Add the Ability of GitLab to Provide Dependency Scanning of the Repository and Alert Users of Detected Vulnerabilities
Problem to solve
A customer wants the ability to have a security scan performed on the git repository at some configurable frequency to identify dependency vulnerabilities, and then to be notified of those vulnerabilities. Currently GitLab performs security scanning only as part of a CI pipeline run. This feature would help reduce risk for customers who are not currently able to scan their code because they have not yet migrated to GitLab CI.
Intended users
Who receives notifications about scan failures (detected vulnerabilities) should be configurable. The list could include owners, maintainers, and developers of the project, and potentially GitLab administrators (self-managed) and members of the security team.
Further details
Proposal
Permissions and Security
Documentation
Testing
What does success look like, and how can we measure that?
What is the type of buyer?
This would probably fit in one of the lower-level tiers, such as Starter or Bronze.