Set up security scans and use the security dashboard
Security dashboard
GitLab can check your application for security vulnerabilities that may lead to unauthorized access, data leaks, denial of service, and more. GitLab reports vulnerabilities in the merge request so you can fix them before merging. The Security Dashboard provides a high-level view of any vulnerabilities detected in your projects, pipelines, and groups.
Different types of security scans
GitLab offers you three types of security scans:
Dependency scanning
GitLab’s Dependency Scanning feature can automatically find security vulnerabilities in your dependencies while you’re developing and testing your applications. For example, dependency scanning lets you know if your application uses an external library that is known to be vulnerable.
Container scanning
Use GitLab to audit your Docker-based apps. Your application’s Docker image may itself be based on Docker images that contain known vulnerabilities. Using GitLab, you can include an extra job in your pipeline that scans for those vulnerabilities and displays them in a merge request.
Dynamic Application Security Testing
Dynamic Application Security Testing (DAST) helps you automatically find security vulnerabilities in your running web applications while you're developing and testing them. Unlike dependency and container scanning, which inspect what your application is built from, DAST probes the deployed application itself for known vulnerabilities. You can take advantage of DAST either by including the CI job in your existing .gitlab-ci.yml file or by implicitly using Auto DAST, provided by Auto DevOps.
Next steps
- We recommend you use GitLab pipelines to run security scans. Don't have a pipeline yet? You can quickly set one up by navigating to Project overview > Details in your project and clicking Set up CI/CD.
- Add one of the security scans mentioned above to your .gitlab-ci.yml by following the quick start template.
- Every time you push to this repository, a security scan is triggered.
- Navigate to Security & Compliance > Security Dashboard to view your vulnerability report.
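The following .gitlab-ci.yml is an added example, not a file from this page or from GitLab's own quick start template, showing what the steps above look like once all three scans are wired into one pipeline. The three `include` template paths are GitLab's bundled security templates. The `build_image` job, its tag naming, and the variable names `CS_IMAGE` (the image the container scanner pulls; older GitLab releases used `DOCKER_IMAGE` instead) and `DAST_WEBSITE` are assumptions about the GitLab version in use, and `https://staging.example.com` is a placeholder.

```yaml
# Added example (not from the GitLab docs page): one .gitlab-ci.yml that enables
# dependency scanning, container scanning and DAST via GitLab's bundled templates.
# Template jobs are named dependency_scanning, container_scanning and dast.
stages:
  - build
  - test   # dependency_scanning and container_scanning run here
  - dast   # the DAST template places its job in a stage named "dast"

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Assumption: image reference the container scanner should audit. It must already be
  # pushed to the registry, which the build_image job below takes care of.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # Placeholder: a running deployment for DAST to crawl. Point this at a staging or
  # review environment; DAST is an active scan and should not be aimed at production.
  DAST_WEBSITE: "https://staging.example.com"

# Assumption: build and push the application image so container scanning has
# something to pull. Uses the job token credentials GitLab injects into every job.
build_image:
  stage: build
  image: docker:stable
  services:
    - docker:stable-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
```

Two checks worth doing after the first push: confirm in the pipeline view that all three scan jobs actually ran (the templates carry their own `rules`/`only` conditions, so a job can be silently skipped on some refs), and open the merge request widget to verify the report artifacts were picked up, since a scan that runs but emits no report never reaches the Security Dashboard.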