Missing dependabot_malware_alerts in security_and_analysis (PATCH /repos)
The `security_and_analysis` object on the Update a repository endpoint currently supports toggling:
- `dependabot_security_updates`
- `secret_scanning`
- `secret_scanning_push_protection`
- `secret_scanning_non_provider_patterns`
- `secret_scanning_validity_checks`
However, Dependabot malware alerts - which is a separate toggle in the repository settings UI under Security → Advanced Security - has no corresponding field in the API.
Why this matters
I maintain tooling that manages GitHub security settings across ~80+ repositories. Everything else can be configured via the REST API, but malware alerts require either clicking through the UI for each repo or setting up an org-wide security configuration (which requires org admin).
Having a dependabot_malware_alerts field in security_and_analysis (both GET and PATCH) would make it possible to:
- Enable malware alerts in bulk across many repos
- Audit whether it's enabled as part of compliance checks
- Include it in IaC / GitOps workflows alongside the other security toggles
Expected behavior
```json
// PATCH /repos/{owner}/{repo}
{
  "security_and_analysis": {
    "dependabot_malware_alerts": {
      "status": "enabled"
    }
  }
}
```
And the GET response should include the current state, same as the other fields.
Current workaround
Manual toggle per repo via the UI, or org-level security configurations (requires org admin).
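The following is an added example, not the issue author's tooling and not GitHub's own code. It shows the bulk audit / reconcile loop the request describes: read `security_and_analysis` from `GET /repos/{owner}/{repo}`, compute the `PATCH` body that closes the gap to a desired baseline, and record explicitly that `dependabot_malware_alerts` cannot be read or written through this object. The endpoint paths, the five field names and the request headers are the public REST API ones; the desired baseline, the `"not_exposed_by_api"` marker and the sample response are assumptions constructed for the example, so the audit logic runs offline.

```python
"""Audit and reconcile security_and_analysis across repositories (added example)."""
import json
import urllib.request

API_VERSION = "2022-11-28"

# Fields the issue lists as toggleable via PATCH /repos/{owner}/{repo}.
API_FIELDS = (
    "dependabot_security_updates",
    "secret_scanning",
    "secret_scanning_push_protection",
    "secret_scanning_non_provider_patterns",
    "secret_scanning_validity_checks",
)
# Per the issue, this toggle exists only in the UI / org security configurations.
UI_ONLY_FIELDS = ("dependabot_malware_alerts",)

# Desired baseline (assumption for the example): everything the API can set, enabled.
DESIRED = {field: "enabled" for field in API_FIELDS}


def audit_repo(repo_json):
    """Return {field: status} for one repository JSON object.

    security_and_analysis may be null or absent when the token lacks admin
    access, so every API field falls back to "unknown" instead of raising.
    """
    sa = repo_json.get("security_and_analysis") or {}
    report = {}
    for field in API_FIELDS:
        report[field] = (sa.get(field) or {}).get("status", "unknown")
    for field in UI_ONLY_FIELDS:
        # If the field ever ships, it is picked up; until then the audit records
        # that the API cannot answer the question rather than guessing a value.
        report[field] = (sa.get(field) or {}).get("status", "not_exposed_by_api")
    return report


def build_patch(report, desired=DESIRED):
    """Return the PATCH body that closes the gap to `desired`, or None if no drift.

    Only drifted fields are sent. "unknown" counts as drift so that a failing
    PATCH (e.g. 403 for a non-admin token) surfaces the permission problem
    instead of silently passing the audit.
    """
    drift = {f: {"status": want} for f, want in desired.items()
             if report.get(f) != want}
    return {"security_and_analysis": drift} if drift else None


def manual_followups(report):
    """Fields that still need the UI or an org-level security configuration."""
    return [f for f in UI_ONLY_FIELDS if report.get(f) == "not_exposed_by_api"]


def _request(method, url, token, body=None):
    """Minimal authenticated call against api.github.com; only used by reconcile()."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": API_VERSION,
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def reconcile(owner, repo, token, dry_run=True):
    """GET the repo, compute drift, PATCH it unless dry_run. Returns the findings."""
    url = f"https://api.github.com/repos/{owner}/{repo}"
    report = audit_repo(_request("GET", url, token))
    patch = build_patch(report)
    if patch and not dry_run:
        _request("PATCH", url, token, patch)
    return report, patch, manual_followups(report)


# Constructed sample of a GET /repos/{owner}/{repo} response, trimmed to the
# fields this script reads; it is not captured from a real repository.
SAMPLE_REPO = {
    "full_name": "example-org/example-repo",
    "security_and_analysis": {
        "advanced_security": {"status": "enabled"},
        "dependabot_security_updates": {"status": "disabled"},
        "secret_scanning": {"status": "enabled"},
        "secret_scanning_push_protection": {"status": "disabled"},
        "secret_scanning_non_provider_patterns": {"status": "disabled"},
        "secret_scanning_validity_checks": {"status": "enabled"},
    },
}

if __name__ == "__main__":
    rep = audit_repo(SAMPLE_REPO)
    print(json.dumps(rep, indent=2))
    print(json.dumps(build_patch(rep), indent=2))
    print("needs UI / org config:", manual_followups(rep))
```

Run over the sample, the audit reports three drifted API fields and one field (`dependabot_malware_alerts`) that has to be handled outside the API; `reconcile()` is the same logic wired to live calls and defaults to a dry run so a compliance check never PATCHes by accident.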