According to GitHub, the new security alerts feature is designed to be on the top of the dependency graph functionality, which was recently introduced.Here, GitHub automatically performs the required scanning operation of a project. The purpose is to fetch all the dependencies and then displays them to the user.
The aim of the GitHub is to automate vulnerability identification including the ability to generate alerts as and when a new vulnerability is found. This is being done by cross-referencing dependency data with security vulnerability data via machine learning.
After a vulnerability is identified, the required severity level is allocated based on the CVE record. The user can apply the patch and issue a fix after the identification of the security vulnerability. GitHub will scan all the public repositories and can be activated for private code bases. That being said, the results of the scanning process are never disclosed.
As of writing this, GitHub only provides support for JavaScript and Ruby. Going forward, the code repository will also provide support for Python by the end of 2018.