Commit 1dba805

Follow up work: Dependabot alert assignees (#60845)
1 parent 06b8907 commit 1dba805

2 files changed

Lines changed: 32 additions & 3 deletions

content/code-security/concepts/supply-chain-security/about-dependabot-alerts.md

Lines changed: 18 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -54,9 +54,25 @@ See [AUTOTITLE](/code-security/dependabot/dependabot-alerts/configuring-dependab
5454

5555
## Alert ownership and assignments
5656

57-
Users with write access or higher can assign {% data variables.product.prodname_dependabot_alerts %} to repository collaborators, teams, or {% data variables.product.prodname_copilot_short %} to establish clear ownership for vulnerability remediation. Assignments help track who's responsible for each alert and prevent vulnerabilities from being overlooked.
57+
Users with write access or higher can assign {% data variables.product.prodname_dependabot_alerts %} to repository collaborators, teams, or AI agents to establish clear ownership for vulnerability remediation. Assignments help track who's responsible for each alert and prevent vulnerabilities from being overlooked.
5858

59-
When an alert is assigned, the assignee receives a notification and the alert displays their name in the alert list. You can filter alerts by assignee to track progress. Assigning an alert to {% data variables.product.prodname_copilot_short %} automatically generates a fix and opens a draft pull request for review.
59+
You can assign alerts to the following types of agents:
60+
61+
* **{% data variables.product.prodname_copilot_short %}**, {% data variables.product.github %}'s built-in AI agent.
62+
* **Third-party agents**,such as Codex or Claude, when enabled in your repository settings.
63+
64+
When an alert is assigned to a person or team, the assignee receives a notification and the alert displays their name in the alert list. You can filter alerts by assignee to track progress.
65+
66+
When an alert is assigned to an agent, the agent automatically creates a session and opens a draft pull request with a proposed fix. If the agent can't generate a fix, it remains as an assignee, and you can click **View Session** on the alert timeline to review the agent's log.
67+
68+
> [!NOTE]
69+
> Assignment visibility is currently scoped to the repository-level alerts view. The organization-wide security overview does not display alert assignments.
70+
71+
When an alert's assignees change, {% data variables.product.github %} sends an `assignees_changed` webhook event. You can use this event to trigger workflows or sync assignment data with external systems. For more information, see [AUTOTITLE](/webhooks/webhook-events-and-payloads#dependabot_alert).
72+
73+
### Automation and integrations
74+
75+
You can manage alert assignments programmatically using the REST API. For more information, see [AUTOTITLE](/rest/dependabot/alerts).
6076

6177
For information about assigning alerts, see [AUTOTITLE](/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts#viewing-and-prioritizing-dependabot-alerts).
6278
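
Review bot: On added line 61, `**Third-party agents**,such as Codex or Claude` is missing the space after the comma, and it hard-codes agent names while the Copilot bullet on line 60 uses a Liquid variable; fix the spacing and consider generic wording or a variable so the list does not go stale. The phrase "when enabled in your repository settings" has no link to the setting and does not say who can change it, which matters because line 57 lets anyone with write access assign an agent that then opens a draft pull request. The `assignees_changed` webhook paragraph on line 71 also sits above the new "Automation and integrations" heading on line 73; moving it under that heading would keep the webhook and REST API material together.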

content/code-security/how-tos/manage-security-alerts/manage-dependabot-alerts/viewing-and-updating-dependabot-alerts.md

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,12 @@ By default, alerts are sorted by **Most important**, which helps you prioritize
3838

3939
{% data reusables.dependabot.where-to-view-dependabot-alerts %}
4040

41+
{% ifversion dependabot-alerts-assignees %}
42+
43+
When you assign an alert to an AI agent, the agent automatically creates a session and opens a draft pull request with a proposed fix. If the agent can't generate a fix, it remains as an assignee of the alert. You can click **View Session** on the alert timeline to review the agent's log and understand why no pull request was created. Only a user can remove the agent as an assignee.
44+
45+
{% endif %}
46+
4147
{% data reusables.repositories.navigate-to-repo %}
4248
{% data reusables.repositories.sidebar-security %}
4349
{% data reusables.repositories.sidebar-dependabot-alerts %}
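
Review bot: The sentence "Only a user can remove the agent as an assignee." on added line 43 has no counterpart in the matching paragraph added to about-dependabot-alerts.md (line 66 there), so the two articles now describe the failed-fix case differently. Either add the sentence to the concept article as well or move the shared paragraph into a reusable so the two copies cannot drift. The paragraph is also placed before the navigation steps, ahead of the step where the reader actually assigns the alert; consider moving it next to the **Assignees** step so the behaviour is explained where it is triggered.
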
@@ -58,7 +64,14 @@ By default, alerts are sorted by **Most important**, which helps you prioritize
5864
![Screenshot showing the "Tags" section in the alert details page.](/assets/images/help/repository/dependabot-alerts-tags-section.png)
5965

6066
{% ifversion dependabot-alerts-assignees %}
61-
1. On the right panel, select an assignee by using the **Assignees** dropdown list. You can assign the alert to a user or team to establish clear ownership, or assign it to {% data variables.product.prodname_copilot_short %} to automatically generate a fix. This clearly communicates who is responsible for triaging the alert and helps you avoid repetitive analysis. It also ensures that alerts are not missed.
67+
1. On the right panel, assign ownership for the alert:
68+
* Click the {% octicon "gear" aria-label="Show options" %} dropdown menu next to "Assignees" to select a user, team, or AI agent from the list. You can also click **Assign to Agent** to assign directly to an agent.
69+
70+
When you assign an alert to an agent, a dialog appears where you can optionally:
71+
* Add a custom prompt with additional context about the fix.
72+
* Select a different repository.
73+
* Select the AI model to use.
74+
* Select a custom agent you have configured (recommended for specialized tasks).
6275
{% endif %}
6376

6477
1. Optionally, to suggest an improvement to the related security advisory, on the right-hand side of the alert details page, click **Suggest improvements for this advisory on the {% data variables.product.prodname_advisory_database %}**. See [AUTOTITLE](/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/editing-security-advisories-in-the-github-advisory-database).
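
Review bot: "Select a different repository." on added line 72 does not say what the selected repository is used for or what access the person assigning needs to it; since the agent goes on to open a draft pull request, spell out the effect of this option. Step 1 on line 67 ends in a colon and introduces a list with a single bullet (line 68), which reads better folded into one sentence. Line 68 also writes "Assignees" in quotation marks while **Assign to Agent** is bold and the removed line used **Assignees**; use one style for UI labels.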
