Continuous Vulnerability Scanning

Tier: Ultimate. Offering: GitLab.com, Self-managed, GitLab Dedicated.
History
  • Continuous dependency scanning introduced with feature flags dependency_scanning_on_advisory_ingestion and package_metadata_advisory_scans enabled by default.
  • Generally available in GitLab 16.10. Feature flags dependency_scanning_on_advisory_ingestion and package_metadata_advisory_scans removed.
  • Continuous container scanning introduced in GitLab 16.8 with a flag named container_scanning_continuous_vulnerability_scans. Disabled by default.
  • Continuous container scanning enabled on self-managed, and GitLab Dedicated in GitLab 16.10.
  • Generally available in GitLab 17.0. Feature flag container_scanning_continuous_vulnerability_scans removed.

When advisories are added to either the GitLab Advisory Database or the Trivy Database, Continuous Vulnerability Scanning triggers a scan on all projects where Container Scanning, Dependency Scanning, or both are enabled. If a new advisory affects an application or operating system dependency, the scan creates a vulnerability in the project with the scanner value set to GitLab SBoM Vulnerability Scanner.

In contrast to the CI-based Container Scanning and Dependency Scanning security scans, Continuous Vulnerability Scanning runs in background jobs (Sidekiq) rather than in CI pipelines, and it generates no Security report artifacts.

Note: If a new operating system package is added to either the GitLab Advisory Database or the Trivy Database, and an advisory for it already exists, a vulnerability is not created. Improvements are proposed in epic 11219 and epic 8026.

Supported package types

Continuous Vulnerability Scanning supports components with the following PURL types:

  • composer
  • conan
  • deb
  • gem
  • golang
  • maven
  • npm
  • nuget
  • pypi

Work to support apk and rpm package URL types is tracked in issue 428703.

Go pseudo versions are not supported. A project dependency that references a Go pseudo version is never considered affected, which can result in false negatives.
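As an added illustration (not GitLab's own code), the eligibility rules above as a small Python triage over a CycloneDX SBOM: it parses each component's PURL, checks the type against the supported list, and flags Go pseudo versions using the shape the Go module system defines for them. The SBOM and its PURLs are constructed samples; treating a component without a version as ineligible is an assumption, not a rule stated on this page.

```python
import re
from urllib.parse import unquote

# PURL types the page lists as supported by Continuous Vulnerability Scanning.
SUPPORTED_PURL_TYPES = {
    "composer", "conan", "deb", "gem", "golang", "maven", "npm", "nuget", "pypi",
}

# Go pseudo-version shape (Go module system): e.g. v0.0.0-20191109021931-daa7c04131f5,
# i.e. base version, 14-digit UTC timestamp, commit prefix; also the -pre.0.<ts> and -0.<ts> forms.
GO_PSEUDO_VERSION_RE = re.compile(
    r"^v\d+\.(?:0\.0-|\d+\.\d+-(?:[^+]*\.)?0\.)\d{14}-[0-9A-Za-z]+(?:\+[0-9A-Za-z.-]+)?$"
)

def is_go_pseudo_version(version: str) -> bool:
    return bool(GO_PSEUDO_VERSION_RE.match(version))

def parse_purl(purl: str):
    """Split a package URL into (type, name path, version); qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    body = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    ptype, _, name = body.partition("/")
    return ptype.lower(), unquote(name), unquote(version) if version else None

def classify(purl: str):
    """Return (eligible, reason) for one component under the page's stated rules (assumed)."""
    ptype, _name, version = parse_purl(purl)
    if ptype not in SUPPORTED_PURL_TYPES:
        return False, f"purl type {ptype!r} not supported"
    if version is None:  # assumption: nothing to match against an advisory's version range
        return False, "component has no version to match against advisories"
    if ptype == "golang" and is_go_pseudo_version(version):
        return False, "Go pseudo version is never matched (possible false negative)"
    return True, "eligible"

def triage_sbom(sbom: dict) -> dict:
    """Map each component purl in a CycloneDX SBOM dict to its (eligible, reason)."""
    return {c["purl"]: classify(c["purl"]) for c in sbom.get("components", []) if c.get("purl")}

# Constructed CycloneDX-shaped sample, not a real project's SBOM.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "purl": "pkg:golang/golang.org/x/text@v0.3.7"},
    {"type": "library", "purl": "pkg:golang/github.com/example/mod@v0.0.0-20191109021931-daa7c04131f5"},
    {"type": "library", "purl": "pkg:apk/alpine/curl@7.81.0-1?arch=x86_64"},
]}
```

Running `triage_sbom(SAMPLE_SBOM)` marks the npm and tagged Go components eligible and reports why the pseudo-versioned Go module and the apk package would produce no vulnerability.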

Configuration

To enable Continuous Vulnerability Scanning:

Running in an offline environment

For self-managed GitLab instances in an environment with limited, restricted, or intermittent access to external resources through the internet, some adjustments are required to successfully scan CycloneDX reports for vulnerabilities. For more information, see the offline quick start guide.

Checking new vulnerabilities

New vulnerabilities detected by Continuous Vulnerability Scanning are visible on the Vulnerability Report. However, they are not listed on the Dependency List or in the pipeline where the affected SBOM component was detected.

After an advisory is added to the GitLab Advisory Database or the Trivy Database, it might take a few hours before the corresponding vulnerabilities are added to your projects.

Contributing to the vulnerability database

To find a vulnerability, you can search the GitLab Advisory Database. You can also submit new vulnerabilities.