Security scan for post-build packages


Proposal

The application security features (SAST, Dependency Scanning, etc.) can scan and find vulnerabilities in applications during the build phase. However, there is no mechanism to scan applications that have been built in the past.

A customer who is using the package registry has a request to monitor post-build packages. A similar feature is requested in #320979, but this request is not limited to the Generic Packages Repository.

What is proposed is a feature that periodically re-runs security scans, using the latest ruleset/vulnerability database, against the commits targeted by previous build jobs.


Link to request (internal)

Edited by 🤖 GitLab Bot 🤖