dpndncY

GitLab (.com & self-hosted CE/EE)

Connect GitLab to import projects, scan on a schedule or in CI, and auto-create merge requests — results ingest into GitLab's native security dashboard via SARIF.

Connect

  • Authenticate with a project or group access token (least-privilege scopes).
  • For self-hosted CE/EE, set the integration’s base URL to your instance.

In CI

.gitlab-ci.yml
dpndncy_scan:
  # Pin this tag (or a digest) once you have validated a release; "latest" floats.
  image: ghcr.io/dpndncy/cli:latest
  script:
    # --fail-on high makes the job (and so the pipeline) fail on any high finding.
    - dpndncy scan . --policy default --fail-on high --sarif > gl-sast-report.json
  artifacts:
    # Default artifacts:when is on_success, which would drop the report on exactly
    # the runs where the gate fails; always upload it so the findings reach the MR.
    when: always
    reports:
      sast: gl-sast-report.json

The SARIF report lands in GitLab’s Security & Compliance dashboard and on the merge request.

Authenticate the job
Set two masked CI/CD variables: DPNDNCY_SERVER — the URL the runner can reach (for GitLab.com SaaS runners this must be your public API host, e.g. https://api.dpndncy.com; a self-hosted runner can use your internal URL) — and DPNDNCY_TOKEN, a token created from Settings → API tokens. The CLI binary is served by your instance at $DPNDNCY_SERVER/releases/dpndncy-linux.
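The checks a job should run on those two variables before fetching the CLI, as an added example that is not part of dpndncy's documentation. It assumes only what this section states (DPNDNCY_SERVER, DPNDNCY_TOKEN and the $DPNDNCY_SERVER/releases/dpndncy-linux path); the function names and the Bearer header used for the download are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not dpndncy's own code. Assumes the variables and release path named
# on the page; function names and the Authorization header are this example's assumptions.
set -eu

# True (0) for hosts a GitLab.com SaaS runner cannot reach: loopback, RFC1918 ranges and
# split-horizon suffixes. A self-hosted runner on the same network may use such a URL.
dpndncy_server_is_private() {
  host="${1#*://}"; host="${host%%/*}"; host="${host%%:*}"
  case "$host" in
    localhost|127.*|10.*|192.168.*|*.local|*.internal) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Validate the two masked variables and print the CLI download URL.
# Fails closed: an http:// server would carry the token in clear text, so it is refused,
# and an empty token is caught here rather than as an opaque 401 from the download.
dpndncy_release_url() {
  server="${1:-}"; token="${2:-}"
  case "$server" in
    https://*) ;;
    *) echo "DPNDNCY_SERVER must be an https:// URL, got: ${server:-<unset>}" >&2; return 1 ;;
  esac
  [ -n "$token" ] || { echo "DPNDNCY_TOKEN is not set" >&2; return 1; }
  printf '%s/releases/dpndncy-linux\n' "${server%/}"
}

# Fetch the CLI into the job workspace. The token travels only in a header, never in the
# URL, so it cannot land in a runner log or a proxy access log. (Header name: assumption.)
dpndncy_fetch_cli() {
  url=$(dpndncy_release_url "$1" "$2") || return 1
  curl --fail --silent --show-error --proto '=https' --location \
       -H "Authorization: Bearer $2" -o ./dpndncy "$url" && chmod 0755 ./dpndncy
}

# Stand-alone use inside the CI job; a no-op when the variables are absent (e.g. a dry run).
if [ -n "${DPNDNCY_SERVER:-}" ]; then
  dpndncy_server_is_private "$DPNDNCY_SERVER" &&
    echo "warning: $DPNDNCY_SERVER is a private host; GitLab.com SaaS runners cannot reach it" >&2
  dpndncy_fetch_cli "$DPNDNCY_SERVER" "${DPNDNCY_TOKEN:-}"
fi
```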

What you get

  • Project import + scheduled scanning.
  • Merge-request creation for remediation, with the breaking-change analysis in the description.
  • Policy gate as a pipeline job that passes/fails the pipeline.
