SCA Vulnerability Report in GitLab

Frogbot can publish SCA scan results to GitLab's Vulnerability Report by generating dependency scanning and CycloneDX SBOM reports that GitLab ingests and displays in its Security UI.

The reports are produced and uploaded only by commit scans (frogbot scan-repository); pull request scans (frogbot scan-pull-request) do not generate them.

Prerequisites

  • GitLab Ultimate (the Vulnerability Report is an Ultimate-tier feature)
  • A GitLab CI/CD job that can upload security reports under artifacts:reports (the dependency_scanning and cyclonedx report types)

Generated Reports

When frogbot scan-repository runs, Frogbot writes two report files to JF_SCAN_RESULTS_OUTPUT_DIR:

  • gl-dependency-scanning-report.json — GitLab dependency scanning report
  • cyclonedx.json — CycloneDX SBOM, enriched with GitLab properties so the UI can populate fields like Reachable

The CI job uploads both files as GitLab security report artifacts:

  • artifacts:reports:dependency_scanning → gl-dependency-scanning-report.json
  • artifacts:reports:cyclonedx → cyclonedx.json

Once ingested, findings appear in Security → Vulnerability Report.

Configuring the CI Job

In your .gitlab-ci.yml, configure a job that runs frogbot scan-repository, sets JF_SCAN_RESULTS_OUTPUT_DIR to a path under $CI_PROJECT_DIR, and declares both report files under artifacts:reports (not only artifacts:paths). The output directory must be inside $CI_PROJECT_DIR because GitLab only collects artifacts from within the project directory, and artifacts:when: always keeps the reports uploaded even if the job fails after Frogbot has written them.

frogbot-scan-repository:
  image: releases-docker.jfrog.io/jfrog-ecosystem-integration-env
  rules:
    # Commit scans run on the default branch and on scheduled pipelines
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_PIPELINE_SOURCE == "schedule"
  variables:
    FROGBOT_CMD: "scan-repository"
    JF_URL: $JF_URL
    JF_ACCESS_TOKEN: $JF_ACCESS_TOKEN
    JF_GIT_TOKEN: $JF_GIT_TOKEN
    JF_GIT_PROVIDER: gitlab
    JF_GIT_OWNER: $CI_PROJECT_NAMESPACE
    JF_GIT_REPO: $CI_PROJECT_NAME
    # Must be inside $CI_PROJECT_DIR so GitLab can collect the reports as artifacts
    JF_SCAN_RESULTS_OUTPUT_DIR: "$CI_PROJECT_DIR/test_gitlab_reports"
  script:
    # Download the Frogbot launcher from JFrog's release server and run the
    # command selected by FROGBOT_CMD (the standard Frogbot GitLab template;
    # [RELEASE] resolves to the latest Frogbot version)
    - |
      curl -fLg "https://releases.jfrog.io/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh
      ./frogbot ${FROGBOT_CMD}
  artifacts:
    when: always
    paths:
      - test_gitlab_reports/
    reports:
      dependency_scanning: test_gitlab_reports/gl-dependency-scanning-report.json
      cyclonedx:
        - test_gitlab_reports/cyclonedx.json
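GitLab silently discards a report it cannot parse, so a practitioner usually wants a gate between the Frogbot step and the artifact upload. The following Python script is an added example, not part of Frogbot or of the job above: it confirms that JF_SCAN_RESULTS_OUTPUT_DIR is inside $CI_PROJECT_DIR (returning the relative path artifacts:paths needs), that both report files exist, and that each has the minimum structure GitLab ingests (a `version` string and `vulnerabilities` list for the dependency scanning report; `bomFormat: CycloneDX` and a `specVersion` for the SBOM), then summarises findings by severity. The file names are the ones the page lists; the sample reports written by write_sample_reports() are constructed for the stand-alone run and are not real Frogbot output.

```python
#!/usr/bin/env python3
"""Pre-upload check for the two Frogbot report files.

Added example, not part of Frogbot or GitLab. It assumes only the minimum
structure GitLab accepts: a dependency scanning report with a `version` string
and a `vulnerabilities` list, and a CycloneDX document with `bomFormat` set to
"CycloneDX" and a `specVersion`. The sample reports written by
write_sample_reports() are constructed for the demo, not real Frogbot output.
"""
import json
import os
import tempfile
from collections import Counter

DEP_REPORT = "gl-dependency-scanning-report.json"
SBOM_REPORT = "cyclonedx.json"


def artifact_relative_path(output_dir, project_dir):
    """GitLab collects artifacts only from inside $CI_PROJECT_DIR, so reject an
    output directory outside it and return the path as artifacts:paths needs it."""
    out = os.path.realpath(output_dir)
    proj = os.path.realpath(project_dir)
    if os.path.commonpath([out, proj]) != proj:
        raise ValueError(f"{output_dir} is outside {project_dir}; GitLab would not upload it")
    return os.path.relpath(out, proj)


def load_json(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def validate_dependency_report(path):
    """Return the report schema version and a per-severity count of findings."""
    report = load_json(path)
    if not isinstance(report.get("version"), str) or not isinstance(report.get("vulnerabilities"), list):
        raise ValueError(f"{path}: expected a 'version' string and a 'vulnerabilities' list")
    counts = Counter(v.get("severity", "Unknown") for v in report["vulnerabilities"])
    return {"schema_version": report["version"], "by_severity": dict(counts)}


def validate_cyclonedx(path):
    """Return the CycloneDX spec version and the number of components in the SBOM."""
    bom = load_json(path)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError(f"{path}: not a CycloneDX document")
    return {"spec_version": bom["specVersion"], "components": len(bom.get("components", []))}


def validate_reports(output_dir, project_dir):
    """Check both files GitLab will ingest; raise on anything it would silently drop."""
    summary = {"artifact_dir": artifact_relative_path(output_dir, project_dir)}
    checks = (("dependency_scanning", DEP_REPORT, validate_dependency_report),
              ("cyclonedx", SBOM_REPORT, validate_cyclonedx))
    for key, name, check in checks:
        path = os.path.join(output_dir, name)
        if not os.path.isfile(path):
            raise FileNotFoundError(f"{path} missing: did frogbot scan-repository run?")
        summary[key] = check(path)
    return summary


def write_sample_reports(output_dir):
    """Constructed minimal reports (two findings, two components) for the demo only."""
    os.makedirs(output_dir, exist_ok=True)
    dep = {"version": "15.0.0", "vulnerabilities": [
        {"id": "finding-1", "severity": "High", "name": "sample high finding"},
        {"id": "finding-2", "severity": "Medium", "name": "sample medium finding"}]}
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "lib-a", "version": "1.0.0"},
        {"type": "library", "name": "lib-b", "version": "2.3.4"}]}
    with open(os.path.join(output_dir, DEP_REPORT), "w", encoding="utf-8") as fh:
        json.dump(dep, fh)
    with open(os.path.join(output_dir, SBOM_REPORT), "w", encoding="utf-8") as fh:
        json.dump(bom, fh)


def demo():
    """Simulate $CI_PROJECT_DIR with reports under test_gitlab_reports/ and validate them."""
    with tempfile.TemporaryDirectory() as project_dir:
        output_dir = os.path.join(project_dir, "test_gitlab_reports")
        write_sample_reports(output_dir)
        return validate_reports(output_dir, project_dir)


def outside_project_is_rejected():
    """True if an output directory outside the project directory is refused."""
    with tempfile.TemporaryDirectory() as root:
        try:
            artifact_relative_path(os.path.join(root, "elsewhere"), os.path.join(root, "project"))
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("outside-project dir rejected:", outside_project_is_rejected())
```

In a real job, call validate_reports("$JF_SCAN_RESULTS_OUTPUT_DIR", "$CI_PROJECT_DIR") as an extra script step after the Frogbot command; a raised exception fails the job with a readable reason instead of a Vulnerability Report that quietly stays empty.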