dependabot vs. dependabot-preview - detecting security vulnerabilities


I’ve enabled “dependabot-preview” for security fixes only on my private repo.

However, it detects only some vulnerable packages, compared to the Security Alerts tab. Also, I can trigger the Automated security fixes (aka “dependabot”), which creates PRs for issues missed by the “dependabot-preview”.

Is it possible that dependabot-preview does not detect issues detected by Security Alerts (dependabot)? What is the recommended way to handle a security audit? I would like to use dependabot-preview because of the configuration options via config.yaml (PR customization), but it does not seem to be reliable.

Thank you.

The dependabot-preview product isn’t related to the vulnerability alerts system. It’s used specifically to keep dependencies up-to-date, whether for security reasons or not. Since it isn’t hooked into GitHub’s vulnerability alerts system, you are correct that it won’t catch some things that the vulnerability alerts system will.

As for what’s recommended for a security audit, GitHub’s security features, such as security alerts, do not claim to catch all vulnerabilities. Though we are always trying to update our vulnerability database and alert you with our most up-to-date information, we will not be able to catch everything or alert you to known vulnerabilities within a guaranteed time frame. These features are not substitutes for human review of each dependency for potential vulnerabilities or any other issues, and we recommend consulting with a security service or conducting a thorough vulnerability review when necessary.

I hope that helps! Let us know if you have more questions.