npm Dependency CVE Scanning in GitLab CI
Add npm CVE scanning to your GitLab CI/CD pipeline. Fail builds on high severity vulnerabilities.
Dependency scanning in GitLab CI
GitLab includes built-in dependency scanning. For npm, configure it in .gitlab-ci.yml.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

dependency_scanning:
  variables:
    DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
    SECURE_LOG_LEVEL: info
Manual Scan
For a quick one-off scan before deployment, paste your package.json into PackageFix — no pipeline setup needed.
Scan your dependencies now — paste your manifest, get a fixed version back in seconds.
Frequently Asked Questions
How do I add dependency scanning to GitLab CI?
Add OSV Scanner or the ecosystem-specific audit tool to your GitLab CI build configuration. The config snippet above works out of the box.
Does PackageFix integrate with CI/CD pipelines?
PackageFix is a browser tool for manual scans. For automated CI scanning, use OSV Scanner (Google) or pip-audit/npm audit in your pipeline. PackageFix generates the Renovate config and GitHub Actions workflow you can copy.
How do I fail a GitLab CI build on critical CVEs?
Add --audit-level=critical to npm audit, or --fail-on=critical to pip-audit. The pipeline aborts if critical CVEs are found.
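A small gate script that a GitLab CI job can run over the output of npm audit --json, failing the job when any finding is at or above a chosen severity. This is an added example, not code from this page or from PackageFix; the file name audit_gate.py, the sample report and the package names in it are constructed for illustration.

```python
import json
import sys

# npm's severity ladder, lowest to highest.
SEVERITIES = ["info", "low", "moderate", "high", "critical"]


def severity_counts(report: dict) -> dict:
    """Count findings per severity in an `npm audit --json` report.

    Reads the npm 7+ layout (`vulnerabilities`, keyed by package name) and
    the npm 6 layout (`advisories`, keyed by advisory id).
    """
    counts = {level: 0 for level in SEVERITIES}
    entries = report.get("vulnerabilities") or report.get("advisories") or {}
    for entry in entries.values():
        level = str(entry.get("severity", "")).lower()
        if level in counts:
            counts[level] += 1
    return counts


def should_fail(report: dict, threshold: str = "high") -> bool:
    """True when any finding is at or above `threshold` severity."""
    floor = SEVERITIES.index(threshold.lower())
    counts = severity_counts(report)
    return any(counts[level] > 0 for level in SEVERITIES[floor:])


# Constructed sample in the npm 7+ layout: one high and one moderate finding.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash": {"name": "lodash", "severity": "high", "fixAvailable": True},
        "minimist": {"name": "minimist", "severity": "moderate", "fixAvailable": True},
    },
}


def main(argv: list) -> int:
    # In the CI job: `npm audit --json > audit.json || true` (npm audit itself
    # exits non-zero on findings), then `python3 audit_gate.py audit.json high`.
    path, threshold = argv[1], (argv[2] if len(argv) > 2 else "high")
    with open(path) as fh:
        report = json.load(fh)
    print("npm audit findings:", severity_counts(report))
    if should_fail(report, threshold):
        print(f"FAIL: findings at or above '{threshold}' severity")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the script reads the JSON report rather than relying on npm's exit code, the job log shows the full per-severity count even when the gate passes.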
What is the OSV Scanner?
OSV Scanner is Google's open-source CLI tool that queries the same OSV database PackageFix uses. It's ideal for CI/CD integration.