GitHub automatically closes a code scanning alert when the underlying issue in the code is resolved. This process involves a developer committing a fix to the branch where the alert was detected. When the branch is re-scanned (typically after the commit is pushed, often within a pull request), the CodeQL analysis will no longer detect the vulnerability. Upon confirming the absence of the issue in the latest analysis for that branch, GitHub marks the alert as fixed and closes it.

A. Triaging an alert involves manually reviewing and dismissing it (e.g., as a false positive or acceptable risk), which is a different action from fixing the code to resolve it.

B. Data-flow analysis is a technique used by CodeQL to find potential security issues; it is part of the detection process, not the resolution or closure process.

C. Clicking an alert within a pull request is a navigational action for viewing its details; it does not alter the code or the status of the alert.

1. GitHub Docs

"Managing code scanning alerts for your repository." Under the section "Fixing an alert

" the documentation states

"GitHub automatically closes an alert if you fix the code in a pull request... GitHub closes an alert when code scanning determines that the code with the potential vulnerability is no longer present in the latest analysis for a branch."

2. Microsoft Learn

"Manage code scanning alerts in GitHub." In the "Fix code scanning alerts" unit

it is specified that "GitHub closes an alert automatically when you fix the code that triggered it. To fix an alert

you need to commit your changes to the branch where the alert was found."

3. GitHub Docs

"About code scanning alerts." In the section "About the status and details of alerts

" it clarifies the lifecycle: "An alert is usually closed when a user fixes the code that triggered the alert and pushes their changes to the branch that is being scanned."