Dependency review is a GitHub Advanced Security feature specifically designed to operate within the pull request workflow. It automatically scans changes to manifest or lock files in a pull request, providing a "rich diff" on the "Files Changed" tab. This diff explicitly shows which dependencies are being added, removed, or updated, and most importantly, it flags any dependencies that have known vulnerabilities, including their severity level. This allows developers and reviewers to catch and address security risks before they are merged into the main codebase.

A. Dependency graph: This is a repository-level summary of all dependencies; it does not specifically show the impact of changes within an individual pull request.

C. Dependabot alert: These are reactive notifications for vulnerabilities found in dependencies already present in the repository's default branch, not a proactive check on a pending pull request.

D. The repository's Security tab: This is a centralized dashboard for viewing all security alerts (like Dependabot and code scanning), not a feature that displays vulnerability information directly within a pull request diff.

1. GitHub Docs, "About dependency review." GitHub Enterprise Cloud Documentation. Accessed May 2024.

"Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the "Files Changed" tab of a pull request."

"Dependency review tells you about: ... Vulnerabilities in the dependencies. For example, the severity level and if the vulnerability has been fixed in a newer version."

2. GitHub Docs, "Reviewing dependency changes in a pull request." GitHub Enterprise Cloud Documentation. Accessed May 2024.

"The dependency review allows you to "shift left". You can catch vulnerable dependencies before they hit production. ... The dependency review rich diff is displayed on the "Files Changed" tab of a pull request."

3. GitHub Docs, "About the dependency graph." GitHub Enterprise Cloud Documentation. Accessed May 2024.

"The dependency graph is a summary of the manifest and lock files stored in a repository. For each repository, it shows... dependencies..." (This describes a repository-level inventory, not a PR-specific check).

The dependabot.yml configuration file requires a minimum set of fields for each package manager entry defined under the updates key. According to the official GitHub documentation, three fields are mandatory to define a basic update check:

1. package-ecosystem: Specifies the package manager to use (e.g., npm, maven, pip).

2. directory: Defines the location of the package manifest files (e.g., / for the root directory).

3. schedule.interval: Sets the frequency for checking for new versions (e.g., daily, weekly).

Without these three fields, Dependabot cannot identify which dependencies to monitor, where to find them, or how often to check for updates.

C. milestone: This is an optional field used to automatically assign a specific milestone to all pull requests created by Dependabot for that configuration.

E. allow: This is an optional field used to explicitly specify which dependencies Dependabot should update, which is useful for limiting updates to a specific subset.

1. GitHub Docs, "Configuration options for the dependabot.yml file." This official documentation provides a comprehensive list of all available configuration options and explicitly labels which are required and which are optional.

Section: "Required properties for each package manager": This section explicitly lists package-ecosystem, directory, and schedule (which contains the required interval field) as mandatory for each entry in the updates array.

Section: "Optional properties for all updates": This section lists milestone and allow as optional configurations that provide more granular control over Dependabot's behavior.

The dependabot.yml configuration file requires a set of update configurations defined under the updates key. For each update configuration, three keys are mandatory: package-ecosystem, directory, and schedule.interval. The package-ecosystem key is essential as it specifies which package manager Dependabot should monitor for dependencies (e.g., npm, maven, pip). Without this key, Dependabot cannot identify which ecosystem to scan for outdated dependencies. The other options listed are optional parameters used for customizing Dependabot's behavior.

A. rebase-strategy: This is an optional key used to define how Dependabot handles pull request conflicts, such as by rebasing automatically.

B. commit-message: This is an optional key that allows for customization of the commit messages used in Dependabot's pull requests.

C. assignees: This is an optional key used to automatically assign specific users or teams to the pull requests created by Dependabot.

1. GitHub Docs. (n.d.). Configuration options for the dependabot.yml file. GitHub. Retrieved from https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem

Reference Specifics: Under the section "Required properties for each updates entry," the documentation explicitly lists package-ecosystem as "Required" and describes its function. The same document lists rebase-strategy, commit-message, and assignees as optional parameters in their respective sections.

Dependabot pull requests for security updates are managed like any other pull request within a repository. The ability to merge a pull request is determined by the repository's access permissions. The standard permission level required to merge pull requests is 'write' access. Users with this level of access can push changes to the repository and manage pull requests, including those automatically generated by Dependabot. Since the question specifies no custom configurations, these default GitHub permissions apply.

A. An enterprise administrator can merge pull requests, but this is not the minimum required permission. The 'write access' role is the more precise and fundamental requirement.

C. A user with 'read' access can only view repository content and open issues. They do not have the necessary permissions to merge pull requests or modify the repository's code.

D. Membership in an enterprise organization does not inherently grant merge permissions. A member must be assigned a specific role with at least 'write' access to the repository in question.

---

1. GitHub Docs, "Repository roles for an organization." This document explicitly lists the abilities associated with each permission level. For the "Write" role, it includes the ability to "Merge pull requests."

Reference: In the table under the "Permissions" section, the row for "Merge pull requests" has a checkmark for the "Write," "Maintain," and "Admin" roles.

