GH-500 Question #48: Real Exam Question with Answer & Explanation

The correct answer is A: a contributor adds the vulnerable dependency to a manifest in the repository.

Configure and use Dependabot and Dependency Review

Question

You have enabled Dependabot alerts on your repository. If Dependabot detects a vulnerable dependency, it sends an alert when:

Options

  • A. a contributor adds the vulnerable dependency to a manifest in the repository.
  • B. a contributor makes a change to a function in the code.
  • C. manifests and lock files are out of date and a version needs to be updated.
  • D. the vulnerability is removed from the GitHub Advisory Database.

Explanation

Detection of insecure dependencies

Dependabot performs a scan of the default branch of your repository to detect insecure dependencies, and sends Dependabot alerts when:

  • A new advisory is added to the GitHub Advisory Database.
  • The dependency graph for a repository changes. For example, when a contributor pushes a commit to change the packages or versions it depends on, or when the code of one of the dependencies changes.

Additionally, GitHub can review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flag any changes that would reduce the security of your project. This allows you to spot and deal with vulnerable dependencies before, rather than after, they reach your codebase.

Note: When you push a commit to GitHub that changes or adds a supported manifest or lock file to the default branch, the dependency graph is automatically updated. In addition, the graph is updated when anyone pushes a change to the repository of one of your dependencies.

The other options describe things that do not trigger a Dependabot alert: editing a function in your own code (B) does not change the dependency graph; keeping manifests and lock files current (C) is the job of Dependabot version updates, a separate feature that opens pull requests rather than raising alerts; and an advisory being removed from the GitHub Advisory Database (D) means there is no longer a known vulnerability to alert on.
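The pull request review described above is what GitHub's Dependency Review feature does. The workflow below is an added example, not code from the original question page or from GitHub's documentation, showing how to run it as a required check so that a pull request that introduces a dependency with a known advisory is flagged before it reaches the default branch. It assumes the default branch is named `main`, that the repository has the dependency graph enabled, that you want to fail on advisories of severity `high` or above, and that the file lives at the conventional path `.github/workflows/dependency-review.yml`; none of these details come from the page.

```yaml
# Added example (not from the original page): run GitHub's Dependency Review
# on every pull request that targets the default branch.
# Assumptions: the default branch is "main", the dependency graph is enabled,
# and merges should be blocked when an added or updated dependency has an
# advisory of severity "high" or "critical".
name: Dependency review

on:
  pull_request:
    branches: [main]      # assumption: "main" is the default branch

permissions:
  contents: read          # read the manifest and lock files in the PR
  pull-requests: write    # allow the action to post its summary on the PR

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v4

      - name: Compare dependency changes against the GitHub Advisory Database
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high        # fail on high and critical advisories
          comment-summary-in-pr: always # post the findings as a PR comment
```

Dependency Review only inspects the supported manifest and lock files changed by the pull request, so it complements rather than replaces Dependabot alerts: the alerts cover the whole dependency graph of the default branch and are also raised when a new advisory is published for a dependency you already use, which a PR check cannot catch.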

Topics

Dependabot alerts · Vulnerable dependencies · Dependency management · Manifest files
