Skip to content

Mucha dev gitlab security output #147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jonathanStrange0 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Mucha dev gitlab security output #147

jonathanStrange0 wants to merge 2 commits into from

Conversation

@jonathanStrange0
Copy link

@jonathanStrange0 jonathanStrange0 commented Jan 12, 2026

Adds GitLab Security Dashboard integration with Dependency Scanning report output.
Socket CLI can now generate GitLab-compatible security reports that display
vulnerability findings directly in GitLab's native Security Dashboard and merge
request security widgets.

Why?

This feature enables Socket users to leverage GitLab's built-in Security Dashboard
for centralized vulnerability tracking and compliance reporting. Key benefits:

  • Native GitLab Integration: Security findings appear directly in GitLab's
    Security Dashboard, merge request security tabs, and vulnerability reports without
    requiring external tools
  • Compliance & Audit: Standardized Dependency Scanning reports (schema v15.0.0)
    support security audits and compliance requirements
  • Centralized Visibility: Teams already using GitLab for security management can
    view Socket findings alongside other security scanners
  • Policy Enforcement: Integrates with GitLab's security policies and approval
    rules for merge requests
  • Complementary to Socket GitLab App: Works alongside the existing Socket GitLab
    App - the App provides real-time PR comments and blocking, while Security
    Dashboard reports provide centralized tracking and historical analysis

The implementation includes:

  • New --enable-gitlab-security flag to generate reports
  • Customizable output path via --gitlab-security-file (default:
    gl-dependency-scanning-report.json)
  • Support for multiple simultaneous output formats (JSON, SARIF, GitLab)
  • Intelligent alert filtering (includes only actionable error/warn level alerts)
  • Complete vulnerability data including CVEs, severity levels, dependency chains,
    and remediation suggestions
  • Comprehensive test suite and documentation

Public Changelog

New Feature: GitLab Security Dashboard Integration

Socket CLI now supports generating GitLab-compatible Dependency Scanning reports
that integrate with GitLab's Security Dashboard. Enable with
--enable-gitlab-security to display Socket vulnerability findings directly in
GitLab merge requests and security dashboards.

Features:

  • Native GitLab Security Dashboard integration with Dependency Scanning schema
    v15.0.0
  • Automatic vulnerability report generation in GitLab CI/CD pipelines
  • Display Socket findings alongside other security scanners in GitLab's unified
    interface
  • Support for multiple simultaneous output formats (JSON, SARIF, GitLab)
  • Intelligent filtering of actionable security alerts (error/warn level)
  • Complete vulnerability metadata including CVEs, severity levels, and remediation
    guidance

Usage:
socketcli --enable-gitlab-security --repo owner/repo

See documentation for GitLab CI/CD integration examples and configuration options.

Jonathan Mucha and others added 2 commits January 12, 2026 10:35
@claude
feat: add GitLab Security Dashboard integration with Dependency Scann…
9e2b6ca 
…ing report output

Adds support for generating GitLab-compatible Dependency Scanning reports that integrate with GitLab's Security Dashboard. This feature enables Socket security findings to be displayed natively in GitLab merge requests and security dashboards.

Key Features:
- New --enable-gitlab-security flag to generate GitLab reports
- New --gitlab-security-file flag for custom output paths (default: gl-dependency-scanning-report.json)
- Generates GitLab Dependency Scanning schema v15.0.0 compliant reports
- Supports multiple simultaneous output formats (JSON, SARIF, GitLab)
- Includes actionable security alerts (error/warn level) in vulnerability reports
- Maps Socket severity levels to GitLab severity (Critical, High, Medium, Low)
- Extracts CVE identifiers and dependency chain information
- Generates deterministic UUIDs for vulnerability tracking

Implementation:
- Added GitLab report generator in messages.py with helper functions for severity mapping, identifier extraction, and location parsing
- Refactored OutputHandler to support multiple simultaneous output formats
- Added comprehensive unit tests (test_gitlab_format.py) and integration tests
- Updated documentation with usage examples, CI/CD integration guide, and alert filtering details

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
capturing all recent changes
a389972
@jonathanStrange0 jonathanStrange0 requested a review from a team as a code owner January 12, 2026 17:27
@github-actions
Copy link

github-actions bot commented Jan 12, 2026

Version Check Failed

Please increment...

@github-actions
Copy link

github-actions bot commented Jan 12, 2026

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.63.dev2

Docker image: socketdev/cli:pr-147

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonathanStrange0