Turn Dependabot Off
Summary
The article argues that Dependabot creates a lot of noise in the Go ecosystem and should be turned off in favor of scheduled GitHub Actions that run govulncheck and the test suite against the latest dependencies. It includes a case study about a security fix for filippo.io/edwards25519 and explains how Dependabot-generated alerts can be noisy and sometimes misleading. The author recommends using the Go Vulnerability Database and govulncheck, whose static analysis reports only vulnerabilities whose affected code the program actually reaches, to reduce false positives, and provides example GitHub Actions workflows to replace Dependabot with daily scans. The piece also discusses the importance of alert triage, an updating strategy aligned with development cycles, and measures to limit CI risk via sandboxed steps.
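As an added illustration, not one of the article's own workflows, the following GitHub Actions workflow shows the shape of the replacement the summary describes: it runs once a day, scans the committed dependency set with govulncheck, then upgrades every dependency to its latest version in the job's working copy and re-runs govulncheck and the test suite against that set. The workflow name, cron schedule and action versions are assumptions.

```yaml
name: daily-dependency-scan

on:
  schedule:
    - cron: "17 6 * * *"    # once a day; assumed schedule, minute chosen off the hour
  workflow_dispatch: {}     # allow a manual run when triaging an alert

permissions:
  contents: read            # the job only reads the repository; nothing is pushed

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Scan the committed dependency set
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          # Fails only for vulnerabilities whose affected code is reachable
          # from this module, which is what keeps the alert volume low.
          govulncheck ./...

      - name: Upgrade every dependency to its latest version (working copy only)
        run: |
          go get -u ./...
          go mod tidy

      - name: Scan and test the upgraded set
        run: |
          # A failure here means the *latest* dependencies either carry a
          # reachable vulnerability or break the tests, so the upgrade should
          # be handled deliberately rather than merged from an automated PR.
          govulncheck ./...
          go test ./...
```

The upgraded go.mod never leaves the runner, and the read-only token means a compromised dependency executed during `go test` cannot write to the repository; that is the limited-blast-radius posture the summary refers to.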