Configure and use Dependabot and Dependency Review Questions
Practice questions for Configure and use Dependabot and Dependency Review topic in GitHub Advanced Security. 71 questions covering this domain.
A team wants dependency review to fail only for high or critical vulnerabilities and also enforce license rules. What should they customize?
Which feature shows dependency changes and vulnerability information on the Files changed tab of a pull request?
After private registries are configured, some Dependabot version updates fail because manifest processing needs external code execution. Which setting...
Which standard format does GitHub use when exporting an SBOM for a repository from the dependency graph?
Why might a new low-risk Dependabot alert produce no email notification even though repository security notifications are enabled?
What limitation applies to Dependabot alerts for GitHub Actions dependencies?
A GitHub Actions workflow uses the dependency submission API to submit a repository snapshot. Which permission is required?
Dependabot must update packages from a registry that is reachable only from an internal network. What should the team configure?
An engineer wants to know which direct package introduced a vulnerable transitive dependency. Which dependency graph feature should they use?
What must be enabled before dependency review becomes available for a repository?
Which statement about grouped security updates is correct?
A team wants control over exactly which Dependabot alerts should generate automated security-update pull requests instead of opening PRs for every ope...
When Dependabot security updates is enabled and a patch is available, what does Dependabot attempt to do?
By default, what happens when the dependency-review-action finds vulnerable packages?
A team wants Dependabot to access private registries without storing long-lived credentials. Which approach should it use where supported?
What is the purpose of the dependency submission API?
When does GitHub generate new Dependabot alerts for a repository?
A repository uses both dependency submission actions and the dependency-review-action in GitHub Actions. What is the safest way to avoid race conditio...
After private registries are configured for Dependabot, what is the default behavior for external code execution during version updates?
Which dependency data is a good candidate for the dependency submission API because static analysis often does not capture it?