GitHub Dependabot
By GitHub
GitHub's automatic dependency-update bot, opening pull requests to bump vulnerable or outdated packages and free on every repository, public or private. It stayed free through GitHub's April 2025 unbundling of Advanced Security, which moved code and secret scanning onto separate paid SKUs but left Dependabot untouched.
Verified Source: 1
- Product type
- Software
- Deployment
- SaaS
- Organization size
- IndividualSMBMid-marketEnterprise
- Pricing tier
- Free
Capability checklist
SCAHow GitHub Dependabot measures up against the full Software Composition Analysis & Supply Chain Security taxonomy.
- Dependency vulnerability scanning — supported
- Flags known CVEs in direct and transitive open-source dependencies.
- License compliance — not supported
- Detects and enforces policy on open-source license obligations.
- SBOM generation — not supported
- Produces standardized SPDX or CycloneDX software bills of materials.
- Malicious package detection — not supported
- Flags typosquatting and known-malicious packages in the dependency chain.
- CI/CD gating — supported
- Blocks builds or pull requests that introduce new vulnerable or noncompliant packages.
- Reachability analysis — not supported
- Determines whether a vulnerable code path is actually invoked, to cut noise from unused code.
- IaC & container config scanning — not supported
- Scans infrastructure-as-code templates and container configurations for misconfigurations alongside application code.
Alternatives
Other Software Composition Analysis & Supply Chain Security tools with overlapping capabilities, sized for similar teams.
Appears in stacks
Real-world stacks that include GitHub Dependabot.