Cyber Tool Stack
All tools

GitHub Dependabot

By GitHub

GitHub's automatic dependency-update bot, opening pull requests to bump vulnerable or outdated packages and free on every repository, public or private. It stayed free through GitHub's April 2025 unbundling of Advanced Security, which moved code and secret scanning onto separate paid SKUs but left Dependabot untouched.

Verified Source: 1

Product type
Software
Deployment
SaaS
Organization size
IndividualSMBMid-marketEnterprise
Pricing tier
Free

Capability checklist

SCA

How GitHub Dependabot measures up against the full Software Composition Analysis & Supply Chain Security taxonomy.

Dependency vulnerability scanning — supported
Flags known CVEs in direct and transitive open-source dependencies.
License compliance — not supported
Detects and enforces policy on open-source license obligations.
SBOM generation — not supported
Produces standardized SPDX or CycloneDX software bills of materials.
Malicious package detection — not supported
Flags typosquatting and known-malicious packages in the dependency chain.
CI/CD gating — supported
Blocks builds or pull requests that introduce new vulnerable or noncompliant packages.
Reachability analysis — not supported
Determines whether a vulnerable code path is actually invoked, to cut noise from unused code.
IaC & container config scanning — not supported
Scans infrastructure-as-code templates and container configurations for misconfigurations alongside application code.

Alternatives

Other Software Composition Analysis & Supply Chain Security tools with overlapping capabilities, sized for similar teams.

Appears in stacks

Real-world stacks that include GitHub Dependabot.

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.