Dev Ops · n8n

Escalate GitHub Security Alerts to PagerDuty Instantly

An n8n workflow that catches GitHub Dependabot and code-scanning security alerts, filters for high and critical severity, and opens a PagerDuty incident with the vulnerability details — so a serious CVE in your dependencies wakes the on-call engineer instead of sitting unseen in the Security tab.

difficulty Intermediatesetup 45 minresult Critical and high-severity GitHub security alerts become PagerDuty incidents within seconds
  1. 1

    Catch the security alert

    Add a Webhook node and register it in GitHub for the dependabot_alert (and optionally code_scanning_alert) events. GitHub POSTs the alert including its severity and the affected package or rule.

  2. 2

    Read the severity

    A Set node extracts the severity, the summary, and a link to the alert. Dependabot puts severity under alert.security_advisory.severity; code scanning under alert.rule.severity — the node normalizes both into one severity field.

  3. 3

    Branch on severity

    A Switch node splits critical/high from everything else. High-severity goes to PagerDuty; the rest goes to a Slack channel so nothing is ignored, but only the serious ones page a human.

  4. 4

    Open a PagerDuty incident

    An HTTP Request POSTs to https://events.pagerduty.com/v2/enqueue with your routing key, event_action: trigger, a clear summary, and a dedup_key set to the alert ID so repeat webhooks don't spawn duplicate incidents.

  5. 5

    Log everything to Slack

    Both branches also post to a security Slack channel for an audit trail. Critical ones say 'paged on-call'; lower ones say 'review when you can'. The team always has visibility, and the pager stays meaningful.

Frequently asked questions

Which GitHub alerts does this cover?

Dependabot alerts (vulnerable dependencies), code scanning alerts (CodeQL and other SAST), and secret scanning alerts. Each has its own webhook event — `dependabot_alert`, `code_scanning_alert`, `secret_scanning_alert`. You can subscribe to all three and route them through the same severity filter.

Why filter by severity?

Paging someone for a low-severity dev-dependency advisory is how alert fatigue kills a rotation. The workflow only escalates `high` and `critical`, which are the ones worth interrupting a human for. Lower-severity alerts can be routed to a Slack channel for the next working day instead.

How does the PagerDuty incident get created?

Via PagerDuty's Events API v2 — the workflow POSTs a `trigger` event with a routing key, a summary, and a dedup key based on the alert ID so the same alert doesn't open duplicate incidents. That's the standard, well-documented integration path PagerDuty recommends for custom sources.

About this recipe. Recipes on FlowRecipesHub are written for business owners, not developers, and are tested before publishing — how recipes get made. Some ingredient links are affiliate links that cost you nothing — full disclosure.