The Problem With Security Alerts That Aren’t Real
If you’re a technical founder or lead the engineering team at your startup, you’re likely familiar with Dependabot: that GitHub tool promising to keep you up-to-date with security vulnerabilities in your dependencies. It sounds ideal, but a growing problem is impacting technical team productivity: alert fatigue from false positives.
An article by Filippo Valsorda, a recognized security expert and former member of the security team at Go at Google, raises a strong critique: Dependabot generates too many irrelevant alerts, especially within the Go ecosystem, ultimately being counterproductive to real security.
For startups operating with lean teams and needing to optimize every minute of development, distinguishing between real threats and noise is critical. This isn’t a minor issue: false positives not only consume time, they also erode trust in security tools and can lead to genuine vulnerabilities being ignored.
Why Dependabot Fails in the Go Ecosystem
The fundamental problem lies in how Dependabot identifies vulnerabilities. The tool analyzes dependencies listed in files like go.mod and compares them against databases of known vulnerabilities. If a match is found, it generates an alert.
This seems logical, but here’s the flaw: Dependabot doesn’t verify if the vulnerable code is actually being used in your application. In the Go ecosystem, it’s common to import a large package but only utilize a small fraction of its functionality. If the vulnerability exists in a part of the package you never execute, the alert is technically irrelevant to your context.
A Real-World Case: Alerts That Shouldn’t Exist
Valsorda illustrates this with a concrete example from his experience maintaining Go repositories. Dependabot generated security alerts for vulnerabilities in dependencies that, after detailed analysis with static analysis tools, turned out to be in functions or modules completely disconnected from the running code.
The result: hours of work investigating and closing false positives, time that could be spent in a startup building real functionality or resolving genuine technical problems. For teams of 2-5 engineers, What we have is unsustainable.
The Intelligent Alternative: govulncheck
The good news is that a more precise solution exists: govulncheck, an official tool from the Go team that performs static code analysis to determine if known vulnerabilities actually affect your application.
Unlike Dependabot, govulncheck traces the execution flow of your code and only alerts on vulnerabilities in functions that can actually be invoked. This dramatically reduces false positives and allows your team to focus on real threats.
Practical Implementation with GitHub Actions
The concrete recommendation is to disable Dependabot for Go projects and replace it with an automated workflow using GitHub Actions that runs govulncheck on every push or pull request.
A basic workflow could look like this:
- Run
govulncheck ./...in the CI/CD pipeline - Configure the workflow to fail if it detects exploitable vulnerabilities
- Review the output only when verified alerts are present
This approach maintains the automation you need as an agile startup, but eliminates the noise that consumes valuable team time.
Strategies for Managing Dependencies Without Losing Security
Beyond the specific tool, the article proposes a broader approach to how to manage dependencies intelligently in high-velocity environments like tech startups.
Strategic, Not Reactive, Updating
Instead of updating every dependency immediately after each alert, the recommended approach is:
- Update dependencies in scheduled cycles (monthly or quarterly) as part of planned technical maintenance
- Prioritize updates only for exploitable vulnerabilities identified by precise tools
- Evaluate the real risk considering your architecture, exposure, and specific use cases
For B2B SaaS or fintech startups where security is critical, this discipline is especially important: your enterprise clients evaluate your security posture before signing contracts.
Protection Against Supply Chain Attacks
The article also addresses an increasingly relevant topic: software supply chain attacks, where malicious actors compromise popular packages to distribute malware.
Recommended strategies include:
- Minimize the number of dependencies: each additional package is a potential attack vector
- Audit dependencies before incorporating them: review maintainers, project activity, and reputation
- Pin specific versions instead of using open ranges that allow for unverified automatic updates
- Use integrity verification tools like checksums and cryptographic signatures
For founders without a deep security background, this may seem complex, but these practices become a natural part of the development flow with the right tools and processes.
Implications for Technical Teams in Startups
This analysis has direct practical consequences for how you structure development processes in your startup:
Accessible DevSecOps for Small Teams
Security shouldn’t require a dedicated team in early stages. Tools like govulncheck integrated into CI/CD allow a team of 3-5 engineers to maintain solid security standards without significant overhead.
A Culture of Meaningful Alerts
When every alert truly matters, your team develops respect for security signals instead of learning to ignore them. This is crucial for scaling: as you grow, you need all engineers to take security seriously.
Speed Without Sacrificing Security
The goal isn’t to choose between moving fast or being secure. It’s eliminating unnecessary friction (false positives, manual processes) while automating what really matters (detection of exploitable vulnerabilities).
Considerations for Other Ecosystems
Although the article focuses on Go, the principles apply to other languages and frameworks popular in the startup world:
- JavaScript/TypeScript: tools like
npm auditandyarn audithave similar false positive problems; consider alternatives like Snyk with scope analysis - Python:
pip-auditand Safety offer more contextual analysis than simple version comparisons - Rust:
cargo-auditbenefits from Rust’s type system to reduce false positives
The universal lesson: not all security tools are equal. It’s worth investing time in finding those that align with your stack and way of working.
Conclusion
The proposal to disable Dependabot may sound radical, but it reflects an important truth: security tools should serve your team, not become a source of frustration.
For technical founders and CTOs of startups, the message is clear: question default configurations, evaluate if the tools you use actually add value, and don’t be afraid to adjust your stack to maximize your team’s productivity without compromising security.
Specifically within the Go ecosystem, govulncheck with GitHub Actions offers a superior path: intelligent automation that respects your time and generates alerts you can actually trust.
Implementing this today could save you dozens of hours this quarter, time you can invest in achieving product-market fit, closing clients, or building the features your users really need.
