Welcome to mirror list, hosted at ThFree Co, Russian Federation.

comparison_dependency_and_container_scanning.md « application_security « user « doc - gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/doc/user/application_security/comparison_dependency_and_container_scanning.md
blob: d02d94b7a3e4055835db89eeddddabea92b69b82 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

---
stage: Secure
group: Composition Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---

# Dependency Scanning compared to Container Scanning

GitLab offers both [Dependency Scanning](dependency_scanning/index.md) and
[Container Scanning](container_scanning/index.md) to ensure coverage for all of these
dependency types. To cover as much of your risk area as possible, we encourage you to use all of our
security scanning tools:

- Dependency Scanning analyzes your project and tells you which software dependencies,
  including upstream dependencies, have been included in your project, and what known
  risks the dependencies contain.
- Container Scanning analyzes your containers and tells you about known risks in the operating
  system's (OS) packages.

The following table summarizes which types of dependencies each scanning tool can detect:

| Feature                                                                                      | Dependency Scanning | Container Scanning                           |
|----------------------------------------------------------------------------------------------|---------------------|----------------------------------------------|
| Identify the manifest, lock file, or static file that introduced the dependency              | **{check-circle}**  | **{dotted-circle}**                          |
| Development dependencies                                                                     | **{check-circle}**  | **{dotted-circle}**                          |
| Dependencies in a lock file committed to your repository                                     | **{check-circle}**  | **{check-circle}** <sup>1</sup>              |
| Binaries built by Go                                                                         | **{dotted-circle}** | **{check-circle}** <sup>2</sup> <sup>3</sup> |
| Dynamically-linked language-specific dependencies installed by the Operating System          | **{dotted-circle}** | **{check-circle}** <sup>3</sup>              |
| Operating system dependencies                                                                | **{dotted-circle}** | **{check-circle}**                           |
| Language-specific dependencies installed on the operating system (not built by your project) | **{dotted-circle}** | **{check-circle}**                           |

1. Lock file must be present in the image to be detected.
1. Binary file must be present in the image to be detected.
1. Only when using Trivy.
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-12 22:35:17 +0300