Static reachability analysis
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
- Status: Beta
Version history
- Introduced as an experiment in GitLab 17.5.
- Changed from experiment to beta in GitLab 17.11.
- Introduced support for JavaScript and TypeScript in GitLab 18.2 and Dependency Scanning Analyzer v0.32.0.
Static reachability analysis (SRA) helps you prioritize remediation of vulnerabilities in dependencies. SRA identifies which dependencies your application actually uses. While dependency scanning finds all vulnerable dependencies, SRA focuses on those that are reachable and pose higher security risks, helping you prioritize remediation based on actual threat exposure.
Getting started
If you are new to static reachability analysis, the following steps show how to enable it for your project.
Prerequisites:
-
Only Python, JavaScript, and TypeScript projects are supported.
-
Dependency Scanning analyzer version 0.32.0 and later.
-
Enable Dependency Scanning by using SBOM. Gemnasium analyzers are not supported.
For Python, follow the pip or pipenv related instructions for dependency scanning using SBOM. You can also use any other Python package manager that is supported by the DS analyzer.
For JavaScript and TypeScript, ensure your repository has the supported lock files by the DS analyzer.
Exclusions:
- SRA cannot be used together with either a scan execution policy or pipeline execution policy.
To enable SRA:
-
On the left sidebar, select Search or go to and find your project.
-
Edit the
.gitlab-ci.yml
file, and add one of the following.If you're using the CI/CD template, add the following (ensure there is only one
variables:
line):variables: DS_STATIC_REACHABILITY_ENABLED: true
If you're using the Dependency Scanning component, add the following (ensuring there is only one
include:
line.):include: - component: ${CI_SERVER_FQDN}/components/dependency-scanning/main@0 inputs: enable_static_reachability: true rules: - if: $CI_SERVER_HOST == "gitlab.com"
At this point, SRA is enabled in your pipeline. When dependency scanning runs and outputs an SBOM, the results are supplemented by static reachability analysis.
Understanding the results
To identify vulnerable dependencies that are reachable, either:
- In the vulnerability report, hover over the Severity value of a vulnerability.
- In a vulnerability's details page, check the Reachable value.
- Use a GraphQL query to list those vulnerabilities that are reachable.
A dependency can have one of the following reachability values:
- Yes
- The package linked to this vulnerability is confirmed reachable in code.
- Not Found
- SRA ran successfully but did not detect usage of the vulnerable package. If a vulnerable dependency's reachability value is shown as Not Found exercise caution rather than completely dismissing it, because the beta version of SRA may produce false negatives.
- Not Available
- SRA was not executed, so no reachability data exists.
When a direct dependency is marked as in use, all its transitive dependencies are also marked as in use.
Supported languages and package managers
Static reachability analysis is available for Python, JavaScript, and TypeScript projects. SRA uses the new dependency scanning analyzer to generate SBOMs and supports the same package managers as the analyzer.
Language | Supported package managers | Supported file suffix |
---|---|---|
Python |
pip , pipenv , poetry , uv
|
.py |
JavaScript/TypeScript |
npm , pnpm , yarn
|
.js , .ts
|
For Python pipenv
, static reachability doesn't support Pipfile.lock
files. Support is available only for pipenv.graph.json
because it has support for a dependency graph.
If a package manager without dependency graph support is used, all indirect dependencies are marked as not in use.
Because of a known issue in Dependency Scanning with pipdeptree
,
optional dependencies
are marked as direct dependencies instead of as transitive dependencies. Static Reachability might not
identify those packages as in use.
For example, requiring passlib[bcrypt]
may result in passlib
being marked as in_use
whilst bcrypt
is marked as not_found
.
Running SRA in an offline environment
To use the dependency scanning component in an offline environment, you must first mirror the component project.
How static reachability analysis works
Dependency scanning generates an SBOM report that identifies all components and their transitive dependencies. Static reachability analysis checks each dependency in the SBOM report and adds a reachability value to the SBOM report. The enriched SBOM is then ingested by the GitLab instance.
The following are marked as not found:
- Dependencies that are found in the project's lock files but are not imported in the code.
- Tools that are included in the project's lock files for local usage but are not imported in the code. For example, tools such as coverage testing or linting packages are marked as not found even if used locally.