Dependency scanning
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Dependency scanning identifies known security vulnerabilities in your project's dependencies, including runtime, development, and transitive (nested) packages. GitLab offers several dependency scanning methods, each suited to a different workflow. Use the summary below to choose the method that fits your project.
Available scanning methods
Dependency Scanning using SBOM
Scans the CycloneDX SBOM artifacts produced in your pipeline by the Dependency Scanning analyzer against the GitLab Advisory Database. This is the recommended method for new projects and the long-term direction for dependency scanning in GitLab.
For details, see Dependency Scanning using SBOM.
Continuous Dependency Scanning
Continuously rescans the SBOM components from your default branch's latest successful pipeline whenever the GitLab Advisory Database is updated, so newly disclosed vulnerabilities surface without re-running a pipeline.
For details, see Continuous Dependency Scanning.
Dependency Scanning with Gemnasium
The original pipeline-based analyzer that detects dependencies and matches them against the GitLab Advisory Database in a CI/CD job.
Warning: Dependency scanning based on the Gemnasium analyzer is deprecated in GitLab 17.9 and proposed for removal in GitLab 20.0. For migration guidance, see the migration guide. For more information, see epic 15961.
For details, see the legacy dependency scanning page.
Analyze dependencies for behaviors (Libbehave)
An experiment that analyzes the runtime behavior of your dependencies to surface suspicious or malicious activity beyond known CVEs.
For details, see Analyze dependencies for behaviors.
Comparison of scanning methods
| Method | Status | Trigger | Best for |
|---|---|---|---|
| Dependency Scanning using SBOM | General Availability | Pipeline | New projects, SBOM-first workflows |
| Continuous Dependency Scanning | General Availability | Advisory DB update | Catching newly disclosed CVEs without re-running pipelines |
| Dependency Scanning with Gemnasium | Deprecated (17.9) | Pipeline | Existing projects pending migration |
| Analyze dependencies for behaviors | Experiment | Pipeline | Detecting malicious package behavior |
Contributing to the vulnerability database
To look up a known vulnerability, search the GitLab Advisory Database.
You can also submit new vulnerabilities to the database.