What is the relationship between Code Scanning and repository vulnerability advisories?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

What is the relationship between Code Scanning and repository vulnerability advisories?

Explanation:
Code Scanning findings are local to one repository. An analysis (CodeQL or another tool that uploads SARIF) runs against that repository's code and reports each result as a rule hit at a file and line, visible in that repository's Security tab and nowhere else. A repository vulnerability advisory is a different kind of record: it describes a known vulnerability in a published package, identified by ecosystem, package name and affected version range, and it is published to the central GitHub Advisory Database so that every project depending on that package can be warned and remediate.

The key distinction is scope and source. Code Scanning is produced by analysing your own code, and its results stay within the repository. Advisories come from external disclosures (maintainer-published security advisories, CVEs) collected in a central database; they are surfaced to you through dependency tooling such as Dependabot alerts so you can fix the same issue across many projects, and they are not created by the scanning process. A Code Scanning finding may point at code that calls into a vulnerable dependency, but the scanner does not generate advisories, and matching a repository's dependencies against published advisories is the job of Dependabot alerts, not Code Scanning. This separation of local findings from centralized vulnerability records is why the described relationship is the best fit.

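The two record types differ in what they are keyed by, and that is easiest to see on the artifacts themselves. The following is an added example, not code from the original page or from GitHub: it parses a constructed SARIF document (the format Code Scanning tools upload, keyed by file and line) and a constructed OSV-format advisory (the format the GitHub Advisory Database publishes, keyed by package and version range), then cross-references a constructed requirements pin list against the advisory, which is the dependency-side check that Dependabot alerts perform. The GHSA id, package names and versions are placeholders, and version parsing is simplified to dotted numeric versions.

```python
import json

# Constructed SARIF 2.1.0 document: one code-scanning finding located inside
# this repository at app/db.py line 42. No package or version appears in it.
SARIF_SAMPLE = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [{
            "ruleId": "py/sql-injection",
            "level": "error",
            "message": {"text": "Query text built from user input"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/db.py"},
                "region": {"startLine": 42}}}],
        }],
    }],
})

# Constructed OSV-format advisory. The GHSA id and package name are
# placeholders, not real records; the shape matches what the Advisory
# Database publishes: package + ecosystem + introduced/fixed version events.
ADVISORY_SAMPLE = {
    "id": "GHSA-xxxx-xxxx-xxxx",
    "summary": "Constructed example flaw in example-lib",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "example-lib"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"}]}],
    }],
}

# Constructed requirements.txt pins for the repository being checked.
LOCKFILE_SAMPLE = "example-lib==1.3.0\nother-lib==2.0.0\n"


def parse_sarif_findings(sarif_text):
    """Return code-scanning findings as rule/file/line: each names a location
    inside this repository, never a package or a version range."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc["physicalLocation"]
                findings.append({
                    "rule": result["ruleId"],
                    "file": phys["artifactLocation"]["uri"],
                    "line": phys["region"]["startLine"],
                })
    return findings


def version_key(version):
    """Simplification: dotted numeric versions only (no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def version_in_range(version, events):
    """OSV range semantics: 'introduced' opens a vulnerable window that the
    next 'fixed' closes; a window with no 'fixed' stays open upward."""
    v = version_key(version)
    introduced = None
    for event in events:
        if "introduced" in event:
            introduced = version_key(event["introduced"])
        elif "fixed" in event:
            if introduced is not None and introduced <= v < version_key(event["fixed"]):
                return True
            introduced = None
    return introduced is not None and introduced <= v


def parse_pins(lockfile_text):
    """Read 'name==version' pins; other requirement forms are ignored here."""
    pins = {}
    for line in lockfile_text.splitlines():
        line = line.strip()
        if "==" in line and not line.startswith("#"):
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
    return pins


def match_advisories(pins, advisories, ecosystem="PyPI"):
    """Cross-reference pinned packages against advisory version ranges.
    This is the dependency-side check (what Dependabot alerts do); it takes
    the advisory database as input and never reads or writes SARIF."""
    matches = []
    for advisory in advisories:
        for affected in advisory.get("affected", []):
            package = affected["package"]
            pinned = pins.get(package["name"].lower())
            if package["ecosystem"] != ecosystem or pinned is None:
                continue
            for rng in affected.get("ranges", []):
                if version_in_range(pinned, rng["events"]):
                    fixed = [e["fixed"] for e in rng["events"] if "fixed" in e]
                    matches.append({"package": package["name"], "version": pinned,
                                    "advisory": advisory["id"],
                                    "fixed_in": fixed[-1] if fixed else None})
    return matches


if __name__ == "__main__":
    print("code scanning findings:", parse_sarif_findings(SARIF_SAMPLE))
    print("advisory matches:",
          match_advisories(parse_pins(LOCKFILE_SAMPLE), [ADVISORY_SAMPLE]))
```

Run it and the two outputs make the distinction concrete: the finding carries a file and line and no package, while the advisory match carries a package, a version and a fix version and no file. Nothing in the scanner output could be turned into an advisory, and the advisory match never needed the scanner to run.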
