1. GitHub Docs, "About Dependabot alerts": This document explicitly states the process: "When GitHub detects a vulnerability from the GitHub Advisory Database, we find every repository that uses the affected version of the dependency and we send a Dependabot alert. We generate Dependabot alerts when: A new vulnerability is added to the GitHub Advisory Database... The dependency graph for one of your repositories changes..." This confirms the use of both the dependency graph and the Advisory Database.
Source: GitHub Docs, "About security alerts for vulnerable dependencies", Section: "How Dependabot alerts are generated".
2. GitHub Docs, "About the dependency graph": This page details how the graph is generated and its purpose: "The dependency graph is a summary of the manifest and lock files stored in a repository... GitHub uses the dependency graph to identify repositories that use a vulnerable dependency when a new security advisory is published." This supports the first part of the correct answer.
Source: GitHub Docs, "About the dependency graph", Introduction.
3. GitHub Docs, "Browsing security advisories in the GitHub Advisory Database": This resource describes the database that Dependabot uses for comparison: "The GitHub Advisory Database contains a curated list of security vulnerabilities that you can view, search, and filter." This confirms the second part of the correct answer.
Source: GitHub Docs, "Browsing security advisories in the GitHub Advisory Database", Introduction.