Fix Dependabot Security Alerts That Don't Open Pull Requests

Alex Smolen

Dependabot catches security vulnerabilities and opens pull requests to fix them. Except when it doesn’t. If Dependabot can’t create a PR for a security alert, dependabot-wolf automatically sends the details to Copilot to figure it out. It’s a GitHub Action that monitors Dependabot security alerts and automatically sends any without PRs to GitHub Copilot for resolution.

How it works:

  1. Checks for Dependabot security alerts that don’t have pull requests
  2. Extracts the vulnerability details and dependency conflict information
  3. Creates an issue containing that context and assigns it to Copilot
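
The triage in steps 1 to 3 can be sketched as follows. This is an added example, not dependabot-wolf's own code: it assumes the shape of GitHub's GraphQL `vulnerabilityAlerts` query with its `dependabotUpdate { pullRequest error }` field, and the alerts, package names and GHSA ids below are constructed placeholders.

```python
# Added example (not dependabot-wolf's code); assumes the GraphQL
# `vulnerabilityAlerts { dependabotUpdate { pullRequest error } }` shape.
# Constructed sample alerts (placeholder GHSA ids and package names).
SAMPLE_ALERTS = [
    {   # Dependabot opened PR #42: nothing to do
        "number": 7, "state": "OPEN",
        "securityVulnerability": {
            "package": {"ecosystem": "NPM", "name": "example-pkg"},
            "severity": "HIGH", "vulnerableVersionRange": "< 2.0.0",
            "firstPatchedVersion": {"identifier": "2.0.0"},
            "advisory": {"ghsaId": "GHSA-xxxx-xxxx-xxxx", "summary": "Prototype pollution"}},
        "dependabotUpdate": {"pullRequest": {"number": 42}, "error": None}},
    {   # No PR: Dependabot reported a dependency conflict
        "number": 8, "state": "OPEN",
        "securityVulnerability": {
            "package": {"ecosystem": "PIP", "name": "example-lib"},
            "severity": "CRITICAL", "vulnerableVersionRange": ">= 1.0, < 1.4.2",
            "firstPatchedVersion": {"identifier": "1.4.2"},
            "advisory": {"ghsaId": "GHSA-yyyy-yyyy-yyyy", "summary": "Remote code execution"}},
        "dependabotUpdate": {"pullRequest": None, "error": {
            "errorType": "dependency_conflict",
            "title": "Dependabot cannot update example-lib to a non-vulnerable version",
            "body": "example-app==3.1.0 requires example-lib==1.3.0"}}},
    {   # Dismissed alert without a PR: out of scope
        "number": 9, "state": "DISMISSED", "securityVulnerability": {},
        "dependabotUpdate": None},
]

def alerts_without_pr(alerts: list[dict]) -> list[dict]:
    """Step 1: open alerts for which Dependabot did not open a pull request."""
    return [a for a in alerts if a["state"] == "OPEN"
            and not (a.get("dependabotUpdate") or {}).get("pullRequest")]

def issue_body(alert: dict) -> str:
    """Steps 2-3: Markdown context for the issue (vulnerability + why no PR)."""
    v = alert["securityVulnerability"]
    patched = (v.get("firstPatchedVersion") or {}).get("identifier", "none published")
    err = (alert.get("dependabotUpdate") or {}).get("error") or {}
    return "\n".join([
        f"## {v['advisory']['ghsaId']}: {v['advisory']['summary']}",
        f"- Package: {v['package']['name']} ({v['package']['ecosystem'].lower()})",
        f"- Severity: {v['severity']}",
        f"- Vulnerable range: {v['vulnerableVersionRange']}",
        f"- First patched version: {patched}",
        "",
        f"Dependabot could not open a PR ({err.get('errorType', 'unknown')}):",
        err.get("body", "no details provided"),
    ])
```

Alerts that are dismissed or already have a PR are skipped; the resulting body is what gets handed to the issue assigned to Copilot.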

You need to create a fine-grained personal access token (PAT) and store it as an Actions secret with permission to create issues and assign them to Copilot.

Installation

Add the action to your repository’s workflow:
name: Dependabot Wolf
on:
  schedule:
    - cron: '0 0 * * *'  # Daily check
  workflow_dispatch:

jobs:
  check-dependabot:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: read
      issues: write
    steps:
      - uses: engseclabs/dependabot-wolf@v1

Found this useful? Check out the repo or let me know if you run into issues.