[{"data":1,"prerenderedAt":1076},["ShallowReactive",2],{"/en-us/blog/sbom-based-dependency-scanning":3,"navigation-en-us":301,"banner-en-us":717,"footer-en-us":725,"blog-post-authors-en-us-Mark Settle|Joel Patterson":968,"blog-related-posts-en-us-sbom-based-dependency-scanning":994,"blog-promotions-en-us":1014,"next-steps-en-us":1066},{"id":4,"title":5,"authors":6,"body":9,"category":282,"date":283,"description":284,"extension":285,"externalUrl":286,"featured":287,"heroImage":288,"meta":289,"navigation":290,"path":291,"seo":292,"slug":294,"stem":295,"tags":296,"template":299,"updatedDate":286,"__hash__":300},"blogPosts/en-us/blog/sbom-based-dependency-scanning.md","Reduce supply chain risk with SBOM-based dependency scanning",[7,8],"Mark Settle","Joel Patterson",{"type":10,"value":11,"toc":271},"minimark",[12,29,32,41,46,55,58,65,74,78,81,101,107,113,117,131,135,144,155,159,162,171,190,194,197,206,220,228,232],[13,14,15,16,22,23,28],"p",{},"Third-party code dominates most codebases, and ",[17,18,21],"a",{"href":19,"rel":20},"https://about.gitlab.com/blog/pipeline-security-lessons-from-march-supply-chain-incidents/",[],"four recent supply chain incidents"," show how a single compromised package can ripple into every project that depends on it. AI is compounding this problem: Research suggests nearly half of ",[17,24,27],{"href":25,"rel":26},"https://cset.georgetown.edu/publication/cybersecurity-risks-of-ai-generated-code/",[],"AI-generated code contains vulnerabilities",".",[13,30,31],{},"Traditional dependency scanners, including GitLab's Gemnasium analyzer, were engineered to answer one question: Which of my declared packages have known CVEs? When dependency trees weren’t as deep and release cycles weren’t as fast, that approach worked.",[13,33,34,35,40],{},"Today’s application security teams must answer harder questions: How did a vulnerable package end up in the project? What else came with it? And which dependencies does your code actually reach? With GitLab 19.0, ",[17,36,39],{"href":37,"rel":38},"https://docs.gitlab.com/user/application_security/dependency_scanning/dependency_scanning_sbom/",[],"dependency scanning using a software bill of materials (SBOM)"," becomes generally available to help answer these questions. This feature inventories every direct and transitive dependency in your project and tells you which vulnerable packages your application actually uses.",[42,43,45],"h2",{"id":44},"how-gitlab-uncovers-vulnerable-dependencies","How GitLab uncovers vulnerable dependencies",[13,47,48,49,54],{},"SBOM-based dependency scanning is a lightweight analyzer that detects vulnerabilities in your project's third-party libraries and packages. It catalogs dependencies in an SBOM and matches those components against the ",[17,50,53],{"href":51,"rel":52},"https://advisories.gitlab.com/",[],"GitLab Advisory Database"," to flag known issues.",[13,56,57],{},"GitLab surfaces findings where practitioners work. The vulnerabilities introduced by a change appear on the merge request, so developers can fix them before shipping. Findings are also shown in vulnerability dashboards and reports, so security teams can see results across every project in one place.",[13,59,60],{},[61,62],"img",{"alt":63,"src":64,"title":63},"Dependency scanning report showing software bill of materials","https://res.cloudinary.com/about-gitlab-com/image/upload/v1779470339/hqqacbegzzompikjkcij.png",[13,66,67,68,73],{},"The analyzer generates both an SBOM in ",[17,69,72],{"href":70,"rel":71},"https://cyclonedx.org/",[],"CycloneDX"," format and a dependency scanning report — machine-readable outputs you can use within GitLab, for compliance reporting, or in broader supply chain tooling.",[42,75,77],{"id":76},"whats-possible-with-sbom-based-dependency-scanning","What’s possible with SBOM-based dependency scanning",[13,79,80],{},"SBOM-based dependency scanning introduces capabilities that go beyond our Gemnasium-based analyzer:",[13,82,83,87,88,92,93,96,97,100],{},[84,85,86],"strong",{},"Trace transitive dependencies to their source."," The analyzer traces transitive dependencies, no matter how deeply nested. When the analyzer flags a vulnerable package, it shows you the chain that brought it into your project. If ",[89,90,91],"code",{},"library-a"," depends on ",[89,94,95],{},"library-b",", which depends on the vulnerable ",[89,98,99],{},"library-c",", you can trace that path and know where to