Dependency Verification

Problem to solve

We would like to use GitLab to verify our dependencies, amongst other things. Verifying dependencies means to us that we would like to check the integrity of those dependencies via checksums or signatures to make sure a dependency has not been tampered with. We use a Java Gradle project with some JavaScript, so this means we use both the Maven and npm public repositories, but we would like to switch to the GitLab “Dependency proxy for packages”.

Of course we can verify the checksum that is stored alongside the artifact in Maven Central, but this checksum can already have been tampered with as well. So, I assume, somehow a check of checksums across repositories must be performed.

So the question is whether GitLab somehow supports verifying dependencies automatically using multiple repositories, or doing this as part of the vulnerability scanning process?

We could not find anything in the docs really.

Versions

  • [x] Self-managed 17.1
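The cross-repository check the issue describes, as an added example that is not part of the original post and not GitLab's own code: the downloaded bytes are hashed locally and accepted only if the checksums published by at least two independent repositories both match them, so a single repository that publishes a tampered artifact together with a matching tampered checksum is not enough to pass. The artifact bytes, repository names and checksum values are constructed inline (the "compromised-mirror" one deliberately wrong) so the script runs offline; in a real pipeline the checksums would be fetched from the `.sha256` / `.sha512` sidecar files of each repository. The last function emits the agreed digests in the shape of a `<component>` entry for Gradle's built-in dependency verification file (`gradle/verification-metadata.xml`), which pins them for every later build.

```python
"""Cross-repository checksum agreement for a downloaded dependency.

Added example, not from the original issue. All artifact bytes, repository
names and checksum values below are constructed so the script runs offline.
"""
import hashlib
from dataclasses import dataclass

# MD5 and SHA-1 sidecars still exist on Maven Central but are not
# collision resistant; refuse them rather than silently trusting them.
SUPPORTED_ALGORITHMS = {"sha256", "sha512"}


@dataclass(frozen=True)
class PublishedChecksum:
    repository: str  # hypothetical repository / mirror name
    algorithm: str   # "sha256" or "sha512"
    value: str       # hex digest exactly as published by that repository


def digest(data: bytes, algorithm: str) -> str:
    """Hash the bytes we actually downloaded; never trust a digest we did not compute."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"refusing weak or unknown checksum algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def verify_artifact(data: bytes, published, min_independent: int = 2):
    """Return (accepted, reason).

    Accept only if every published checksum matches the downloaded bytes and
    at least `min_independent` distinct repositories vouch for them. A single
    repository's checksum proves nothing if that repository is the one that
    was tampered with.
    """
    if not published:
        return False, "no published checksums to compare against"
    mismatched = set()
    for entry in published:
        try:
            actual = digest(data, entry.algorithm)
        except ValueError as err:
            return False, str(err)
        if actual != entry.value.strip().lower():
            mismatched.add(entry.repository)
    if mismatched:
        return False, "checksum mismatch reported by: " + ", ".join(sorted(mismatched))
    repositories = {entry.repository for entry in published}
    if len(repositories) < min_independent:
        return False, (f"only {len(repositories)} independent repository vouches; "
                       f"need {min_independent}")
    return True, f"{len(repositories)} independent repositories agree on the downloaded bytes"


def verification_metadata_entry(group, name, version, filename, data, origin):
    """Render the agreed digests as a <component> for gradle/verification-metadata.xml."""
    sha256 = digest(data, "sha256")
    sha512 = digest(data, "sha512")
    return (
        f'<component group="{group}" name="{name}" version="{version}">\n'
        f'  <artifact name="{filename}">\n'
        f'    <sha256 value="{sha256}" origin="{origin}"/>\n'
        f'    <sha512 value="{sha512}" origin="{origin}"/>\n'
        f'  </artifact>\n'
        f'</component>'
    )


# Constructed sample input: stands in for a downloaded .jar.
ARTIFACT = b"constructed sample artifact bytes; stands in for a downloaded .jar\n"

# Two repositories that really serve these bytes would publish these digests.
AGREEING = [
    PublishedChecksum("maven-central", "sha256", digest(ARTIFACT, "sha256")),
    PublishedChecksum("independent-mirror", "sha512", digest(ARTIFACT, "sha512")),
]
# A third, compromised mirror publishes a digest that does not match the bytes.
TAMPERED = AGREEING + [PublishedChecksum("compromised-mirror", "sha256", "0" * 64)]
# Only one repository vouching is not enough, even if its checksum matches.
SINGLE_SOURCE = AGREEING[:1]
# A matching MD5 sidecar is refused outright.
WEAK = [PublishedChecksum("maven-central", "md5", "d41d8cd98f00b204e9800998ecf8427e")]

if __name__ == "__main__":
    for label, sources in [("agreeing", AGREEING), ("tampered", TAMPERED),
                           ("single source", SINGLE_SOURCE), ("weak algorithm", WEAK)]:
        print(f"{label:15} -> {verify_artifact(ARTIFACT, sources)}")
    print(verification_metadata_entry("com.example", "sample", "1.0.0",
                                      "sample-1.0.0.jar", ARTIFACT,
                                      "agreed by maven-central and independent-mirror"))
```

Checksum agreement only shows that several repositories serve the same bytes; it does not tell you who produced them. For that, the artifact's PGP `.asc` signature has to be checked against a key you already trust (Gradle's verification metadata can record trusted keys alongside the checksums), and the pinned digests should be committed once and diffed on every update rather than re-fetched on each build.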