{"meta":{"title":"Error: 403 \"Resource not accessible by integration\"","intro":"This error may be seen on pull requests created by Dependabot and can be resolved in a couple of different ways.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/reference","title":"Reference"},{"href":"/en/code-security/reference/code-scanning","title":"Code scanning"},{"href":"/en/code-security/reference/code-scanning/troubleshoot-analysis-errors","title":"Troubleshoot analysis errors"},{"href":"/en/code-security/reference/code-scanning/troubleshoot-analysis-errors/resource-not-accessible","title":"Resource not accessible"}],"documentType":"article"},"body":"# Error: 403 \"Resource not accessible by integration\"\n\nThis error may be seen on pull requests created by Dependabot and can be resolved in a couple of different ways.\n\n> [!NOTE]\n> This troubleshooting article is *only* relevant if you're seeing this error with Dependabot. If you see this error with other GitHub products and have difficulty troubleshooting it, you can contact GitHub Support. For more information, see [Contacting GitHub Support](/en/support/contacting-github-support).\n\n## About this error\n\n```text\n403: Resource not accessible by integration\n```\n\nDependabot is considered untrusted when it triggers a workflow run, and the workflow will run with read-only scopes.\n\n## Confirming the cause of the error\n\nIf you're using Dependabot in your code scanning workflow, investigate the scope it's using.\n\nUploading code scanning results for a branch usually requires the `security-events: write` scope. However, code scanning always allows the uploading of results when the `pull_request` event triggers the action run. 
This is why, for Dependabot branches, we recommend you use the `pull_request` event instead of the `push` event.\n\n## Fixing the problem\n\nYou can run on pushes to the default branch and any other important long-running branches, as well as pull requests opened against this set of branches:\n\n```yaml\non:\n  push:\n    branches:\n      - main\n  pull_request:\n    branches:\n      - main\n```\n\nAlternatively, you can run on all pushes except for Dependabot branches:\n\n```yaml\non:\n  push:\n    branches-ignore:\n      - 'dependabot/**'\n  pull_request:\n```\n\n### Analysis still failing on the default branch\n\nIf the CodeQL analysis workflow still fails on a commit made on the default branch, you need to check:\n\n* Whether Dependabot authored the commit\n* Whether the pull request that includes the commit has been merged using `@dependabot squash and merge`\n\nThis type of merge commit is authored by Dependabot, and therefore any workflows running on the commit will have read-only permissions. If you enabled code scanning and Dependabot security updates or version updates on your repository, we recommend you avoid using the Dependabot `@dependabot squash and merge` command. Instead, you can enable auto-merge for your repository. This means that pull requests will be automatically merged when all required reviews are met and status checks have passed. For more information about enabling auto-merge, see [Automatically merging a pull request](/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request#enabling-auto-merge)."}