How to Run SAST and Dependency Scanning in GitLab CI
GitLab ships SAST and dependency-scanning templates you include to add scanner jobs and an MR security widget.
Add the security templates with include: template:. They inject hidden scanner jobs that produce reports:sast/dependency_scanning artifacts GitLab renders on the merge request.
Include the security templates
Including the templates adds the scanners automatically; you only declare stages and any overrides.
.gitlab-ci.yml
stages: [test]
include:
- template: Jobs/SAST.gitlab-ci.yml
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
variables:
SAST_EXCLUDED_PATHS: 'spec, test, tests'Gotchas
- The scanner jobs run in the
teststage by default - define that stage or overridestage:for the included jobs. - The MR security widget and the full vulnerability report require GitLab Ultimate; Free shows the artifact but not the dashboard.
- Scanners run in Docker - they need a runner with the Docker (or Kubernetes) executor and privileged access for some analyzers.
Related guides
How to Run a Security Scan (CodeQL + Dependencies) in GitHub ActionsRun a SAST and dependency security scan in GitHub Actions with CodeQL and a dependency audit, uploading SARIF…
How to Run a Dependency Security Scan in CircleCIRun a dependency and SAST security scan in CircleCI with the Snyk orb or a plain npm audit step, failing the…