intervene.",[13,102,103,106],{},[84,104,105],{},"Focus on vulnerabilities your code actually uses."," Not every dependency included in manifest and build files runs in your application. For Java, JavaScript/TypeScript, and Python projects, the analyzer checks whether your code directly imports or requires vulnerable packages, distinguishing dependencies that are reachable from those that are pulled in transitively but never referenced by your application. GitLab surfaces reachability status on each finding, so teams can deprioritize vulnerabilities in packages their code never imports and focus remediation effort where exposure is plausible.",[13,108,109,112],{},[84,110,111],{},"Continuously scan for new vulnerabilities."," Invoke the analyzer when new advisories are published, and for each MR and pipeline run. This matters most for projects where active development has slowed but the code is still in production.",[42,114,116],{"id":115},"see-sbom-based-dependency-scanning-in-action","See SBOM-based dependency scanning in action",[118,119,122,123],"figure",{"className":120},[121],"video_container","\n  ",[124,125,130],"iframe",{"src":126,"frameBorder":127,"allowFullScreen":128,"title":129},"https://www.youtube.com/embed/r_QjbNUqJT0?si=378NdrSve1GoFklm","0","true","\nDependency Scanning with SBOM GA - GitLab 19"," ",[42,132,134],{"id":133},"supported-languages-and-file-formats","Supported languages and file formats",[13,136,137,138,143],{},"This release ",[17,139,142],{"href":140,"rel":141},"https://docs.gitlab.com/user/application_security/dependency_scanning/dependency_scanning_sbom/#supported-languages-and-files",[],"supports 24+ package ecosystems",", with more planned in future releases. Adding support for new languages and file formats is now simpler because the analyzer parses lockfiles and dependency graphs directly, rather than replicating each package manager's build toolchain.",[13,145,146,147,150,151,154],{},"When a supported lockfile or dependency graph isn't available, the analyzer falls back to parsing manifest files such as ",[89,148,149],{},"pom.xml",", ",[89,152,153],{},"requirements.txt",", and Gradle build files. This surfaces direct dependencies but not transitive ones, so coverage is less complete than a lockfile-based scan. Lockfiles remain the recommended approach, but manifest parsing gives teams a starting point for projects that don’t have one.",[42,156,158],{"id":157},"configure-dependency-scanning-once-enforce-it-everywhere","Configure dependency scanning once, enforce it everywhere",[13,160,161],{},"As project counts grow, manually configuring scanners across every project becomes a significant operational burden. Projects get skipped, configurations drift, and audits surface gaps no one knew existed.",[13,163,164,165,170],{},"GitLab 19.0 ships with a ",[17,166,169],{"href":167,"rel":168},"https://docs.gitlab.com/user/application_security/configuration/security_configuration_profiles/",[],"security configuration profile"," for dependency scanning. Security and platform teams configure scanning once and apply it across hundreds of projects, instead of editing each pipeline by hand.",[13,172,173,174,179,180,185,186,189],{},"You can mandate these security standards using ",[17,175,178],{"href":176,"rel":177},"https://docs.gitlab.com/user/application_security/policies/scan_execution_policies/",[],"scan execution policies"," and ",[17,181,184],{"href":182,"rel":183},"https://docs.gitlab.com/user/application_security/policies/pipeline_execution_policies/",[],"pipeline execution policies",". They allow teams to enforce dependency scanning across multiple projects without touching a single ",[89,187,188],{},".gitlab-ci.yml"," file. By defining the requirement once at the group or instance level, the policy applies everywhere automatically.",[42,191,193],{"id":192},"get-started-today","Get started today",[13,195,196],{},"SBOM-based dependency scanning is available for GitLab Ultimate customers. The feature is live on GitLab.com and rolling out to GitLab Dedicated and self-managed customers on our standard release cadence.",[13,198,199,200,205],{},"Teams moving from the Gemnasium dependency scanner can run both analyzers side by side during the transition. The ",[17,201,204],{"href":202,"rel":203},"https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/",[],"migration guide"," walks you through the switch, including how to compare results between the two.",[13,207,208,209,214,215,219],{},"To start fresh, follow the step-by-step instructions in our ",[17,210,213],{"href":211,"rel":212},"https://docs.gitlab.com/tutorials/dependency_scanning_by_sbom/",[],"set-up tutorial",". Our ",[17,216,218],{"href":37,"rel":217},[],"technical documentation"," covers configuration, supported languages, and advanced options.",[13,221,222,223,28],{},"Please share your requests and ideas for dependency scanning in our ",[17,224,227],{"href":225,"rel":226},"https://gitlab.com/gitlab-org/gitlab/-/work_items/523458",[],"feedback epic",[42,229,231],{"id":230},"read-more-about-whats-in-gitlab-190","Read more about what's in GitLab 19.0",[233,234,235,243,250,257,264],"ul",{},[236,237,238],"li",{},[17,239,242],{"href":240,"rel":241},"https://about.gitlab.com/blog/secrets-manager-in-public-beta/",[],"Manage CI/CD credentials with GitLab Secrets Manager",[236,244,245],{},[17,246,249],{"href":247,"rel":248},"https://about.gitlab.com/blog/transform-mrs-to-automated-workflow/",[],"Transform MRs from manual tasks to an automated workflow",[236,251,252],{},[17,253,256],{"href":254,"rel":255},"https://about.gitlab.com/blog/track-ci-component-usage/",[],"Track CI component usage across your organization",[236,258,259],{},[17,260,263],{"href":261,"rel":262},"https://about.gitlab.com/blog/more-ai-models-for-duo-agent-platform-self-hosted/",[],"More AI models for GitLab Duo Agent Platform Self-Hosted",[236,265,266],{},[17,267,270],{"href":268,"rel":269},"https://about.gitlab.com/blog/security-configuration-profiles/",[],"Full security scanner coverage of your codebase in minutes",{"title":272,"searchDepth":273,"depth":273,"links":274},"",2,[275,276,277,278,279,280,281],{"id":44,"depth":273,"text":45},{"id":76,"depth":273,"text":77},{"id":115,"depth":273,"text":116},{"id":133,"depth":273,"text":134},{"id":157,"depth":273,"text":158},{"id":192,"depth":273,"text":193},{"id":230,"depth":273,"text":231},"security","2026-05-26","Detect transitive dependencies, trace how they entered your project, and prioritize them by real-world exposure.","md",null,false,"https://res.cloudinary.com/about-gitlab-com/image/upload/v1779189265/iqzyhhiwagxzwywvjzow.png",{},true,"/en-us/blog/sbom-based-dependency-scanning",{"config":293,"title":5,"description":284},{"noIndex":287},"sbom-based-dependency-scanning","en-us/blog/sbom-based-dependency-scanning",[282,297,298],"features","product","BlogPost","g0oQdvSCCAC32_W_t67s3aONmHoymUSz54_UwgU1dCQ",{"logo":302,"freeTrial":307,"sales":312,"login":317,"items":322,"search":637,"minimal":668,"duo":687,"switchNav":696,"pricingDeployment":707},{"config":303},{"href":304,"dataGaName":305,"dataGaLocation":306},"/","gitlab logo","header",{"text":308,"config":309},"Get free trial",{"href":310,"dataGaName":311,"dataGaLocation":306},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com&glm_content=default-saas-trial/","free trial",{"text":313,"config":314},"Talk to sales",{"href":315,"dataGaName":316,"dataGaLocation":306},"/sales/","sales",{"text":318,"config":319},"Sign in",{"href":320,"dataGaName":321,"dataGaLocation":306},"https://gitlab.com/users/sign_in/","sign in",[323,352,452,457,561,617],{"text":324,"config":325,"menu":327},"Platform",{"dataNavLevelOne":326},"platform",{"type":328,"columns":329},"cards",[330,336,344],{"title":324,"description":331,"link":332},"The intelligent orchestration platform for DevSecOps",{"text":333,"config":334},"Explore our Platform",{"href":335,"dataGaName":326,"dataGaLocation":306},"/platform/",{"title":337,"description":338,"link":339},"GitLab Duo Agent Platform","Agentic AI for the entire software lifecycle",{"text":340,"config":341},"Meet GitLab Duo",{"href":342,"dataGaName":343,"dataGaLocation":306},"/gitlab-duo-agent-platform/","gitlab duo agent platform",{"title":345,"description":346,"link":347},"Why GitLab","See the top reasons enterprises choose GitLab",{"text":348,"config":349},"Learn more",{"href":350,"dataGaName":351,"dataGaLocation":306},"/why-gitlab/","why gitlab",{"text":353,"left":290,"config":354,"menu":356},"Product",{"dataNavLevelOne":355},"solutions",{"type":357,"link":358,"columns":362,"feature":431},"lists",{"text":359,"config":360},"View all Solutions",{"href":361,"dataGaName":355,"dataGaLocation":306},"/solutions/",[363,387,410],{"title":364,"description":365,"link":366,"items":371},"Automation","CI/CD and automation to accelerate deployment",{"config":367},{"icon":368,"href":369,"dataGaName":370,"dataGaLocation":306},"AutomatedCodeAlt","/solutions/delivery-automation/","automated software delivery",[372,376,379,383],{"text":373,"config":374},"CI/CD",{"href":375,"dataGaLocation":306,"dataGaName":373},"/solutions/continuous-integration/",{"text":337,"config":377},{"href":342,"dataGaLocation":306,"dataGaName":378},"gitlab duo agent platform - product menu",{"text":380,"config":381},"Source Code Management",{"href":382,"dataGaLocation":306,"dataGaName":380},"/solutions/source-code-management/",{"text":384,"config":385},"Automated Software Delivery",{"href":369,"dataGaLocation":306,"dataGaName":386},"Automated software delivery",{"title":388,"description":389,"link":390,"items":395},"Security","Deliver code faster without compromising security",{"config":391},{"href":392,"dataGaName":393,"dataGaLocation":306,"icon":394},"/solutions/application-security-testing/","security and compliance","ShieldCheckLight",[396,400,405],{"text":397,"config":398},"Application Security Testing",{"href":392,"dataGaName":399,"dataGaLocation":306},"Application security testing",{"text":401,"config":402},"Software Supply Chain Security",{"href":403,"dataGaLocation":306,"dataGaName":404},"/solutions/supply-chain/","Software supply chain security",{"text":406,"config":407},"Software Compliance",{"href":408,"dataGaName":409,"dataGaLocation":306},"/solutions/software-compliance/","software compliance",{"title":411,"link":412,"items":417},"Measurement",{"config":413},{"icon":414,"href":415,"dataGaName":416,"dataGaLocation":306},"DigitalTransformation","/solutions/visibility-measurement/","visibility and measurement",[418,422,426],{"text":419,"config":420},"Visibility & Measurement",{"href":415,"dataGaLocation":306,"dataGaName":421},"Visibility and Measurement",{"text":423,"config":424},"Value Stream Management",{"href":425,"dataGaLocation":306,"dataGaName":423},"/solutions/value-stream-management/",{"text":427,"config":428},"Analytics & Insights",{"href":429,"dataGaLocation":306,"dataGaName":430},"/solutions/analytics-and-insights/","Analytics and insights",{"title":432,"type":357,"items":433},"GitLab for",[434,440,446],{"text":435,"config":436},"Enterprise",{"icon":437,"href":438,"dataGaLocation":306,"dataGaName":439},"Building","/enterprise/","enterprise",{"text":441,"config":442},"Small Business",{"icon":443,"href":444,"dataGaLocation":306,"dataGaName":445},"Work","/small-business/","small business",{"text":447,"config":448},"Public Sector",{"icon":449,"href":450,"dataGaLocation":306,"dataGaName":451},"Organization","/solutions/public-sector/","public sector",{"text":453,"config":454},"Pricing",{"href":455,"dataGaName":456,"dataGaLocation":306,"dataNavLevelOne":456},"/pricing/","pricing",{"text":458,"config":459,"menu":461},"Resources",{"dataNavLevelOne":460},"resources",{"type":357,"link":462,"columns":466,"feature":550},{"text":463,"config":464},"View all resources",{"href":465,"dataGaName":460,"dataGaLocation":306},"/resources/",[467,500,522],{"title":468,"items":469},"Getting started",[470,475,480,485,490,495],{"text":471,"config":472},"Install",{"href":473,"dataGaName":474,"dataGaLocation":306},"/install/","install",{"text":476,"config":477},"Quick start guides",{"href":478,"dataGaName":479,"dataGaLocation":306},"/get-started/","quick setup checklists",{"text":481,"config":482},"Learn",{"href":483,"dataGaLocation":306,"dataGaName":484},"https://university.gitlab.com/","learn",{"text":486,"config":487},"Product documentation",{"href":488,"dataGaName":489,"dataGaLocation":306},"https://docs.gitlab.com/","product documentation",{"text":491,"config":492},"Best practice videos",{"href":493,"dataGaName":494,"dataGaLocation":306},"/getting-started-videos/","best practice videos",{"text":496,"config":497},"Integrations",{"href":498,"dataGaName":499,"dataGaLocation":306},"/integrations/","integrations",{"title":501,"items":502},"Discover",[503,508,513,517],{"text":504,"config":505},"Customer success stories",{"href":506,"dataGaName":507,"dataGaLocation":306},"/customers/","customer success stories",{"text":509,"config":510},"Blog",{"href":511,"dataGaName":512,"dataGaLocation":306},"/blog/","blog",{"text":514,"config":515},"The Source",{"href":516,"dataGaName":512,"dataGaLocation":306},"/the-source/",{"text":518,"config":519},"Remote",{"href":520,"dataGaName":521,"dataGaLocation":306},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"title":523,"items":524},"Connect",[525,530,535,540,545],{"text":526,"config":527},"GitLab