Create a GitHub personal access token or GitHub App installation token with the security_events scope (for code scanning) and the dependabot_alerts scope (for Dependabot); use fine-grained tokens scoped to the target repository
List code scanning alerts with GET /repos/OWNER/REPO/code-scanning/alerts; filter with the state (open, dismissed, fixed), severity, and tool_name query parameters
Retrieve alert details, including the most_recent_instance field, which contains the file path, line number, and rule description; use the html_url field to link directly to the alert in the GitHub UI
List Dependabot alerts with GET /repos/OWNER/REPO/dependabot/alerts; filter by severity (critical, high, medium, low) and ecosystem; each alert contains a security_vulnerability object with the CVE identifier and affected version range
Dismiss alerts programmatically with PATCH requests providing a dismissed_reason and dismissed_comment when a vulnerability is not applicable or has an accepted risk
For organization-wide aggregation, use the organization-level endpoints GET /orgs/ORG/code-scanning/alerts and GET /orgs/ORG/dependabot/alerts with appropriate pagination via the Link header
Known gotchas
Code scanning alerts are only available after at least one code scanning workflow run has completed; querying before any run returns an empty list, not an error
The Dependabot alerts API requires Dependabot to be enabled on the repository; private repositories may require GitHub Advanced Security licenses depending on your plan
Pagination uses cursor-based Link headers, not page number parameters; follow the rel=next URL in the Link header rather than incrementing a page query parameter
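The listing and retrieval steps above together with the Link-header gotcha, as an added Python example that is not part of this page: it follows rel="next" across pages, pulls the path, line and rule out of each code scanning alert, and ranks the open alerts by severity for triage. The fetch callable, the example-org/example-repo URLs and the alert payloads are assumptions constructed for the example; in real use fetch wraps an authenticated HTTP GET.

```python
import json, re
from typing import Callable, Dict, List, Optional, Tuple
# Assumed by this example: fetch(url) -> (status, headers, body_text), e.g. a requests.get wrapper sending "Authorization: Bearer <token>" and "Accept: application/vnd.github+json".
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]
_LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')
def next_link(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    for url, rel in _LINK_RE.findall(link_header or ""):
        if rel == "next":
            return url
    return None
def fetch_all_alerts(url: str, fetch: Fetcher) -> List[dict]:
    """Collect alerts from every page by following rel="next", never a page counter."""
    alerts: List[dict] = []
    while url:
        status, headers, body = fetch(url)
        if status != 200:
            raise RuntimeError(f"GitHub API returned HTTP {status} for {url}")
        alerts.extend(json.loads(body))  # an empty list (no scan run yet) is not an error
        url = next_link(headers.get("Link"))
    return alerts
def summarize_code_scanning(alert: dict) -> dict:
    """Reduce one code scanning alert to the fields a triage ticket needs."""
    loc, rule = alert.get("most_recent_instance", {}).get("location", {}), alert.get("rule", {})
    return {"number": alert["number"], "state": alert["state"], "url": alert["html_url"],
            "severity": rule.get("security_severity_level") or rule.get("severity"),
            "rule": rule.get("description"), "path": loc.get("path"), "line": loc.get("start_line")}
_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
def triage(base_url: str, fetch: Fetcher, min_severity: str = "high") -> List[dict]:
    """Summaries of alerts at or above min_severity, most severe first."""
    rows = [summarize_code_scanning(a) for a in fetch_all_alerts(base_url, fetch)]
    rows = [r for r in rows if _RANK.get(r["severity"], 99) <= _RANK[min_severity]]
    return sorted(rows, key=lambda r: (_RANK[r["severity"]], r["number"]))
# Constructed sample: two pages for a hypothetical repository, keyed by request URL.
SAMPLE_URL = "https://api.github.com/repos/example-org/example-repo/code-scanning/alerts?state=open"
def _alert(n: int, path: str, line: int, level: str, desc: str) -> dict:
    return {"number": n, "state": "open", "html_url": f"https://github.com/example-org/example-repo/security/code-scanning/{n}",
            "rule": {"severity": "error", "security_severity_level": level, "description": desc},
            "most_recent_instance": {"location": {"path": path, "start_line": line}}}
SAMPLE_PAGES = {
    SAMPLE_URL: ({"Link": f'<{SAMPLE_URL}&page=2>; rel="next", <{SAMPLE_URL}&page=2>; rel="last"'},
                 [_alert(7, "app/db.py", 42, "high", "SQL query built from user-controlled sources"),
                  _alert(8, "app/util.py", 5, "low", "Unused import")]),
    SAMPLE_URL + "&page=2": ({"Link": f'<{SAMPLE_URL}>; rel="prev", <{SAMPLE_URL}>; rel="first"'},
                             [_alert(9, "app/auth.py", 118, "critical", "Hard-coded credentials")]),
}
def fake_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Stand-in for a real HTTP call, serving the constructed pages above."""
    headers, body = SAMPLE_PAGES[url]
    return 200, headers, json.dumps(body)
```

Calling triage(SAMPLE_URL, fake_fetch) returns the critical and high alerts in that order; the same code works against the organization-level endpoint because it only relies on the Link header.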