vet integrates with GitLab Dependency Scanning to detect malicious and vulnerable dependencies on every push and merge request.

Prerequisites

GitLab Account

Active GitLab account with access to your project

Ultimate Plan

GitLab Group with Ultimate Plan for security scanning features
Security scanning features (the pipeline security tab and the Vulnerability Report) are only available on GitLab Ultimate plans. Free users can still use the vet CI component to find vulnerabilities and check policy violations; the findings are then read from the job log and artifacts rather than the dashboard. See the demo video for free usage.

Quick Setup

1. Enable CI on Your Project

Create a .gitlab-ci.yml file in the root of your project:
touch .gitlab-ci.yml

2. Add Vet as a CI Component

Add the following to your .gitlab-ci.yml file:
include:
  - component: gitlab.com/safedep/ci-components/vet/[email protected]
Commit and push to trigger your first scan.

Viewing Results

Once configured, the vet job appears in your pipeline and the pipeline gets a security tab. Vulnerabilities and malware findings are listed in that security tab, and the detailed report is available at Project > Secure > Vulnerability Report.
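Teams without Ultimate still get the findings as a job artifact, and even with Ultimate it is useful to gate a pipeline on the report directly. The script below is an added example, not code from the vet project or the SafeDep docs. It assumes the vet job publishes its findings as a GitLab dependency scanning report (the reports: dependency_scanning artifact that feeds the security tab); the embedded report is constructed for this example and contains no real advisories or packages, and the "malicious" name check is an assumption about how malware findings are labelled.

```python
"""Triage a GitLab dependency scanning report from a vet CI job.

Added example, not code from the vet project or the SafeDep docs. Assumes the
vet job publishes a GitLab dependency scanning report; the sample below is
constructed (no real advisories, identifiers or packages).
"""
import json
import sys
from collections import Counter

# Severity strings used by the GitLab security report schema, highest first.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Info", "Unknown")

# Constructed sample report in the GitLab security report JSON shape.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {
            "id": "example-0001",
            "name": "Remote code execution in example-lib",
            "severity": "Critical",
            "location": {"file": "package-lock.json",
                         "dependency": {"package": {"name": "example-lib"},
                                        "version": "1.2.3"}},
            "identifiers": [{"type": "example", "name": "EXAMPLE-0001",
                             "value": "EXAMPLE-0001"}],
        },
        {
            "id": "example-0002",
            "name": "Malicious package: example-typo",
            "severity": "Medium",
            "location": {"file": "package-lock.json",
                         "dependency": {"package": {"name": "example-typo"},
                                        "version": "0.0.9"}},
            "identifiers": [{"type": "example", "name": "EXAMPLE-0002",
                             "value": "EXAMPLE-0002"}],
        },
        {
            "id": "example-0003",
            "name": "Regular expression denial of service in example-util",
            "severity": "Low",
            "location": {"file": "package-lock.json",
                         "dependency": {"package": {"name": "example-util"},
                                        "version": "4.0.0"}},
            "identifiers": [{"type": "example", "name": "EXAMPLE-0003",
                             "value": "EXAMPLE-0003"}],
        },
    ],
})


def load_report(text):
    """Parse the report JSON and return its list of findings."""
    return json.loads(text).get("vulnerabilities", [])


def dependency_of(finding):
    """Return 'name@version' of the dependency a finding is attached to."""
    dep = finding.get("location", {}).get("dependency", {})
    return f"{dep.get('package', {}).get('name', '?')}@{dep.get('version', '?')}"


def count_by_severity(findings):
    """Count findings per severity, with every known severity present."""
    counts = Counter(f.get("severity", "Unknown") for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def looks_malicious(finding):
    # Assumption for this example: malware findings carry the word "malicious"
    # in their name. Adjust to whatever the real report uses.
    return "malicious" in finding.get("name", "").lower()


def select_blocking(findings, fail_on=("Critical", "High")):
    """Findings that should fail the job: anything at a blocking severity,
    plus anything that looks like malware regardless of its severity."""
    return [f for f in findings
            if f.get("severity") in fail_on or looks_malicious(f)]


def gate(text, fail_on=("Critical", "High")):
    """Return (exit code, one summary line per blocking finding)."""
    blocking = select_blocking(load_report(text), fail_on)
    lines = [f"{f.get('severity', 'Unknown'):8} {dependency_of(f)}  {f.get('name', '')}"
             for f in blocking]
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    # Usage: python triage_report.py gl-dependency-scanning-report.json
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_REPORT
    code, lines = gate(text)
    print("\n".join(lines) or "no blocking findings")
    sys.exit(code)
```

Run it as an extra script step after the vet job (consuming the job's report artifact) to fail on the severities you choose, independent of the GitLab plan. Malware findings are treated as blocking on their own, since a malicious package at "Medium" severity is still not something to ship.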

Configuration Options

Cloud Sync Integration

Enable SafeDep Cloud synchronization:
include:
  - component: gitlab.com/safedep/ci-components/vet/[email protected]
    inputs:
      cloud: true
      cloud-key: $SAFEDEP_CLOUD_API_KEY
      cloud-tenant: $SAFEDEP_CLOUD_TENANT_DOMAIN
Store SAFEDEP_CLOUD_API_KEY and SAFEDEP_CLOUD_TENANT_DOMAIN as GitLab CI/CD variables rather than committing them to .gitlab-ci.yml; mask the API key, and mark it protected if only protected branches should be able to sync to the cloud.

Policy Configuration

Use custom policies for advanced filtering:
include:
  - component: gitlab.com/safedep/ci-components/vet/[email protected]
    inputs:
      policy: '.gitlab/vet/policy.yml'
The CI job fails if any policy violations are found. Check the logs to identify which policies were violated.

Version Control

Specify which version of vet to use:
include:
  - component: gitlab.com/safedep/ci-components/vet/[email protected]
    inputs:
      version: v1.9.0
These are two independent versions: the component tag (@v1.5.1) pins the GitLab CI component, and the version input pins the vet binary the component downloads and runs.

Trusted Registries

Configure trusted registry URLs for package verification:
include:
  - component: gitlab.com/safedep/ci-components/vet/[email protected]
    inputs:
      trusted-registries:
        - https://registry.npmjs.org
        - https://pypi.org
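This page does not describe how vet itself applies the trusted-registries input, so the script below is an added example rather than vet's implementation: it shows the kind of origin check that setting implies, run over an npm v3 package-lock.json. The lockfile is constructed for the example, and the lookalike host and private-registry URL in it are placeholders, not real registries.

```python
"""Flag lockfile entries that did not resolve from a trusted registry.

Added example, not vet's implementation of the trusted-registries input.
The lockfile below is constructed; hosts ending in .invalid are placeholders.
"""
import json
import sys
from urllib.parse import urlparse

# Same registry URLs as the component input; a private registry with a path
# prefix (e.g. a GitLab npm registry) is matched on that prefix too.
TRUSTED_REGISTRIES = ["https://registry.npmjs.org", "https://pypi.org"]

SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/example-ok": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/example-ok/-/example-ok-1.0.0.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/example-lookalike": {
            "version": "2.0.0",
            # Host merely starts with the trusted name; exact host matching catches it.
            "resolved": "https://registry.npmjs.org.example-attacker.invalid/example-lookalike/-/example-lookalike-2.0.0.tgz",
            "integrity": "sha512-BBBB"},
        "node_modules/example-plain": {
            "version": "3.0.0",
            # Right host, but plaintext transport: not trusted.
            "resolved": "http://registry.npmjs.org/example-plain/-/example-plain-3.0.0.tgz",
            "integrity": "sha512-CCCC"},
        "node_modules/example-git": {
            "version": "0.1.0",
            # Git dependencies bypass the registry entirely.
            "resolved": "git+ssh://git@example.invalid/org/example-git.git#0123abcd"},
        # Workspace symlink, not a download; skipped.
        "node_modules/example-local": {"resolved": "../shared/example-local", "link": True},
    },
})


def is_trusted(resolved, trusted=TRUSTED_REGISTRIES):
    """True only for https URLs whose host equals a trusted registry's host
    exactly and whose path lies under that registry's path prefix."""
    url = urlparse(resolved)
    if url.scheme != "https":
        return False
    for base in trusted:
        b = urlparse(base)
        prefix = b.path.rstrip("/") + "/"   # "" -> "/", "/api/npm/" -> "/api/npm/"
        if url.netloc == b.netloc and url.path.startswith(prefix):
            return True
    return False


def untrusted_packages(lockfile_text, trusted=TRUSTED_REGISTRIES):
    """Return [(package path, resolved url)] for every dependency that did not
    come from a trusted registry. The root entry and workspace links are skipped;
    an entry with no resolved URL at all is reported as untrusted."""
    lock = json.loads(lockfile_text)
    flagged = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue
        resolved = entry.get("resolved")
        if not resolved or not is_trusted(resolved, trusted):
            flagged.append((path, resolved or "<no resolved url>"))
    return flagged


if __name__ == "__main__":
    # Usage: python check_registries.py package-lock.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    bad = untrusted_packages(text)
    for path, url in bad:
        print(f"UNTRUSTED {path} <- {url}")
    sys.exit(1 if bad else 0)
```

The host comparison is deliberately exact rather than a suffix or prefix match: a lookalike such as registry.npmjs.org.<attacker-domain> must not pass, and a trusted private registry is identified by its full origin plus path prefix.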

Artifact Access

Control who can access scan artifacts:
include:
  - component: gitlab.com/safedep/ci-components/vet/[email protected]
    inputs:
      artifact-access: 'developer'  # Options: all, developer, none
Only use all if you are comfortable exposing security scan results to everyone who can view the project's pipelines, which on a public project means anyone.

Advanced Examples

Multi-Stage Pipeline

stages:
  - security
  - build
  - deploy

include:
  - component: gitlab.com/safedep/ci-components/vet/[email protected]
    inputs:
      stage: security
      policy: '.gitlab/security-policy.yml'
      cloud: true
      cloud-key: $SAFEDEP_CLOUD_API_KEY
      cloud-tenant: $SAFEDEP_CLOUD_TENANT_DOMAIN

build:
  stage: build
  script:
    - echo "Building application..."
  needs: ["vet"]

Conditional Scanning

include:
  - component: gitlab.com/safedep/ci-components/vet/[email protected]
    rules:
      - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      - if: $CI_COMMIT_BRANCH == "main"

Troubleshooting

Security tab or Vulnerability Report missing: ensure your GitLab plan includes security scanning features. Ultimate plan is required for the security dashboard; on other plans, read the findings from the vet job log and artifacts instead.
Component not found or the include fails: verify you’re using the correct component path and version. Check the GitLab Component Catalog for the latest version.
vet job fails: this is expected behavior when policy violations are found. Review the job logs to see which policies were violated, then fix the issues or adjust your policy configuration.

GitLab Component

View complete configuration options and examples

Report Issues

Report bugs or request improvements