# GitLab Dependency Scanning

**As of GitLab %13.4, Docker-in-Docker (DinD) for Dependency Scanning is not supported anymore, and this project is no longer in use.**

5 6
[![pipeline status](https://gitlab.com/gitlab-org/security-products/dependency-scanning/badges/master/pipeline.svg)](https://gitlab.com/gitlab-org/security-products/dependency-scanning/commits/master)
[![coverage report](https://gitlab.com/gitlab-org/security-products/dependency-scanning/badges/master/coverage.svg)](https://gitlab.com/gitlab-org/security-products/dependency-scanning/commits/master)

GitLab tool for running Dependency Scanning on a given project.
It's written in Go using
the [common library](https://gitlab.com/gitlab-org/security-products/analyzers/common)
shared by SAST, Dependency Scanning and their analyzers.

## How to use

1. `cd` into the directory of the application you want to scan
1. Run the Docker image:

    ```sh
    docker run \
      --interactive --tty --rm \
      --volume "$PWD":/code \
      --volume /var/run/docker.sock:/var/run/docker.sock \
      registry.gitlab.com/gitlab-org/security-products/dependency-scanning:${VERSION:-latest} /code
    ```

    `VERSION` can be replaced with the latest available release matching your GitLab version. See [Versioning](#versioning-and-release-process) for more details.

1. The results will be displayed and also stored in `gl-dependency-scanning-report.json`

**Why mount the Docker socket?**

Some tools need to launch Docker containers in order to scan your application. You can skip this mount, but then you won't benefit from all scanners.
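The procedure above, wrapped into a small POSIX shell helper as an added example (this is not code from the project): it requires an explicit image tag instead of silently falling back to `latest`, makes the Docker socket mount opt-in because that mount hands the analyzer container control of the host's Docker daemon, and checks that the report file was actually written. The function names `ds_scan` and `ds_report_ok`, the `dry-run` mode, and the `DS_IMAGE`/`DS_REPORT` variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example wrapper around the "docker run" invocation from the README.
# ds_scan, ds_report_ok, the dry-run mode and the two variables below are
# assumptions made for this example, not part of the project.

DS_IMAGE="registry.gitlab.com/gitlab-org/security-products/dependency-scanning"
DS_REPORT="gl-dependency-scanning-report.json"

# ds_scan DIR TAG [with-socket|no-socket] [run|dry-run]
#   DIR  directory of the application to scan (default: current directory)
#   TAG  image tag; required so the scan does not float to ":latest"
#   The host Docker socket is mounted only when the third argument is
#   "with-socket": that mount gives the container full control of the host
#   Docker daemon, so it is opt-in here rather than the default.
#   "dry-run" prints the command instead of executing it.
ds_scan() {
  dir=${1:-$PWD}
  version=$2
  socket=${3:-no-socket}
  mode=${4:-run}
  if [ -z "$version" ]; then
    echo "ds_scan: image tag required (use the release matching your GitLab version)" >&2
    return 2
  fi
  [ -d "$dir" ] || { echo "ds_scan: not a directory: $dir" >&2; return 2; }
  # Build the argument list in the positional parameters (portable "array").
  set -- docker run --interactive --tty --rm --volume "$dir:/code"
  if [ "$socket" = "with-socket" ]; then
    set -- "$@" --volume /var/run/docker.sock:/var/run/docker.sock
  fi
  set -- "$@" "$DS_IMAGE:$version" /code
  if [ "$mode" = "dry-run" ]; then
    printf '%s ' "$@"
    printf '\n'
    return 0
  fi
  "$@"
}

# ds_report_ok [DIR]
#   Succeed only if the report written by the scan into DIR (default: current
#   directory) exists, is non-empty and starts like a JSON object. Use this
#   after ds_scan so a scanner that exited without writing a report is noticed.
ds_report_ok() {
  report="${1:-.}/$DS_REPORT"
  [ -s "$report" ] || { echo "ds_report_ok: missing or empty report: $report" >&2; return 1; }
  case $(head -n 1 "$report" | cut -c 1) in
    '{') return 0 ;;
    *) echo "ds_report_ok: not a JSON object: $report" >&2; return 1 ;;
  esac
}

# Typical use from the application directory:
#   ds_scan "$PWD" 2.0.0 no-socket && ds_report_ok "$PWD"
```

Keep `no-socket` as the default in CI and switch to `with-socket` only for projects whose scanners actually need it; the dry-run mode lets you confirm which volumes a job would mount before it runs.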

## Settings

The settings are documented in [GitLab CE](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html).

## Development

### Build project

Go 1.11 or higher is required to build Dependency Scanning. Go modules must be enabled.

```sh
GO111MODULE=on go build
```

### Run locally

To run the command locally and perform the scan on `/tmp/code`:

```sh
CI_PROJECT_DIR=/tmp/code ./dependency-scanning
```

### Integration tests

To run the integration tests:

```sh
./test.sh
```

## Versioning and release process

Please check the [Release Process documentation](https://gitlab.com/gitlab-org/security-products/release/blob/master/docs/release_process.md).

## Contributing

If you want to help and extend the list of supported scanners, read the
[contribution guidelines](CONTRIBUTING.md).