Free GITHUB-ADVANCED-SECURITY Practice Questions – 2026 Updated

Dependency review is a GitHub Advanced Security feature specifically designed to operate within the pull request workflow. It automatically scans changes to manifest or lock files in a pull request, providing a "rich diff" on the "Files Changed" tab. This diff explicitly shows which dependencies are being added, removed, or updated, and most importantly, it flags any dependencies that have known vulnerabilities, including their severity level. This allows developers and reviewers to catch and address security risks before they are merged into the main codebase.

A. Dependency graph: This is a repository-level summary of all dependencies; it does not specifically show the impact of changes within an individual pull request.

C. Dependabot alert: These are reactive notifications for vulnerabilities found in dependencies already present in the repository's default branch, not a proactive check on a pending pull request.

D. The repository's Security tab: This is a centralized dashboard for viewing all security alerts (like Dependabot and code scanning), not a feature that displays vulnerability information directly within a pull request diff.

1. GitHub Docs, "About dependency review." GitHub Enterprise Cloud Documentation. Accessed May 2024.

"Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request."

"Dependency review tells you about: ... Vulnerabilities in the dependencies. For example, the severity level and if the vulnerability has been fixed in a newer version."

2. GitHub Docs, "Reviewing dependency changes in a pull request." GitHub Enterprise Cloud Documentation. Accessed May 2024.

"The dependency review allows you to "shift left". You can catch vulnerable dependencies before they hit production. ... The dependency review rich diff is displayed on the "Files Changed" tab of a pull request."

3. GitHub Docs, "About the dependency graph." GitHub Enterprise Cloud Documentation. Accessed May 2024.

"The dependency graph is a summary of the manifest and lock files stored in a repository. For each repository, it shows... dependencies..." (This describes a repository-level inventory, not a PR-specific check).

The dependabot.yml configuration file requires a minimum set of fields for each package manager entry defined under the updates key. According to the official GitHub documentation, three fields are mandatory to define a basic update check:

1. package-ecosystem: Specifies the package manager to use (e.g., npm, maven, pip).

2. directory: Defines the location of the package manifest files (e.g., / for the root directory).

3. schedule.interval: Sets the frequency for checking for new versions (e.g., daily, weekly).

Without these three fields, Dependabot cannot identify which dependencies to monitor, where to find them, or how often to check for updates.

C. milestone: This is an optional field used to automatically assign a specific milestone to all pull requests created by Dependabot for that configuration.

E. allow: This is an optional field used to explicitly specify which dependencies Dependabot should update, which is useful for limiting updates to a specific subset.

1. GitHub Docs, "Configuration options for the dependabot.yml file." This official documentation provides a comprehensive list of all available configuration options and explicitly labels which are required and which are optional.

Section: "Required properties for each package manager": This section explicitly lists package-ecosystem, directory, and schedule (which contains the required interval field) as mandatory for each entry in the updates array.

Section: "Optional properties for all updates": This section lists milestone and allow as optional configurations that provide more granular control over Dependabot's behavior.

The dependabot.yml configuration file requires a set of update configurations defined under the updates key. For each update configuration, three keys are mandatory: package-ecosystem, directory, and schedule.interval. The package-ecosystem key is essential as it specifies which package manager Dependabot should monitor for dependencies (e.g., npm, maven, pip). Without this key, Dependabot cannot identify which ecosystem to scan for outdated dependencies. The other options listed are optional parameters used for customizing Dependabot's behavior.

A. rebase-strategy: This is an optional key used to define how Dependabot handles pull request conflicts, such as by rebasing automatically.

B. commit-message: This is an optional key that allows for customization of the commit messages used in Dependabot's pull requests.

C. assignees: This is an optional key used to automatically assign specific users or teams to the pull requests created by Dependabot.

1. GitHub Docs. (n.d.). Configuration options for the dependabot.yml file. GitHub. Retrieved from https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem

Reference Specifics: Under the section "Required properties for each updates entry," the documentation explicitly lists package-ecosystem as "Required" and describes its function. The same document lists rebase-strategy, commit-message, and assignees as optional parameters in their respective sections.

Dependabot pull requests for security updates are managed like any other pull request within a repository. The ability to merge a pull request is determined by the repository's access permissions. The standard permission level required to merge pull requests is 'write' access. Users with this level of access can push changes to the repository and manage pull requests, including those automatically generated by Dependabot. Since the question specifies no custom configurations, these default GitHub permissions apply.

A. An enterprise administrator can merge pull requests, but this is not the minimum required permission. The 'write access' role is the more precise and fundamental requirement.

C. A user with 'read' access can only view repository content and open issues. They do not have the necessary permissions to merge pull requests or modify the repository's code.

D. Membership in an enterprise organization does not inherently grant merge permissions. A member must be assigned a specific role with at least 'write' access to the repository in question.

---

1. GitHub Docs, "Repository roles for an organization." This document explicitly lists the abilities associated with each permission level. For the "Write" role, it includes the ability to "Merge pull requests."

Reference: In the table under the "Permissions" section, the row for "Merge pull requests" has a checkmark for the "Write," "Maintain," and "Admin" roles.

2. GitHub Docs, "Managing pull requests for dependency updates." This page clarifies that Dependabot pull requests are handled similarly to user-created ones.

Reference: Under the section "Viewing Dependabot pull requests," it states, "You can manage Dependabot pull requests in the same way as any other pull request..." This confirms that standard repository permissions apply.

3. GitHub Docs, "About Dependabot security updates." This document describes the process of Dependabot creating a pull request to fix a vulnerability, which is then reviewed and merged by repository maintainers.

Reference: Under the section "About pull requests for Dependabot security updates," it describes the pull request creation, implying it follows the standard workflow for review and merging by authorized users.

To prevent a GitHub Actions workflow from running when a pull request contains changes only to specific file paths or types, the paths-ignore key is used within the event trigger configuration. The paths-ignore: key (D) defines a filter that accepts a list of patterns. The options - '/.md' (A) and - '/.txt' (B) are the list items specifying the patterns to be ignored. When combined, the workflow trigger is configured to execute for pull requests targeting the main branch, unless all the changed files in the pull request match the ignored patterns (i.e., are .md or .txt files in the root directory).

C. paths:: This key is used to include paths, causing the workflow to run only when specified files change, which is the opposite of the requirement.

E. - 'docs/.md': This pattern is too specific. It only ignores markdown files within the docs directory, failing to meet the broader requirement of ignoring any markdown file.

1. GitHub Docs. (2023). Workflow syntax for GitHub Actions. GitHub. Retrieved from https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpullrequestpullrequesttargetpaths-ignore.

Reference Details: The section on.. explicitly states: "When you use paths-ignore, the workflow runs only if at least one file changed is outside of the paths-ignore list." This directly supports the use of paths-ignore: (D) with a list of patterns (A, B) to achieve the desired exclusion.

2. GitHub Docs. (2023). Workflow syntax for GitHub Actions - Filter pattern cheat sheet. GitHub. Retrieved from https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.

Reference Details: This section explains the glob patterns used for path filtering. The pattern .md matches any file with the .md extension in the root directory, confirming the syntax and behavior of options A and B. It also shows that paths and paths-ignore are mutually exclusive alternatives.

The "Custom" notification setting provides granular control over which events trigger a notification for a specific repository. This allows a user to subscribe to particular categories of events, such as "Security alerts," while ignoring others like "Issues" or "Pull Requests." This is the only option that directly addresses the need to receive specific notifications that explicitly include security alerts without subscribing to all repository activity.

A. Ignore: This setting mutes all notifications for the repository, which is the opposite of the user's requirement.

B. Participating and @mentions: This only sends notifications for conversations the user is directly involved in or mentioned in, and would not guarantee alerts for all security events.

C. All Activity: This option is too broad, as it sends notifications for every update in the repository, not just the specific security alerts the user wants.

