When GitHub identifies a vulnerable dependency in a repository with Dependabot alerts enabled, it performs the following actions:
[A] Geneates a Dependabot alert: The alert is displayed on the repository's Security tab, providing details about the vulnerability and affected dependency.
[D] Notifies repository maintainers: By default, GitHub notifies users with write, maintain, or admin permissions about new Dependabot alerts.
These actions ensure that responsible parties are informed promptly to address the vulnerability.

About SARIF file uploads for code scanning
GitHub creates code scanning alerts in a repository using information from Static Analysis Results Interchange Format (SARIF) files. SARIF files can be uploaded to a repository using the API or GitHub Actions.
You can upload the results using GitHub Actions, the code scanning API, or the CodeQL CLI.
The best upload method will depend on how you generate the SARIF file, for example, if you use:
* GitHub Actions to run the CodeQL action, there is no further action required. The CodeQL action uploads the SARIF file automatically when it completes analysis.
* GitHub Actions to run a SARIF-compatible analysis tool, you could update the workflow to include a final step that uploads the results.
Uploading a code scanning analysis with GitHub Actions
To use GitHub Actions to upload a third-party SARIF file to a repository, you'll need a workflow.
Your workflow will need to use the upload-sarif action, which is part of the github/codeql-action repository. It has input parameters that you can use to configure the upload.
* The CodeQL CLI to run code scanning in your CI system, you can use the CLI to upload results to GitHub

Enabling Dependabot version updates
You enable Dependabot version updates by committing a dependabot.yml configuration file to your repository. If you enable the feature in your settings page, GitHub creates a basic file which you can edit, otherwise you can create the file using any file editor.
1. On GitHub, navigate to the main page of the repository.
[Steps omitted. See step 8 below]
...
7. Add an updates section, with an entry for each package manager you want Dependabot to monitor. This key is mandatory. You use it to configure how Dependabot updates the versions or your project's dependencies. Each entry configures the update settings for a particular package manager.
8. For each package manager, use:
*-> package-ecosystem to specify the package manager.
directories or directory to specify the location of multiple manifest or other definition files.
chedule.interval to specify how often to check for new versions.
9. Check the dependabot.yml configuration file in to the .github directory of the repository.

We [Microsoft] automatically run secret scanning for partner patterns on all public repositories and public npm packages.

Anyone with admin permissions to a security advisory can request a CVE identification number.