Integrate Dependabot with Vulnetix by exporting your repository dependency graph SBOM from GitHub in SPDX format for centralised vulnerability management.
Run Dependabot in CI
Scan on every push and upload the results to Vulnetix:
- name: Export Dependency Graph SBOM
run: |
gh api /repos/${{ github.repository }}/dependency-graph/sbom --jq '.sbom' > dependabot-sbom.spdx.json
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload to Vulnetix
run: vulnetix upload --file dependabot-sbom.spdx.json
How Vulnetix compares — better together
Vulnetix does not replace Dependabot. Keep running it. Vulnetix sits on top of Dependabot — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Dependabot is strongest at its core category and also carries features in SBOM Generation — just like Vulnetix spans categories.
| Capability | Vulnetix | Dependabot |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✓ Core: monitors dependency graph from manifests/lockfiles for known-vuln direct+transitive deps |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✗ |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✗ |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ~ Dependency graph exports as SPDX 2.3 SBOM via UI/API, but consumption not authoring of CycloneDX |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ~ GitHub Advisory Database CVSS plus EPSS scores surfaced on alerts; no KEV/ESS/LEV blending |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✓ Opens automated security-update and version-bump PRs when patched versions publish |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Dependabot does well
- Zero-config, GitHub-native dependency alerts wired directly to the repo's dependency graph across many ecosystems (npm, pip, Maven, Gradle, Go, Cargo, NuGet, Composer, Bundler, and more)
- Automated security-fix and version-bump pull requests with grouped updates and CI-derived compatibility scores, so remediation lands as reviewable PRs
- Also raises PRs to update vulnerable GitHub Actions in workflows, extending SCA coverage into CI supply chain
- Backed by the curated GitHub Advisory Database, with EPSS scores now surfaced on alerts to help prioritise
Where Vulnetix adds to it: Vulnetix ingests Dependabot/GitHub Advisory alerts and layers cross-scanner dedup, KEV+EPSS+ESS+CWSS+LEV prioritisation, reachability, versioned VEX, and SSVC on top — turning single-ecosystem PRs into one governed queue alongside SAST, IaC, container, secrets, and cloud findings. It complements Dependabot's PR autofix rather than replacing GitHub-native remediation.
No migration, no rip-and-replace. Dependabot keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Dependabot results in Vulnetix
Upload Dependabot SPDX, CycloneDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.