A security health dashboard for GitHub organizations. It pulls Dependabot and code scanning alerts from every repo in your org into a single view with severity rankings, trend charts, and one-click commands to investigate vulnerabilities with Claude Code.
On each fetch cycle, DependaWatch automatically enables free GitHub security features (Dependabot alerts, security updates, secret scanning) on all your repos -- so nothing slips through the cracks.
Note: These screenshots are from an earlier version of the app (then called "CodeHealth") before the rebrand to DependaWatch. The current version uses updated branding and purple accent colors.
- Unified alert view -- Dependabot and code scanning alerts from every org repo in one dashboard
- Auto-enable security -- Free security features are turned on automatically each cycle:
- All repos: Dependabot alerts, Dependabot security updates
- Public repos: Secret scanning, secret scanning push protection
- Severity-ranked views -- Repos and alerts sorted by severity (critical > high > medium > low)
- Trend tracking -- Daily snapshots stored for up to a year, rendered as interactive charts
- Rate-limit aware -- Repos with critical/high alerts are fetched first; lower-priority repos are skipped when API quota runs low
- Claude Code integration -- Generate ready-to-run commands that send vulnerability context straight to Claude for investigation and fixes
- Zero frontend dependencies -- The entire UI is a single HTML file with inline CSS/JS. No build step, no npm.
cp .env.example .envEdit .env with your values:
GITHUB_TOKEN=ghp_your_token_here
GITHUB_OWNER=your-org-nameDocker (recommended):
docker compose up --build -d
# Open http://localhost:8501Local development:
./dev.sh
# Open http://localhost:8000 (with hot-reload)pip install -r requirements-dev.txt
python -m pytest tests/ -vAll configuration is done through environment variables (or a .env file).
| Variable | Description | Default |
|---|---|---|
GITHUB_TOKEN |
Classic PAT with repo scope |
(required) |
GITHUB_OWNER |
GitHub organization to monitor | (required) |
POLL_INTERVAL_HOURS |
Hours between automatic fetch cycles | 6 |
DB_PATH |
Path to the SQLite database file | ./data/dependawatch.db |
LOCAL_REPOS_PATH |
Root path where repos are cloned locally (used for Claude commands) | (empty) |
API_KEY |
Secret key to protect the dashboard (see below) | (empty — auth disabled) |
By default the dashboard is unauthenticated. If you're running it on a shared or reachable network, set API_KEY in your .env:
API_KEY=your-secret-key-hereWhen set, all requests require the key. The dashboard uses HTTP Basic Auth in the browser -- on first visit the browser will prompt for a password (enter the key), then cache it for that session. For scripts or curl, pass an X-API-Key header instead:
curl -H "X-API-Key: your-secret-key-here" http://localhost:8501/api/healthCreate a token that can both read security alerts and, if you want the app to auto-enable features, update repository security settings.
Recommended setup:
- Classic PAT: include
security_eventsto read Dependabot and code scanning alerts. Addrepoif you want DependaWatch to auto-enable security features. - Public repositories only:
public_repois sufficient for alert reads if you do not need private repo access. - Fine-grained PAT: grant Dependabot alerts: Read and Code scanning alerts: Read. If you want auto-enable behavior, also grant the repository administration permissions required by GitHub's security settings endpoints.
This grants access to:
- Repository metadata and settings
- Dependabot alerts (all repos)
- Code scanning alerts (public repos, or private repos with a GitHub Advanced Security license)
- Enabling/disabling security features via the API
Every POLL_INTERVAL_HOURS, DependaWatch:
- Fetches all repos from your GitHub org
- Enables free security features on each non-archived repo (idempotent)
- Pulls Dependabot and code scanning alerts, prioritizing repos with critical/high findings
- Stores everything in a local SQLite database and records daily trend snapshots
The frontend polls the API and renders an overview with severity cards, a trend chart, a repo table, and per-repo drill-down views with alert details.
Each alert has a "Send to Claude" button that generates a context-rich command you can paste into your terminal. For example:
claude 'In repo ExampleOrg/example-project, Dependabot has flagged a HIGH vulnerability: Python-Multipart has Arbitrary File Write via Non-Default Configuration. python-multipart versions < 0.0.22 are affected. CVE: CVE-2026-24486. Fix: upgrade to 0.0.22. Ecosystem: pip. Investigate this dependency in the repo, check if the vulnerable version is actively used, and propose a fix.'If LOCAL_REPOS_PATH is set, the command includes a cd into the repo directory so Claude operates directly on your local clone.
| Method | Path | Description |
|---|---|---|
GET |
/api/health |
Health check, fetch status, rate limits |
GET |
/api/repos |
All repos with open alert counts and feature flags |
GET |
/api/alerts |
Paginated alerts (filter by type, state, severity, repo_id) |
GET |
/api/alerts/{type}/{id} |
Full detail for a single alert |
GET |
/api/stats |
Aggregate open alert counts by severity |
GET |
/api/stats/trends |
Time-series snapshots (filter by period, repo_id) |
POST |
/api/refresh |
Trigger a manual fetch cycle (60s cooldown) |
GET |
/api/claude-command/{type}/{id} |
Generate a Claude Code command for an alert |
| Feature | Private repos | Public repos |
|---|---|---|
| Dependabot alerts | Yes | Yes |
| Dependabot security updates | Yes | Yes |
| Secret scanning | Requires GHAS | Yes |
| Secret scanning push protection | Requires GHAS | Yes |
| Code scanning (CodeQL) | Requires GHAS | Needs manual workflow setup |
When a private repo is made public, the next fetch cycle automatically enables secret scanning and push protection.
- Backend: Python 3.12, FastAPI, aiosqlite (WAL mode), APScheduler
- Frontend: Vanilla JS single-page app (no framework, no npm, no build step)
- Infrastructure: Docker Compose, SQLite
- GitHub API: httpx async client with rate-limit tracking
MIT