# Dependabot alerts should be resolved

> Checks that Dependabot vulnerability alerts are resolved.

## About

When you connect GitHub to DSALTA, the platform retrieves the current security findings using read-only API access. DSALTA tracks their status and activates this check when action is required.

## Why This Matters

Known vulnerabilities in your code and dependencies are publicly catalogued and actively exploited, often within hours of disclosure. Detecting and remediating them within a defined SLA is required by SOC 2 and ISO 27001.

## How to Fix

**Before you begin**

* Ensure you have **admin** access to the GitHub repository or organization.

**Enable and resolve Dependabot alerts**

1. In **GitHub**, open the repository **Settings → Code security and analysis**.
2. Enable **Dependabot alerts** and **Dependabot security updates**.
3. Open the **Security → Dependabot alerts** tab and review each open alert by severity.
4. Apply the suggested fix (update the dependency) and merge it. Define an SLA — Critical within 24 hours, High within 7 days.

Once the alerts are resolved, DSALTA retrieves the change on the next sync and sets the check status to **Passing**.
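The following Python is an added example, not DSALTA's own code: it evaluates a list of Dependabot alerts against the SLA from step 4 (Critical within 24 hours, High within 7 days) and derives the Passing/Failing status the way a read-only check like this one could. The alert records are constructed samples that follow the field names of GitHub's `GET /repos/{owner}/{repo}/dependabot/alerts` response; `SAMPLE_NOW` is an assumed evaluation time.

```python
from datetime import datetime, timedelta, timezone

# SLA from the remediation steps: Critical within 24 hours, High within 7 days.
# Medium/Low have no SLA on this page, so they never fail the check here.
SLA = {"critical": timedelta(hours=24), "high": timedelta(days=7)}

# Constructed sample records in the shape of GitHub's Dependabot alerts API
# (only the fields this check needs). Not real advisories.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open", "created_at": "2024-05-01T10:00:00Z",
     "security_advisory": {"severity": "critical", "summary": "constructed advisory A"}},
    {"number": 2, "state": "open", "created_at": "2024-05-09T10:00:00Z",
     "security_advisory": {"severity": "high", "summary": "constructed advisory B"}},
    {"number": 3, "state": "fixed", "created_at": "2024-04-01T10:00:00Z",
     "security_advisory": {"severity": "critical", "summary": "constructed advisory C"}},
    {"number": 4, "state": "open", "created_at": "2024-05-09T12:00:00Z",
     "security_advisory": {"severity": "medium", "summary": "constructed advisory D"}},
]

# Assumed evaluation time for the sample run.
SAMPLE_NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps the API returns into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def overdue_alerts(alerts, now):
    """Return (number, severity, age) for open alerts older than their SLA."""
    overdue = []
    for alert in alerts:
        if alert["state"] != "open":
            continue  # fixed, dismissed and auto_dismissed alerts count as resolved
        severity = alert["security_advisory"]["severity"]
        limit = SLA.get(severity)
        if limit is None:
            continue  # no SLA defined for this severity on this page
        age = now - parse_ts(alert["created_at"])
        if age > limit:
            overdue.append((alert["number"], severity, age))
    return overdue


def check_status(alerts, now):
    """Passing when no open critical/high alert is past its SLA, else Failing."""
    return "Failing" if overdue_alerts(alerts, now) else "Passing"


if __name__ == "__main__":
    for number, severity, age in overdue_alerts(SAMPLE_ALERTS, SAMPLE_NOW):
        print(f"alert #{number} ({severity}) open {age.days}d {age.seconds // 3600}h, past SLA")
    print("Check status:", check_status(SAMPLE_ALERTS, SAMPLE_NOW))
```

With the sample data, alert 1 (critical, open for over nine days) is the only overdue alert, so the status is Failing; marking it fixed flips the result to Passing.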

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="How often does this check run?">
    This check runs automatically every 24 hours while the GitHub integration is connected. You can also trigger a manual sync from **Integrations** in the sidebar.
  </Accordion>

  <Accordion title="What happens if it keeps failing?">
    A failing check appears in your **Data Library → Tests** dashboard. Work through the steps above; once the underlying configuration is fixed, the status updates automatically on the next sync.
  </Accordion>

  <Accordion title="Can I exclude this check?">
    Yes. If it does not apply to your environment, mark it as **Not Applicable** with a justification. The exclusion is documented for auditors.
  </Accordion>

  <Accordion title="Does DSALTA change my GitHub configuration?">
    No. DSALTA uses **read-only API access** and never modifies, creates, or deletes resources. All remediation is performed by your team directly in GitHub.
  </Accordion>
</AccordionGroup>
