There are multiple ways to scan projects for vulnerabilities.
Dependabot can be configured to check repositories for issues, and automatically submits pull requests to resolve them.
NPM Audit will scan the packages used in an NPM solution for known vulnerabilities.
We’re trying to work out whether, if Dependabot is enabled, there’s any added value to using NPM Audit in our pipelines. I’m asking this solely from the perspective of what’s detected, not how the tools work (i.e. whether they can cause a pipeline to block/fail).
The actual question
Do both tools base their decisions on some common known-issue database, or is it common to see each tool detect different sets of problems?