The dependency review feature in GitHub Advanced Security is implemented via the dependency-review-action. This action is primarily designed to run on the pullrequest event. This allows it to scan for dependency changes and vulnerabilities introduced in a pull request before they are merged into the main branch, displaying results directly in the pull request's "Files Changed" tab.

The action can also be triggered manually using the workflowdispatch event. This provides the flexibility to run a dependency scan on-demand against any branch, outside of the standard pull request lifecycle, for auditing or specific security checks.

C. trigger is a generic term and not a valid event keyword used in the on: section of a GitHub Actions workflow file.

D. commit is not a valid event keyword for triggering a GitHub Actions workflow. The correct event for commits being pushed to a repository is push.

1. GitHub Docs, "Configuring dependency review": The official documentation provides an example workflow that explicitly uses on: pullrequest to trigger the dependency review action.

Reference: See the "Example workflow" section.

URL: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review

2. GitHub Docs, "Events that trigger workflows": This document lists all valid events for GitHub Actions. It confirms that pullrequest and workflowdispatch are valid events, while trigger and commit are not.

Reference: The list of events on the page.

URL: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows

3. GitHub Marketplace, "Dependency Review Action": The official page for the action states, "This action scans your pull requests for dependency changes and will fail if it finds any vulnerable dependencies." This highlights pullrequest as the primary trigger.

Reference: Main description paragraph.

URL: https://github.com/marketplace/actions/dependency-review