When Dependabot detects vulnerable dependencies in your repositories, we generate a Dependabot alert and display it on the Security tab for the repository. GitHub notifies the maintainers of affected repositories about the new alert according to their notification preferences.
Dependabot is enabled by default on all public repositories, and needs to be enabled on private repositories.
Note:
By default, no repositories receive Dependabot alerts unless configuration is explicitly enabled.
GitHub does not enable Dependabot alerts automatically for any repositories unless:
The feature is turned on manually
It's configured at the organization or enterprise level via security policies This includes public, private, and enterprise-owned repositories -manual activation is required.

You can override the default behavior in your repository settings, by specifying the level of severities and security severities that will cause a pull request check failure.
Customizing your advanced setup for code scanning
You can customize how your advanced setup scans the code in your project for vulnerabilities and errors.
Who can use this feature?
Users with write access if advanced setup is already enabled
Example:
Defining the alert severities that cause a check failure for a pull request You can use rulesets to prevent pull requests from being merged when one of the following conditions is met:
A required tool found a code scanning alert of a severity that is defined in a ruleset.
A required code scanning tool's analysis is still in progress.
A required code scanning tool is not configured for the repository.

Configuring the dependency graph
[D] To generate a dependency graph, GitHub needs read-only access to the dependency manifest and lock files for a repository.
[B] Enabling and disabling the dependency graph
Repository administrators can enable or disable the dependency graph for all repositories owned by your user account, regardless of their visibility.
When the dependency graph is first enabled, any manifest and lock files for supported ecosystems are parsed immediately. The graph is usually populated within minutes but this may take longer for repositories with many dependencies. Once enabled, the graph is automatically updated with every push to the repository and every push to other repositories in the graph.

Dismissing alerts
There are two ways of closing an alert. You can fix the problem in the code, or you can dismiss the alert.
Dismissing an alert is a way of closing an alert that you don't think needs to be fixed. For example, an error in code that's used only for testing, or when the effort of fixing the error is greater than the potential benefit of improving the code. You can dismiss alerts from code scanning annotations in code, or from the summary list within the Security tab.
If you dismiss a CodeQL alert as a false positive result, for example because the code uses a sanitization library that isn't supported, consider contributing to the CodeQL repository and improving the analysis.

You can find security alerts from Dependabot, Secret scanning, and Code scanning under your repository's Security tab.