2. GitHub Docs, "Managing pull requests for dependency updates." This page clarifies that Dependabot pull requests are handled similarly to user-created ones.

Reference: Under the section "Viewing Dependabot pull requests," it states, "You can manage Dependabot pull requests in the same way as any other pull request..." This confirms that standard repository permissions apply.

3. GitHub Docs, "About Dependabot security updates." This document describes the process of Dependabot creating a pull request to fix a vulnerability, which is then reviewed and merged by repository maintainers.

Reference: Under the section "About pull requests for Dependabot security updates," it describes the pull request creation, implying it follows the standard workflow for review and merging by authorized users.

To prevent a GitHub Actions workflow from running when a pull request contains changes only to specific file paths or types, the paths-ignore key is used within the event trigger configuration. The paths-ignore: key (D) defines a filter that accepts a list of patterns. The options - '/.md' (A) and - '/.txt' (B) are the list items specifying the patterns to be ignored. When combined, the workflow trigger is configured to execute for pull requests targeting the main branch, unless all the changed files in the pull request match the ignored patterns (i.e., are .md or .txt files in the root directory).

C. paths:: This key is used to include paths, causing the workflow to run only when specified files change, which is the opposite of the requirement.

E. - 'docs/.md': This pattern is too specific. It only ignores markdown files within the docs directory, failing to meet the broader requirement of ignoring any markdown file.

1. GitHub Docs. (2023). Workflow syntax for GitHub Actions. GitHub. Retrieved from https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpullrequestpullrequesttargetpaths-ignore.

Reference Details: The section on.. explicitly states: "When you use paths-ignore, the workflow runs only if at least one file changed is outside of the paths-ignore list." This directly supports the use of paths-ignore: (D) with a list of patterns (A, B) to achieve the desired exclusion.

2. GitHub Docs. (2023). Workflow syntax for GitHub Actions - Filter pattern cheat sheet. GitHub. Retrieved from https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet.

Reference Details: This section explains the glob patterns used for path filtering. The pattern .md matches any file with the .md extension in the root directory, confirming the syntax and behavior of options A and B. It also shows that paths and paths-ignore are mutually exclusive alternatives.

The "Custom" notification setting provides granular control over which events trigger a notification for a specific repository. This allows a user to subscribe to particular categories of events, such as "Security alerts," while ignoring others like "Issues" or "Pull Requests." This is the only option that directly addresses the need to receive specific notifications that explicitly include security alerts without subscribing to all repository activity.

A. Ignore: This setting mutes all notifications for the repository, which is the opposite of the user's requirement.

B. Participating and @mentions: This only sends notifications for conversations the user is directly involved in or mentioned in, and would not guarantee alerts for all security events.

C. All Activity: This option is too broad, as it sends notifications for every update in the repository, not just the specific security alerts the user wants.

1. GitHub Docs, "Configuring your watch settings for a single repository." This official documentation details the available notification levels for a repository. It explicitly states that under the "Custom" option, a user can "select the types of events you want to be notified of," and lists "Security alerts" as one of the selectable event types.

2. GitHub Docs, "Configuring notifications." This document provides a comprehensive overview of notification settings. In the section "Choosing your watch settings," it describes the "Custom" level as the method to "choose to be notified of specific events," reinforcing its suitability for the scenario.

Dependabot alerts are generated the moment GitHub's security scanner detects a vulnerable dependency within a repository's dependency graph. This detection occurs when new vulnerability information is added to the GitHub Advisory Database that matches a component in your project, or when a change to a dependency manifest file (e.g., via a push to the default branch) introduces a known vulnerability. The alert is the initial notification of the detected risk, serving as the primary trigger for any subsequent remediation actions, such as automated pull requests.

A. This describes the "dependency review" feature, which proactively checks for vulnerabilities in pull requests before they are merged, a distinct process from Dependabot alerts for existing dependencies.

C. Alerts are not triggered by every pull request. They are specifically generated only when a security vulnerability in a dependency is identified.

D. The Dependabot alert is the trigger for Dependabot to open a pull request. The alert must exist first; the pull request is a configurable, automated response to the alert.

1. GitHub Docs, "About Dependabot alerts." This document states, "GitHub generates Dependabot alerts when a new vulnerability is added to the GitHub Advisory Database... [or] The dependency graph for a repository changes...". This confirms that the alert is tied directly to the detection event.

Source: https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts, Section: "Detection of vulnerable dependencies".

2. GitHub Docs, "Configuring Dependabot security updates." This page clarifies the sequence of events: "You can enable Dependabot security updates for any repository that uses Dependabot alerts... When you receive a Dependabot alert for a vulnerable dependency... Dependabot automatically creates a pull request...". This shows the alert precedes the pull request.

Source: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates, Introduction and Section: "About Dependabot security updates".

3. GitHub Docs, "About dependency review." This source distinguishes dependency review from Dependabot alerts, stating, "Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes... on the 'Files Changed' tab of a pull request."

Source: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review, Introduction.

