Is there an official CI/CD Component for Dependency Scanning?
There is no “official” (GitLab-authored) CI/CD component for Dependency Scanning, as GitLab Dependency Scanning is part of the GitLab Ultimate product.
Any third-party or “unofficial” dependency scanning components will be found in the CI/CD catalog: CI/CD Catalog · GitLab
@glauber.ferreira, hi!
I’m the Engineering Manager for Composition Analysis. We’re responsible for the Dependency Scanning feature in GitLab.
We recently released an experimental Component for Android Dependency Scanning. It’s based on the same technology that @gitlab-greg mentioned, so the Ultimate tier also applies to it.
There’s an ongoing discussion about the user experience for Dependency Scanning, and one of the topics is about publishing a CI/CD Component for each language we support. Feel free to chime in if you have any feedback or ideas.
Hi @thiagocsf.
I saw the Component for Android but I didn’t know the strategy about publishing a CI/CD Component for each language. It sounds to me like a good solution. By the way, my priority languages are JavaScript and TypeScript, PHP and Python.
Considering the general availability of CI/CD Components and Catalog in GitLab 17.0, I am working on developing Compliance Pipelines using Components instead of Templates. Now, I am testing Secret Detection, SAST, Code Quality and Container Scanning. If I can include Dependency Scanning, it would be great.
@glauberferreira, out of the languages that you mentioned, Python is the most likely to be the next one to have a Component: Add Dependency Scanning support for Python 3.12 (#428876) · Issues · GitLab.org / GitLab · GitLab.