How to Manage Microservices Dependencies Without Getting Overwhelmed?

Asked By CuriousCoder42 On

Our team's juggling a number of microservices and dealing with a ton of security vulnerabilities. Every time a new high-severity CVE comes out, we're racing to manually check and patch each affected repository, and it's becoming a nightmare. We're looking to automate this to reduce the workload, but we want to avoid excessive pull requests at the same time.

We're considering several tools: Dependabot, which is easy to set up but tends to create a lot of low-priority PRs; Renovatebot, which is known for its configuration options but still generates noise by alerting on all CVEs; and lastly Frogbot, which claims to only flag issues that are actually exploitable in our code.

I'd love to hear how others are successfully managing dependencies at scale. Has anyone tried using Frogbot's Contextual Analysis? Or for those who stick with Renovatebot, what strategies do you use to cut down on noise? We're eager to shift from manual interventions to a more reliable security patching process. What's been your go-to solution?

1 Answer

Answered By CodeNinja101 On

Renovatebot is a solid choice, but keep in mind it's mostly for tracking updates rather than specifically CVE patching. Make sure you have enough automated tests and deployment pipelines in place before switching to auto-merging. Start with just the minor and patch updates so you can catch any potential breakages easily. Don't group changes into a single merge request—this makes it tough to find out what broke.

AutomateAllTheThings -

Yeah, we're working towards auto-merging too, but we need to build trust first! We have decent test coverage, and we plan to group the minor and patch updates into daily PRs while handling major ones separately. The noise is definitely a concern, and we’re thinking about introducing Frogbot on top of Renovate for better security scanning.
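
A Renovate configuration that encodes the advice in the answer above (auto-merge only minor and patch updates, keep majors for human review, don't group changes) together with the reply's daily cadence for routine updates. This is an added example, not configuration posted by anyone in this thread or shipped by Renovate; the filename `renovate.json5` and the specific limits, schedule and labels are assumptions chosen for illustration, and the option names are Renovate's documented ones.

```json5
// renovate.json5 (assumed filename; Renovate also reads renovate.json and .renovaterc)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  // Keep the dashboard issue so deferred and major updates stay visible
  // without needing an open PR each.
  "dependencyDashboard": true,

  // Throttle routine update PRs so reviewers are not flooded (limits assumed).
  "prConcurrentLimit": 5,
  "prHourlyLimit": 2,
  "schedule": ["before 6am every weekday"],

  // Do not pick up a release the moment it is published: a compromised or
  // broken release has a few days to be yanked before it reaches our repos.
  "minimumReleaseAge": "3 days",

  "packageRules": [
    {
      // Minor and patch updates: one PR per dependency (no groupName, so a
      // breakage is attributable), merged automatically only once the
      // PR's status checks pass.
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "automergeType": "pr",
      "ignoreTests": false
    },
    {
      // Major updates: never auto-merged, always reviewed by a person.
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["dependencies", "major"]
    }
  ],

  // Security fixes are the exception to the throttling above: they are not
  // held back by the schedule or the release-age wait, are labelled so they
  // can be triaged first, and are still gated on CI when auto-merged.
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"],
    "schedule": ["at any time"],
    "minimumReleaseAge": null,
    "automerge": true
  },
  // Also consult the OSV database, not only the platform's own alert feed.
  "osvVulnerabilityAlerts": true
}
```

Two points worth checking before enabling this in a repository: `automergeType: "pr"` relies on branch protection requiring the CI checks, so a repo with no required status checks will merge an untested update; and the security rule intentionally drops the `minimumReleaseAge` wait, which is the right trade-off for a fix to a known CVE but means those PRs deserve a quick look at the diff of the lock file rather than none.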
