u/Ok_Surround_9683

▲ 2 r/github

I need some advice on managing Dependabot + branch workflows.

Current setup:

- I follow a flow like: "dev → feature branch → back to dev (UAT/testing) → then merge to main (production)"

- My "dev" branch basically acts as a UAT/staging environment

- Once everything looks stable, I promote "dev" → "main"

Dependabot setup:

- Currently configured to run daily scans on the "main" branch

- It raises PRs directly against "main" when it finds vulnerabilities

- The Dependabot alerts dashboard also reflects the status of "main" by default

Problem:

My client wants visibility into security issues before code reaches "main". Specifically:

- They want to track vulnerability counts and fixes on the "dev" branch

- They expect the dashboard to reflect improvements (reduced alerts) during the UAT phase

- Basically, "main" should only ever receive “clean” code

What I’ve considered:

- Switching Dependabot to run on "dev" instead of "main" → but that feels like a workaround, not a proper solution

- The bigger issue is that GitHub’s Dependabot alerts/dashboard is tied to the default branch ("main")

Question:

- How are you handling this kind of workflow?

- Is there a way to make Dependabot alerts reflect "dev" instead of "main"?

- Also, would changing the default branch from "main" to "dev" be a good idea or considered good practice in this scenario?

Would really appreciate insights from anyone who’s dealt with this.

u/Ok_Surround_9683 — 5 days ago
▲ 14 r/powai

Exploring places in Powai

Hey guys, I am 23 F, came across this place on Instagram in Powai called Mad Rage Room. The prices look pretty reasonable and I’ve been wanting to check it out. Thought it’d be more fun to go with a group since Powai doesn’t have a lot going on besides clubbing. If anyone’s interested, hit me up in DMs!

u/Ok_Surround_9683 — 6 days ago