### Dependency Scanning

If you’re using GitLab CI/CD, you can use dependency scanning to analyze your dependencies for known vulnerabilities. GitLab scans all dependencies, including transitive dependencies (also known as nested dependencies). You can take advantage of dependency scanning by either:

-   Including the dependency scanning template in your existing .gitlab-ci.yml file.
-   Implicitly using the Auto Dependency Scanning job that Auto DevOps provides.
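The first option, as an added example that is not part of the original page: a minimal `.gitlab-ci.yml` that pulls in GitLab's own Dependency Scanning template. The `include` template path is the one GitLab ships; the `DS_EXCLUDED_PATHS` value is an assumption for illustration (directories you would not want analysed, such as test fixtures), and the `build` and `deploy` jobs are placeholders standing in for your existing pipeline.

```yaml
# Pull in the Dependency Scanning jobs GitLab maintains. The template adds
# its analyzer jobs to the "test" stage, so that stage must exist.
include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

stages:
  - build
  - test
  - deploy

variables:
  # Assumed value: skip paths that hold test fixtures or vendored samples so
  # their lockfiles do not generate findings against the real application.
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"

# Placeholder jobs representing an existing pipeline; the scanning jobs from
# the template run alongside them in the "test" stage.
build:
  stage: build
  script:
    - echo "build the application here"

deploy:
  stage: deploy
  script:
    - echo "deploy the application here"
  when: manual
```

The template's jobs write the report as a job artifact (`gl-dependency-scanning-report.json`) that GitLab reads to populate the merge request widget; committing only the `include` line on a branch, then opening a merge request, is enough to see the first comparison.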

GitLab reads the dependency scanning report, compares the vulnerabilities found on the source branch with those found on the target branch, and shows the difference in the merge request widget, sorted by severity. Findings are only presented as new relative to the target branch's most recent report, so a target branch that has never been scanned makes every finding on the source branch appear new.

![dependency scanning mr](./dependency-scanning-mr.png)

An example project using Dependency Scanning on JiHu GitLab:

[Dependency Scanning Demo](https://jihulab.com/ultimate-plan/demo/dependency-scanning-demo/-/tree/2-test-new-policy-name)
