Turn Dependabot Off
4 days ago
- #Vulnerability Management
- #Go Security
- #Dependabot
- Dependabot generates excessive noise with irrelevant security alerts, especially in the Go ecosystem.
- A case study shows Dependabot creating thousands of unnecessary PRs for a minor, non-critical update in filippo.io/edwards25519.
- Dependabot's alerts include misleading CVSS scores and compatibility warnings, causing unnecessary concern.
- The Go Vulnerability Database provides detailed metadata for vulnerabilities, enabling better filtering.
- govulncheck is recommended as a superior alternative, offering static analysis to filter out irrelevant vulnerabilities.
- A GitHub Action for govulncheck is provided, running daily checks without the noise of Dependabot.
- Alert fatigue from false positives reduces security by making proper triage impractical.
- Running tests against the latest dependency versions in CI can catch issues early without immediate updates.
- Sandboxing CI environments, like with geomys/sandboxed-step, can mitigate risks from supply chain attacks.
- The article advocates for replacing Dependabot with more precise tools and practices to improve security and reduce noise.
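A daily govulncheck workflow of the kind the summary refers to, written here as an added example (it is not the article's own GitHub Action and not code from the govulncheck project). It assumes the repository is a single Go module at its root and that the default `GITHUB_TOKEN` is enough, since the job only reads the tree; the schedule time and job name are arbitrary choices.

```yaml
# Added example workflow (not the article's own): scan a Go module with
# govulncheck once a day instead of relying on Dependabot alerts.
# Assumes: a single Go module at the repository root.
name: govulncheck

on:
  schedule:
    - cron: "0 6 * * *"      # daily at 06:00 UTC (arbitrary time)
  workflow_dispatch:         # allow an on-demand run from the Actions tab

permissions:
  contents: read             # read-only token; the job never writes to the repo

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # build with the Go version the module declares

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Scan for reachable vulnerabilities
        # In source mode govulncheck builds a call graph and exits non-zero
        # only when a vulnerable function is actually reachable from this
        # module's code; vulnerabilities in imported-but-uncalled code are
        # listed as informational and do not fail the job.
        run: govulncheck ./...
```

The scan step is the one that carries the signal: because it fails only on reachable vulnerable symbols, a red run is worth a human's attention, which is the property the summary contrasts with Dependabot's volume. Installing with `@latest` keeps the vulnerability database client current; a team that prefers reproducible CI can pin a specific `golang.org/x/vuln` version instead and bump it deliberately.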