The GitHub REST API for Code Scanning provides specific endpoints to manage security alerts. The API includes an endpoint to list all code scanning alerts for a repository, which can be filtered by parameters such as the branch (ref) and state (open), thereby allowing a user to list all open alerts for the default branch. Additionally, there is a dedicated endpoint to retrieve the full details of a single alert using its unique alert number. These endpoints are fundamental for integrating code scanning results into external tools and custom workflows.

B. The API allows for updating an alert's state (e.g., dismissing it) but does not permit modification of the severity field, which is defined by the CodeQL query.

D. The Code Scanning API does not provide an endpoint to delete alerts. Alerts are part of the security history and can be dismissed or fixed, but not permanently deleted.

1. GitHub Docs, REST API, Code scanning, "List code scanning alerts for a repository": This official documentation page describes the GET /repos/{owner}/{repo}/code-scanning/alerts endpoint. The parameters table shows that you can filter results by ref (e.g., refs/heads/main for the default branch) and state (e.g., open), confirming option A.

2. GitHub Docs, REST API, Code scanning, "Get a code scanning alert": This page details the GET /repos/{owner}/{repo}/code-scanning/alerts/{alertnumber} endpoint, which directly corresponds to the action described in option C.

3. GitHub Docs, REST API, Code scanning, "Update a code scanning alert": This documentation for the PATCH /repos/{owner}/{repo}/code-scanning/alerts/{alertnumber} endpoint lists the updatable parameters. The list includes state and dismissedreason but explicitly omits severity, confirming that option B is incorrect. The documentation also lacks any mention of a "delete" operation, invalidating option D.

The dependency review action is a GitHub Actions workflow specifically designed to prevent the introduction of vulnerable dependencies. It runs on pull requests, scans for any changes to dependencies (additions or updates), and cross-references them with the GitHub Advisory Database. If a new dependency with a known vulnerability is detected, the action will fail. By configuring this action as a required status check in branch protection rules, you can effectively block the merging of pull requests that introduce new security risks, directly addressing the developer's need to avoid adding vulnerable dependencies.

A. Enable Dependabot alerts.

Dependabot alerts are reactive; they scan the repository's default branch for existing vulnerabilities, not new dependencies being introduced in a pull request.

B. Add Dependabot rules.

Dependabot rules are used to customize the behavior of Dependabot updates (e.g., grouping pull requests), not for scanning new dependencies within a pull request.

D. Enable Dependabot security updates.

This feature automatically creates pull requests to fix vulnerabilities already present in the repository, rather than preventing new ones from being added.

---

1. GitHub Docs, "About dependency review": "Dependency review helps you understand dependency changes and the security impact of these changes at every pull request. It provides an easily understandable visualization of dependency changes with a rich diff on the 'Files Changed' tab of a pull request. Dependency review informs you of... whether any of the new dependencies contain known vulnerabilities."

Source: GitHub, Inc. Official Documentation. Retrieved from https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review

2. GitHub Docs, "Configuring dependency review": "The dependency review action is available for all public repositories, and for private repositories that have GitHub Advanced Security enabled... The action scans for vulnerable versions of dependencies introduced in pull requests and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities from being added to your repository."

Source: GitHub, Inc. Official Documentation. Retrieved from https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review

3. GitHub Docs, "About Dependabot alerts": "GitHub detects vulnerable dependencies in public repositories and generates Dependabot alerts by default... For private repositories, you need to enable the dependency graph and Dependabot alerts... GitHub doesn't scan dependencies on forks." (Note: This describes scanning the repository's state, not the changes in a pull request).

Source: GitHub, Inc. Official Documentation. Retrieved from https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

GitHub Advanced Security's secret scanning feature is designed to minimize alert fatigue by consolidating findings. When the same secret value is detected in multiple locations within a single repository, GitHub generates only one alert. This single alert will then track all instances of that unique secret across all branches and files in the repository, providing a centralized view for remediation. This ensures that developers address the compromised secret itself, rather than chasing down duplicate notifications for the same underlying issue.

B. 2: This is incorrect because GitHub consolidates alerts for the same unique secret within a repository, rather than creating a new alert for each instance.

C. 3: This is an arbitrary number and does not align with the documented behavior of secret scanning, which groups alerts by unique secret.

D. 4: This is also an arbitrary number and is inconsistent with the one-alert-per-unique-secret model used by GitHub.

1. GitHub Docs, "Managing alerts from secret scanning." Under the section "About secret scanning alerts," the documentation states: "GitHub generates one alert per unique secret, per repository. If a secret is present in multiple branches in a repository, this will not generate any new alerts. Each alert lists all of the branches that contain the secret." This directly confirms that multiple instances of the same secret result in a single alert.

Source: https://docs.github.com/en/code-security/secret-scanning/managing-alerts-from-secret-scanning#about-secret-scanning-alerts

2. GitHub Docs, "About secret scanning." This document provides a foundational overview, explaining that when a secret is detected, "GitHub generates an alert." The logic for how these alerts are grouped (one per unique secret) is detailed in the "Managing alerts" documentation, reinforcing the principle of consolidation.

Source: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning