Dependabot + auditdude
Dependabot keeps your libraries patched. But it never reads the code you wrote, and that's where most breaches start. Here's what slips past it, and how to cover it without dropping Dependabot.
No credit card · read-only access · keep Dependabot running
Keep using it
It watches the libraries you depend on and bumps them when a known vulnerability is published. Free, native to GitHub, set once and forget. Nothing here replaces that. Keep it running.
The gap
Dependabot reads your package.json and Gemfile.lock. It never opens app/. Every bug below is one you ship yourself, and not one of them has a CVE.
```ruby
def show
  export = Export.find(params[:id]) # ← no tenant check
  send_file export.path
end
```
Dependabot: 0 alerts — no dependency changed
auditdude: High · IDOR — any user can fetch any export
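The IDOR above, modelled in plain Ruby so it runs without Rails, as an added example that is not auditdude's or the page's own code. The vulnerable controller keeps the behaviour shown (lookup by id alone); the hardened one scopes the lookup to the caller's tenant first. The in-memory table, the `User`/`Export` structs and the controller class names are assumptions made for the example.

```ruby
# Added example, not auditdude's or the page's own code: the IDOR above
# modelled in plain Ruby so it runs without Rails. Tenant scoping is done
# against an in-memory table; the class and field names are assumptions.

User   = Struct.new(:id, :tenant_id)
Export = Struct.new(:id, :tenant_id, :path)

# Constructed sample data: two tenants (10 and 20), one export each.
EXPORTS = [
  Export.new(1, 10, "/exports/tenant10-report.csv"),
  Export.new(2, 20, "/exports/tenant20-report.csv")
].freeze

class NotFound < StandardError; end

# Coerce a request parameter to an integer id; anything else is a 404.
def parse_id(raw)
  Integer(raw)
rescue ArgumentError, TypeError
  raise NotFound
end

# Vulnerable variant: the same lookup as Export.find(params[:id]).
# The id is the only thing checked, so any authenticated user who knows
# an id reads another tenant's export.
class VulnerableExportsController
  def initialize(current_user)
    @current_user = current_user
  end

  def show(params)
    id = parse_id(params[:id])
    export = EXPORTS.find { |e| e.id == id }
    raise NotFound unless export
    export.path # Rails would send_file export.path here
  end
end

# Hardened variant: scope the lookup to the caller's tenant before looking
# at the id, so an export owned by another tenant is indistinguishable from
# one that does not exist. In Rails terms this is
# current_user.tenant.exports.find(params[:id]) rather than Export.find(params[:id]).
class SafeExportsController
  def initialize(current_user)
    @current_user = current_user
  end

  def show(params)
    id = parse_id(params[:id])
    export = EXPORTS.find { |e| e.tenant_id == @current_user.tenant_id && e.id == id }
    raise NotFound unless export
    export.path
  end
end

# Returns true if `user` can read export `id` through `controller_class`,
# false if the controller answers NotFound. Used to compare the two variants.
def can_fetch?(controller_class, user, id)
  controller_class.new(user).show({ id: id })
  true
rescue NotFound
  false
end

if __FILE__ == $PROGRAM_NAME
  tenant10_user = User.new(1, 10)
  puts "vulnerable, foreign export readable: #{can_fetch?(VulnerableExportsController, tenant10_user, '2')}"
  puts "hardened,   foreign export readable: #{can_fetch?(SafeExportsController, tenant10_user, '2')}"
end
```

The point of the hardened variant is that the tenant filter is part of the query, not a check bolted on after the record is loaded: there is no code path on which a foreign record is fetched and then accidentally returned, and the response for a foreign id is the same 404 as for a non-existent one.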
| Vulnerability | Dependabot | auditdude |
|---|---|---|
| Vulnerable dependency (known CVE) | ✓ | — |
| SQL injection in your queries | — | ✓ |
| Broken auth & access control | — | ✓ |
| IDOR / SSRF in your routes | — | ✓ |
| Hardcoded secrets & keys | — | ✓ |
| Unsafe deserialization | — | ✓ |
| Path traversal & command injection | — | ✓ |
| Business-logic flaws you wrote | — | ✓ |
SCA covers your dependencies. SAST covers your code. You need both.
Why it matters
A published CVE is a problem everyone already knows about, including the maintainers who patched it. Dependabot's whole domain is the known. The bug in the auth check you wrote last week has no CVE and no advisory. Nothing is watching for it, and it ships with every push.
Patching dependencies is necessary. It isn't the same thing as securing your application.
Dependabot's domain
Known CVEs in third-party libraries
Published, catalogued, already patched upstream.
auditdude's domain
Unknown bugs in the code you wrote
No CVE, no advisory. Found by reading your source on every push.
Better together
Dependabot covers the code you pull in. auditdude covers the code you write. Run both and nothing falls in the gap between them.
Dependabot: watches your dependency tree. Opens a PR when a library you use ships a known-vulnerable version. Keep it on.
auditdude: reads your source on every push with Claude. Comments the exact vulnerable line in your PR and opens the fix, for the bugs you wrote yourself.
Closing the gap
You already trust a bot that scans on every change and opens a PR with the fix. auditdude is that, pointed at the code you write.
auditdude reads your source with Claude on every push and pull request — not once a year before an audit.
Each verified finding lands as an inline comment on the vulnerable line in your PR, with the severity and the fix.
Just like a Dependabot bump, except it's patching the SQL injection you wrote, not a stale dependency.
FAQ
Does Dependabot find vulnerabilities in the code I wrote?
No. Dependabot is a Software Composition Analysis (SCA) tool. It reads your dependency manifests and lockfiles and flags libraries with known published CVEs. It never analyzes the code you wrote, so first-party bugs like SQL injection, broken access control, or IDOR are invisible to it.
Is Dependabot a SAST tool?
No. Dependabot is SCA — it watches your dependencies. SAST analyzes your own source code. They cover different classes of vulnerability and are designed to run together, not as substitutes.
Can I run auditdude alongside Dependabot?
Yes, and you should. Dependabot keeps your dependencies patched; auditdude scans the code you write on every push. There's no overlap — together they cover both the libraries you pull in and the code you ship.
Is there a Dependabot alternative for my own code?
There isn't a like-for-like alternative, because Dependabot doesn't read your code in the first place. What you want is a SAST tool. auditdude scans every push with Claude, comments the exact vulnerable line in your pull request, and opens the fix as a PR — the same workflow Dependabot gave you, applied to your own source.
Get started
Connect a repo and read your first findings ten minutes from now. No credit card, read-only access, revoke anytime.