1. GitHub Docs, "Configuring your watch settings for a single repository." This official documentation details the available notification levels for a repository. It explicitly states that under the "Custom" option, a user can "select the types of events you want to be notified of," and lists "Security alerts" as one of the selectable event types.

2. GitHub Docs, "Configuring notifications." This document provides a comprehensive overview of notification settings. In the section "Choosing your watch settings," it describes the "Custom" level as the method to "choose to be notified of specific events," reinforcing its suitability for the scenario.

Dependabot alerts are generated the moment GitHub's security scanner detects a vulnerable dependency within a repository's dependency graph. This detection occurs when new vulnerability information is added to the GitHub Advisory Database that matches a component in your project, or when a change to a dependency manifest file (e.g., via a push to the default branch) introduces a known vulnerability. The alert is the initial notification of the detected risk, serving as the primary trigger for any subsequent remediation actions, such as automated pull requests.

A. This describes the "dependency review" feature, which proactively checks for vulnerabilities in pull requests before they are merged, a distinct process from Dependabot alerts for existing dependencies.

C. Alerts are not triggered by every pull request. They are specifically generated only when a security vulnerability in a dependency is identified.

D. The Dependabot alert is the trigger for Dependabot to open a pull request. The alert must exist first; the pull request is a configurable, automated response to the alert.

1. GitHub Docs, "About Dependabot alerts." This document states, "GitHub generates Dependabot alerts when a new vulnerability is added to the GitHub Advisory Database... [or] The dependency graph for a repository changes...". This confirms that the alert is tied directly to the detection event.

Source: https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts, Section: "Detection of vulnerable dependencies".

2. GitHub Docs, "Configuring Dependabot security updates." This page clarifies the sequence of events: "You can enable Dependabot security updates for any repository that uses Dependabot alerts... When you receive a Dependabot alert for a vulnerable dependency... Dependabot automatically creates a pull request...". This shows the alert precedes the pull request.

Source: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates, Introduction and Section: "About Dependabot security updates".

3. GitHub Docs, "About dependency review." This source distinguishes dependency review from Dependabot alerts, stating, "Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes... on the 'Files Changed' tab of a pull request."

Source: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review, Introduction.

The GitHub REST API for Code Scanning provides specific endpoints to manage security alerts. The API includes an endpoint to list all code scanning alerts for a repository, which can be filtered by parameters such as the branch (ref) and state (open), thereby allowing a user to list all open alerts for the default branch. Additionally, there is a dedicated endpoint to retrieve the full details of a single alert using its unique alert number. These endpoints are fundamental for integrating code scanning results into external tools and custom workflows.

B. The API allows for updating an alert's state (e.g., dismissing it) but does not permit modification of the severity field, which is defined by the CodeQL query.

D. The Code Scanning API does not provide an endpoint to delete alerts. Alerts are part of the security history and can be dismissed or fixed, but not permanently deleted.

1. GitHub Docs, REST API, Code scanning, "List code scanning alerts for a repository": This official documentation page describes the GET /repos/{owner}/{repo}/code-scanning/alerts endpoint. The parameters table shows that you can filter results by ref (e.g., refs/heads/main for the default branch) and state (e.g., open), confirming option A.

2. GitHub Docs, REST API, Code scanning, "Get a code scanning alert": This page details the GET /repos/{owner}/{repo}/code-scanning/alerts/{alertnumber} endpoint, which directly corresponds to the action described in option C.

3. GitHub Docs, REST API, Code scanning, "Update a code scanning alert": This documentation for the PATCH /repos/{owner}/{repo}/code-scanning/alerts/{alertnumber} endpoint lists the updatable parameters. The list includes state and dismissedreason but explicitly omits severity, confirming that option B is incorrect. The documentation also lacks any mention of a "delete" operation, invalidating option D.

The dependency review action is a GitHub Actions workflow specifically designed to prevent the introduction of vulnerable dependencies. It runs on pull requests, scans for any changes to dependencies (additions or updates), and cross-references them with the GitHub Advisory Database. If a new dependency with a known vulnerability is detected, the action will fail. By configuring this action as a required status check in branch protection rules, you can effectively block the merging of pull requests that introduce new security risks, directly addressing the developer's need to avoid adding vulnerable dependencies.

