github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

Lack of notifications #16593

Open mcandre opened 1 month ago

mcandre commented 1 month ago

Unlike Dependabot, I don't appear to receive any email notifications for CodeQL.

CodeQL shows various warnings and security findings on individual repo pages. But neither of these results triggers follow-up emails.

This reduces the visibility of security alerts.

aibaars commented 1 month ago

CodeQL and other static analysis tools tend to produce a higher volume of alerts than Dependabot, and sending out email notifications for all of them is probably not a good idea. However, it would make sense to allow a user to configure notifications, for example, for critical security alerts. I don't think that is currently possible; I'll let the product team know so they can consider this idea.

Thanks a lot for your feedback!