Add a grype.yaml File to Cut Vulnerability Scan Noise in Your Projects

·1 views

Security teams and developers often clash over excessive vulnerability alerts generated by Grype, a container and filesystem scanning tool. A practical solution involves adding a .grype.yaml configuration file to the root directory of a project. This file allows teams to explicitly ignore CVEs that are non-applicable or platform-specific, such as Windows-only vulnerabilities flagged inside Linux-based images. The approach was identified while deploying Bookstack in a local environment and reflects a broader challenge faced by organizations managing software supply chain security. By filtering out false positives, teams can reduce alert fatigue and improve collaboration between development and security functions.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Anthropic: Over 80% of Its Code Now Written by Claude, Output Up Eightfold

Anthropic has published an essay titled 'When AI Builds Itself,' describing how AI is already deeply embedded in its own software development process. The company reports that more than 80% of its production code is now written by Claude, with engineers shipping roughly eight times more code than they were in 2024. Unlike many online discussions, the essay focuses on changes already observed internally rather than speculative future predictions. A developer who read the full essay noted that AI is accelerating code execution, but that human judgment — deciding what to build and whether results make sense — remains a distinct and irreplaceable skill. The essay has prompted renewed debate about what makes software engineers valuable as AI takes over more routine coding tasks.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Researcher Explains How Structured Data Transformed 2000+ GitHub Issues Into Insights

A developer experience researcher initially collected thousands of GitHub issues using a simple spreadsheet with basic fields like title, link, and a brief summary. After months of work, they found they could not answer fundamental research questions about failure patterns, user pain points, or recurring problems. The core issue was that raw information had been gathered without a structure that supported analysis or could be understood by engineers and UX designers. The researcher redesigned the process by breaking each issue into granular research categories — covering metadata, user personas inferred from context, workflow stages, and resolution details. This shift from information collection to structured qualitative and quantitative datasets made the data actionable and meaningful for cross-functional teams.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Cloud Run, GKE, or GCE: A Practical Guide to Picking the Right Google Compute

Developers new to Google Cloud often struggle to choose between Cloud Run, Google Kubernetes Engine (GKE), and Google Compute Engine (GCE), three compute options with distinct trade-offs. GCE offers full control over virtual machines but demands heavy manual management, making it suitable for custom, low-level infrastructure needs. GKE uses Kubernetes to orchestrate containers across a managed cluster, ideal for complex microservice architectures that require advanced scaling, networking, and scheduling. Cloud Run is a fully managed, serverless option that scales to zero when idle, making it the recommended starting point for stateless HTTP APIs, microservices, and web frontends. Rather than rivals, the three services serve different complexity levels, and teams can mix them as application requirements evolve.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Developer Built Offline-First Web App on Rio Staircase During Carnival 2012

In 2012, a developer working remotely in Rio de Janeiro during Carnival was forced onto a building staircase to avoid waking a sleeping roommate. The task was to build a quoting tool for an equipment rental client in Bogotá whose sales reps needed to generate quotes at venues without internet access. To solve this, all catalog data, pricing logic, and quote state were stored locally in the browser, with no server calls required per calculation. The app was hosted on Heroku for syncing when connectivity was available, and the developer tested it with WiFi disabled before delivering it to the client. Reflecting on the experience, the developer notes that local-first architecture, once a manual engineering challenge, is now a standard feature in many modern frameworks.

0 comments Read more at DEV Community