A quick guide to GitLab Dependency Scanning

Are you curious about our Secure offerings? They are easy, and free, to try out!

I suggest you create a free demo project to check them out and see if it's something you might want.

Did you know? If you have a public project on GitLab.com you can enable our Secure scanning functionality. Please note that educational institutions and open-source projects can also request free licenses.

In this blog I will walk you through creating a new demo project, adding Dependency Scanning, and reviewing the results of the scan. Following the steps below should take you 15 minutes.

Create a test project

Let's grab a test project and enable Dependency Scanning.

1. Sign in to your GitLab account.
2. Create a new project by clicking "New project" on your project list.
3. Select the "Create from template" option.
4. Select a project template. Be sure to choose one that is written in one of our supported languages and package managers. I have chosen a Ruby on Rails template.
5. Click the "Use template" button.
6. You need to name your project. I named mine "mytestrubyonrails". Be sure to set the Visibility level to "Public".
7. You now have a new project.

Configure Dependency Scanning to run in the pipeline

Create a new file in your project

1. Click "New file".
2. You have two choices to populate the file - Template or Advanced.

Use the template to fill .gitlab-ci.yml

1. On the New file page choose "Select a template type > .gitlab-ci.yml".
2. Select "Apply a template > Dependency-Scanning".

Advanced - manually enter data into .gitlab-ci.yml

1. On the New file page name the file .gitlab-ci.yml.
2. Insert the necessary lines of code per our user documentation.

   stages:
   - test
   - qa

   include:
   - template: Dependency-Scanning.gitlab-ci.yml

   dependency_scanning:
   stage: test
   variables:
     CI_DEBUG_TRACE: "true"

Commit the file

1. Add a commit message if you want.
2. Change the "Target Branch" from "master" to something else - for example "add-ds", and leave the "Start a new merge request with these changes" box checked.
3. Click "Commit changes".
4. A "New Merge Request" page will load. Scroll to the bottom and click "Submit merge request".
5. The pipeline will now run.

View pipeline results

Now that you have your first pipeline, this and any future pipeline will run the Dependency Scanning jobs. You can review the results after a pipeline completes by:

1. View the Merge request - look at the security MR report area.
2. Click expand to see the details.
3. You can also view the Security tab in the pipeline.

Note: For this example we are going to decide not to act on the findings as part of the merge request, and we have not configured security merge request approvals so findings do not require additional approvers before you are permitted to merge.

You can see my example merge request.

View results outside of the merge request

First, merge this request in to master for your test project. The results will not show outside of the merge request until this is done.

Now you can see the findings by navigating to the Security Dashboard.

You can view just the dependencies and their found issues by viewing the Dependency List. You can see my dependency list.

You can click on a finding in the dashboard to see more details. This takes you to the vulnerability's page.

On the vulnerability's page you can decide to set the status (dismiss, confirm, resolve) after triaging. You can see my example finding.

You can create an issue from a vulnerability. You can see my example issue.

Now go on and try it yourself!

If the above blog walkthrough of creating a demo project and running Dependency Scanning got you curious you can read more about Dependency Scanning in our user documentation.

If you would rather try a different type of Secure scanner - they are all just as easy to set up read more about our Secure scanning tools in our user documentation.

Cover image by Alan Light, licensed under Attribution 2.0 Generic (CC BY 2.0)