Skip to content
Latchkey

How to Run SAST and Dependency Scanning in GitLab CI

GitLab ships SAST and dependency-scanning templates you include to add scanner jobs and an MR security widget.

Add the security templates with include: template:. They inject hidden scanner jobs that produce reports:sast/dependency_scanning artifacts GitLab renders on the merge request.

Include the security templates

Including the templates adds the scanners automatically; you only declare stages and any overrides.

.gitlab-ci.yml
stages: [test]

include:
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

variables:
  SAST_EXCLUDED_PATHS: 'spec, test, tests'

Gotchas

  • The scanner jobs run in the test stage by default - define that stage or override stage: for the included jobs.
  • The MR security widget and the full vulnerability report require GitLab Ultimate; Free shows the artifact but not the dashboard.
  • Scanners run in Docker - they need a runner with the Docker (or Kubernetes) executor and privileged access for some analyzers.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →