Security and compliance settings

  • Tier: Ultimate
  • Offering: GitLab Self-Managed, GitLab Dedicated

Dependency Scanning

SBOM Scan API limits

The dependency scanning using SBOM feature uses an internal API with predefined rate limits.

To configure different values for these limits:

  1. In the upper-right corner, select Admin.
  2. Select Settings > Security and compliance.
  3. Expand Dependency Scanning.
  4. Change the value of any rate limit, or set a rate limit to 0 to disable it.
  5. Select Save changes.

Package Metadata Database synchronization

Choose package registry metadata to sync

To choose the packages you want to synchronize with the GitLab Package Metadata Database (PMDB) for License Compliance and continuous vulnerability scanning:

  1. In the upper-right corner, select Admin.
  2. Select Settings > Security and compliance.
  3. Expand License Compliance.
  4. In Package registry metadata to sync, select or clear checkboxes for the package registries that you want to sync.
  5. Select Save changes.

For this data synchronization to work, you must allow outbound network traffic from your GitLab instance to the domain storage.googleapis.com. See also the offline setup instructions described in Enabling the Package Metadata Database.

Security considerations

PMDB is a service that publishes license and advisory data to publicly accessible (read-only) Google Cloud Storage buckets. The buckets can be read by anyone, but only authorized GitLab maintainers have write access through IAM controls. GitLab continuously ingests data from a secured PostgreSQL database and exports it by using a private service using OIDC authentication. GitLab instances sync data from the public buckets, perform schema validation, and then upsert the validated data into the GitLab database.