doc/user/application_security/remediate/dependency_scanning_auto_remediation.md
{{< details >}}
{{< /details >}}
{{< history >}}
dependency_management_auto_remediation. Disabled by default.dependency_management_auto_remediation feature flag is enabled by default.enable_dependency_bump_breaking_changes. Disabled by default.{{< /history >}}
Dependency scanning auto-remediation opens a merge request to bump a vulnerable dependency to a non-vulnerable version when one is available. A service account creates the merge request without any human input, which then goes through the standard review and approval process.
In beta, dependency scanning auto-remediation supports two independently configurable capabilities:
For the generally available roadmap, see epic 19244.
Prerequisites:
dependency_management_auto_remediation
feature flag must be enabled for the project.
This flag is enabled by default in GitLab 19.2.To trigger vulnerability detection and auto-remediation, run a pipeline. Dependency scanning auto-remediation triggers automatically when GitLab detects vulnerabilities with available fixes.
The dependency scanning auto-remediation profile controls this behavior. With the default profile:
high severity.After each pipeline, GitLab checks dependency scan results against these values. For each eligible vulnerability:
During beta, GitLab processes three vulnerabilities at a time, starting with the highest severity finding.
When a version bump causes a pipeline failure because of a breaking change, GitLab Duo can attempt to resolve the breaking change automatically. This capability is separate from the dependency version bump capability and has its own toggle.
Prerequisites:
enable_dependency_bump_breaking_changes
feature flag must be enabled for the
project's root namespace.To enable agentic breaking-change resolution, use the
Projects API to set
duo_dependency_bump_breaking_changes_enabled to true for the project.
Administrators can limit how many auto-remediation scheduler jobs
run concurrently across the Sidekiq fleet. Use the
security_update_scheduler_max_concurrency
application setting to set the cap. The default is 30,
and the value is capped at 200. Set the value to 0 to pause scheduling.
Dependency scanning auto-remediation supports the following package managers:
| Language | Package Manager | Files |
|---|---|---|
| Ruby | Bundler | Gemfile, Gemfile.lock |
| Java | Maven | pom.xml |
| Java | Gradle | build.gradle, build.gradle.kts |
| Python | pip, pipenv, poetry, setuptools, uv | requirements.txt, Pipfile, pyproject.toml, setup.py, uv.lock |
| JavaScript / TypeScript | npm, yarn, pnpm, bun | package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lock |
Support for additional ecosystems is proposed in epic 19244.
During the beta phase: