Tool integration

Gemnasium / GitLab Integration Guide

GitLab built-in dependency scanning powered by the Gemnasium engine

Get a Free API Key

Integrate GitLab Gemnasium dependency scanning with Vulnetix. Enable GitLab Dependency Scanning in CI/CD to generate CycloneDX SBOMs and upload artifacts to Vulnetix.

SaaS platformCycloneDX

Run Gemnasium / GitLab in CI

Scan on every push and upload the results to Vulnetix:

# In GitLab CI - no separate workflow needed; use template:
include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

How Vulnetix compares — better together

Vulnetix does not replace Gemnasium / GitLab. Keep running it. Vulnetix sits on top of Gemnasium / GitLab — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

Gemnasium / GitLab is strongest at its core category and also carries features in SAST, DAST, Container & Image Scanning, Secret Scanning, License Compliance, SBOM Generation — just like Vulnetix spans categories.

CapabilityVulnetixGemnasium / GitLab
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentationGitLab SAST scans source with results inline in merge requests
SCA / dependencies40+ ecosystems, transitive graphGemnasium/SBOM-based dependency scanning is the core; matches lockfiles against GitLab Advisory Database
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engineDAST powered by OWASP ZAP scans running applications
Container & imageImage CVEs, base image, DockerfileContainer scanning (Trivy-based) with CycloneDX license info
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git historySecret detection in commits
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policyLicense compliance analyzes the CycloneDX SBOM for license risk
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signableGenerates CycloneDX SBOM (gl-sbom-report.cdx.json) as a pipeline artifact
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV~ GitLab Advisory Database with severity plus EPSS and KEV indicators in Ultimate; not a full multi-source prioritisation engine
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Gemnasium / GitLab does well

Where Vulnetix adds to it: GitLab is a broad native DevSecOps scanner suite; Vulnetix sits above it as an ASPM layer, ingesting GitLab's SCA/SAST/DAST/container/secrets/SBOM output and deduping it with other scanners into one prioritised queue. Vulnetix adds cross-source exploit-intel (EPSS, KEV, ESS, CWSS, LEV), reachability, immutable versioned VEX with audit, EOL and SSVC policy, and an install-time package firewall. It does not run GitLab's DAST for you but consolidates its results.

No migration, no rip-and-replace. Gemnasium / GitLab keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Gemnasium / GitLab results in Vulnetix

Upload Gemnasium / GitLab CycloneDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Gemnasium / GitLab documentation ↗

Wire Gemnasium / GitLab into your CI/CD pipeline →