Detection of insecure dependencies
Dependabot performs a scan of the default branch of your repository to detect insecure dependencies, and sends Dependabot alerts when:
* A new advisory is added to the GitHub Advisory Database.
* The dependency graph for a repository changes. For example, when a contributor pushes a commit to change the packages or versions it depends on, or when the code of one of the dependencies changes.
Additionally, GitHub can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would reduce the security of your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase.
Note: When you push a commit to GitHub that changes or adds a supported manifest or lock file to the default branch, the dependency graph is automatically updated. In addition, the graph is updated when anyone pushes a change to the repository of one of your dependencies.

If you configure code scanning using CodeQL, you can also find data-flow problems in your code.
Data-flow analysis finds potential security issues in code, such as: using data insecurely[C], passing dangerous arguments to functions [D], and leaking sensitive information[B].
When code scanning reports data-flow alerts, GitHub shows you how data moves through the code. Code scanning allows you to identify the areas of your code that leak sensitive information, and that could be the entry point for attacks by malicious users.

[CE]
For enterprise organizations, GitHub's auto-triage rules help provide consistent management of security alerts at scale across multiple teams and repositories.
Auto-triage rules allow you to create custom criteria for automatically handling alerts based on factors like severity, EPSS [C], scope, package name, CVE[E], ecosystem, and manifest location.
You can create your own custom rules to control how Dependabot auto-dismisses and reopens alerts, so you can focus on the alerts that matter.
[D]
Common Weakness Enumeration (CWE) is used by CodeQL to describe the vulnerabilities it detects in code scanning alerts. CodeQL's queries are designed to identify a wide range of weaknesses, and each security query is associated with one or more specific CWEs, providing developers with standardized identifiers for the types of vulnerabilities found.
By associating alerts with CWEs, CodeQL provides a structured and informative approach to vulnerability management, making it easier for development teams to understand, address, and prevent security issues.
Note: The Common Weakness Enumeration (CWE) system is an industry-standard way of cataloging insecure software development patterns. CodeQL runs hundreds of queries out of the box that are able to detect an even greater number of CWEs. We went back through our existing queries, and aligned dozens of them with updated CWE IDs to give users better insight into the potential impact of a security issue when an alert is flagged up by code scanning.
Incorrect:
[Not A]
GitHub Advisories (GHSA) is a database of CVEs and GitHub-originated security advisories affecting the open source world. Advisories may or may not be documented in the National Vulnerability Database. Dependency-Track integrates with GHSA by mirroring advisories via GitHub's public GraphQL API.

Secret scanning automatically scans your repository's contents for sensitive data, such as API keys, passwords, tokens, and other secrets. It looks for patterns and heuristics that match known types of secrets.
Secret scanning is available for the following repository types:
Public repositories on GitHub.com
Organization-owned repositories on GitHub Team with GitHub Secret Protection enabled

Before defining a custom pattern, you must ensure that you enable secret scanning for the repositories that you want to scan in your organization. You can use security configurations to enable secret scanning on all repositories in your organization.