Services",{"href":528,"dataGaName":529,"dataGaLocation":306},"/services/","services",{"text":531,"config":532},"Community",{"href":533,"dataGaName":534,"dataGaLocation":306},"/community/","community",{"text":536,"config":537},"Forum",{"href":538,"dataGaName":539,"dataGaLocation":306},"https://forum.gitlab.com/","forum",{"text":541,"config":542},"Events",{"href":543,"dataGaName":544,"dataGaLocation":306},"/events/","events",{"text":546,"config":547},"Partners",{"href":548,"dataGaName":549,"dataGaLocation":306},"/partners/","partners",{"config":551,"title":554,"text":555,"link":556},{"background":552,"textColor":553},"url('https://res.cloudinary.com/about-gitlab-com/image/upload/v1777322348/qpq8yrgn8knii57omj0c.png')","#000","What’s new in GitLab","Stay updated with our latest features and improvements.",{"text":557,"config":558},"Read the latest",{"href":559,"dataGaName":560,"dataGaLocation":306},"/whats-new/","whats new",{"text":562,"config":563,"menu":565},"Company",{"dataNavLevelOne":564},"company",{"type":357,"columns":566},[567],{"items":568},[569,574,580,582,587,592,597,602,607,612],{"text":570,"config":571},"About",{"href":572,"dataGaName":573,"dataGaLocation":306},"/company/","about",{"text":575,"config":576,"footerGa":579},"Jobs",{"href":577,"dataGaName":578,"dataGaLocation":306},"/jobs/","jobs",{"dataGaName":578},{"text":541,"config":581},{"href":543,"dataGaName":544,"dataGaLocation":306},{"text":583,"config":584},"Leadership",{"href":585,"dataGaName":586,"dataGaLocation":306},"/company/team/e-group/","leadership",{"text":588,"config":589},"Handbook",{"href":590,"dataGaName":591,"dataGaLocation":306},"https://handbook.gitlab.com/","handbook",{"text":593,"config":594},"Investor relations",{"href":595,"dataGaName":596,"dataGaLocation":306},"https://ir.gitlab.com/","investor relations",{"text":598,"config":599},"Trust Center",{"href":600,"dataGaName":601,"dataGaLocation":306},"/security/","trust center",{"text":603,"config":604},"AI Transparency Center",{"href":605,"dataGaName":606,"dataGaLocation":306},"/ai-transparency-center/","ai transparency center",{"text":608,"config":609},"Newsletter",{"href":610,"dataGaName":611,"dataGaLocation":306},"/company/contact/#contact-forms","newsletter",{"text":613,"config":614},"Press",{"href":615,"dataGaName":616,"dataGaLocation":306},"/press/","press",{"text":618,"config":619,"menu":620},"Contact us",{"dataNavLevelOne":564},{"type":357,"columns":621},[622],{"items":623},[624,627,632],{"text":313,"config":625},{"href":315,"dataGaName":626,"dataGaLocation":306},"talk to sales",{"text":628,"config":629},"Support portal",{"href":630,"dataGaName":631,"dataGaLocation":306},"https://support.gitlab.com","support portal",{"text":633,"config":634},"Customer portal",{"href":635,"dataGaName":636,"dataGaLocation":306},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"close":638,"login":639,"suggestions":646},"Close",{"text":640,"link":641},"To search repositories and projects, login to",{"text":642,"config":643},"gitlab.com",{"href":320,"dataGaName":644,"dataGaLocation":645},"search login","search",{"text":647,"default":648},"Suggestions",[649,651,655,657,661,665],{"text":337,"config":650},{"href":342,"dataGaName":337,"dataGaLocation":645},{"text":652,"config":653},"Code Suggestions (AI)",{"href":654,"dataGaName":652,"dataGaLocation":645},"/solutions/code-suggestions/",{"text":373,"config":656},{"href":375,"dataGaName":373,"dataGaLocation":645},{"text":658,"config":659},"GitLab on AWS",{"href":660,"dataGaName":658,"dataGaLocation":645},"/partners/technology-partners/aws/",{"text":662,"config":663},"GitLab on Google Cloud",{"href":664,"dataGaName":662,"dataGaLocation":645},"/partners/technology-partners/google-cloud-platform/",{"text":666,"config":667},"Why GitLab?",{"href":350,"dataGaName":666,"dataGaLocation":645},{"freeTrial":669,"mobileIcon":674,"desktopIcon":679,"secondaryButton":682},{"text":670,"config":671},"Start free trial",{"href":672,"dataGaName":311,"dataGaLocation":673},"https://gitlab.com/-/trials/new/","nav",{"altText":675,"config":676},"Gitlab Icon",{"src":677,"dataGaName":678,"dataGaLocation":673},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203874/jypbw1jx72aexsoohd7x.svg","gitlab icon",{"altText":675,"config":680},{"src":681,"dataGaName":678,"dataGaLocation":673},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203875/gs4c8p8opsgvflgkswz9.svg",{"text":683,"config":684},"Get