Blog Security Introducing a community-driven advisory database for third-party software dependencies
February 16, 2022
3 min read

Introducing a community-driven advisory database for third-party software dependencies

The advisory data can be readily adopted, adapted, and exchanged. Learn more here.


GitLab provides a Dependency Scanning
feature that can automatically detect vulnerabilities in your software
dependencies. Dependency Scanning covers various programming languages and
relies on the GitLab Advisory Database, that
on a periodic basis by the
Vulnerability Research
team at GitLab. The GitLab Advisory Database covers security advisories in software packages that have a CVE identifier, as well as malicious packages marked as such by their ecosystem (example). The database is an essential part of
the Dependency Scanning feature, which is
available in GitLab Ultimate self-managed
and GitLab Ultimate SaaS.

As of recently, GitLab also provides a free and open-source version of the
database, the GitLab Advisory Database (Open Source Edition), a time-delayed
(+30 days) clone of the GitLab Advisory Database.

In the spirit of
Collaboration and
Transparency, two of
the GitLab core values, we share
the database with the open-source community in a format that is
and can be easily parsed. The advisory data can be readily adopted, adapted, and
exchanged. For example, links to proof of concepts or write-ups, or any other
directly related information that will benefit the community, can be added to
the urls array:

  - ""
  - ""
  - ""

Additionally, in our advisories we use Common Weakness Enumeration
in conjunction with Common Vulnerability Scoring System as a standard means
of communicating vulnerabilities, as well as their impact/severity, internally and externally.

The GitLab Advisory Database is integrated
into GitLab Dependency Scanning. Once
an existing advisory is modified or a new advisory is created, the information included in the advisory will appear
in the Vulnerability Pages
where findings/vulnerabilities originating from all security scanners,
including Dependency Scanning, can be managed at a central place.

The open-source database has recently been integrated into
Trivy, a free and open-source solution
for container scanning.
We are very grateful for community contributions
to the GitLab Advisory Database.
Our community has aided us by suggesting improvements to our data or by
creating entirely new advisories, allowing everyone to benefit from their

At GitLab, everyone can contribute.
The Vulnerability Research
team at GitLab has made it easy to contribute to both databases.

Community contributions can be made available in
instantaneously by means of the community-sync flag,
which has been introduced recently. Using this synchronization, you can make
the same contribution appear in both databases at the time of a Merge Request
(within one hour after the merge).

We have also used this flag to make the advisories concerning the recent
vulnerabilities available to the community immediately after these were made public.
Even though the open-source version of the database is time-delayed, particular
vulnerabilities that have the potential to become widespread and cause
disruptions to the entire Internet, are pushed into the open-source version
of the GitLab security advisory database.

Cover image by Charles Deluvio on Unsplash

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert