Alert fatigue from security scanner false positives
7/10 High

Security scanning tools generate excessive false positives and low-value warnings that make it difficult for developers to identify genuine security threats. Surveyed npm developers described most reported "vulnerabilities" as irrelevant (one respondent put the share at 99%); the result is alert fatigue that diverts attention from meaningful security work.
Sources
- Understanding npm Developers' Practices, Challenges, and Recommendations for Secure Package Development
- Sentry Review 2026: Problems, Pricing & Honest Analysis | Try or Bye
- Sentry Review 2025 - Features, Pricing & Alternatives
- Manage npm Packages in Your Organization in 2025
Collection History
Out of the box, Sentry's default alert configuration generates too much noise for most teams. The default of alerting on every new issue sounds reasonable in theory, but in practice, many new issues are low-priority edge cases, expected errors from bots and crawlers, or transient network issues that resolve themselves.
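The excerpt above describes noise at the alert-rule level (every new issue fires an alert). The complementary fix is to stop low-value events from becoming issues at all, so they never reach a default alert rule. The following is an added example, not code from the page, from the review, or from Sentry: a `beforeSend` hook for the Sentry JavaScript SDK that discards errors raised by bot and crawler traffic, transient network failures, and errors a code path has tagged as expected. The event field names follow the SDK's event shape; the bot and transient-error patterns, the `expected` tag convention and the sample events are assumptions made for this example.

```javascript
// Added example (not from the page or from Sentry): a beforeSend hook for the
// Sentry JavaScript SDK that drops the classes of low-value events the review
// describes (bot/crawler traffic, transient network failures, expected errors)
// before they become issues and trigger the default new-issue alert.
// Assumptions: the event fields used (request.headers, exception.values, tags)
// follow the SDK's event shape; the bot and transient-error patterns are
// illustrative starting points, not a complete list.

const BOT_USER_AGENT = /bot|crawler|spider|slurp|headlesschrome/i;

// Error types and messages that normally clear on retry.
const TRANSIENT_TYPES = new Set(["AbortError", "TimeoutError", "NetworkError"]);
const TRANSIENT_MESSAGE = /Failed to fetch|NetworkError when attempting|Load failed|net::ERR_/i;

// Case-insensitive header lookup; SDKs and proxies disagree on header casing.
function headerValue(event, name) {
  const headers = (event.request && event.request.headers) || {};
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? String(headers[key]) : "";
}

// Returns a short reason when the event should be dropped, or null to keep it.
function dropReason(event) {
  if (BOT_USER_AGENT.test(headerValue(event, "user-agent"))) return "bot-traffic";
  const values = (event.exception && event.exception.values) || [];
  for (const ex of values) {
    if (TRANSIENT_TYPES.has(ex.type) || TRANSIENT_MESSAGE.test(ex.value || "")) {
      return "transient-network";
    }
  }
  // Assumed convention: code that raises on purpose tags the capture, e.g.
  // Sentry.captureException(err, { tags: { expected: "true" } })
  if (event.tags && event.tags.expected === "true") return "expected";
  return null;
}

// Running tally of what was suppressed, so the drop rate stays observable.
const dropped = {};

// Sentry's beforeSend contract: return the event to send it, null to discard it.
function beforeSend(event, hint) {
  const reason = dropReason(event);
  if (reason === null) return event;
  dropped[reason] = (dropped[reason] || 0) + 1;
  return null;
}

// Constructed sample events, shaped like what the SDK hands to beforeSend.
const SAMPLE_EVENTS = [
  { request: { headers: { "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)" } },
    exception: { values: [{ type: "TypeError", value: "Cannot read properties of undefined" }] } },
  { request: { headers: { "user-agent": "Mozilla/5.0 Chrome/120.0" } },
    exception: { values: [{ type: "TypeError", value: "Failed to fetch" }] } },
  { request: { headers: { "user-agent": "Mozilla/5.0 Chrome/120.0" } },
    exception: { values: [{ type: "TypeError", value: "Cannot read properties of undefined" }] } },
];

// Applies the hook to the samples and reports how many would reach Sentry.
function filterSamples(events = SAMPLE_EVENTS) {
  for (const k of Object.keys(dropped)) delete dropped[k];
  const sent = events.map((e) => beforeSend(e, {})).filter((e) => e !== null);
  return { sent: sent.length, dropped: { ...dropped } };
}

// Wiring into the SDK (not executed here; needs @sentry/browser or @sentry/node):
// Sentry.init({ dsn: process.env.SENTRY_DSN, beforeSend });
```

The SDK also exposes `ignoreErrors` (message patterns) and `denyUrls` for the simplest cases; the hook is for conditions that need more than a message match, such as the user-agent check. Keep the drop tally visible in your own metrics: a filter that silently swallows a real regression is worse than the noise it removed.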
Respondents complained that security scanners generate too many false positives or contextually irrelevant warnings. As one respondent noted: "The security scanning system in npm is a complete joke and more of a nuisance than anything. 99% of the 'vulnerabilities' are idiotic and not worthy of a real CVE."
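One way to cut the noise the respondent describes without switching `npm audit` off, as an added example that is not from the page, the paper, or npm itself: triage the machine-readable report so that only findings that carry their own advisory, sit above a severity floor, and are either in a direct dependency or have a fix available are surfaced; everything else is listed with a reason rather than silently discarded. The report shape follows npm's `auditReportVersion: 2` JSON (npm 7 and later); the report itself, the package names and the advisory numbers are constructed for this example.

```javascript
// Added example (not from the page or from npm): triage an `npm audit --json`
// report so only findings worth a developer's attention are surfaced.
// The structure follows npm's auditReportVersion 2 format; the sample report,
// package names and advisory numbers below are constructed for illustration.

// Constructed sample of what `npm audit --json` prints (trimmed to the fields used).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    // Direct dependency, high severity, fix available: worth acting on.
    "example-http-client": {
      name: "example-http-client",
      severity: "high",
      isDirect: true,
      via: [{ source: 1000001, title: "Example SSRF via redirect", severity: "high", range: "<2.1.0" }],
      effects: [],
      range: "<2.1.0",
      nodes: ["node_modules/example-http-client"],
      fixAvailable: { name: "example-http-client", version: "2.1.0", isSemVerMajor: false },
    },
    // Deep transitive, low severity, no fix: the kind of entry that causes fatigue.
    "example-dev-tool-helper": {
      name: "example-dev-tool-helper",
      severity: "low",
      isDirect: false,
      via: [{ source: 1000002, title: "Example ReDoS", severity: "low", range: "*" }],
      effects: ["example-dev-tool"],
      range: "*",
      nodes: ["node_modules/example-dev-tool/node_modules/example-dev-tool-helper"],
      fixAvailable: false,
    },
    // Flagged only because it depends on a vulnerable package (via holds a
    // package name, not an advisory object): not a finding of its own.
    "example-dev-tool": {
      name: "example-dev-tool",
      severity: "low",
      isDirect: true,
      via: ["example-dev-tool-helper"],
      effects: [],
      range: "*",
      nodes: ["node_modules/example-dev-tool"],
      fixAvailable: false,
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Splits the report into entries to act on and entries deferred with a reason.
function triage(report, opts = {}) {
  const floor = SEVERITY_RANK[opts.minSeverity || "moderate"];
  const out = { actionable: [], deferred: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    // Only entries whose `via` contains an advisory object are findings in
    // their own right; strings mean "inherits from that package".
    const advisories = (v.via || []).filter((x) => typeof x === "object");
    if (advisories.length === 0) {
      out.deferred.push({ name: v.name, reason: "inherits from " + v.via.join(", ") });
      continue;
    }
    if ((SEVERITY_RANK[v.severity] || 0) < floor) {
      out.deferred.push({ name: v.name, reason: "below severity floor (" + v.severity + ")" });
      continue;
    }
    if (!v.isDirect && !v.fixAvailable) {
      out.deferred.push({ name: v.name, reason: "transitive with no fix available" });
      continue;
    }
    let fix = null;
    if (v.fixAvailable === true) fix = "npm audit fix";
    else if (v.fixAvailable) fix = v.fixAvailable.version + (v.fixAvailable.isSemVerMajor ? " (major)" : "");
    out.actionable.push({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      titles: advisories.map((a) => a.title),
      fix,
    });
  }
  return out;
}

// Convenience for piping a real report in: triageJson(fs.readFileSync("audit.json", "utf8"))
function triageJson(text, opts) {
  return triage(JSON.parse(text), opts);
}
```

Produce the input with `npm audit --json > audit.json` and hand the file contents to `triageJson`. Deferred entries keep their reason so a reviewer can spot-check the triage rather than trust it. Note what these heuristics approximate and cannot measure: whether the vulnerable code path is ever reached from your application. `npm audit` does not know that either, so treat "deferred" as "not this sprint", not as "false positive".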