GitLab (.com & self-hosted CE/EE)
Connect GitLab to import projects, scan on a schedule or in CI, and auto-create merge requests — results ingest into GitLab's native security dashboard via SARIF.
Connect
- Authenticate with a project or group access token (least-privilege scopes).
- For self-hosted CE/EE, set the integration’s base URL to your instance.
In CI
.gitlab-ci.yml
dpndncy_scan:
  image: ghcr.io/dpndncy/cli:latest
  script:
    - dpndncy scan . --policy default --fail-on high --sarif > gl-sast-report.json
  artifacts:
    # Upload the report even when the policy gate fails the job; the default
    # (on_success) would drop the report exactly when there is something to show.
    when: always
    reports:
      sast: gl-sast-report.json
The SARIF report lands in GitLab’s Security & Compliance dashboard and on the merge request.
Authenticate the job
Set two masked CI/CD variables:
- DPNDNCY_SERVER — the URL the runner can reach (for GitLab.com SaaS runners this must be your public API host, e.g. https://api.dpndncy.com; a self-hosted runner can use your internal URL).
- DPNDNCY_TOKEN — a token created from Settings → API tokens.
The CLI binary is served by your instance at $DPNDNCY_SERVER/releases/dpndncy-linux.
What you get
- Project import + scheduled scanning.
- Merge-request creation for remediation, with the breaking-change analysis in the description.
- Policy gate as a pipeline job that passes/fails the pipeline.
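To make the policy gate concrete, here is an added example (not part of the dpndncy CLI or docs) that applies the same `--fail-on high` rule to the SARIF report from the CI job above: it walks `runs[].results[]`, ranks each finding, and reports whether the pipeline should pass. It assumes dpndncy records the policy severity in `result.properties.severity` and falls back to the SARIF `level`; the sample report is constructed.

```python
import json
import sys

# Severity ranking used by the gate; "--fail-on high" means high and above.
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumption: dpndncy writes the policy severity to result.properties.severity.
# When it is absent, map the generic SARIF level instead.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def result_severity(result: dict) -> str:
    """Severity of one SARIF result, normalised to the RANK keys."""
    props = result.get("properties") or {}
    sev = str(props.get("severity", "")).lower()
    if sev in RANK:
        return sev
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def gate(sarif_text: str, fail_on: str) -> tuple:
    """Return (passes, counts-per-severity) for a SARIF 2.1.0 document."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0" or "runs" not in doc:
        raise ValueError("not a SARIF 2.1.0 document")  # e.g. an empty or truncated file
    counts = {s: 0 for s in RANK}
    for run in doc["runs"]:
        for res in run.get("results", []):
            counts[result_severity(res)] += 1
    threshold = RANK[fail_on]
    blocking = sum(n for s, n in counts.items() if RANK[s] >= threshold)
    return blocking == 0, counts


# Constructed sample report: one medium finding (level only) and one high finding.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "dpndncy"}}, "results": [
        {"ruleId": "vulnerable-dependency", "level": "warning",
         "message": {"text": "example-lib 1.2.3: constructed medium finding"}},
        {"ruleId": "vulnerable-dependency", "level": "error",
         "properties": {"severity": "high"},
         "message": {"text": "example-core 4.5.6: constructed high finding"}},
    ]}],
})

if __name__ == "__main__":
    # Usage: python sarif_gate.py [gl-sast-report.json]; exit 1 blocks the pipeline.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    ok, counts = gate(text, "high")
    print(counts)
    sys.exit(0 if ok else 1)
```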
See also
- GitHub · Auto-fix PRs · CLI