Continuous dependency scanning

Continuous vulnerability scanning (CVS) for dependency scanning looks for security vulnerabilities in your project’s dependencies by comparing their component names and versions against information in the latest security advisories without requiring a new pipeline to run. A pipeline must run at least once on the default branch to register your project’s components through a CycloneDX SBOM. After that, CVS runs as advisories are published, without further pipeline executions, until your dependencies change.

New vulnerabilities may arise when continuous vulnerability scanning triggers scans on all projects that contain components with supported package types.

Vulnerabilities created by continuous vulnerability scanning for dependency scanning use GitLab SBoM Vulnerability Scanner as the scanner name and Dependency Scanning as the vulnerability type.

In contrast to CI/CD-based security scans, continuous vulnerability scanning is executed through background jobs (Sidekiq) rather than CI/CD pipelines and no Security report artifacts are generated.

Prerequisites

• A CycloneDX SBOM report.
• Security advisories synchronized to the GitLab instance.

Supported package types

Continuous vulnerability scanning supports components with the following PURL types for dependency scanning:

• cargo
• conan
• go
• maven
• npm
• nuget
• packagist
• pub
• pypi
• rubygem
• swift

Go pseudo versions are not supported. A project dependency that references a Go pseudo version is never considered as affected because this might result in false negatives.

How to generate a CycloneDX SBOM report

Use a CycloneDX SBOM report to register your project components with GitLab.

The CycloneDX reports must comply with:

• the CycloneDX specification version 1.4, 1.5, or 1.6.
• the GitLab CycloneDX property taxonomy for dependency scanning.

GitLab offers security analyzers that can generate a report compatible with GitLab:

• Dependency scanning analyzer
• Gemnasium analyzer (deprecated)

Checking new vulnerabilities

New vulnerabilities detected by continuous vulnerability scanning are visible on the vulnerability report. However, they are not listed in the pipeline where the affected SBOM component was detected.

Vulnerabilities are created after a security advisory is added or updated, it may take a few hours for the corresponding vulnerabilities to be added to your projects, provided the codebase remains unchanged. Only advisories published within the last 14 days are considered for continuous vulnerability scanning.

When vulnerabilities are no longer detected

Continuous vulnerability scanning automatically creates vulnerabilities when a new advisory is published but it is not able to tell when a vulnerability is no longer present in the project. To do so, GitLab still requires to have a dependency scanning scan executed in a pipeline for the default branch, and a corresponding security report artifact generated with the up to date information. When these reports are processed, and when they no longer contain some vulnerabilities, these are flagged as such even if they were created by continuous vulnerability scanning.

Security advisories

Continuous vulnerability scanning uses the Package Metadata Database, a service managed by GitLab which aggregates license and security advisory data, and regularly publishes updates that are used by GitLab.com and GitLab Self-Managed instances.

On GitLab.com, the synchronization is managed by GitLab and is available to all projects.

On GitLab Self-Managed, you can choose package registry metadata to synchronize in the Admin area for the GitLab instance.

Data sources

Current data sources for security advisories include:

• GitLab advisory database (hosted in the gemnasium-db repository, a legacy name)

Contributing to the vulnerability database

To find a vulnerability, you can search the GitLab advisory database. You can also submit new vulnerabilities.