Working with Security alerts

The GitHub Links macro can display GitHub security alerts directly in Confluence, making it easy to reference vulnerabilities in incident reports, retrospectives, or security documentation.

Supported security link types

Alert type           URL pattern                           What is displayed
-------------------  ------------------------------------  -----------------------------------------------------------------------
Dependabot alert     .../security/dependabot/{number}      Severity, summary, package name, state (Open / Fixed / Dismissed)
Code Scanning alert  .../security/code-scanning/{number}   Severity, rule description, tool name, state (Open / Fixed / Dismissed)
Security Advisory    .../security/advisories/{ghsa-id}     Severity, summary, GHSA identifier, state (Published / Closed / Draft)

Dependabot alerts

Dependabot alerts work with the default GitHub App permissions - no extra setup required. Paste the alert URL directly onto a Confluence page.

Code Scanning alerts

Code Scanning alerts require the Code scanning alerts (read) permission. Without it the macro displays: "Additional GitHub App permission required - grant 'Code scanning alerts' (read) and re-approve the app to display this alert."

How to grant the Code Scanning permission

  1. Go to your GitHub organisation settings → Integrations → GitHub Apps.

  2. Locate Links for Confluence and click Configure.

  3. Under Permissions, find Code scanning alerts and set it to Read.

  4. Save and approve the updated permissions when prompted.

For a full overview of GitHub App permissions and how to manage organisation access, see Managing GitHub App permissions and organisation access.

Security Advisories

Security Advisories require the Repository security advisories (read) permission. Without it the macro displays: "Additional GitHub App permission required - grant 'Repository security advisories' (read) and re-approve the app to display this advisory."

Follow the same steps as Code Scanning above, but grant Repository security advisories → Read.
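The following is an added illustration, not code from the GitHub Links macro itself: it recognises the three URL patterns from the table above and, for each, reports which read permission the page says the GitHub App must hold before the alert can be displayed. It assumes the "..." prefix in the table is the usual https://github.com/{owner}/{repo}; the function and class names are hypothetical.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# GHSA identifiers are GHSA-xxxx-xxxx-xxxx, each x drawn from the alphabet 23456789cfghjmpqrvwx.
_GHSA = r"GHSA-[23456789cfghjmpqrvwx]{4}-[23456789cfghjmpqrvwx]{4}-[23456789cfghjmpqrvwx]{4}"
_REPO = r"^https://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)"

# One regex per supported link type; assumed prefix is the repository URL (not on the page).
_ALERT_PATTERNS = {
    "dependabot": re.compile(_REPO + r"/security/dependabot/(?P<id>\d+)/?$"),
    "code-scanning": re.compile(_REPO + r"/security/code-scanning/(?P<id>\d+)/?$"),
    "advisory": re.compile(_REPO + r"/security/advisories/(?P<id>" + _GHSA + r")/?$"),
}

# Read permission each link type needs, as stated on this page. None = default app permissions suffice.
REQUIRED_READ_PERMISSION = {
    "dependabot": None,
    "code-scanning": "Code scanning alerts",
    "advisory": "Repository security advisories",
}


@dataclass(frozen=True)
class SecurityLink:
    kind: str       # "dependabot", "code-scanning" or "advisory"
    owner: str
    repo: str
    alert_id: str   # alert number, or the GHSA identifier for advisories


def parse_security_link(url: str) -> Optional[SecurityLink]:
    """Classify a pasted URL; return None if it is not one of the supported security links."""
    for kind, pattern in _ALERT_PATTERNS.items():
        match = pattern.match(url.strip())
        if match:
            return SecurityLink(kind, match["owner"], match["repo"], match["id"])
    return None


def missing_permission(link: SecurityLink, granted_read: set[str]) -> Optional[str]:
    """Return the read permission the app still lacks for this link, or None if it can be displayed."""
    needed = REQUIRED_READ_PERMISSION[link.kind]
    if needed is None or needed in granted_read:
        return None
    return needed
```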

Use cases

  • Incident documentation - embed a specific Dependabot or Code Scanning alert in your incident report to link the vulnerability directly to the response timeline

  • Sprint retrospectives - reference unresolved security alerts alongside PR and issue data in your retro page

  • Security runbooks - embed advisory details in your response playbooks so the team has full context without leaving Confluence
