Escalate GitHub Security Alerts to PagerDuty Instantly
An n8n workflow that catches GitHub Dependabot and code-scanning security alerts, filters for high and critical severity, and opens a PagerDuty incident with the vulnerability details — so a serious CVE in your dependencies wakes the on-call engineer instead of sitting unseen in the Security tab.
- 1
Catch the security alert
Add a
Webhooknode and register it in GitHub for thedependabot_alert(and optionallycode_scanning_alert) events. GitHub POSTs the alert including its severity and the affected package or rule. - 2
Read the severity
A
Setnode extracts the severity, the summary, and a link to the alert. Dependabot puts severity underalert.security_advisory.severity; code scanning underalert.rule.severity— the node normalizes both into oneseverityfield. - 3
Branch on severity
A
Switchnode splitscritical/highfrom everything else. High-severity goes to PagerDuty; the rest goes to a Slack channel so nothing is ignored, but only the serious ones page a human. - 4
Open a PagerDuty incident
An
HTTP RequestPOSTs tohttps://events.pagerduty.com/v2/enqueuewith your routing key,event_action: trigger, a clear summary, and adedup_keyset to the alert ID so repeat webhooks don't spawn duplicate incidents. - 5
Log everything to Slack
Both branches also post to a security Slack channel for an audit trail. Critical ones say 'paged on-call'; lower ones say 'review when you can'. The team always has visibility, and the pager stays meaningful.
Frequently asked questions
Which GitHub alerts does this cover?
Dependabot alerts (vulnerable dependencies), code scanning alerts (CodeQL and other SAST), and secret scanning alerts. Each has its own webhook event — `dependabot_alert`, `code_scanning_alert`, `secret_scanning_alert`. You can subscribe to all three and route them through the same severity filter.
Why filter by severity?
Paging someone for a low-severity dev-dependency advisory is how alert fatigue kills a rotation. The workflow only escalates `high` and `critical`, which are the ones worth interrupting a human for. Lower-severity alerts can be routed to a Slack channel for the next working day instead.
How does the PagerDuty incident get created?
Via PagerDuty's Events API v2 — the workflow POSTs a `trigger` event with a routing key, a summary, and a dedup key based on the alert ID so the same alert doesn't open duplicate incidents. That's the standard, well-documented integration path PagerDuty recommends for custom sources.