vet supports native GitLab Dependency Scanning. You can use vet to protect your project from malicious and vulnerable dependencies on every push and merge request to GitLab.

Prerequisites

GitLab Account

Active GitLab account with access to your project

Ultimate Plan

GitLab Group with Ultimate Plan for security scanning features

Security scanning features are only available to GitLab Ultimate plans. Free users can still use the vet CI component to find vulnerabilities and check policy violations. See the demo video for free usage.

Quick Setup

1. Enable CI on Your Project

Create a .gitlab-ci.yml file in the root of your project:

touch .gitlab-ci.yml

2. Add vet as a CI Component

Add the following to your .gitlab-ci.yml file:

include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.0

That’s it! 🚀 Commit and push changes to trigger your first scan.

Viewing Results

Once configured, you’ll see the vet job in your pipeline with a security tab:

View vulnerabilities and malware findings in the security tab:

Access detailed reports at Project > Secure > Vulnerability Report:

Configuration Options

Cloud Sync Integration

Enable SafeDep Cloud synchronization:

include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.0
    inputs:
      cloud: true
      cloud-key: $CLOUD_KEY
      cloud-tenant: $CLOUD_TENANT

Store CLOUD_KEY and CLOUD_TENANT as GitLab CI/CD variables for security.

Policy Configuration

Use custom policies for advanced filtering:

include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.0
    inputs:
      policy: '.gitlab/vet/policy.yml'

The CI job will fail if any policy violations are found. Check the logs to identify which policies were violated.

Version Control

Specify which version of vet to use:

include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.0
    inputs:
      version: v1.9.0

Trusted Registries

Configure trusted registry URLs for package verification:

include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.0
    inputs:
      trusted-registries:
        - https://registry.npmjs.org
        - https://pypi.org

Artifact Access

Control who can access scan artifacts:

include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.0
    inputs:
      artifact-access: 'developer'  # Options: all, developer, none

Only use all if you’re comfortable exposing security scan results publicly.

Advanced Examples

Multi-Stage Pipeline

stages:
  - security
  - build
  - deploy

include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.0
    inputs:
      stage: security
      policy: '.gitlab/security-policy.yml'
      cloud: true
      cloud-key: $SAFEDEP_CLOUD_KEY
      cloud-tenant: $SAFEDEP_CLOUD_TENANT

build:
  stage: build
  script:
    - echo "Building application..."
  needs: ["vet"]

Conditional Scanning

include:
  - component: gitlab.com/safedep/ci-components/vet/scan@v1.5.0
    rules:
      - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      - if: $CI_COMMIT_BRANCH == "main"

Troubleshooting

GitLab Component

View complete configuration options and examples

Report Issues

Found a bug? Report it to help us improve