallback GitHub usernames |
| `--singleOutputMessage` | No | `false` | Return a single joined string |
Returns an array of `{ repo, message }` objects (one per repo with alerts), or a single joined Markdown string if `singleOutputMessage` or `debug` is true.
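The filtering and message-building behaviour described by the parameters above, as an added example that is not the project's own `dependabotNudge.js`: it applies the `--minlevel`, `--skipRepositories` and `--skipHotwords` rules to constructed alert objects (loosely shaped like the GitHub Dependabot alerts API response) and returns the documented array-or-string result. The default hotword list here is an assumption, as is the message wording.

```javascript
// Added example, not the project's code: mirror the documented filters
// (--minlevel, --skipRepositories, --skipHotwords) over constructed alert
// objects loosely shaped like the GitHub Dependabot alerts API response.
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Constructed sample input; only the fields this example reads are present.
const SAMPLE_ALERTS = [
  { repository: { name: 'web-app' }, number: 12, state: 'open', dependency: { package: { name: 'lodash' } },
    security_advisory: { severity: 'critical', summary: 'Prototype pollution in lodash' } },
  { repository: { name: 'web-app' }, number: 9, state: 'open', dependency: { package: { name: 'semver' } },
    security_advisory: { severity: 'medium', summary: 'Regular expression DoS in semver' } },
  { repository: { name: 'api' }, number: 3, state: 'open', dependency: { package: { name: 'undici' } },
    security_advisory: { severity: 'high', summary: 'Denial of service via crafted header' } },
  { repository: { name: 'chromium' }, number: 7, state: 'open', dependency: { package: { name: 'libxml2' } },
    security_advisory: { severity: 'critical', summary: 'Use after free in parser' } },
  { repository: { name: 'api' }, number: 5, state: 'dismissed', dependency: { package: { name: 'minimist' } },
    security_advisory: { severity: 'high', summary: 'Prototype pollution in minimist' } },
  { repository: { name: 'api' }, number: 8, state: 'open', dependency: { package: { name: 'tar' } },
    security_advisory: { severity: 'high', summary: 'Path traversal in tar' } },
];

// Split a comma-separated option the way the CLI flags are documented.
function parseList(value, fallback) {
  return String(value ?? fallback).split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Returns [{ repo, message }] for each repo with qualifying open alerts, or a
// single joined Markdown string when singleOutputMessage or debug is set.
function buildNudges(alerts, opts = {}) {
  const minlevel = (opts.minlevel || 'high').toLowerCase();
  const minRank = SEVERITY_RANK[minlevel];
  if (minRank === undefined) throw new Error(`unknown severity: ${minlevel}`);
  const skipRepos = new Set(parseList(opts.skipRepositories, 'chromium'));
  const hotwords = parseList(opts.skipHotwords, 'denial of service'); // assumed default
  const byRepo = new Map();
  for (const a of alerts) {
    const repo = a.repository.name;
    const { severity, summary } = a.security_advisory;
    if (a.state !== 'open' || skipRepos.has(repo.toLowerCase())) continue;
    if ((SEVERITY_RANK[severity.toLowerCase()] ?? -1) < minRank) continue; // below threshold
    if (hotwords.some((h) => summary.toLowerCase().includes(h))) continue; // e.g. DoS-only advisories
    if (!byRepo.has(repo)) byRepo.set(repo, []);
    byRepo.get(repo).push(`- #${a.number} [${severity}] ${a.dependency.package.name}: ${summary}`);
  }
  const out = [...byRepo].map(([repo, lines]) => ({
    repo,
    message: `*${repo}*: ${lines.length} open Dependabot alert(s) at ${minlevel} or above\n${lines.join('\n')}`,
  }));
  return opts.singleOutputMessage || opts.debug ? out.map((o) => o.message).join('\n\n') : out;
}
```

Passing `skipHotwords: ''` disables the hotword filter entirely, which is the case to check before trusting a quiet run.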
Requirements:

- `.env` file with `GITHUB_TOKEN` (needs repo + org read permissions)
- `GH_TO_SLACK_USER_MAP` for Slack handle resolution
- `run.js` entry point automatically loads `.env` credentials

--skipHotwords)