Passive dependency vulnerability scanning and alerting

Problem to solve

Be confident that all our repos are using dependencies without known vulnerabilities.

Target audience

Security analysts and development leads. (Sam and Delaney, in your personas)

Further details

Since the acquisition of Gemnasium about a year ago, I've been waiting for GitLab to add passive dependency vulnerability scanning like Gemnasium was doing.

The idea is to get all repos scanned for vulnerabilities daily and alert us when there are security issues. Ideally, creating an MR with the proposed upgrades and fixes.

It should be passive, so even projects that are not super active would get alerts, and not tie this only to MRs.

Proposal

The former Gemnasium team should be able to guide you pretty well on this 😉

What does success look like, and how can we measure that?

If everyone can be confident that their important code is using safe dependencies and get alerts as soon as one is published (or at most a few hours later), then I think we are successful.

Links / references
