Integrate GitLab Gemnasium dependency scanning with Vulnetix. Enable GitLab Dependency Scanning in CI/CD to generate CycloneDX SBOMs and upload artifacts to Vulnetix.
Run Gemnasium / GitLab in CI
Scan on every push and upload the results to Vulnetix:
# In GitLab CI - no separate workflow needed; use template: include: - template: Jobs/Dependency-Scanning.gitlab-ci.yml
How Vulnetix compares — better together
Vulnetix does not replace Gemnasium / GitLab. Keep running it. Vulnetix sits on top of Gemnasium / GitLab — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Gemnasium / GitLab is strongest at its core category and also carries features in SAST, DAST, Container & Image Scanning, Secret Scanning, License Compliance, SBOM Generation — just like Vulnetix spans categories.
| Capability | Vulnetix | Gemnasium / GitLab |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✓ GitLab SAST scans source with results inline in merge requests |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✓ Gemnasium/SBOM-based dependency scanning is the core; matches lockfiles against GitLab Advisory Database |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✓ DAST powered by OWASP ZAP scans running applications |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✓ Container scanning (Trivy-based) with CycloneDX license info |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✓ Secret detection in commits |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✓ License compliance analyzes the CycloneDX SBOM for license risk |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✓ Generates CycloneDX SBOM (gl-sbom-report.cdx.json) as a pipeline artifact |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ~ GitLab Advisory Database with severity plus EPSS and KEV indicators in Ultimate; not a full multi-source prioritisation engine |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Gemnasium / GitLab does well
- Built into every GitLab project with zero extra tooling: enable in .gitlab-ci.yml and dependency scans plus CycloneDX SBOMs run natively in the pipeline
- Full DevSecOps suite in one platform: SAST, DAST (OWASP ZAP), container scanning, secret detection, and license compliance alongside dependency scanning
- SBOM-based continuous scanning re-checks components against the GitLab Advisory Database when it updates, catching new CVEs without re-running pipelines
- Findings surface inline on merge requests and in a consolidated security dashboard, with scan execution policies to enforce scanning across branches
Where Vulnetix adds to it: GitLab is a broad native DevSecOps scanner suite; Vulnetix sits above it as an ASPM layer, ingesting GitLab's SCA/SAST/DAST/container/secrets/SBOM output and deduping it with other scanners into one prioritised queue. Vulnetix adds cross-source exploit-intel (EPSS, KEV, ESS, CWSS, LEV), reachability, immutable versioned VEX with audit, EOL and SSVC policy, and an install-time package firewall. It does not run GitLab's DAST for you but consolidates its results.
No migration, no rip-and-replace. Gemnasium / GitLab keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Gemnasium / GitLab results in Vulnetix
Upload Gemnasium / GitLab CycloneDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.