A. Enable Dependabot alerts.

Dependabot alerts are reactive; they scan the repository's default branch for existing vulnerabilities, not new dependencies being introduced in a pull request.

B. Add Dependabot rules.

Dependabot rules are used to customize the behavior of Dependabot updates (e.g., grouping pull requests), not for scanning new dependencies within a pull request.

D. Enable Dependabot security updates.

This feature automatically creates pull requests to fix vulnerabilities already present in the repository, rather than preventing new ones from being added.

---

1. GitHub Docs, "About dependency review": "Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the 'Files Changed' tab of a pull request. Dependency review informs you of... whether any of the new dependencies contain known vulnerabilities."

Source: GitHub, Inc. Official Documentation. Retrieved from https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review

2. GitHub Docs, "Configuring dependency review": "The dependency review action is available for all public repositories, and for private repositories that have GitHub Advanced Security enabled... The action scans for vulnerable versions of dependencies introduced in pull requests and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities from being added to your repository."

Source: GitHub, Inc. Official Documentation. Retrieved from https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review

3. GitHub Docs, "About Dependabot alerts": "GitHub detects vulnerable dependencies in public repositories and generates Dependabot alerts by default... For private repositories, you need to enable the dependency graph and Dependabot alerts... GitHub doesn't scan dependencies on forks." (Note: This describes scanning the repository's state, not the changes in a pull request).

Source: GitHub, Inc. Official Documentation. Retrieved from https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

GitHub Advanced Security's secret scanning feature is designed to minimize alert fatigue by consolidating findings. When the same secret value is detected in multiple locations within a single repository, GitHub generates only one alert. This single alert will then track all instances of that unique secret across all branches and files in the repository, providing a centralized view for remediation. This ensures that developers address the compromised secret itself, rather than chasing down duplicate notifications for the same underlying issue.

B. 2: This is incorrect because GitHub consolidates alerts for the same unique secret within a repository, rather than creating a new alert for each instance.

C. 3: This is an arbitrary number and does not align with the documented behavior of secret scanning, which groups alerts by unique secret.

D. 4: This is also an arbitrary number and is inconsistent with the one-alert-per-unique-secret model used by GitHub.

1. GitHub Docs, "Managing alerts from secret scanning." Under the section "About secret scanning alerts," the documentation states: "GitHub generates one alert per unique secret, per repository. If a secret is present in multiple branches in a repository, this will not generate any new alerts. Each alert lists all of the branches that contain the secret." This directly confirms that multiple instances of the same secret result in a single alert.

Source: https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning#about-secret-scanning-alerts

2. GitHub Docs, "About secret scanning." This document provides a foundational overview, explaining that when a secret is detected, "GitHub generates an alert." The logic for how these alerts are grouped (one per unique secret) is detailed in the "Managing alerts" documentation, reinforcing the principle of consolidation.

Source: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning

The dependency review feature in GitHub Advanced Security is implemented via the dependency-review-action. This action is primarily designed to run on the pullrequest event. This allows it to scan for dependency changes and vulnerabilities introduced in a pull request before they are merged into the main branch, displaying results directly in the pull request's "Files Changed" tab.

The action can also be triggered manually using the workflowdispatch event. This provides the flexibility to run a dependency scan on-demand against any branch, outside of the standard pull request lifecycle, for auditing or specific security checks.

C. trigger is a generic term and not a valid event keyword used in the on: section of a GitHub Actions workflow file.

D. commit is not a valid event keyword for triggering a GitHub Actions workflow. The correct event for commits being pushed to a repository is push.

1. GitHub Docs, "Configuring dependency review": The official documentation provides an example workflow that explicitly uses on: pullrequest to trigger the dependency review action.

Reference: See the "Example workflow" section.

URL: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review

2. GitHub Docs, "Events that trigger workflows": This document lists all valid events for GitHub Actions. It confirms that pullrequest and workflowdispatch are valid events, while trigger and commit are not.

