1. GitHub Docs, "About dependency review": "Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the 'Files Changed' tab of a pull request. Dependency review informs you of... whether any of the new dependencies contain known vulnerabilities."
Source: GitHub, Inc. Official Documentation. Retrieved from https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review
2. GitHub Docs, "Configuring dependency review": "The dependency review action is available for all public repositories, and for private repositories that have GitHub Advanced Security enabled... The action scans for vulnerable versions of dependencies introduced in pull requests and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities from being added to your repository."
Source: GitHub, Inc. Official Documentation. Retrieved from https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review
3. GitHub Docs, "About Dependabot alerts": "GitHub detects vulnerable dependencies in public repositories and generates Dependabot alerts by default... For private repositories, you need to enable the dependency graph and Dependabot alerts... GitHub doesn't scan dependencies on forks." (Note: Dependabot alerts describe the vulnerable dependencies already present in the repository's dependency graph; they do not evaluate the dependency changes proposed in a pull request, which is what dependency review in entries 1 and 2 covers.)
Source: GitHub, Inc. Official Documentation. Retrieved from https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
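To make entry 2 concrete, the following is a minimal GitHub Actions workflow that runs dependency review on every pull request. It is an added example, not text or configuration taken from the GitHub documentation cited above; the action reference `actions/dependency-review-action@v4`, the `fail-on-severity` input and the `moderate` threshold are assumptions drawn from the action's own README rather than from the quoted pages.

```yaml
# Added example (not from the GitHub docs quoted above): run dependency review
# on each pull request and fail the check when a newly introduced or updated
# dependency carries a known vulnerability.
name: Dependency review

on:
  pull_request:

permissions:
  contents: read          # read-only token: the action only needs the PR diff

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request head
        uses: actions/checkout@v4

      - name: Review dependencies changed in this pull request
        uses: actions/dependency-review-action@v4   # version assumed
        with:
          # Fail when an added/updated dependency has an advisory at or above
          # this severity. Input name assumed from the action's README; the
          # threshold is a local policy choice, not a value from the docs.
          fail-on-severity: moderate
```

Per entry 2, this only works where the dependency graph is available: all public repositories, and private repositories with GitHub Advanced Security enabled. The check is advisory until branch protection (or a ruleset) requires the `dependency-review` job to pass before merging; without that, a failing review is visible on the "Files changed" diff but does not block the pull request.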