I'm not an expert, but my understanding of the space is that Dependabot shows vulnerabilities in direct dependencies of a repo.

After reading greysteil's sibling comment, though, I wonder if something like Snyk does everything I mentioned: operate at the level of container images and also detect vulnerabilities in indirect dependencies.
Dependabot and Dependency Graph do detect indirect dependencies in repos (and create alerts and PRs for them) if they’re specified in a lockfile. So if you’re using bundler, npm, yarn, pipenv, composer, etc., and are committing your lockfile, you’re already covered. It’s cases we can’t scan (complicated cases like Gradle, where we really need to execute code to understand the dependencies) that the new API will help with.
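To illustrate the distinction drawn above (a manifest names only direct dependencies, while a committed lockfile pins the whole resolved tree, indirect packages included), here is an added example that is not part of the thread or of Dependabot's own code. It uses a constructed package.json, a constructed package-lock.json in the lockfileVersion 3 layout, and a placeholder advisory entry, and shows that a vulnerable indirect package is only visible when the lockfile is scanned.

```python
import json

# Constructed sample manifest: only declares the direct dependency "webapp-utils".
PACKAGE_JSON = json.loads("""{
  "name": "demo-app",
  "dependencies": { "webapp-utils": "^1.2.0" }
}""")

# Constructed sample lockfile (npm lockfileVersion 3 layout): the resolved tree
# also pins the indirect dependency "tiny-parser" pulled in by webapp-utils.
PACKAGE_LOCK = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "webapp-utils": "^1.2.0" } },
    "node_modules/webapp-utils": { "version": "1.2.3",
      "dependencies": { "tiny-parser": "~0.4.0" } },
    "node_modules/tiny-parser": { "version": "0.4.1" }
  }
}""")

# Constructed advisory feed (placeholder ID and package names, not real advisories).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "tiny-parser",
     "vulnerable_versions": ["0.4.0", "0.4.1"]},
]

def direct_dependencies(manifest):
    """Manifest-only view: names of direct dependencies, no resolved versions."""
    return set(manifest.get("dependencies", {}))

def resolved_dependencies(lockfile):
    """Lockfile view: every resolved package (direct and indirect) with its version."""
    resolved = {}
    for path, entry in lockfile["packages"].items():
        if path == "":  # root project entry, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the leaf name.
        name = path.rsplit("node_modules/", 1)[-1]
        resolved[name] = entry["version"]
    return resolved

def vulnerable_packages(resolved, advisories):
    """Match resolved name+version pairs against the advisory feed."""
    hits = []
    for adv in advisories:
        version = resolved.get(adv["package"])
        if version in adv["vulnerable_versions"]:
            hits.append((adv["id"], adv["package"], version))
    return hits
```

Running `vulnerable_packages` over `direct_dependencies` alone can never flag tiny-parser, because the manifest does not mention it; the same check over `resolved_dependencies` does.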