Software composition analysis is a suite of technologies that solve a few important needs:
- Open source license validation
- Security analysis of dependencies
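To make the two needs above concrete, here is an added, minimal SCA check (example code, not part of this issue or of any vendor's product): it parses a pinned lockfile, flags dependencies whose license is outside an allowlist, and matches pinned versions against a list of advisories. All package names, licenses and advisory ids are constructed for the example, and versions are assumed to be purely numeric dotted strings.

```python
"""Minimal software-composition-analysis (SCA) check: license validation plus
vulnerability lookup for pinned dependencies. All data here is constructed."""

# Constructed lockfile content, requirements.txt style (name==version per line).
LOCKFILE = """\
# constructed sample lockfile
webkitten==2.19.1
yamlish==3.12
padlib==1.0.0
"""

# Constructed license metadata; a real tool resolves this from the package index.
LICENSES = {"webkitten": "Apache-2.0", "yamlish": "MIT", "padlib": "AGPL-3.0"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed advisories: (package, first fixed version, placeholder advisory id).
ADVISORIES = [
    ("webkitten", (2, 20, 0), "ADVISORY-PLACEHOLDER-1"),
    ("yamlish", (5, 1, 0), "ADVISORY-PLACEHOLDER-2"),
]


def parse_version(text):
    """Dotted numeric version -> comparable tuple; assumes no pre-release suffixes."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_lockfile(text):
    """Return {package_name: version_tuple}, skipping blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.lower()] = parse_version(version)
    return deps


def license_findings(deps, licenses=LICENSES, allowed=ALLOWED_LICENSES):
    """Dependencies whose license is unknown or not on the allowlist."""
    return sorted(name for name in deps if licenses.get(name) not in allowed)


def vulnerability_findings(deps, advisories=ADVISORIES):
    """Advisory ids where the pinned version is older than the first fixed version."""
    return sorted(adv for name, fixed, adv in advisories
                  if name in deps and deps[name] < fixed)


def scan(text):
    deps = parse_lockfile(text)
    return {"licenses": license_findings(deps),
            "vulnerabilities": vulnerability_findings(deps)}
```

A CI job would run `scan()` over the repository's lockfile and fail the pipeline when either list is non-empty.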
There are some vendors who provide this today, such as:
Many of them offer integration into CI and repository tools, as well.
We should consider adding these features to GitLab, either by building them internally or potentially by partnering. One area we are looking into now is:
- Clair integration with CI/registry: gitlab-ce#22963 (closed)