# GitLab Dependency Scanning

> Native GitLab integration for dependency security scanning with Vet.

`vet` integrates with GitLab Dependency Scanning to detect malicious and vulnerable dependencies on every push and merge request.

<iframe width="100%" height="315" src="https://www.youtube.com/embed/3FwcVVR9-1c?si=EyqimClJRLCFftnB" title="GitLab Dependency Scanning with vet" frameBorder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; fullscreen" allowFullScreen />

## Prerequisites

<CardGroup cols={2}>
  <Card title="GitLab Account" icon="gitlab">
    Active GitLab account with access to your project
  </Card>

  <Card title="Ultimate Plan" icon="crown">
    GitLab Group with Ultimate Plan for security scanning features
  </Card>
</CardGroup>

<Info>
  Security scanning features are available only on GitLab Ultimate plans. Free users can still use the **Vet CI component** to find vulnerabilities and check policy violations. See the [demo video](https://www.youtube.com/watch?v=QJfSRc4p-z4) for usage on the free plan.
</Info>

## Quick Setup

### 1. Enable CI on Your Project

Create a `.gitlab-ci.yml` file in the root of your project:

```bash
touch .gitlab-ci.yml
```

### 2. Add Vet as a CI Component

Add the following to your `.gitlab-ci.yml` file:

```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.1
```

Commit and push to trigger your first scan.

## Viewing Results

Once configured, the `vet` job appears in your pipeline with a security tab:

<img src="https://mintcdn.com/safedep/A0tSXvZ_XcagO9QB/images/gitlab/pipeline.png?fit=max&auto=format&n=A0tSXvZ_XcagO9QB&q=85&s=fa44b795114f4263cbdec2500d5de0a0" alt="GitLab Pipeline with vet" width="756" height="299" data-path="images/gitlab/pipeline.png" />

View vulnerabilities and malware findings in the security tab:

<img src="https://mintcdn.com/safedep/A0tSXvZ_XcagO9QB/images/gitlab/vuls.png?fit=max&auto=format&n=A0tSXvZ_XcagO9QB&q=85&s=9168f068ce6fd2fc25212b2e2f3f64a9" alt="GitLab Security Vulnerabilities" width="1453" height="933" data-path="images/gitlab/vuls.png" />

Access detailed reports at **Project > Secure > Vulnerability Report**:

<img src="https://mintcdn.com/safedep/A0tSXvZ_XcagO9QB/images/gitlab/dashboard.png?fit=max&auto=format&n=A0tSXvZ_XcagO9QB&q=85&s=42fa6fbd0b567280744bcda8fd4c501e" alt="GitLab Vulnerability Dashboard" width="1685" height="796" data-path="images/gitlab/dashboard.png" />

## Configuration Options

### Cloud Sync Integration

Enable [SafeDep Cloud](/governance/cloud/quickstart) synchronization:

```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.1
    inputs:
      cloud: true
      cloud-key: $SAFEDEP_CLOUD_API_KEY
      cloud-tenant: $SAFEDEP_CLOUD_TENANT_DOMAIN
```

<Warning>
  Store `SAFEDEP_CLOUD_API_KEY` and `SAFEDEP_CLOUD_TENANT_DOMAIN` as GitLab CI/CD variables instead of writing their values into `.gitlab-ci.yml`.
</Warning>

### Policy Configuration

Use custom policies for advanced filtering:

```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.1
    inputs:
      policy: '.gitlab/vet/policy.yml'
```

The CI job fails if any policy violations are found. Check the logs to identify which policies were violated.

### Version Control

Specify which version of `vet` to use:

```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.1
    inputs:
      version: v1.9.0
```

<Note>
  These are two independent versions: the component tag (`@v1.5.1`) pins the GitLab CI component, and the `version` input pins the `vet` binary the component downloads and runs.
</Note>

### Trusted Registries

Configure trusted registry URLs for package verification:

```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.1
    inputs:
      trusted-registries:
        - https://registry.npmjs.org
        - https://pypi.org
```

### Artifact Access

Control who can access scan artifacts:

```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.1
    inputs:
      artifact-access: 'developer'  # Options: all, developer, none
```

<Warning>
  Only use `all` if you are comfortable exposing security scan results publicly.
</Warning>
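
The two warnings above (secrets supplied through CI/CD variables, `artifact-access` not set to `all`) can be checked mechanically before a pipeline change is merged. The script below is an added example, not part of the SafeDep component or `vet`; the function name, the sample inputs and the rule that a release tag or full commit SHA counts as a pinned component ref are assumptions made for illustration.

```python
import re

# Inputs the page says to supply from GitLab CI/CD variables.
SECRET_INPUTS = {"cloud-key", "cloud-tenant"}
KEY_VALUE = re.compile(r"^\s*([A-Za-z][\w-]*):\s*(.*?)\s*(?:#.*)?$")
COMPONENT = re.compile(r"component:\s*(\S+/ci-components/vet/\S+)")
VARIABLE_REF = re.compile(r"^\$\{?[A-Za-z_]\w*\}?$")
# Assumption: a release tag (v1.5.1) or a full commit SHA counts as pinned.
PINNED_REF = re.compile(r"^(v?\d+\.\d+\.\d+|[0-9a-f]{40})$")


def audit_vet_include(ci_yaml: str) -> list[str]:
    """Line-based review of a .gitlab-ci.yml that includes the vet component."""
    # Simplification: keys are matched by name anywhere in the file,
    # not only under the component's `inputs:` block.
    findings = []
    for lineno, line in enumerate(ci_yaml.splitlines(), start=1):
        component = COMPONENT.search(line)
        if component:
            ref = component.group(1).partition("@")[2]
            if not PINNED_REF.match(ref):
                findings.append(f"line {lineno}: component ref '{ref}' is not a pinned version")
            continue
        pair = KEY_VALUE.match(line)
        if not pair:
            continue
        key, value = pair.group(1), pair.group(2).strip("'\"")
        if key in SECRET_INPUTS and not VARIABLE_REF.match(value):
            # The literal value is never echoed into the finding.
            findings.append(f"line {lineno}: {key} is a literal value; reference a CI/CD variable")
        if key == "artifact-access" and value == "all":
            findings.append(f"line {lineno}: artifact-access 'all' exposes scan results publicly")
    return findings


# Constructed sample inputs (not from the page): WEAK breaks each rule once.
WEAK = """\
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@~latest
    inputs:
      cloud: true
      cloud-key: CONSTRUCTED-LITERAL-NOT-A-KEY
      cloud-tenant: $SAFEDEP_CLOUD_TENANT_DOMAIN
      artifact-access: 'all'  # Options: all, developer, none
"""
GOOD = (WEAK.replace("@~latest", "@v1.5.1").replace("'all'", "'developer'")
        .replace("CONSTRUCTED-LITERAL-NOT-A-KEY", "$SAFEDEP_CLOUD_API_KEY"))
```

Run `audit_vet_include` on the contents of `.gitlab-ci.yml` in a pre-merge check and fail the check when the returned list is non-empty.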

## Advanced Examples

### Multi-Stage Pipeline

```yaml
stages:
  - security
  - build
  - deploy

include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.1
    inputs:
      stage: security
      policy: '.gitlab/security-policy.yml'
      cloud: true
      cloud-key: $SAFEDEP_CLOUD_API_KEY
      cloud-tenant: $SAFEDEP_CLOUD_TENANT_DOMAIN

build:
  stage: build
  script:
    - echo "Building application..."
  needs: ["vet"]
```

### Conditional Scanning

```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.1
    rules:
      - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      - if: $CI_COMMIT_BRANCH == "main"
```

## Troubleshooting

<AccordionGroup>
  <Accordion title="Security Tab Not Visible">
    Ensure your GitLab plan includes security scanning features. The Ultimate plan is required for the security dashboard.
  </Accordion>

  <Accordion title="CI Component Not Found">
    Verify you're using the correct component path and version. Check the [GitLab Component Catalog](https://gitlab.com/explore/catalog/safedep/ci-components/vet) for the latest version.
  </Accordion>

  <Accordion title="Policy Violations Failing Build">
    This is expected behavior when violations are found. Review the job logs to see which policies were violated, then fix the issues or adjust your policy configuration.
  </Accordion>
</AccordionGroup>

<CardGroup cols={2}>
  <Card title="GitLab Component" icon="gitlab" href="https://gitlab.com/explore/catalog/safedep/ci-components/vet">
    View complete configuration options and examples
  </Card>

  <Card title="Report Issues" icon="bug" href="https://gitlab.com/safedep/ci-components/vet/-/issues">
    Report bugs or request improvements
  </Card>
</CardGroup>
