Cloud Agent GitHub integration cannot read dependabot security advisories

I encountered the following issue with a Cloud Agent when trying to run it against dependabot. Is there a solution for this for Cloud Agents without requiring a PAT?

#############

The security-alert pipeline uses GitHub Dependabot/security alert data, which needs a different permission:

  • vulnerability_alerts: read

REST confirmed the token lacks that permission:

403 Resource not accessible by integration

X-Accepted-Github-Permissions: vulnerability_alerts=read

I also checked node-shared and got the same REST 403 for Dependabot alerts. So the agent was able to see Dependabot PRs, but not Dependabot vulnerability alerts.

The confusing part is GitHub GraphQL returned:

vulnerabilityAlerts.totalCount: 0

instead of an explicit permission error. That made the run incorrectly conclude there were no alerts.

Hi Tom!
Your diagnosis is spot-on. The Cloud Agent’s GitHub installation token doesn’t include the vulnerability_alerts permission, so Dependabot security advisory data is inaccessible. The GraphQL behavior you flagged (silently returning 0 instead of an error) is a known GitHub API quirk that makes this harder to catch.

Right now, the only workaround is a Personal Access Token:

  1. Create a fine-grained PAT on GitHub with the Security events (or vulnerability_alerts: read) permission for the repos you need

  2. Add it as GH_TOKEN=github_pat_... in your Cloud Agent Secrets

After that, the gh CLI in the agent sandbox will authenticate with your PAT instead of the built-in token, and Dependabot alert API calls should work.

This is part of a broader gap in the Cloud Agent’s GitHub permission set that our team is aware of and tracking.
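An added check (example code, not from this thread or the Cloud Agent product) that applies the point raised above: a GraphQL `vulnerabilityAlerts.totalCount` of 0 is treated as untrusted until the REST Dependabot alerts call confirms the token holds `vulnerability_alerts: read`. Function names and the sample responses are constructed here from the 403 status, the `X-Accepted-Github-Permissions` header and the zero count quoted in the thread.

```python
"""Added example: decide whether a Dependabot alert count can be trusted.

GitHub GraphQL silently returns totalCount 0 when the installation token
lacks vulnerability_alerts:read, while the REST endpoint answers 403 and
names the missing permission in X-Accepted-Github-Permissions. A zero is
therefore only reported when REST succeeded (helper names are hypothetical).
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class RestResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Any = None  # list of alerts on 200, error object otherwise


def missing_permissions(resp: RestResponse) -> List[str]:
    """Permissions the token lacks, parsed from the 403 header (empty otherwise)."""
    if resp.status != 403:
        return []
    lowered = {k.lower(): v for k, v in resp.headers.items()}
    accepted = lowered.get("x-accepted-github-permissions", "")
    return [p.strip() for p in accepted.split(",") if p.strip()]


def trusted_alert_count(graphql_total: int, rest: RestResponse) -> Optional[int]:
    """Alert count if the token can really read alerts, else None.

    None means "unknown, do not conclude there are no alerts".
    """
    if graphql_total > 0:
        return graphql_total  # a non-zero count is never a permission artefact
    if missing_permissions(rest):
        return None  # the quiet GraphQL zero was a permission gap
    if rest.status == 200 and isinstance(rest.body, list):
        return len(rest.body)
    return None  # any other status: refuse to report zero


# Constructed sample responses mirroring what the thread reports.
FORBIDDEN = RestResponse(
    403,
    {"X-Accepted-Github-Permissions": "vulnerability_alerts=read"},
    {"message": "Resource not accessible by integration"},
)
EMPTY_OK = RestResponse(200, {}, [])
ONE_ALERT = RestResponse(200, {}, [{"number": 1, "state": "open"}])

if __name__ == "__main__":
    print("missing:", missing_permissions(FORBIDDEN))      # ['vulnerability_alerts=read']
    print("count:", trusted_alert_count(0, FORBIDDEN))      # None, not 0
```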

Thanks for the clarification Mohit.