Describe the need
GitHub allows enabling Grouped security updates on a per-repository basis (Settings > Advanced Security > Grouped security updates). When enabled, Dependabot consolidates multiple security update alerts into a single pull request per package manager and directory, reducing PR noise.
Currently there is no Terraform resource or attribute to manage this setting. It can only be toggled through the GitHub UI. A previous request (#2444) was closed as not planned, but the need remains.
A new resource (similar to github_repository_dependabot_security_updates) would allow teams to enforce this setting via IaC:

    resource "github_repository_dependabot_grouped_security_updates" "example" {
      repository = github_repository.my_repo.name
      enabled    = true
    }
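As an added illustration (not code from the original issue or from the provider), the following shows how the proposed resource would sit next to the existing github_repository and github_repository_dependabot_security_updates resources so that both Dependabot settings are enforced for a whole set of repositories from one configuration. The resource name github_repository_dependabot_grouped_security_updates is the hypothetical name proposed in this issue and does not exist in the provider today; the repository names are constructed sample values.

```hcl
# Added example, not from the original issue or the provider.
# Enforces Dependabot security updates and the proposed grouped-updates
# setting across every repository in one managed set.

variable "repositories" {
  type    = set(string)
  default = ["api-gateway", "billing-service"] # constructed sample names
}

resource "github_repository" "managed" {
  for_each   = var.repositories
  name       = each.key
  visibility = "private"

  # Dependabot alerts must be on before security updates can be enabled.
  vulnerability_alerts = true
}

# Existing provider resource: turns on Dependabot security updates per repository.
resource "github_repository_dependabot_security_updates" "managed" {
  for_each   = var.repositories
  repository = github_repository.managed[each.key].name
  enabled    = true
}

# Proposed resource (hypothetical, the subject of this issue): group those
# security updates into one PR per package manager and directory.
resource "github_repository_dependabot_grouped_security_updates" "managed" {
  for_each   = var.repositories
  repository = github_repository.managed[each.key].name
  enabled    = true

  # Assumption: grouping is only meaningful once security updates are enabled,
  # so apply them first.
  depends_on = [github_repository_dependabot_security_updates.managed]
}
```

With such a resource in place, a plain terraform plan would surface drift whenever someone flips the toggle in the GitHub UI, which is exactly what cannot be detected today.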
Why this matters
- Organizations managing security settings as Infrastructure as Code have no way to enforce or detect drift on this setting
- The GitHub REST API does not expose a per-repository endpoint to read or write grouped security update status, so even workarounds using null_resource + API calls are not possible
- Without grouping, repositories with many dependencies can receive dozens of individual security PRs, creating significant review overhead
- The org-level code security configurations API (/orgs/{org}/code-security/configurations) also does not include a field for this setting
Difference from #2444
Issue #2444 was closed as not planned. This issue provides additional context on why the feature is needed — specifically that there is no API-level workaround and that the org-level security configurations API also lacks this capability, making it impossible to manage at any layer of automation.
Workaround
None. The setting can only be managed through the GitHub UI. There is no REST API endpoint to read or write it at the repository level or organization level.
SDK Version
N/A
API Version
N/A