惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

AI
AI
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google DeepMind News
Google DeepMind News
T
Tenable Blog
博客园_首页
S
Securelist
Spread Privacy
Spread Privacy
Google Online Security Blog
Google Online Security Blog
Forbes - Security
Forbes - Security
Engineering at Meta
Engineering at Meta
U
Unit 42
L
LINUX DO - 热门话题
量子位
T
Threat Research - Cisco Blogs
博客园 - 【当耐特】
C
Cyber Attacks, Cyber Crime and Cyber Security
K
Kaspersky official blog
MyScale Blog
MyScale Blog
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
Google DeepMind News
Google DeepMind News
GbyAI
GbyAI
Martin Fowler
Martin Fowler
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Security Latest
Security Latest
Scott Helme
Scott Helme
V
Vulnerabilities – Threatpost
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
InfoQ
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
The Register - Security
The Register - Security
T
The Blog of Author Tim Ferriss
aimingoo的专栏
aimingoo的专栏
V2EX - 技术
V2EX - 技术
T
Tailwind CSS Blog
月光博客
月光博客
Recent Announcements
Recent Announcements
G
Google Developers Blog
F
Full Disclosure
W
WeLiveSecurity
宝玉的分享
宝玉的分享
腾讯CDC
G
GRAHAM CLULEY
Vercel News
Vercel News
Simon Willison's Weblog
Simon Willison's Weblog
美团技术团队
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Help Net Security
Help Net Security

GitLab

Turn multi-step software delivery into agentic flows you can trust GitLab Duo Security Review spots logic flaws scanners miss Bring GitLab Duo Agent Platform to your terminal Forrester Consulting: GitLab Duo Agent Platform delivers 400% ROI GitLab 19.2 release notes | GitLab Docs When a version bump breaks your build, GitLab fixes it Green DevOps: Why carbon measurement belongs in your CI/CD pipeline GitLab Patch Release: 19.1.2, 19.0.4, 18.11.7 How we used AI agents to migrate GitLab rate limiting Keep your GitLab seats in check with restricted access GitLab Patch Release: 18.8.11 | GitLab Docs Claude Sonnet 5 on GitLab: More reliable, more efficient What Google Antigravity agents get full context with GitLab Orbit GitLab Patch Release: 19.1.1, 19.0.3, 18.11.6 GitLab 19.1 release notes | GitLab Docs AI Catalog updates for governance and operations One vulnerability view: From scanner coverage to AI governance GitLab named a Leader in the 2026 Gartner® Magic Quadrant™ for DevSecOps Platforms GitLab and Capgemini accelerate DevSecOps transformation Introducing the 2026 EMEA GitLab Partner Award winners GitLab Patch Release: 19.0.2, 18.11.5, 18.10.8 Introducing GitLab Orbit GitLab Flex: Commit once, reshape your seats and AI spend GitLab: Built for the agentic engineering era GitLab on Google Cloud: Fully managed, compliant, and AI-ready Shai-Hulud copycat campaign targets Python developers through PyPI typosquatting Mythos-class Claude Fable 5 arrives on GitLab Duo Agent Platform GitLab Patch Release: 19.0.1, 18.11.4, 18.10.7 Claude Opus 4.8 on GitLab: Complex agentic work, less disruption Agentic coding is only as good as its context GitLab Patch Release: 18.9.8, 18.8.10, 18.7.7, 18.6.8, 18.5.7 Full security scanner coverage of your codebase in minutes Transform MRs from manual tasks to an automated workflow Track CI component usage across your organization Manage CI/CD credentials with GitLab Secrets Manager More AI models for GitLab Duo Agent Platform Self-Hosted GitLab 19.0 | GitLab Docs GitLab Dedicated for Government now GovRAMP-authorized Beyond BYOK: Why governance matters for AI agents Fix bugs with Codex and GitLab 5 ways to fix misleading vulnerability severities with policy Harden your pipeline perimeter for the era of AI-assisted coding GitLab Patch Release: 18.11.3, 18.10.6, 18.9.7 GitLab Act 2 Consolidate your GitLab stack with Gitaly on Kubernetes Limit token exposure with fine-grained PATs Automate deployment processes with GitLab Duo Agent Platform Claude Code and GitLab: Three workflows that ship 8 Agentic AI patterns reshaping team collaboration How to detect and prevent Contagious Interview IDE attacks Atlassian will train on your data: Opt out with GitLab Automate detection testing with GitLab CI/CD and Duo
Reduce supply chain risk with SBOM-based dependency scanning
Mark Settle · 2026-05-26 · via GitLab

Third-party code dominates most codebases, and four recent supply chain incidents show how a single compromised package can ripple into every project that depends on it. AI is compounding this problem: Research suggests nearly half of AI-generated code contains vulnerabilities.

Traditional dependency scanners, including GitLab's Gemnasium analyzer, were engineered to answer one question: Which of my declared packages have known CVEs? When dependency trees weren’t as deep and release cycles weren’t as fast, that approach worked.

Today’s application security teams must answer harder questions: How did a vulnerable package end up in the project? What else came with it? And which dependencies does your code actually reach? With GitLab 19.0, dependency scanning using a software bill of materials (SBOM) becomes generally available to help answer these questions. This feature inventories every direct and transitive dependency in your project and tells you which vulnerable packages your application actually uses.

How GitLab uncovers vulnerable dependencies

SBOM-based dependency scanning is a lightweight analyzer that detects vulnerabilities in your project's third-party libraries and packages. It catalogs dependencies in an SBOM and matches those components against the GitLab Advisory Database to flag known issues.

GitLab surfaces findings where practitioners work. The vulnerabilities introduced by a change appear on the merge request, so developers can fix them before shipping. Findings are also shown in vulnerability dashboards and reports, so security teams can see results across every project in one place.

Dependency scanning report showing software bill of materialsDependency scanning report showing software bill of materials

The analyzer generates both an SBOM in CycloneDX format and a dependency scanning report — machine-readable outputs you can use within GitLab, for compliance reporting, or in broader supply chain tooling.

What’s possible with SBOM-based dependency scanning

SBOM-based dependency scanning introduces capabilities that go beyond our Gemnasium-based analyzer:

Trace transitive dependencies to their source. The analyzer traces transitive dependencies, no matter how deeply nested. When the analyzer flags a vulnerable package, it shows you the chain that brought it into your project. If library-a depends on library-b, which depends on the vulnerable library-c, you can trace that path and know where to intervene.

Focus on vulnerabilities your code actually uses. Not every dependency included in manifest and build files runs in your application. For Java, JavaScript/TypeScript, and Python projects, the analyzer checks whether your code directly imports or requires vulnerable packages, distinguishing dependencies that are reachable from those that are pulled in transitively but never referenced by your application. GitLab surfaces reachability status on each finding, so teams can deprioritize vulnerabilities in packages their code never imports and focus remediation effort where exposure is plausible.

Continuously scan for new vulnerabilities. Invoke the analyzer when new advisories are published, and for each MR and pipeline run. This matters most for projects where active development has slowed but the code is still in production.

See SBOM-based dependency scanning in action

Supported languages and file formats

This release supports 24+ package ecosystems, with more planned in future releases. Adding support for new languages and file formats is now simpler because the analyzer parses lockfiles and dependency graphs directly, rather than replicating each package manager's build toolchain.

When a supported lockfile or dependency graph isn't available, the analyzer falls back to parsing manifest files such as pom.xml, requirements.txt, and Gradle build files. This surfaces direct dependencies but not transitive ones, so coverage is less complete than a lockfile-based scan. Lockfiles remain the recommended approach, but manifest parsing gives teams a starting point for projects that don’t have one.

Configure dependency scanning once, enforce it everywhere

As project counts grow, manually configuring scanners across every project becomes a significant operational burden. Projects get skipped, configurations drift, and audits surface gaps no one knew existed.

GitLab 19.0 ships with a security configuration profile for dependency scanning. Security and platform teams configure scanning once and apply it across hundreds of projects, instead of editing each pipeline by hand.

You can mandate these security standards using scan execution policies and pipeline execution policies. They allow teams to enforce dependency scanning across multiple projects without touching a single .gitlab-ci.yml file. By defining the requirement once at the group or instance level, the policy applies everywhere automatically.

Get started today

SBOM-based dependency scanning is available for GitLab Ultimate customers. The feature is live on GitLab.com and rolling out to GitLab Dedicated and self-managed customers on our standard release cadence.

Teams moving from the Gemnasium dependency scanner can run both analyzers side by side during the transition. The migration guide walks you through the switch, including how to compare results between the two.

To start fresh, follow the step-by-step instructions in our set-up tutorial. Our technical documentation covers configuration, supported languages, and advanced options.

Please share your requests and ideas for dependency scanning in our feedback epic.

Read more about what's in GitLab 19.0