diff --git a/lib/config/definitions.js b/lib/config/definitions.js
index 5c177150a3d826ffff9df876097f0fa6b87260c1..498ec6d78bb8f22e699e06dab878ac36dfd37eca 100644
--- a/lib/config/definitions.js
+++ b/lib/config/definitions.js
@@ -692,6 +692,7 @@ const options = [
       'Config to apply when Renovate detects a PR is necessary due to vulnerability of existing package version.',
     type: 'object',
     default: {
+      enabled: true,
       groupName: null,
       schedule: [],
       commitMessageSuffix: '[SECURITY]',
diff --git a/lib/config/validation.js b/lib/config/validation.js
index ebd81d3b3fdd5b05ee7d0b89141c5113ee87c1c7..09e25d7cda39aaf938ec188bc2d75757849fd727 100644
--- a/lib/config/validation.js
+++ b/lib/config/validation.js
@@ -41,6 +41,7 @@ async function validateConfig(config, isPreset, parentPath) {
       'packageFile',
       'forkToken',
       'repository',
+      'vulnerabilityAlertsOnly',
     ];
     return ignoredNodes.includes(key);
   }
diff --git a/lib/workers/repository/error.js b/lib/workers/repository/error.js
index b90ea2a74ad96af39bd3ab0433d410780e748250..1cc0f277abc7fb481fa12a50026f037692cf93c5 100644
--- a/lib/workers/repository/error.js
+++ b/lib/workers/repository/error.js
@@ -50,6 +50,10 @@ async function handleError(config, err) {
     logger.info('Repository has no package files - skipping');
     return err.message;
   }
+  if (err.message === 'no-vulnerability-alerts') {
+    logger.info('Repository has no vulnerability alerts - skipping');
+    return err.message;
+  }
   if (err.message === 'repository-changed') {
     logger.info('Repository has changed during renovation - aborting');
     delete config.branchList; // eslint-disable-line no-param-reassign
diff --git a/lib/workers/repository/init/vulnerability.js b/lib/workers/repository/init/vulnerability.js
index 1b68304741703c41c2f6e5e743fdc8732b428b01..7a852ccaf4ba67e751d528d2393f4e62a2c7eaf2 100644
--- a/lib/workers/repository/init/vulnerability.js
+++ b/lib/workers/repository/init/vulnerability.js
@@ -7,10 +7,15 @@ async function detectVulnerabilityAlerts(input) {
     return input;
   }
   if (input.vulnerabilityAlerts.enabled === false) {
+    logger.debug('Vulnerability alerts are disabled');
     return input;
   }
   const alerts = await platform.getVulnerabilityAlerts();
   if (!alerts.length) {
+    logger.debug('No vulnerability alerts found');
+    if (input.vulnerabilityAlertsOnly) {
+      throw new Error('no-vulnerability-alerts');
+    }
     return input;
   }
   const config = { ...input };
diff --git a/test/workers/repository/updates/__snapshots__/flatten.spec.js.snap b/test/workers/repository/updates/__snapshots__/flatten.spec.js.snap
index 52de9513e889a98c3f0b7f5ca5564626479abd2b..84c5517342ae00ebc0277f4e343dd9dfccaf38c2 100644
--- a/test/workers/repository/updates/__snapshots__/flatten.spec.js.snap
+++ b/test/workers/repository/updates/__snapshots__/flatten.spec.js.snap
@@ -63,6 +63,7 @@ Array [
     "updateNotScheduled": true,
     "vulnerabilityAlerts": Object {
       "commitMessageSuffix": "[SECURITY]",
+      "enabled": true,
       "groupName": null,
       "schedule": Array [],
     },
@@ -129,6 +130,7 @@ Array [
     "updateNotScheduled": true,
     "vulnerabilityAlerts": Object {
       "commitMessageSuffix": "[SECURITY]",
+      "enabled": true,
       "groupName": null,
       "schedule": Array [],
     },
@@ -209,6 +211,7 @@ Array [
     "updateType": "lockFileMaintenance",
     "vulnerabilityAlerts": Object {
       "commitMessageSuffix": "[SECURITY]",
+      "enabled": true,
       "groupName": null,
       "schedule": Array [],
     },
@@ -276,6 +279,7 @@ Array [
     "updateNotScheduled": true,
     "vulnerabilityAlerts": Object {
       "commitMessageSuffix": "[SECURITY]",
+      "enabled": true,
       "groupName": null,
       "schedule": Array [],
     },