Started",{"href":685,"dataGaName":686,"dataGaLocation":673},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/get-started/","get started",{"freeTrial":688,"mobileIcon":692,"desktopIcon":694},{"text":689,"config":690},"Learn more about GitLab Duo",{"href":342,"dataGaName":691,"dataGaLocation":673},"gitlab duo",{"altText":675,"config":693},{"src":677,"dataGaName":678,"dataGaLocation":673},{"altText":675,"config":695},{"src":681,"dataGaName":678,"dataGaLocation":673},{"button":697,"mobileIcon":702,"desktopIcon":704},{"text":698,"config":699},"/switch",{"href":700,"dataGaName":701,"dataGaLocation":673},"#contact","switch",{"altText":675,"config":703},{"src":677,"dataGaName":678,"dataGaLocation":673},{"altText":675,"config":705},{"src":706,"dataGaName":678,"dataGaLocation":673},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1773335277/ohhpiuoxoldryzrnhfrh.png",{"freeTrial":708,"mobileIcon":713,"desktopIcon":715},{"text":709,"config":710},"Back to pricing",{"href":455,"dataGaName":711,"dataGaLocation":673,"icon":712},"back to pricing","GoBack",{"altText":675,"config":714},{"src":677,"dataGaName":678,"dataGaLocation":673},{"altText":675,"config":716},{"src":681,"dataGaName":678,"dataGaLocation":673},{"title":718,"button":719,"config":723},"GitLab Orbit is here: The context layer for AI agents.",{"text":348,"config":720},{"href":721,"dataGaName":722,"dataGaLocation":306},"/gitlab-orbit/","orbit",{"layout":724,"disabled":287},"release",{"data":726},{"text":727,"source":728,"edit":734,"contribute":739,"config":744,"items":749,"minimal":957},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":729,"config":730},"View page source",{"href":731,"dataGaName":732,"dataGaLocation":733},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":735,"config":736},"Edit this page",{"href":737,"dataGaName":738,"dataGaLocation":733},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":740,"config":741},"Please contribute",{"href":742,"dataGaName":743,"dataGaLocation":733},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":745,"facebook":746,"youtube":747,"linkedin":748},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[750,797,851,895,925],{"title":453,"links":751,"subMenu":766},[752,756,761],{"text":753,"config":754},"View plans",{"href":455,"dataGaName":755,"dataGaLocation":733},"view plans",{"text":757,"config":758},"Why Premium?",{"href":759,"dataGaName":760,"dataGaLocation":733},"/pricing/premium/","why premium",{"text":762,"config":763},"Why Ultimate?",{"href":764,"dataGaName":765,"dataGaLocation":733},"/pricing/ultimate/","why ultimate",[767],{"title":768,"links":769},"Contact Us",[770,773,775,777,782,787,792],{"text":771,"config":772},"Contact sales",{"href":315,"dataGaName":316,"dataGaLocation":733},{"text":628,"config":774},{"href":630,"dataGaName":631,"dataGaLocation":733},{"text":633,"config":776},{"href":635,"dataGaName":636,"dataGaLocation":733},{"text":778,"config":779},"Status",{"href":780,"dataGaName":781,"dataGaLocation":733},"https://status.gitlab.com/","status",{"text":783,"config":784},"Terms of use",{"href":785,"dataGaName":786,"dataGaLocation":733},"/terms/","terms of use",{"text":788,"config":789},"Privacy statement",{"href":790,"dataGaName":791,"dataGaLocation":733},"/privacy/","privacy statement",{"text":793,"config":794},"Cookie preferences",{"dataGaName":795,"dataGaLocation":733,"id":796,"isOneTrustButton":290},"cookie preferences","ot-sdk-btn",{"title":353,"links":798,"subMenu":807},[799,803],{"text":800,"config":801},"DevSecOps platform",{"href":335,"dataGaName":802,"dataGaLocation":733},"devsecops platform",{"text":804,"config":805},"AI-Assisted Development",{"href":342,"dataGaName":806,"dataGaLocation":733},"ai-assisted development",[808],{"title":809,"links":810},"Topics",[811,816,821,826,831,836,841,846],{"text":812,"config":813},"CICD",{"href":814,"dataGaName":815,"dataGaLocation":733},"/topics/ci-cd/","cicd",{"text":817,"config":818},"GitOps",{"href":819,"dataGaName":820,"dataGaLocation":733},"/topics/gitops/","gitops",{"text":822,"config":823},"DevOps",{"href":824,"dataGaName":825,"dataGaLocation":733},"/topics/devops/","devops",{"text":827,"config":828},"Version Control",{"href":829,"dataGaName":830,"dataGaLocation":733},"/topics/version-control/","version control",{"text":832,"config":833},"DevSecOps",{"href":834,"dataGaName":835,"dataGaLocation":733},"/topics/devsecops/","devsecops",{"text":837,"config":838},"Cloud