1. GitHub Docs
"About Dependabot alerts." This document states: "GitHub detects vulnerable dependencies in your repository and generates Dependabot alerts... When a new vulnerability is added to the GitHub Advisory Database, Dependabot scans all active repositories and generates an alert for any repository that is affected." This directly supports that detection is the trigger.
Source: GitHub Documentation
Code security > Dependabot > Dependabot alerts > About Dependabot alerts.
2. GitHub Docs
"Viewing and updating Dependabot alerts." This page clarifies the trigger mechanism: "GitHub generates Dependabot alerts when it detects that your codebase is using a dependency with a known vulnerability."
Source: GitHub Documentation
Code security > Dependabot > Dependabot alerts > Viewing and updating Dependabot alerts.
3. GitHub Docs
"Configuring Dependabot security updates." This source explains the sequence of events, showing that the alert precedes the pull request: "When Dependabot finds a vulnerability in one of your dependencies, it creates a Dependabot alert... If Dependabot security updates are enabled for the repository, the alert includes a link to a pull request to fix the vulnerability."
Source: GitHub Documentation
Code security > Dependabot > Dependabot security updates > Configuring Dependabot security updates.
4. GitHub Docs
"About dependency review." This document distinguishes the feature described in option A from general Dependabot alerts: "Dependency review allows you to visualize dependency changes in pull requests before they are merged into your repository."
Source: GitHub Documentation
Code security > Supply chain security > Understanding your software supply chain > About dependency review.