Introducing a community-driven advisory database for third-party software dependencies
February 16, 2022
3 min read

The advisory data can be readily adopted, adapted, and exchanged.

GitLab provides a Dependency Scanning feature that can automatically detect vulnerabilities in your software dependencies. Dependency Scanning covers various programming languages and relies on the GitLab Advisory Database, which is updated periodically by the Vulnerability Research team at GitLab. The GitLab Advisory Database covers security advisories for software packages that have a CVE identifier, as well as malicious packages marked as such by their ecosystem. The database is an essential part of the Dependency Scanning feature, which is available in GitLab Ultimate self-managed and GitLab Ultimate SaaS.

More recently, GitLab has also begun providing a free and open-source version of the database, the GitLab Advisory Database (Open Source Edition), a time-delayed (+30 days) clone of the GitLab Advisory Database.

In the spirit of Collaboration and Transparency, two of the GitLab core values, we share the database with the open-source community in a format that is well documented and easy to parse. The advisory data can be readily adopted, adapted, and exchanged. For example, links to proofs of concept or write-ups, or any other directly related information that will benefit the community, can be added to the urls array:

urls:
  - "https://hackerone.com/reports/1104077"
  - "https://nvd.nist.gov/vuln/detail/CVE-2021-28965"
  - "https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/"

Additionally, in our advisories we use the Common Weakness Enumeration (CWE) in conjunction with the Common Vulnerability Scoring System (CVSS) as a standard means of communicating vulnerabilities, as well as their impact and severity, both internally and externally.

The GitLab Advisory Database is integrated into GitLab Dependency Scanning. Once an existing advisory is modified or a new advisory is created, the information included in the advisory appears in the Vulnerability Pages, where findings from all security scanners, including Dependency Scanning, can be managed in one central place.

The open-source database has recently been integrated into Trivy, a free and open-source solution for container scanning. We are very grateful for community contributions to the GitLab Advisory Database. Our community has aided us by suggesting improvements to our data or by creating entirely new advisories, allowing everyone to benefit from their contributions.

At GitLab, everyone can contribute. The Vulnerability Research team at GitLab has made it easy to contribute to both databases.

Community contributions can be made available in advisories-community immediately by means of the recently introduced community-sync flag. Using this synchronization, you can make the same contribution appear in both databases at the time of a Merge Request (within one hour after the merge).

We have also used this flag to make the advisories concerning the recent Log4Shell vulnerabilities available to the community immediately after these were made public. Even though the open-source version of the database is time-delayed, particular vulnerabilities that have the potential to become widespread and cause disruption across the entire Internet are pushed into the open-source version of the GitLab security advisory database right away.
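The two rules described above (a 30-day delay by default, bypassed by the community-sync flag) are simple to model. The following is an added example, not GitLab's own synchronization code: it plans one sync run from the main database to the open-source edition, deciding per advisory whether to create it, update it (when its content changed, detected by a content digest), skip it, or withhold it until its delay has elapsed. The records are constructed for the example; the identifier CVE-2021-28965 and its URLs come from the post, the PLACEHOLDER-* identifiers are placeholders, and representing the flag as a community_sync key on the record is my assumption.

```python
import hashlib
import json
from datetime import date, timedelta

DELAY_DAYS = 30  # the open-source edition trails the main database by this much


def content_digest(advisory):
    """Stable digest of an advisory's content, ignoring the sync flag itself."""
    body = {k: v for k, v in advisory.items() if k != "community_sync"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def eligible_for_community(advisory, today, delay_days=DELAY_DAYS):
    """True if the advisory may appear in the open-source edition on `today`."""
    if advisory.get("community_sync"):        # flag short-circuits the delay
        return True
    published = date.fromisoformat(advisory["pubdate"])
    return published + timedelta(days=delay_days) <= today


def days_until_visible(advisory, today, delay_days=DELAY_DAYS):
    """0 if visible now, otherwise the number of days left in the delay window."""
    if eligible_for_community(advisory, today, delay_days):
        return 0
    visible_on = date.fromisoformat(advisory["pubdate"]) + timedelta(days=delay_days)
    return (visible_on - today).days


def plan_sync(main_db, community_db, today):
    """Map each identifier in the main database to create / update / skip / withhold."""
    plan = {}
    for ident, adv in main_db.items():
        if not eligible_for_community(adv, today):
            plan[ident] = "withhold"
        elif ident not in community_db:
            plan[ident] = "create"
        elif content_digest(community_db[ident]) != content_digest(adv):
            plan[ident] = "update"
        else:
            plan[ident] = "skip"
    return plan


# Constructed sample databases keyed by identifier (values are made up for the example).
MAIN_DB = {
    "CVE-2021-28965": {
        "identifier": "CVE-2021-28965", "pubdate": "2021-04-05",
        "urls": [
            "https://hackerone.com/reports/1104077",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-28965",
            "https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/",
        ],
    },
    "PLACEHOLDER-OLD": {"identifier": "PLACEHOLDER-OLD", "pubdate": "2021-11-01",
                        "urls": ["https://example.invalid/old"]},
    "PLACEHOLDER-RECENT": {"identifier": "PLACEHOLDER-RECENT", "pubdate": "2022-02-01",
                           "urls": ["https://example.invalid/recent"]},
    "PLACEHOLDER-FAST-TRACK": {"identifier": "PLACEHOLDER-FAST-TRACK", "pubdate": "2022-02-10",
                               "community_sync": True,
                               "urls": ["https://example.invalid/fast-track"]},
}
COMMUNITY_DB = {
    # stale copy: the third URL was added upstream after the last sync
    "CVE-2021-28965": {
        "identifier": "CVE-2021-28965", "pubdate": "2021-04-05",
        "urls": [
            "https://hackerone.com/reports/1104077",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-28965",
        ],
    },
    "PLACEHOLDER-OLD": dict(MAIN_DB["PLACEHOLDER-OLD"]),  # identical copy
}
TODAY = date(2022, 2, 16)  # the post's publication date, used as "now"

if __name__ == "__main__":
    for ident, action in plan_sync(MAIN_DB, COMMUNITY_DB, TODAY).items():
        print(f"{ident:24s} {action:9s} visible in {days_until_visible(MAIN_DB[ident], TODAY)} days")
```

With the sample data the run updates the stale REXML record, creates the flagged fast-track advisory despite its recent publication date, withholds the unflagged recent one for another 15 days, and skips the unchanged one. The digest comparison is what makes "modified" advisories propagate without a separate change log.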

Cover image by Charles Deluvio on Unsplash
