Vulnerability scanner maintenance
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
The following vulnerability scanners and their databases are regularly updated:
| Secure scanning tool | Vulnerabilities database updates |
|---|---|
| Container Scanning | A job runs on a daily basis to build new images with the latest vulnerability database updates from the upstream scanner. GitLab monitors this job through an internal alert that tells the engineering team when the database becomes more than 48 hours old. For more information, see the Vulnerabilities database update. |
| Dependency Scanning | Relies on the GitLab Advisory Database, which is updated on a daily basis using data from the National Vulnerability Database (NVD) and the GitHub Advisory Database. |
| Dynamic Application Security Testing (DAST) | The DAST analyzer is updated on a periodic basis. |
| Secret Detection | GitLab maintains the detection rules and accepts community contributions. The scanning engine is updated at least once per month if a relevant update is available. |
| Static Application Security Testing (SAST) | The source of scan rules depends on which analyzer is used for each supported programming language. GitLab maintains a ruleset for the Semgrep-based analyzer and updates it regularly based on internal research and user feedback. For other analyzers, the ruleset is sourced from the upstream open-source scanner. Each analyzer is updated at least once per month if a relevant update is available. |
In versions of GitLab that use the same major version of an analyzer, you do not have to update GitLab to benefit from the latest vulnerability definitions. The security tools are released as Docker images. The vendored job definitions that enable them reference major release tags according to semantic versioning, and each new release of a tool moves its major tag to the new version. Although within a major analyzer version you automatically get the latest versions of the scanning tools, this approach has some known issues.
To get the latest vulnerability information for existing vulnerabilities, you may need to re-run the default branch's pipeline.
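The floating-tag behaviour described above, as an added Python example that is not GitLab's own code: it resolves a major or minor image tag against a constructed list of analyzer releases and reports which floating tags move when a new release is published, while a fully pinned tag stays put.

```python
import re
from typing import List, Optional, Tuple

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

# Constructed sample: releases published for one hypothetical analyzer image.
ANALYZER_RELEASES = ["4.9.0", "5.0.0", "5.1.0", "5.2.0", "5.2.1"]


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; None for other tags."""
    m = SEMVER.match(tag)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def resolve_tag(released: List[str], requested: str) -> Optional[str]:
    """Return the full release a tag points at.

    A major tag such as '5' floats to the newest 5.x.y release, a minor tag
    such as '5.2' to the newest 5.2.y, and a full tag such as '5.2.1' only
    matches itself. Returns None when no published release matches.
    """
    prefix = tuple(int(x) for x in requested.split("."))
    candidates = [
        v for v in (parse_version(t) for t in released)
        if v is not None and v[: len(prefix)] == prefix
    ]
    if not candidates:
        return None
    return ".".join(str(n) for n in max(candidates))


def tags_moved_by(released: List[str], new_release: str) -> List[str]:
    """Floating tags whose target changes once new_release is published.

    This is the mechanism that lets a pipeline pick up a newer analyzer
    without editing the vendored job definition, and also why a re-run of
    the default branch pipeline may be needed to see new results.
    """
    major, minor, _ = parse_version(new_release)
    after = released + [new_release]
    moved = []
    for tag in (f"{major}", f"{major}.{minor}"):
        if resolve_tag(released, tag) != resolve_tag(after, tag):
            moved.append(tag)
    return moved
```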