Dependency review is a GitHub Advanced Security feature specifically designed to operate within the pull request workflow. It automatically scans changes to manifest or lock files in a pull request, providing a "rich diff" on the "Files Changed" tab. This diff explicitly shows which dependencies are being added, removed, or updated, and most importantly, it flags any dependencies that have known vulnerabilities, including their severity level. This allows developers and reviewers to catch and address security risks before they are merged into the main codebase.

A. Dependency graph: This is a repository-level summary of all dependencies; it does not specifically show the impact of changes within an individual pull request.

C. Dependabot alert: These are reactive notifications for vulnerabilities found in dependencies already present in the repository's default branch, not a proactive check on a pending pull request.

D. The repository's Security tab: This is a centralized dashboard for viewing all security alerts (like Dependabot and code scanning), not a feature that displays vulnerability information directly within a pull request diff.

1. GitHub Docs, "About dependency review." GitHub Enterprise Cloud Documentation. Accessed May 2024.

"Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request."

"Dependency review tells you about: ... Vulnerabilities in the dependencies. For example, the severity level and if the vulnerability has been fixed in a newer version."

2. GitHub Docs, "Reviewing dependency changes in a pull request." GitHub Enterprise Cloud Documentation. Accessed May 2024.

"The dependency review allows you to "shift left". You can catch vulnerable dependencies before they hit production. ... The dependency review rich diff is displayed on the "Files Changed" tab of a pull request."

3. GitHub Docs, "About the dependency graph." GitHub Enterprise Cloud Documentation. Accessed May 2024.

"The dependency graph is a summary of the manifest and lock files stored in a repository. For each repository, it shows... dependencies..." (This describes a repository-level inventory, not a PR-specific check).