Continuous vulnerability scanning
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Continuous vulnerability scanning (CVS) is the capability that lets GitLab create vulnerability records without requiring a new CI/CD pipeline to run. When a new security advisory is published or updated, GitLab compares the advisory against the components already recorded for your projects and creates vulnerability records for any matches.
CVS relies on a CycloneDX SBOM report stored on the default branch to know which components your project uses. To produce this SBOM, a dependency scanning job must run at least once on the default branch. From then on, CVS detects newly published advisories against those components automatically, with no further pipeline runs required. When your application dependencies change, a new pipeline must run on the default branch to refresh the SBOM so CVS can evaluate the updated set of components. In most projects this happens as part of the regular workflow, because changing dependencies typically involves a code change that already triggers a pipeline.
In contrast to CI-based security scans, continuous vulnerability scanning runs in background jobs (Sidekiq) rather than in CI pipelines, and it does not generate security report artifacts.
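The following added example illustrates the kind of comparison described above: it reads a CycloneDX SBOM, as a dependency scanning job would store it for the default branch, and checks each component against a list of advisories. This is a simplified illustration written for this page, not GitLab's own implementation; the SBOM contents, the advisory feed, its `affected` constraint format and the advisory IDs are all constructed for the example.

```python
import json
import operator

# Constructed CycloneDX SBOM fragment, standing in for the report that a
# dependency scanning job stores on the default branch. Package names,
# versions and purls are made up for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.2.0",
     "purl": "pkg:pypi/examplelib@1.2.0"},
    {"type": "library", "name": "otherlib", "version": "3.0.1",
     "purl": "pkg:pypi/otherlib@3.0.1"},
    {"type": "library", "name": "example-ui", "version": "2.5.0",
     "purl": "pkg:npm/example-ui@2.5.0"}
  ]
}
"""

# Constructed advisory feed (hypothetical format). Each entry names the
# affected package by ecosystem and name and gives version constraints.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "pypi", "package": "examplelib",
     "affected": ">=1.0.0 <1.3.0"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "npm", "package": "example-ui",
     "affected": "<2.0.0"},
]

# Two-character operators are listed first so prefix matching picks them
# before the single-character ones.
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       ">": operator.gt, "<": operator.lt}


def parse_version(text):
    """Turn '1.2.0' into (1, 2, 0) so versions compare in order.
    Only plain dotted numeric versions are handled here."""
    return tuple(int(part) for part in text.split("."))


def version_in_range(version, constraint):
    """Evaluate space-separated clauses such as '>=1.0.0 <1.3.0'.
    Every clause must hold for the version to count as affected."""
    v = parse_version(version)
    for clause in constraint.split():
        for op, check in OPS.items():
            if clause.startswith(op):
                if not check(v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint: {clause}")
    return True


def parse_purl(purl):
    """Split 'pkg:pypi/examplelib@1.2.0' into (ecosystem, name, version).
    Scoped names such as '@scope/name' survive because the version is
    split off from the right; purl qualifiers ('?...') are not handled."""
    body = purl[len("pkg:"):]
    ecosystem, rest = body.split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ecosystem, name, version


def match_advisories(sbom_json, advisories):
    """Return (purl, advisory id) pairs for every SBOM component that an
    advisory affects. Nothing here needs a pipeline: the stored SBOM is the
    only input, which is why newly published advisories can be evaluated
    against it in the background, and why a stale SBOM would be evaluated
    against the old set of components."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        purl = component.get("purl")
        if not purl:
            continue
        ecosystem, name, version = parse_purl(purl)
        for adv in advisories:
            if (adv["ecosystem"] == ecosystem and adv["package"] == name
                    and version_in_range(version, adv["affected"])):
                findings.append((purl, adv["id"]))
    return findings


if __name__ == "__main__":
    for purl, adv_id in match_advisories(SBOM_JSON, ADVISORIES):
        print(f"{purl} is affected by {adv_id}")
```

Running the block flags only `examplelib` 1.2.0; `example-ui` 2.5.0 is outside the advisory's range. Appending a later advisory to `ADVISORIES` and calling `match_advisories` again produces a new finding with no change to the SBOM, which is the behaviour the text describes; changing a dependency in the project, by contrast, changes nothing here until the SBOM itself is regenerated.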
Supported features
Continuous vulnerability scanning is available for the following security scans:
- Continuous dependency scanning for application dependencies.
- Continuous container scanning for container image packages.