Dependency scanning in the free tier

Hi! :wave:

I’ve a question about dependency scanning and license. I’m not sure if this is the best place to ask about this.
The dependency scanning page mentions that it’s only available in the “Ultimate” tier; however, using the GitLab.com free tier I can enable dependency scanning in the pipeline and get the artefact with the result. Am I allowed to do this, or can this be a violation of the license?

I enabled it with the following configuration in .gitlab-ci.yml:

```yaml
stages:
  - test

variables:
  GITLAB_FEATURES: "${GITLAB_FEATURES},dependency_scanning"

include:
  - template: Dependency-Scanning.gitlab-ci.yml
```

My guess is that this won’t work if it’s not available in the tier that you are using.

If you don’t want to pay for the more expensive license, you could find out what tools the dependency scanner uses, and implement a CI/CD pipeline for them yourself. The advantage of paying for the GitLab tooling for this (AIUI) is that the pipeline is already written for you in the AutoDevOps template, and that GitLab scans the artifact and posts a note (comment) to your MR with the results. This cuts out a lot of work on your side, but if you can find an open source scanning tool, it should be possible to write something from scratch and use the GitLab API to post the comment.

Regards,

Sarah
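As an added illustration of the do-it-yourself route Sarah describes (this is example code, not from the thread or from GitLab), the script below takes a scanner report in the shape of GitLab's `gl-dependency-scanning-report.json` artifact, builds a Markdown summary, and shows the API request a CI job would send to add that summary as a note on the merge request. The report embedded here is constructed with placeholder package names and finding titles; the environment variable names `CI_API_V4_URL`, `CI_PROJECT_ID` and `CI_MERGE_REQUEST_IID` are GitLab's predefined CI variables, while `MR_NOTE_TOKEN` is an assumed name for a masked CI variable holding a project access token with `api` scope.

```python
"""Summarise a dependency-scanning report and post it as an MR note.

Added example, not part of the forum thread or of GitLab's own tooling.
"""
import json
import os
import sys
import urllib.request
from collections import Counter

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Unknown"]

# Constructed sample in the shape of gl-dependency-scanning-report.json.
# Only the fields this example reads are present; real reports carry more.
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "placeholder-1", "name": "Constructed finding A", "severity": "High",
         "location": {"file": "package-lock.json",
                      "dependency": {"package": {"name": "example-lib-a"}, "version": "1.2.3"}}},
        {"id": "placeholder-2", "name": "Constructed finding B", "severity": "Medium",
         "location": {"file": "package-lock.json",
                      "dependency": {"package": {"name": "example-lib-b"}, "version": "0.9.0"}}},
        {"id": "placeholder-3", "name": "Constructed finding C", "severity": "Critical",
         "location": {"file": "Gemfile.lock",
                      "dependency": {"package": {"name": "example-gem-c"}, "version": "2.0.1"}}},
    ],
}


def count_by_severity(report):
    """Count findings per severity, most severe first, omitting empty buckets."""
    counts = Counter(v.get("severity", "Unknown") for v in report.get("vulnerabilities", []))
    return {sev: counts[sev] for sev in SEVERITY_ORDER if counts[sev]}


def summarize_report(report, fail_on=("Critical", "High")):
    """Return (markdown_note, should_block).

    should_block is True when any finding has a severity listed in fail_on,
    so the CI job can fail the pipeline after posting the note.
    """
    findings = report.get("vulnerabilities", [])
    lines = ["## Dependency scanning summary", ""]
    if not findings:
        lines.append("No vulnerable dependencies found.")
        return "\n".join(lines), False
    lines.append(", ".join(f"{sev}: {n}" for sev, n in count_by_severity(report).items()))
    lines += ["", "| Severity | Package | Version | Finding | File |", "|---|---|---|---|---|"]
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    for v in sorted(findings, key=lambda f: rank.get(f.get("severity", "Unknown"), len(rank))):
        loc = v.get("location", {})
        dep = loc.get("dependency", {})
        pkg = dep.get("package", {}).get("name", "?")
        lines.append(f"| {v.get('severity', 'Unknown')} | {pkg} | {dep.get('version', '?')} "
                     f"| {v.get('name', '')} | {loc.get('file', '?')} |")
    should_block = any(v.get("severity") in fail_on for v in findings)
    return "\n".join(lines), should_block


def build_note_request(api_url, project_id, mr_iid, token, body):
    """Build the POST /projects/:id/merge_requests/:iid/notes request (not sent here)."""
    url = f"{api_url.rstrip('/')}/projects/{project_id}/merge_requests/{mr_iid}/notes"
    req = urllib.request.Request(url, data=json.dumps({"body": body}).encode(), method="POST")
    req.add_header("PRIVATE-TOKEN", token)
    req.add_header("Content-Type", "application/json")
    return req


def main(path="gl-dependency-scanning-report.json"):
    """Load the report (falling back to the constructed sample), post, and set exit status."""
    try:
        with open(path, encoding="utf-8") as fh:
            report = json.load(fh)
    except FileNotFoundError:
        report = SAMPLE_REPORT
    note, should_block = summarize_report(report)
    print(note)
    env = os.environ
    if all(k in env for k in ("CI_API_V4_URL", "CI_PROJECT_ID", "CI_MERGE_REQUEST_IID", "MR_NOTE_TOKEN")):
        req = build_note_request(env["CI_API_V4_URL"], env["CI_PROJECT_ID"],
                                 env["CI_MERGE_REQUEST_IID"], env["MR_NOTE_TOKEN"], note)
        with urllib.request.urlopen(req, timeout=30) as resp:  # only runs inside an MR pipeline
            print("note posted, HTTP", resp.status)
    return 1 if should_block else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "gl-dependency-scanning-report.json"))
```

Run it as a job in the `test` stage after the scanner job, with the report declared as an artifact the job `needs`; outside a merge-request pipeline it only prints the summary and sets the exit status, so it is safe to run locally against a saved report.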

> My guess is that this won’t work if it’s not available in the tier that you are using.

Actually, it works using the GitLab.com free tier, despite the fact that the GitLab Pricing page says it’s only available in the Ultimate tier.

I just want to know if this is really (legally) allowed or a bug.