Native",{"href":839,"dataGaName":840,"dataGaLocation":733},"/topics/cloud-native/","cloud native",{"text":842,"config":843},"AI for Coding",{"href":844,"dataGaName":845,"dataGaLocation":733},"/topics/devops/ai-for-coding/","ai for coding",{"text":847,"config":848},"Agentic AI",{"href":849,"dataGaName":850,"dataGaLocation":733},"/topics/agentic-ai/","agentic ai",{"title":852,"links":853},"Solutions",[854,856,858,863,867,870,874,877,879,882,885,890],{"text":397,"config":855},{"href":392,"dataGaName":397,"dataGaLocation":733},{"text":386,"config":857},{"href":369,"dataGaName":370,"dataGaLocation":733},{"text":859,"config":860},"Agile development",{"href":861,"dataGaName":862,"dataGaLocation":733},"/solutions/agile-delivery/","agile delivery",{"text":864,"config":865},"SCM",{"href":382,"dataGaName":866,"dataGaLocation":733},"source code management",{"text":812,"config":868},{"href":375,"dataGaName":869,"dataGaLocation":733},"continuous integration & delivery",{"text":871,"config":872},"Value stream management",{"href":425,"dataGaName":873,"dataGaLocation":733},"value stream management",{"text":817,"config":875},{"href":876,"dataGaName":820,"dataGaLocation":733},"/solutions/gitops/",{"text":435,"config":878},{"href":438,"dataGaName":439,"dataGaLocation":733},{"text":880,"config":881},"Small business",{"href":444,"dataGaName":445,"dataGaLocation":733},{"text":883,"config":884},"Public sector",{"href":450,"dataGaName":451,"dataGaLocation":733},{"text":886,"config":887},"Education",{"href":888,"dataGaName":889,"dataGaLocation":733},"/solutions/education/","education",{"text":891,"config":892},"Financial services",{"href":893,"dataGaName":894,"dataGaLocation":733},"/solutions/finance/","financial services",{"title":458,"links":896},[897,899,901,903,906,908,911,913,915,917,919,921,923],{"text":471,"config":898},{"href":473,"dataGaName":474,"dataGaLocation":733},{"text":476,"config":900},{"href":478,"dataGaName":479,"dataGaLocation":733},{"text":481,"config":902},{"href":483,"dataGaName":484,"dataGaLocation":733},{"text":486,"config":904},{"href":488,"dataGaName":905,"dataGaLocation":733},"docs",{"text":509,"config":907},{"href":511,"dataGaName":512,"dataGaLocation":733},{"text":909,"config":910},"What's new",{"href":559,"dataGaName":560,"dataGaLocation":733},{"text":504,"config":912},{"href":506,"dataGaName":507,"dataGaLocation":733},{"text":518,"config":914},{"href":520,"dataGaName":521,"dataGaLocation":733},{"text":526,"config":916},{"href":528,"dataGaName":529,"dataGaLocation":733},{"text":531,"config":918},{"href":533,"dataGaName":534,"dataGaLocation":733},{"text":536,"config":920},{"href":538,"dataGaName":539,"dataGaLocation":733},{"text":541,"config":922},{"href":543,"dataGaName":544,"dataGaLocation":733},{"text":546,"config":924},{"href":548,"dataGaName":549,"dataGaLocation":733},{"title":562,"links":926},[927,929,931,933,935,937,941,946,948,950,952],{"text":570,"config":928},{"href":572,"dataGaName":564,"dataGaLocation":733},{"text":575,"config":930},{"href":577,"dataGaName":578,"dataGaLocation":733},{"text":583,"config":932},{"href":585,"dataGaName":586,"dataGaLocation":733},{"text":588,"config":934},{"href":590,"dataGaName":591,"dataGaLocation":733},{"text":593,"config":936},{"href":595,"dataGaName":596,"dataGaLocation":733},{"text":938,"config":939},"Sustainability",{"href":940,"dataGaName":938,"dataGaLocation":733},"/sustainability/",{"text":942,"config":943},"Diversity, inclusion and belonging (DIB)",{"href":944,"dataGaName":945,"dataGaLocation":733},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":598,"config":947},{"href":600,"dataGaName":601,"dataGaLocation":733},{"text":608,"config":949},{"href":610,"dataGaName":611,"dataGaLocation":733},{"text":613,"config":951},{"href":615,"dataGaName":616,"dataGaLocation":733},{"text":953,"config":954},"Modern Slavery Transparency