Enablement-only Dependency Scanning profile
# Problem to solve
Dependency Scanning is a critical security scan that identifies vulnerabilities in project dependencies, but its current enablement experience requires manual CI/CD configuration. Security managers need a streamlined way to enable Dependency Scanning across multiple projects without requiring developers to modify `.gitlab-ci.yml` files.
This epic delivers the **Dependency Scanning implementation** of the basic scan configuration profiles framework, following the patterns established by Secret Push Protection and Secret Detection pipeline scanning profiles.
# :chart_with_upwards_trend: Target Metrics
1. **Overall Target: 70% of Ultimate tier active projects adopting 2+ security scanners** ([Tableau](https://10az.online.tableau.com/#/site/gitlab/views/High-LevelSecurityMetricCharts/ofGitLab_comUltimateProjectswith2SecurityScannersRunning?:iid=1))
1. Incremental target: increase usage (the percentage of active Ultimate projects with Dependency Scanning enabled) to X% within 3 months following release (TBD)
# Success Criteria
1. Security managers can enable Dependency Scanning for multiple projects simultaneously through the Security Inventory interface
2. Projects receive Dependency Scanning without developers needing to modify `.gitlab-ci.yml` files
3. Development teams can disable Dependency Scanning at the project level if they experience negative impacts
4. Dependency Scanning automatically detects supported package managers and runs appropriate analyzers
5. Uses the same interaction patterns as the other scan profiles
# Intended users
- [Amy, Application Security Engineer](/handbook/product/personas/#amy-application-security-engineer) - Primary
- [Alex, Security Operations Engineer](/handbook/product/personas/#alex-security-operations-engineer) - Secondary
- [Sasha, Software Developer](/handbook/product/personas/#sasha-software-developer) - Affected
# Proposal
## Profile Structure
- **Profile Name**: "Dependency Scanning - Default"
- **Configuration**: Uses latest Dependency Scanning template with default analyzer configurations
- **Versioning**: Tied to `latest` analyzer versions
- **Enablement**: Backend security policy injects Dependency Scanning template into project pipelines
- **Trigger Strategy**: One-time scan on default branch, then automatic on MR pipelines
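The two enablement paths side by side, as an illustrative example added here and not taken from the epic or the GitLab codebase: the manual `.gitlab-ci.yml` include that developers write today, and the kind of scan execution policy that the profile's backend injection would replace it with. Key names follow the published scan execution policy schema as I understand it (`branch_type`, `scan`, `template`) and should be checked against the current docs; the policy name and description are taken from this page's profile structure.

```yaml
# Path A: manual enablement, edited into each project's .gitlab-ci.yml.
# The developer must maintain this include and keep it on the latest template.
include:
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml

---
# Path B: profile-driven enablement (assumed shape of the generated policy).
# Stored as a group-level security policy; projects need no .gitlab-ci.yml change.
# The policy is additive: if a project already includes the template,
# the injected jobs do not remove or replace the project's own configuration.
scan_execution_policy:
  - name: Dependency Scanning - Default
    description: Enablement-only profile managed from the Security Inventory
    enabled: true
    rules:
      # Run on pipelines for the default branch (first scan establishes a baseline).
      - type: pipeline
        branch_type: default
    actions:
      # "latest" matches the profile's versioning: tied to latest analyzer versions.
      - scan: dependency_scanning
        template: latest
```

Subsequent merge request pipelines pick up the scan through the injected template's own `rules`, which is why the profile needs no separate MR rule in the policy.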
## Key Features
1. Auto-detection of package managers (npm, pip, bundler, maven, gradle, composer, etc.)
2. Scans lock files and manifest files for known vulnerabilities
3. Group-level management via Security Configuration and Inventory
4. Project-level control for developers to remove if needed
5. Additive behavior - won't conflict with existing Dependency Scanning configurations
## Supported Package Managers
- **JavaScript/Node.js**: npm, yarn, pnpm
- **Python**: pip, pipenv, poetry
- **Ruby**: bundler
- **Java**: maven, gradle
- **PHP**: composer
- **Go**: go modules
- **.NET**: NuGet
- **And more**: See [Dependency Scanning documentation](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/)
# What does success look like?
- 45% of Ultimate customers with 10+ projects have Dependency Scanning profile applied within 3 months
- Average of 75% of eligible projects per group have Dependency Scanning enabled via profiles
- 30% increase in dependency vulnerabilities detected across customer base
- Reduction in time-to-remediation for dependency vulnerabilities
# Dependencies
- Secret Push Protection profile (establishes patterns)
- Secret Detection pipeline scanning profile (establishes pipeline injection)
- Security Inventory
- Policy engine for CI injection
- Dependency Scanning templates and analyzers
---
> [!important]
>
> This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.