Dependabot alerts utilize standardized identifiers to describe vulnerabilities:
* CVE (Common Vulnerabilities and Exposures):A widely recognized identifier for publicly known cybersecurity vulnerabilities.
* CWE (Common Weakness Enumeration):A category system for software weaknesses and vulnerabilities.
These identifiers help developers understand the nature of the vulnerabilities and facilitate the search for more information or remediation strategies.

For compiled languages, CodeQL performs extraction bymonitoring the normal build process. This means it watches your usual build commands (like make, javac, or dotnet build) and extracts the relevant data from the actual build steps being executed. CodeQL uses this information to construct a semantic database of the application.
This approach ensures that CodeQL captures a precise, real-world representation of the code and its behavior as it is compiled, including platform-specific configurations or conditional logic used during build.

If a secret isintentionally used in a test environmentandposes no real-world security risk, you may close the alert with the reason"used in tests". This helps reduce noise and clarify that the alert was reviewed and accepted as non-critical.
Just being in a test file isn't enough unless itspurpose is purely for testing.

The correct place to look is the SECURITY.md file. This file provides contributors and security researchers with instructions on how to responsibly report vulnerabilities. It may include contact methods, preferred communication channels (e.g., security team email), and disclosure guidelines.
This file is considered a GitHub best practice and, when present, activates a "Report a vulnerability" button in the repository'sSecuritytab.

Thesecurity-extendedquery suite includes additional CodeQL queries that detectlower severity issuesthan those in the default security-and-quality suite.
It's often used when projects want broader visibility into code hygiene and potential weak spots beyond critical vulnerabilities.
The other options listed arepaths to language packs, not query suites themselves.