What's the difference between all the ways to use Dependabot?

I’m getting overwhelmed lately when it comes to using Dependabot. When I started using it before it was acquired by GitHub, it was simple to use. I’d log into the Dependabot website via my GitHub account and enable it on whichever repos I wanted it enabled on. That was it.

Now, I see three distinct ways to use it:

  1. YAML file in .github directory


  1. “Dependabot alerts” under Settings tab

  1. “Dependabot security updates” under Settings tab

How are these meant to be used? Is the idea that you would set it up with the YAML file instead of enabling it via the button in Settings, or vice versa? Or are they meant to be used all together?