Dependabot alerts are generated the moment GitHub's security scanner detects a vulnerable dependency within a repository's dependency graph. This detection occurs when new vulnerability information is added to the GitHub Advisory Database that matches a component in your project, or when a change to a dependency manifest file (e.g., via a push to the default branch) introduces a known vulnerability. The alert is the initial notification of the detected risk, serving as the primary trigger for any subsequent remediation actions, such as automated pull requests.

A. This describes the "dependency review" feature, which proactively checks for vulnerabilities in pull requests before they are merged, a distinct process from Dependabot alerts for existing dependencies.

C. Alerts are not triggered by every pull request. They are specifically generated only when a security vulnerability in a dependency is identified.

D. The Dependabot alert is the trigger for Dependabot to open a pull request. The alert must exist first; the pull request is a configurable, automated response to the alert.

1. GitHub Docs, "About Dependabot alerts." This document states, "GitHub generates Dependabot alerts when a new vulnerability is added to the GitHub Advisory Database... [or] The dependency graph for a repository changes...". This confirms that the alert is tied directly to the detection event.

Source: https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts, Section: "Detection of vulnerable dependencies".

2. GitHub Docs, "Configuring Dependabot security updates." This page clarifies the sequence of events: "You can enable Dependabot security updates for any repository that uses Dependabot alerts... When you receive a Dependabot alert for a vulnerable dependency... Dependabot automatically creates a pull request...". This shows the alert precedes the pull request.

Source: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates, Introduction and Section: "About Dependabot security updates".

3. GitHub Docs, "About dependency review." This source distinguishes dependency review from Dependabot alerts, stating, "Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes... on the 'Files Changed' tab of a pull request."

Source: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review, Introduction.