Blog Unfiltered A quick guide to GitLab Dependency Scanning
January 14, 2021
4 min read

A quick guide to GitLab Dependency Scanning

A walk through of creating a quick example project in order to see Dependency Scanning in action.

iceberg_header.jpg

Are you curious about our Secure offerings? They are easy, and free, to try out!

I suggest you create a free demo project to check them out and see if it's something you might want.

Did you know? If you have a public project on GitLab.com you can enable our Secure scanning functionality. Please note that educational institutions and open-source projects can also request free licenses.

In this blog I will walk you through creating a new demo project, adding Dependency Scanning, and reviewing the results of the scan. Following the steps below should take you 15 minutes.

Create a test project

Let's grab a test project and enable Dependency Scanning.

  1. Sign in to your GitLab account.
  2. Create a new project by clicking "New project" on your project list.
    New project
  3. Select the "Create from template" option.
  4. Select a project template. Be sure to choose one that is written in one of our supported languages and package managers. I have chosen a Ruby on Rails template.
    Project from template
  5. Click the "Use template" button.
  6. You need to name your project. I named mine "mytestrubyonrails". Be sure to set the Visibility level to "Public".
    Template settings
  7. You now have a new project.
    Your new project

Configure Dependency Scanning to run in the pipeline

Create a new file in your project

  1. Click "New file".
    Add a new file
  2. You have two choices to populate the file - Template or Advanced.

Use the template to fill .gitlab-ci.yml

  1. On the New file page choose "Select a template type > .gitlab-ci.yml".
    pick yml as file template
  2. Select "Apply a template > Dependency-Scanning".
    dependency scanning template yml

Advanced - manually enter data into .gitlab-ci.yml

  1. On the New file page name the file .gitlab-ci.yml.
  2. Insert the necessary lines of code per our user documentation.
   stages:
   - test
   - qa

   include:
   - template: Dependency-Scanning.gitlab-ci.yml

   dependency_scanning:
   stage: test
   variables:
     CI_DEBUG_TRACE: "true"

advanced yml

Commit the file

  1. Add a commit message if you want.
  2. Change the "Target Branch" from "master" to something else - for example "add-ds", and leave the "Start a new merge request with these changes" box checked.
    dependency scanning template rename target
  3. Click "Commit changes".
  4. A "New Merge Request" page will load. Scroll to the bottom and click "Submit merge request".
    dependency scanning template merge request part 1
    dependency scanning template merge request part 2
  5. The pipeline will now run.

View pipeline results

Now that you have your first pipeline, this and any future pipeline will run the Dependency Scanning jobs. You can review the results after a pipeline completes by:

  1. View the Merge request - look at the security MR report area.
    merge request security report
  2. Click expand to see the details.
    expanded merge request security report
  3. You can also view the Security tab in the pipeline.
    security tab in the pipeline

Note: For this example we are going to decide not to act on the findings as part of the merge request, and we have not configured security merge request approvals so findings do not require additional approvers before you are permitted to merge.

You can see my example merge request.

View results outside of the merge request

First, merge this request in to master for your test project. The results will not show outside of the merge request until this is done.

Now you can see the findings by navigating to the Security Dashboard.
navigate to the security dashboard
the security dashboard

You can view just the dependencies and their found issues by viewing the Dependency List.
navigate to the dependency list
the dependency list
expand a row in the dependency list
You can see my dependency list.

You can click on a finding in the dashboard to see more details. This takes you to the vulnerability's page.
stand alone vulnerability's page

On the vulnerability's page you can decide to set the status (dismiss, confirm, resolve) after triaging.
stand alone vulnerabilities status
You can see my example finding.

You can create an issue from a vulnerability.
stand alone vulnerabilities created issue
You can see my example issue.

Now go on and try it yourself!

If the above blog walkthrough of creating a demo project and running Dependency Scanning got you curious you can read more about Dependency Scanning in our user documentation.

If you would rather try a different type of Secure scanner - they are all just as easy to set up read more about our Secure scanning tools in our user documentation.

Cover image by Alan Light, licensed under Attribution 2.0 Generic (CC BY 2.0)

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert