Why
Security vulnerabilities in watched repos need timely attention, but hub surfaces nothing about them today — they're only visible if you check GitHub's security tab directly.
Current state
hub status shows PRs awaiting review and open/assigned GitHub issues. There is no section for security alerts. Dependabot alert data is available via the GitHub REST API but is not fetched or displayed.
Ideal state
hub status includes a "security alerts" section listing open Dependabot alerts across configured repos
- Each alert shows: repo, package name, severity, and URL
- Alerts are sorted by severity (critical → high → medium → low)
- The section is omitted when there are no open alerts
- The workflow is configurable per-repo in hub.toml using a github-dependabot workflow name
Starting points
clients/src/github.rs — existing GitHub client pattern to follow
config/src/toml.rs — where WorkflowConfig variants are defined
workflows/src/status.rs — where new workflow calls should be added
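The rendering rules above (four fields per alert, critical-first ordering, section omitted when empty, dismissed alerts excluded) in working Rust, as an added example rather than code from the hub repository. The struct and function names are assumptions, not hub's; the API field names in the comments (state, dependency.package.name, security_advisory.severity, html_url) are those of GitHub's GET /repos/{owner}/{repo}/dependabot/alerts endpoint, and the repo names and URLs in the sample are constructed.

```rust
use std::fmt;

/// Severity labels as the GitHub REST API reports them in
/// `security_advisory.severity`. Variant order is the required display order
/// (critical -> high -> medium -> low), so deriving `Ord` sorts correctly.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
enum Severity {
    Critical,
    High,
    Medium,
    Low,
    /// Unrecognised label: sorted last rather than dropped, so an unexpected
    /// API value never silently hides an alert.
    Unknown,
}

impl Severity {
    fn parse(raw: &str) -> Severity {
        match raw.to_ascii_lowercase().as_str() {
            "critical" => Severity::Critical,
            "high" => Severity::High,
            "medium" => Severity::Medium,
            "low" => Severity::Low,
            _ => Severity::Unknown,
        }
    }
}

impl fmt::Display for Severity {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let label = match self {
            Severity::Critical => "critical",
            Severity::High => "high",
            Severity::Medium => "medium",
            Severity::Low => "low",
            Severity::Unknown => "unknown",
        };
        f.pad(label) // `pad`, not `write_str`, so `{:<8}` alignment applies
    }
}

/// One alert reduced to the four fields the status section shows (hypothetical type).
#[derive(Debug, Clone, PartialEq, Eq)]
struct SecurityAlert {
    repo: String,
    package: String,
    severity: Severity,
    url: String,
}

/// Build an alert from the fields one item of
/// `GET /repos/{owner}/{repo}/dependabot/alerts` carries: `state`,
/// `dependency.package.name`, `security_advisory.severity`, `html_url`.
/// Returns `None` unless the alert is open, so dismissed or fixed alerts stay
/// out of the output even if the caller omitted the `?state=open` query.
fn alert_from_api(repo: &str, state: &str, package: &str, severity: &str, url: &str) -> Option<SecurityAlert> {
    if state != "open" {
        return None;
    }
    Some(SecurityAlert {
        repo: repo.to_string(),
        package: package.to_string(),
        severity: Severity::parse(severity),
        url: url.to_string(),
    })
}

/// Render the "security alerts" section, or `None` when there is nothing to
/// show so the caller omits the section entirely.
fn render_security_alerts(alerts: &[SecurityAlert]) -> Option<String> {
    if alerts.is_empty() {
        return None;
    }
    let mut sorted: Vec<&SecurityAlert> = alerts.iter().collect();
    // Severity first; repo and package as tie-breakers for deterministic output.
    sorted.sort_by(|a, b| {
        a.severity
            .cmp(&b.severity)
            .then_with(|| a.repo.cmp(&b.repo))
            .then_with(|| a.package.cmp(&b.package))
    });
    let mut out = String::from("security alerts\n");
    for a in sorted {
        out.push_str(&format!("  {:<8} {}  {}  {}\n", a.severity, a.repo, a.package, a.url));
    }
    Some(out)
}

/// Constructed sample standing in for two repos' API responses (not real data).
fn sample_alerts() -> Vec<SecurityAlert> {
    let raw = [
        ("example/api", "open", "serde_yaml", "medium", "https://example.invalid/alerts/1"),
        ("example/api", "open", "openssl", "critical", "https://example.invalid/alerts/2"),
        ("example/web", "open", "lodash", "low", "https://example.invalid/alerts/3"),
        ("example/web", "dismissed", "minimist", "high", "https://example.invalid/alerts/4"),
        ("example/web", "open", "tar", "high", "https://example.invalid/alerts/5"),
    ];
    raw.iter()
        .filter_map(|(repo, state, pkg, sev, url)| alert_from_api(repo, state, pkg, sev, url))
        .collect()
}

fn main() {
    if let Some(section) = render_security_alerts(&sample_alerts()) {
        print!("{section}");
    }
}
```

Keeping the state check inside alert_from_api, rather than relying only on the ?state=open query parameter, is deliberate: the QA step "dismiss an alert, re-run hub status" then holds regardless of how the client builds its request, and the Unknown variant means a severity label the code has never seen still reaches the operator instead of being filtered out.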
QA plan
- Add a github-dependabot workflow entry to hub.toml for a repo with known open Dependabot alerts
- Run hub status — expect a "security alerts" section listing each alert with severity and URL
- Dismiss an alert in GitHub, re-run hub status — expect that alert no longer appears
- Add the workflow for a repo with no open alerts — expect the section is omitted from output
- Remove all github-dependabot entries from hub.toml — expect no security alerts section appears
Done when
hub status shows open Dependabot security alerts for configured repos, sorted by severity.