Dependabot is complementary to CodeQL. While CodeQL detects security issues in your own code, Dependabot detects vulnerabilities that originate from your project’s dependencies. A recent example was Log4j, which introduced a number of upstream impacts for package registries and dependencies. Since Log4j is widely used across apps and websites to help log activity in applications and websites, this incident meant a lot of people were suddenly forced to quickly update their Log4j versions to avoid any potential issues.
Source: https://github.blog/2022-04-22-5-simple-things-every-developer-can-do-to-ship-more-secure-code/#:~:text=Dependabot%20is%20complementary%20to%20CodeQL,for%20package%20registries%20and%20dependencies.
Dependabot also automatically checks dependencies for vulnerabilities in your code. It is designed to monitor and notify of package and dependency updates, including information about known vulnerabilities. Therefore, Dependabot is a valid option to check dependencies in your repository for vulnerabilities. However, if you want to check all parts of the code, including vulnerabilities in the source code itself, "CodeQL actions" can provide a more comprehensive analysis.
The correct answer is C. CodeQL actions scan your code for vulnerabilities, usually as a workflow process you set up, while Dependabot, which is often set up automatically by GitHub, scans only your dependencies.
GitHub sends Dependabot alerts when we detect that your repository uses a vulnerable dependency or malware.
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
C. CodeQL actions
A static analysis tool that scans your code for potential security vulnerabilities and other code-related issues.
>Dependabot alerts, focused on dependencies to detect security vulnerabilities.
>Branch protection rules, enforce certain checks and restrictions before allowing changes to be merged, e.g. require a code review, ensure that all tests pass, specify the number of approving reviews.
>GitHub Advisory Database, central repository of known vulnerabilities that can be accessed by various security-related tools, e.g. Dependabot.
Discover vulnerabilities across the entire code base.
https://codeql.github.com/docs/
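The split the comments above describe (CodeQL as a workflow you set up yourself, Dependabot as a configuration GitHub manages for you) looks like this in a repository. This is an added example, not from the original thread or from GitHub's documentation; the branch name, the `javascript` language and the weekly schedules are assumptions.

```yaml
# --- .github/workflows/codeql.yml (added example) ---
# CodeQL runs as a normal Actions workflow: it scans YOUR source code
# and uploads findings to the repository's Code scanning alerts.
name: "CodeQL"
on:
  push:
    branches: [ main ]            # assumed default branch
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 3 * * 1'           # weekly full scan, even with no commits
permissions:
  contents: read
  security-events: write          # needed to upload SARIF results
  actions: read
jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [ 'javascript' ]   # assumed; add others the repo contains
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended   # broader security query suite
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

---
# --- .github/dependabot.yml (added example) ---
# Dependabot is not a workflow: alerts and security updates are switched
# on in repository settings, and this file only tunes its version updates.
# It inspects your DEPENDENCY manifests (package.json here), not your code.
version: 2
updates:
  - package-ecosystem: "npm"      # assumed ecosystem
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
```

In practice both run side by side: a Dependabot alert tells you a library you import is vulnerable, while a CodeQL alert points at a line in your own code.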