GitLab Documentation

Dependency Scanning with GitLab CI/CD

Dependency Scanning with GitLab CI/CD

This example shows how to run Dependency Scanning on your project's dependencies by using GitLab CI/CD.

First, you need GitLab Runner with docker-in-docker executor. You can then add a new job to .gitlab-ci.yml, called dependency_scanning:

dependency_scanning:
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run
        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
  artifacts:
    paths: [gl-dependency-scanning-report.json]

The above example will create a dependency_scanning job in the test stage and will create the required report artifact. Check the Auto-DevOps template for a full reference.

The results are sorted by the priority of the vulnerability:

  1. High
  2. Medium
  3. Low
  4. Unknown
  5. Everything else

Behind the scenes, the GitLab Dependency Scanning Docker image is used to detect the languages/package managers and in turn runs the matching scan tools.

Some security scanners require to send a list of project dependencies to GitLab central servers to check for vulnerabilities. To learn more about this or to disable it, check the GitLab Dependency Scanning documentation.

Tip: Starting with GitLab Ultimate 10.7, this information will be automatically extracted and shown right in the merge request widget. To do so, the CI job must be named dependency_scanning and the artifact path must be gl-dependency-scanning-report.json. Make sure your pipeline has a stage nammed test, or specify another existing stage inside the dependency_scanning job. Learn more on dependency scanning results shown in merge requests.

Supported languages and package managers

See the full list of supported languages and package managers.

Was this helpful? Do you think that something is unclear? Use the comments area below and leave your feedback. For support and other enquiries, see getting help.