Reference: The list of events on the page.

URL: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows

3. GitHub Marketplace, "Dependency Review Action": The official page for the action states, "This action scans your pull requests for dependency changes and will fail if it finds any vulnerable dependencies." This highlights pullrequest as the primary trigger.

Reference: Main description paragraph.

URL: https://github.com/marketplace/actions/dependency-review

When GitHub Dependabot identifies a vulnerable dependency in a repository where alerts are enabled, it initiates a standard, automated workflow. First, it generates a Dependabot alert, which is a formal record of the vulnerability. This alert is then made visible within the repository's "Security" tab, providing a centralized location for maintainers to review and manage security issues. Concurrently, assuming default notification settings are in place, GitHub automatically sends notifications to users with admin permissions for the repository, ensuring that those responsible for security are promptly informed and can take action.

C. This option describes the default enablement state for repositories, not the action taken when a vulnerability is found. Also, alerts are not enabled by default for all private repositories; this requires enabling GitHub Advanced Security.

D. The process is automated against the GitHub Advisory Database. There is no real-time consultation or a new, thorough review conducted for each individual alert generated.

1. GitHub Docs, "About Dependabot alerts." This document states, "When your code depends on a package that has a security vulnerability, we'll generate a Dependabot alert and you can see it on the Security tab of the repository." This directly supports option A.

2. GitHub Docs, "Configuring notifications for Dependabot alerts." Under the section "About notifications for Dependabot alerts," the documentation specifies, "By default, we notify people with admin permissions in the affected repositories..." This directly supports option B.

3. GitHub Docs, "About the GitHub Advisory Database." This page explains that Dependabot uses the GitHub Advisory Database as its source for vulnerabilities, which refutes the idea of a real-time consultation as suggested in option D.

4. GitHub Docs, "Quickstart for Dependabot alerts." This guide confirms that for private repositories, you must "enable the dependency graph and Dependabot alerts for your repository," which contradicts the claim in option C that it is on by default for all private repositories.

When a pull request introduces a dependency that triggers a Dependabot alert, it signifies a known vulnerability. The primary security principle is to prevent this vulnerability from being merged into the main codebase. The correct procedure is to update the dependency to a secure version within the feature branch itself. This action resolves the security risk before the code is integrated, aligning with the "shift left" security practice of addressing vulnerabilities early in the development lifecycle. Merging the pull request without this update would knowingly introduce a security flaw into the default branch.

A. Disable Dependabot alerts for all repositories owned by your organization: This action ignores the identified risk and weakens the overall security posture of the organization, leaving all repositories vulnerable.

B. Fork the branch and deploy the new fork: Forking the branch does not resolve the underlying vulnerability. Deploying code with a known vulnerability is insecure and counterproductive.

D. Deploy the code to your default branch: This is equivalent to merging the pull request with the known vulnerability, which directly contradicts the purpose of security scanning and introduces risk.

---

1. GitHub Docs, "About Dependabot security updates." This document explains that Dependabot's purpose is to fix vulnerable dependencies. It states, "Dependabot security updates make it easier for you to fix vulnerable dependencies in your repository. If you enable this feature, when a Dependabot alert is raised for a vulnerable dependency in the dependency graph of your repository, Dependabot automatically tries to fix it by creating a pull request." This supports the principle of updating dependencies as the primary remediation step.

Source: GitHub Docs, Code security > Dependabot > Dependabot security updates > "About Dependabot security updates."

2. GitHub Docs, "About dependency review." This document describes how dependency review works on pull requests to prevent vulnerabilities from being introduced. It states, "Dependency review helps you understand dependency changes and the security impact of these changes at every pull request... you can prevent vulnerable dependencies from being added to your project." This directly supports resolving the issue within the pull request (Option C) before merging.

Source: GitHub Docs, Code security > Supply chain security > Understanding your software supply chain > "About dependency review."

