Dependency scanning

doc/user/application_security/dependency_scanning/_index.md

{{< details >}}

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

Dependency scanning identifies known security vulnerabilities in your project's dependencies, including runtime, development, and transitive (nested) packages. GitLab offers several dependency scanning methods, each suited to a different workflow. Use the summary below to choose the method that fits your project.

Available scanning methods

Dependency Scanning using SBOM

Scans the CycloneDX SBOM artifacts produced in your pipeline by the Dependency Scanning analyzer against the GitLab Advisory Database. This is the recommended method for new projects and the long-term direction for dependency scanning in GitLab.

For details, see Dependency Scanning using SBOM.

Continuous Dependency Scanning

Continuously rescans the SBOM components from your default branch's latest successful pipeline whenever the GitLab Advisory Database is updated, so newly disclosed vulnerabilities surface without re-running a pipeline.

For details, see Continuous Dependency Scanning.
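The matching step that the SBOM-based and continuous methods above share, as an added example that is not GitLab's analyzer or Advisory Database code: it loads a constructed CycloneDX 1.5 SBOM, splits each component's package URL (purl) into type, name and version, matches it against a small constructed advisory list with hypothetical IDs, and uses the SBOM's dependency graph to record whether a hit is a direct or a transitive (nested) dependency. It then reruns the same match against an updated advisory list to show how Continuous Dependency Scanning surfaces a newly added advisory from the stored SBOM components without a new pipeline. The advisory record layout, the `affected` range syntax and the package names are assumptions made for the example, not GitLab's schema.

```python
"""Added example, not GitLab's analyzer or Advisory Database code: match a
constructed CycloneDX SBOM against constructed advisory records."""
import json
import operator
import re
from collections import deque
from urllib.parse import unquote

# Constructed CycloneDX 1.5 document: example-parser is reachable only through
# example-web, so it is a transitive (nested) dependency of the application.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:npm/example-web@4.18.2", "type": "library", "purl": "pkg:npm/example-web@4.18.2"},
    {"bom-ref": "pkg:npm/example-parser@6.9.6", "type": "library", "purl": "pkg:npm/example-parser@6.9.6"},
    {"bom-ref": "pkg:npm/example-util@4.17.21", "type": "library", "purl": "pkg:npm/example-util@4.17.21"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/example-web@4.18.2", "pkg:npm/example-util@4.17.21"]},
    {"ref": "pkg:npm/example-web@4.18.2", "dependsOn": ["pkg:npm/example-parser@6.9.6"]}
  ]
}'''

# Constructed advisory records with hypothetical IDs (not real CVEs). The
# 'affected' field is a comma-separated list of version clauses that must all hold.
ADVISORIES_DAY1 = [
    {"id": "EXAMPLE-0001", "purl_type": "npm", "name": "example-parser",
     "affected": ">=6.0.0,<6.9.7", "severity": "High"},
]
# The same database after a later update has gained one more record.
ADVISORIES_DAY2 = ADVISORIES_DAY1 + [
    {"id": "EXAMPLE-0002", "purl_type": "npm", "name": "example-util",
     "affected": "<4.17.22", "severity": "Medium"},
]

# Two-character operators are listed first so "<=" is not read as "<".
_OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq,
        "<": operator.lt, ">": operator.gt}

def load_sbom():
    return json.loads(SBOM_JSON)

def parse_version(text):
    """Numeric tuple for dotted versions; a non-numeric segment counts as 0."""
    return tuple(int(m.group(1)) if (m := re.match(r"(\d+)", p)) else 0
                 for p in text.split("."))

def version_affected(version, constraint):
    """True when every comma-separated clause of the constraint holds."""
    v = parse_version(version)
    for clause in (c.strip() for c in constraint.split(",")):
        op = next((o for o in _OPS if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not _OPS[op](v, parse_version(clause[len(op):].strip())):
            return False
    return True

def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version'; qualifiers and subpath are dropped."""
    body = re.split(r"[?#]", purl.removeprefix("pkg:"))[0]
    ptype, _, rest = body.partition("/")
    name, sep, version = rest.rpartition("@")  # no '@' puts the name in 'version'
    return ptype, unquote(name if sep else version), version if sep else ""

def dependency_paths(sbom):
    """Shortest path from the root component to every reachable bom-ref."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, queue = {root: [root]}, deque([root])
    while queue:
        node = queue.popleft()
        for child in (c for c in edges.get(node, []) if c not in paths):
            paths[child] = paths[node] + [child]
            queue.append(child)
    return paths

def scan_sbom(sbom, advisories):
    """Match every component purl against the advisories; return findings."""
    paths, findings = dependency_paths(sbom), []
    for comp in sbom.get("components", []):
        ptype, name, version = parse_purl(comp["purl"])
        for adv in advisories:
            if (adv["purl_type"], adv["name"]) == (ptype, name) and \
                    version_affected(version, adv["affected"]):
                path = paths.get(comp["bom-ref"], [comp["bom-ref"]])
                findings.append({"advisory": adv["id"], "purl": comp["purl"],
                                 "severity": adv["severity"],
                                 "transitive": len(path) > 2, "path": path})
    return findings

def newly_disclosed(sbom, old_advisories, new_advisories):
    """Continuous-scanning step: findings present only after the DB update."""
    seen = {(f["advisory"], f["purl"]) for f in scan_sbom(sbom, old_advisories)}
    return [f for f in scan_sbom(sbom, new_advisories)
            if (f["advisory"], f["purl"]) not in seen]
```

Calling `scan_sbom(load_sbom(), ADVISORIES_DAY1)` reports the transitive `example-parser` hit with its path through `example-web`; `newly_disclosed(load_sbom(), ADVISORIES_DAY1, ADVISORIES_DAY2)` reports only the `example-util` finding that the updated advisory list introduced. The second call is the whole point of the continuous method: the SBOM is the stored input, so a fresher advisory list is enough to produce new findings.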

Dependency Scanning with Gemnasium

The original pipeline-based analyzer that detects dependencies and matches them against the GitLab Advisory Database in a CI/CD job.

{{< alert type="warning" >}}

Dependency scanning based on the Gemnasium analyzer is deprecated in GitLab 17.9 and proposed for removal in GitLab 20.0. For migration guidance, see the migration guide. For more information, see epic 15961.

{{< /alert >}}

For details, see the legacy dependency scanning page.

Analyze dependencies for behaviors (Libbehave)

An experiment that analyzes the runtime behavior of your dependencies to surface suspicious or malicious activity beyond known CVEs.

For details, see Analyze dependencies for behaviors.

Comparison of scanning methods

| Method | Status | Trigger | Best for |
|--------|--------|---------|----------|
| Dependency Scanning using SBOM | General Availability | Pipeline | New projects, SBOM-first workflows |
| Continuous Dependency Scanning | General Availability | Advisory DB update | Catching newly disclosed CVEs without re-running pipelines |
| Dependency Scanning with Gemnasium | Deprecated (17.9) | Pipeline | Existing projects pending migration |
| Analyze dependencies for behaviors | Experiment | Pipeline | Detecting malicious package behavior |

Contributing to the vulnerability database

To find a vulnerability, you can search the GitLab advisory database. You can also submit new vulnerabilities.