Statement",{"href":955,"dataGaName":956,"dataGaLocation":733},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":958},[959,962,965],{"text":960,"config":961},"Terms",{"href":785,"dataGaName":786,"dataGaLocation":733},{"text":963,"config":964},"Cookies",{"dataGaName":795,"dataGaLocation":733,"id":796,"isOneTrustButton":290},{"text":966,"config":967},"Privacy",{"href":790,"dataGaName":791,"dataGaLocation":733},[969,983],{"id":970,"title":7,"body":286,"config":971,"content":973,"description":286,"extension":977,"meta":978,"navigation":290,"path":979,"seo":980,"stem":981,"__hash__":982},"blogAuthors/en-us/blog/authors/mark-settle.yml",{"template":972},"BlogAuthor",{"name":7,"config":974},{"headshot":975,"ctfId":976},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1779215794/fw131xublkzdvjdadd4q.png","marksettle","yml",{},"/en-us/blog/authors/mark-settle",{},"en-us/blog/authors/mark-settle","aur3jcqDyhashUtyXhd1W7N3ZrN09waCQv135AABEt4",{"id":984,"title":8,"body":286,"config":985,"content":986,"description":286,"extension":977,"meta":989,"navigation":290,"path":990,"seo":991,"stem":992,"__hash__":993},"blogAuthors/en-us/blog/authors/joel-patterson.yml",{"template":972},{"name":8,"config":987},{"headshot":988},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1779470299/ogjvh6vwl4jv6g69mjzl.jpg",{},"/en-us/blog/authors/joel-patterson",{},"en-us/blog/authors/joel-patterson","d20r_vnYvJS-Lm4joe8-19EJbQDBUfE59dcCRokaeA4",[995,1000,1006],{"title":270,"description":996,"heroImage":288,"category":282,"date":283,"authors":997,"slug":999,"externalUrl":286},"Security configuration profiles lead to faster scanner rollouts. Learn how this new capability in GitLab 19.0 covers thousands of projects in minutes, no gaps.",[998],"Michael Omokoh","security-configuration-profiles",{"title":242,"description":1001,"heroImage":288,"category":282,"date":1002,"authors":1003,"slug":1005,"externalUrl":286},"Each secret is scoped to its environment or branch and governed by the same controls you use for code. Join the public beta in GitLab 19.0.","2026-05-21",[1004,7],"Joe Randazzo","secrets-manager-in-public-beta",{"title":1007,"description":1008,"heroImage":1009,"category":282,"date":1010,"authors":1011,"slug":1013,"externalUrl":286},"5 ways to fix misleading vulnerability severities with policy","Default CVSS scores don't reflect your actual risk. Use GitLab severity override policies to automate adjustments based on CVE, CWE, file path, and directory.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1772630163/akp8ly2mrsfrhsb0liyb.png","2026-05-13",[1012],"Grant Hickman","severity-override-vulnerability-management-policy",{"promotions":1015},[1016,1030,1041,1052],{"id":1017,"categories":1018,"header":1020,"text":1021,"button":1022,"image":1027},"ai-modernization",[1019],"ai","Is AI achieving its promise at scale?","Quiz will take 5 minutes or less",{"text":1023,"config":1024},"Get your AI maturity score",{"href":1025,"dataGaName":1026,"dataGaLocation":512},"/assessments/ai-modernization-assessment/","modernization assessment",{"config":1028},{"src":1029},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138786/qix0m7kwnd8x2fh1zq49.png",{"id":1031,"categories":1032,"header":1033,"text":1021,"button":1034,"image":1038},"devops-modernization",[298,835],"Are you just managing tools or shipping innovation?",{"text":1035,"config":1036},"Get your DevOps maturity score",{"href":1037,"dataGaName":1026,"dataGaLocation":512},"/assessments/devops-modernization-assessment/",{"config":1039},{"src":1040},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138785/eg818fmakweyuznttgid.png",{"id":1042,"categories":1043,"header":1044,"text":1021,"button":1045,"image":1049},"security-modernization",[282],"Are you trading speed for security?",{"text":1046,"config":1047},"Get your security maturity score",{"href":1048,"dataGaName":1026,"dataGaLocation":512},"/assessments/security-modernization-assessment/",{"config":1050},{"src":1051},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138786/p4pbqd9nnjejg5ds6mdk.png",{"id":1053,"paths":1054,"header":1057,"text":1058,"button":1059,"image":1064},"github-azure-migration",[1055,1056],"migration-from-azure-devops-to-gitlab","integrating-azure-devops-scm-and-gitlab","Is your team ready for GitHub's Azure move?","GitHub is already rebuilding around Azure. Find out what it means for you.",{"text":1060,"config":1061},"See how GitLab compares to GitHub",{"href":1062,"dataGaName":1063,"dataGaLocation":512},"/compare/gitlab-vs-github/github-azure-migration/","github azure migration",{"config":1065},{"src":1040},{"header":1067,"blurb":1068,"button":1069,"secondaryButton":1074},"Start building faster today","See what your team can do with the intelligent orchestration platform for DevSecOps.\n",{"text":1070,"config":1071},"Get your free trial",{"href":1072,"dataGaName":311,"dataGaLocation":1073},"https://gitlab.com/-/trial_registrations/new?glm_content=default-saas-trial&glm_source=about.gitlab.com/","feature",{"text":771,"config":1075},{"href":315,"dataGaName":316,"dataGaLocation":1073},1781392683132]