3. GitHub Docs, "Viewing and updating vulnerable dependencies in your repository." This guide details the process for handling alerts, emphasizing that the resolution involves updating the package. It notes, "When you're ready to update the dependency... you can click the Dependabot alert to open the pull request that Dependabot has created to fix the vulnerability." This reinforces that the correct action is to update the dependency.

Source: GitHub Docs, Code security > Dependabot > Dependabot alerts > "Viewing and updating vulnerable dependencies in your repository."

The most complete method involves two key stages. First, GitHub scans the repository's manifest and lock files (e.g., package-lock.json, pom.xml) to generate a dependency graph. This graph maps out all direct and transitive dependencies for the project. Second, Dependabot cross-references every dependency in this graph against the comprehensive list of known vulnerabilities cataloged in the GitHub Advisory Database. When a match is found between a dependency in the graph and a known vulnerability, a Dependabot alert is generated.

A. Dependabot reviews manifest files in the repository: This is only the initial step. Reviewing manifest files is how the dependency graph is built, but it does not, by itself, identify any vulnerabilities.

B. CodeQL analyzes the code and raises vulnerabilities in third-party dependencies: This is incorrect. CodeQL is a static analysis engine for finding vulnerabilities in your own source code, not for checking third-party libraries against a database of known CVEs.

D. The build tool finds the vulnerable dependencies and calls the Dependabot API: This reverses the workflow. The process is initiated and managed within GitHub; it is not dependent on an external build tool detecting a vulnerability and then calling an API.

---

1. GitHub Docs, "About Dependabot alerts": This document explicitly states the process: "When GitHub detects a vulnerability from the GitHub Advisory Database, we find every repository that uses the affected version of the dependency and we send a Dependabot alert. We generate Dependabot alerts when: A new vulnerability is added to the GitHub Advisory Database... The dependency graph for one of your repositories changes..." This confirms the use of both the dependency graph and the Advisory Database.

Source: GitHub Docs, "About security alerts for vulnerable dependencies", Section: "How Dependabot alerts are generated".

2. GitHub Docs, "About the dependency graph": This page details how the graph is generated and its purpose. "The dependency graph is a summary of the manifest and lock files stored in a repository... GitHub uses the dependency graph to identify repositories that use a vulnerable dependency when a new security advisory is published." This supports the first part of the correct answer.

Source: GitHub Docs, "About the dependency graph", Introduction.

3. GitHub Docs, "Browsing security advisories in the GitHub Advisory Database": This resource describes the database that Dependabot uses for comparison. "The GitHub Advisory Database contains a curated list of security vulnerabilities that you can view, search, and filter." This confirms the second part of the correct answer.

Source: GitHub Docs, "Browsing security advisories in the GitHub Advisory Database", Introduction.

Dismissing a code scanning alert is the appropriate action when the alert is not relevant to the security of the production application. A common reason for dismissal is when the flagged code is part of a test suite, documentation, or another non-production context. In such cases, the alert is considered a false positive or an acceptable risk. By dismissing it with a specific reason (e.g., "Used in tests"), teams can clean up their security backlog and focus on alerts that represent genuine vulnerabilities in their deployable codebase.

A. If you fix the code that triggered the alert, the alert will be closed automatically after the branch is rescanned; you do not need to dismiss it manually.

B. Dismissing an alert hides a potential issue and does not serve as a preventative measure against developers introducing new problems.

D. An alert for a production error indicates a real vulnerability that must be addressed and fixed, not dismissed and ignored.

1. GitHub Docs, "Managing code scanning alerts for your repository." This document explicitly lists valid reasons for dismissing an alert. It states, "You may want to dismiss an alert for a reason such as... The code is only used in tests." This directly supports the correct answer (C). It also explains that fixing an alert results in it being automatically closed, which invalidates option A.

Reference Section: "Dismissing or deleting alerts" -> "Dismissing an alert"

2. GitHub Docs, "About code scanning alerts." This page describes the lifecycle of an alert. It clarifies that when code that caused an alert is fixed, the alert's status changes to "Fixed" and it is closed automatically on the next scan. This reinforces why option A is an incorrect action.

Reference Section: "About the status and details of alerts"