Skip to content

Mucha dev gitlab security output#147

Merged
dacoburn merged 6 commits intomainfrom
mucha-dev-gitlab-security-output
Jan 16, 2026
Merged

Mucha dev gitlab security output#147
dacoburn merged 6 commits intomainfrom
mucha-dev-gitlab-security-output

Conversation

@jonathanStrange0
Copy link
Contributor

@jonathanStrange0 jonathanStrange0 commented Jan 12, 2026

Adds GitLab Security Dashboard integration with Dependency Scanning report output.
Socket CLI can now generate GitLab-compatible security reports that display
vulnerability findings directly in GitLab's native Security Dashboard and merge
request security widgets.

Why?

This feature enables Socket users to leverage GitLab's built-in Security Dashboard
for centralized vulnerability tracking and compliance reporting. Key benefits:

  • Native GitLab Integration: Security findings appear directly in GitLab's
    Security Dashboard, merge request security tabs, and vulnerability reports without
    requiring external tools
  • Compliance & Audit: Standardized Dependency Scanning reports (schema v15.0.0)
    support security audits and compliance requirements
  • Centralized Visibility: Teams already using GitLab for security management can
    view Socket findings alongside other security scanners
  • Policy Enforcement: Integrates with GitLab's security policies and approval
    rules for merge requests
  • Complementary to Socket GitLab App: Works alongside the existing Socket GitLab
    App - the App provides real-time PR comments and blocking, while Security
    Dashboard reports provide centralized tracking and historical analysis

The implementation includes:

  • New --enable-gitlab-security flag to generate reports
  • Customizable output path via --gitlab-security-file (default:
    gl-dependency-scanning-report.json)
  • Support for multiple simultaneous output formats (JSON, SARIF, GitLab)
  • Intelligent alert filtering (includes only actionable error/warn level alerts)
  • Complete vulnerability data including CVEs, severity levels, dependency chains,
    and remediation suggestions
  • Comprehensive test suite and documentation

Public Changelog

New Feature: GitLab Security Dashboard Integration

Socket CLI now supports generating GitLab-compatible Dependency Scanning reports
that integrate with GitLab's Security Dashboard. Enable with
--enable-gitlab-security to display Socket vulnerability findings directly in
GitLab merge requests and security dashboards.

Features:

  • Native GitLab Security Dashboard integration with Dependency Scanning schema
    v15.0.0
  • Automatic vulnerability report generation in GitLab CI/CD pipelines
  • Display Socket findings alongside other security scanners in GitLab's unified
    interface
  • Support for multiple simultaneous output formats (JSON, SARIF, GitLab)
  • Intelligent filtering of actionable security alerts (error/warn level)
  • Complete vulnerability metadata including CVEs, severity levels, and remediation
    guidance

Usage:
socketcli --enable-gitlab-security --repo owner/repo

See documentation for GitLab CI/CD integration examples and configuration options.

Jonathan Mucha and others added 2 commits January 12, 2026 10:35
@claude
feat: add GitLab Security Dashboard integration with Dependency Scann…
9e2b6ca 
…ing report output

Adds support for generating GitLab-compatible Dependency Scanning reports that integrate with GitLab's Security Dashboard. This feature enables Socket security findings to be displayed natively in GitLab merge requests and security dashboards.

Key Features:
- New --enable-gitlab-security flag to generate GitLab reports
- New --gitlab-security-file flag for custom output paths (default: gl-dependency-scanning-report.json)
- Generates GitLab Dependency Scanning schema v15.0.0 compliant reports
- Supports multiple simultaneous output formats (JSON, SARIF, GitLab)
- Includes actionable security alerts (error/warn level) in vulnerability reports
- Maps Socket severity levels to GitLab severity (Critical, High, Medium, Low)
- Extracts CVE identifiers and dependency chain information
- Generates deterministic UUIDs for vulnerability tracking

Implementation:
- Added GitLab report generator in messages.py with helper functions for severity mapping, identifier extraction, and location parsing
- Refactored OutputHandler to support multiple simultaneous output formats
- Added comprehensive unit tests (test_gitlab_format.py) and integration tests
- Updated documentation with usage examples, CI/CD integration guide, and alert filtering details

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
capturing all recent changes
a389972
@jonathanStrange0 jonathanStrange0 requested a review from a team as a code owner January 12, 2026 17:27
@github-actions
Copy link

github-actions bot commented Jan 12, 2026
edited
Loading

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.68.dev1

Docker image: socketdev/cli:pr-147

@dacoburn dacoburn merged commit 3defe2e into main Jan 16, 2026
6 checks passed
@dacoburn dacoburn deleted the mucha-dev-gitlab-security-output branch January 16, 2026 20:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dacoburn dacoburn dacoburn approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonathanStrange0 @dacoburn