Dependabot security alerts have terrible signal-to-noise ratio, especially for Go vulnerabilities. That hurts security!

Just turn it off and set up a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.

Less work, less risk, better results!

https://words.filippo.io/dependabot/?source=Mastodon

Turn Dependabot Off

I recommend turning Dependabot off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running CI against the latest version of your dependencies.
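As an added example (not from Filippo's post or the linked article), here is what that pair of scheduled jobs can look like as a GitHub Actions workflow. The two jobs are combined into one file for brevity and can be split; the cron time, workflow name and action versions are arbitrary choices of this example.

```yaml
# .github/workflows/scheduled-deps.yml (added example, not from the original post)
name: Scheduled dependency checks

on:
  schedule:
    - cron: "0 6 * * *"   # daily; the cadence is arbitrary here
  workflow_dispatch:      # allow a manual run when a new advisory lands

permissions:
  contents: read          # neither job needs to write to the repo

jobs:
  # Job 1: report only vulnerabilities whose affected symbols are actually
  # reachable from this module's code, using the Go vulnerability database.
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...   # exits non-zero, failing the job, when a reachable vuln is found

  # Job 2: upgrade every dependency (including test-only deps) to its latest
  # version in a throwaway checkout and run the normal build and tests against
  # it, so a breaking upstream release is noticed before an update becomes urgent.
  latest-deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go get -u -t ./... && go mod tidy
      - run: git --no-pager diff --stat -- go.mod go.sum   # log which modules moved
      - run: go build ./... && go test ./...
```

Nothing from the second job is committed: the bump lives only on the runner, so a red run tells you that some upstream release breaks you, without a pull request per dependency. A failure in the first job is worth acting on immediately, since govulncheck only flags vulnerable functions your code can reach.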

@filippo
the `symbols` field in the OSV example you give looks like the biggest false-positive-reducing feature, so I'd love to see it used in other programming languages.

But couldn't find any mention of it in the OSV schema[1] and it doesn't seem like api.osv.dev propagates it[2].

Is this some golang-specific extension? Or something in the process of being added to the standard?

[1]: https://ossf.github.io/osv-schema/
[2]: https://api.osv.dev/v1/vulns/GHSA-fw7p-63qq-7hpr
