Version: 21.5 - latest

Dependency Scanning

Gitea Enterprise continues to add features for developing software in a secure environment. One of them is dependency scanning, which protects your code by identifying known vulnerabilities in the third-party dependencies your projects rely on.

What is dependency scanning?

In the world of software development, it's common to use third-party packages or libraries, known as dependencies, to avoid reinventing the wheel. These dependencies, while useful, can sometimes contain security vulnerabilities that, if left unchecked, could potentially harm your application.

That's where dependency scanning comes in. Gitea Enterprise scans your project's dependencies and flags those with known (publicly reported) security vulnerabilities, so that a vulnerable version is noticed before it is shipped.

How does dependency scanning work?

Dependency scanning in Gitea Enterprise is designed to be efficient and easy to use.

Gitea Enterprise automatically scans your project's dependencies against a database of known vulnerabilities. If a dependency's version falls inside a vulnerable range, Gitea Enterprise generates a report with detailed information about the issue: its severity, a description of the vulnerability, and any known fixes (typically the first version in which the issue was fixed).

This proactive approach allows you to address potential security risks before they become a problem, significantly enhancing the security and integrity of your software projects.
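To make the matching step concrete, here is an added example of the core logic of a dependency scanner for go.mod files. It is example code written for this page, not Gitea Enterprise's implementation. It parses the require directives, compares module versions with semver-style ordering (pre-releases sort before the release, "+incompatible" build metadata is ignored), and reports every dependency whose version lies in an advisory's affected range [Introduced, Fixed). The go.mod content, the module paths under example.com/demo and the EXAMPLE-000x advisories are all constructed placeholders, not real modules or vulnerabilities.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Dep is one dependency declared in a go.mod require directive.
type Dep struct{ Path, Version string }

// Advisory is a constructed vulnerability record for this example; IDs,
// module paths and ranges are placeholders, not real advisories.
type Advisory struct {
	ID, Module string
	Introduced string // first affected version (inclusive)
	Fixed      string // first fixed version (exclusive); "" means no fix yet
	Severity   string
	Summary    string
}

// Finding pairs a declared dependency with the advisory it matched.
type Finding struct {
	Dep      Dep
	Advisory Advisory
}

// ParseGoMod extracts module path/version pairs from the require
// directives of a go.mod file, in single-line and block form.
// Comments such as "// indirect" are stripped first.
func ParseGoMod(src string) []Dep {
	var deps []Dep
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			deps = append(deps, Dep{f[0], f[1]})
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			deps = append(deps, Dep{f[1], f[2]})
		}
	}
	return deps
}

// parseVersion splits "v1.10.0-beta+incompatible" into its numeric core and
// pre-release tag. Build metadata after "+" is ignored, as semver requires.
func parseVersion(v string) (nums [3]int, pre string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return nums, pre
}

// compareVersions returns -1, 0 or 1 ordering a before, equal to, or after b.
// The numeric core decides first; a pre-release sorts before its final release.
func compareVersions(a, b string) int {
	an, ap := parseVersion(a)
	bn, bp := parseVersion(b)
	for i := range an {
		if an[i] != bn[i] {
			if an[i] < bn[i] {
				return -1
			}
			return 1
		}
	}
	if ap == bp {
		return 0
	}
	if ap == "" {
		return 1 // release is newer than any pre-release of the same core
	}
	if bp == "" {
		return -1
	}
	return strings.Compare(ap, bp)
}

// Scan reports every dependency whose version lies in [Introduced, Fixed)
// for some advisory on the same module path.
func Scan(deps []Dep, db []Advisory) []Finding {
	var out []Finding
	for _, d := range deps {
		for _, a := range db {
			if a.Module != d.Path || compareVersions(d.Version, a.Introduced) < 0 {
				continue
			}
			if a.Fixed != "" && compareVersions(d.Version, a.Fixed) >= 0 {
				continue // already on a fixed release
			}
			out = append(out, Finding{d, a})
		}
	}
	return out
}

// Report renders findings as severity, description and the known fix.
func Report(fs []Finding) string {
	var b strings.Builder
	for _, f := range fs {
		fix := "no fixed version published"
		if f.Advisory.Fixed != "" {
			fix = "upgrade to " + f.Advisory.Fixed
		}
		fmt.Fprintf(&b, "%-8s %s %s@%s: %s (%s)\n", f.Advisory.Severity,
			f.Advisory.ID, f.Dep.Path, f.Dep.Version, f.Advisory.Summary, fix)
	}
	return b.String()
}

// Constructed sample go.mod; every module path below is a placeholder.
const sampleGoMod = `module test

go 1.21

require example.com/demo/single v1.2.0

require (
	example.com/demo/lib v1.0.1 // indirect
	example.com/demo/lib/v2 v2.0.0-beta1
	example.com/demo/safe v3.1.0+incompatible
)
`

// Constructed advisory database for the example (placeholder IDs and ranges).
var sampleDB = []Advisory{
	{"EXAMPLE-0001", "example.com/demo/lib", "v0.0.0", "v1.0.2", "HIGH", "path traversal in archive extraction"},
	{"EXAMPLE-0002", "example.com/demo/lib/v2", "v2.0.0-alpha1", "v2.0.0", "CRITICAL", "authentication bypass"},
	{"EXAMPLE-0003", "example.com/demo/safe", "v3.0.0", "v3.1.0", "MEDIUM", "denial of service"},
	{"EXAMPLE-0004", "example.com/demo/single", "v1.0.0", "", "LOW", "information leak in error messages"},
}

func main() {
	fmt.Print(Report(Scan(ParseGoMod(sampleGoMod), sampleDB)))
}
```

Running it reports three findings: the two example.com/demo/lib modules (one sitting below the fixed version, one on a pre-release of the fixed version, which is still affected) and example.com/demo/single, which has no fix yet. example.com/demo/safe is not reported because v3.1.0 is exactly the fixed version, and the fixed bound is exclusive. Two details matter in a real scanner and are easy to get wrong: pre-release ordering (v2.0.0-beta1 must count as older than v2.0.0) and ignoring the "+incompatible" suffix when comparing.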

Supported languages

Dependency scanning in Gitea Enterprise supports the major programming languages, making it applicable to a wide range of projects. Reports are derived from the lockfile or manifest committed to the repository, so make sure the relevant file from the table below is present. Note that go.mod and pom.xml are dependency manifests rather than fully resolved lockfiles.

Language      Lockfiles
C/C++         conan.lock
Dart          pubspec.lock
Elixir        mix.lock
Go            go.mod
Java          buildscript-gradle.lockfile, gradle.lockfile, pom.xml
JavaScript    package-lock.json, pnpm-lock.yaml, yarn.lock
PHP           composer.lock
Python        Pipfile.lock, poetry.lock

Give it a try

Want to try it out, but your code is so secure that it has no vulnerable dependencies?

No worries, we have prepared a demo for you. Save the following go.mod file to the root of your repository and push it to your Gitea Enterprise instance. It pins a long list of modules to old versions so that the scanner has plenty to report; do not use it as the basis of a real project.

go.mod
module test

go 1.21

require (
code.sajari.com/docconv v1.0.0
filippo.io/nistec v0.0.1
github.com/AndrewBurian/powermux v1.0.0
github.com/Masterminds/goutils v1.0.1
github.com/Masterminds/vcs v1.10.0
github.com/antchfx/xmlquery v1.0.0
github.com/apache/thrift v0.12.0
github.com/argoproj/argo-cd/v2 v2.0.0
github.com/argoproj/argo-events v0.13.0
github.com/artdarek/go-unzip v1.0.0
github.com/astaxie/beego v0.6.0
github.com/aws/aws-sdk-go v0.10.0
github.com/beego/beego v0.6.0
github.com/beego/beego/v2 v2.0.0
github.com/binance-chain/tss-lib v1.0.0
github.com/biscuit-auth/biscuit-go v1.0.0
github.com/blevesearch/bleve v0.1.0
github.com/blevesearch/bleve/v2 v2.0.0
github.com/bnb-chain/tss-lib v1.0.0
github.com/bradleyfalzon/ghinstallation v0.1.0
github.com/btcsuite/btcd v0.20.0-beta
github.com/buger/jsonparser v1.0.0
github.com/bytom/bytom v0.1.0
github.com/caddyserver/caddy/v2 v2.0.0
github.com/cloudflare/cfrpki v1.1.0
github.com/cloudflare/circl v1.0.0
github.com/cloudwego/hertz v0.0.1
github.com/codenotary/immudb v0.0.0-20200206
github.com/cometbft/cometbft v0.34.27
github.com/consensys/gnark v0.1.0-alpha
github.com/consensys/gnark-crypto v0.0.1
github.com/containerd/containerd v0.1.0
github.com/containerd/imgcrypt v1.0.0
github.com/containernetworking/cni v0.1.0
github.com/containers/buildah v0.16.0
github.com/containers/image v1.5.1
github.com/containers/podman/v4 v4.0.0
github.com/containers/psgo v1.2.0
github.com/containers/storage v0.21.1
github.com/containrrr/shoutrrr v0.3.0
github.com/corazawaf/coraza/v2 v2.0.0
github.com/corazawaf/coraza/v3 v3.0.0
github.com/cortexproject/cortex v0.1.0
github.com/cosmos/cosmos-sdk v0.0.2
github.com/cosmos/ibc-go/v4 v4.0.0-rc0
github.com/cosmos/ibc-go/v5 v5.0.0-beta1
github.com/cosmos/ibc-go/v6 v6.0.0-alpha1
github.com/cosmos/ibc-go/v7 v7.0.0-beta2
github.com/crewjam/saml v0.3.0
github.com/crossplane/crossplane-runtime v0.1.0
github.com/cyphar/filepath-securejoin v0.1.0
github.com/dablelv/go-huge-util v0.0.1
github.com/deislabs/oras v0.1.0
github.com/dgrijalva/jwt-go v1.0.0
github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
github.com/dinever/golf v0.1.0
github.com/distribution/distribution v2.0.0+incompatible
github.com/docker/distribution v2.0.0+incompatible
github.com/documize/community v0.14.1
github.com/duke-git/lancet v1.0.0
github.com/duke-git/lancet/v2 v2.0.0
github.com/ecnepsnai/web v1.10.0
github.com/elastic/beats v0.1.0
github.com/emicklei/go-restful v1.0.0
github.com/emicklei/go-restful/v2 v2.7.1
github.com/emicklei/go-restful/v3 v3.0.0
github.com/ethereum/go-ethereum v0.4.1
github.com/evanphx/json-patch v0.5.2
github.com/facebook/fbthrift v0.20.0
github.com/filebrowser/filebrowser/v2 v2.0.0
github.com/fluxcd/helm-controller/api v0.0.10
github.com/fluxcd/image-automation-controller/api v0.1.0
github.com/fluxcd/image-reflector-controller/api v0.1.0
github.com/fluxcd/kustomize-controller/api v0.0.10
github.com/fluxcd/notification-controller/api v0.0.10
github.com/fluxcd/source-controller/api v0.0.10
github.com/flynn/noise v1.0.0
github.com/flyteorg/flyteadmin v0.1.0
github.com/free5gc/aper v1.0.0
github.com/gagliardetto/binary v0.2.0
github.com/gin-gonic/gin v1.1.1
github.com/git-lfs/git-lfs v0.1.0
github.com/go-jose/go-jose/v3 v3.0.0
github.com/go-macaron/i18n v0.5.0
github.com/go-resty/resty/v2 v2.0.0
github.com/go-yaml/yaml v2.0.0+incompatible
github.com/goadesign/goa v1.0.0
github.com/gofiber/fiber v0.6.9
github.com/gofiber/fiber/v2 v2.0.0
github.com/gogits/gogs v0.10.1
github.com/gogo/protobuf v1.0.0
github.com/google/fscrypt v0.1.0
github.com/google/go-attestation v0.1.1
github.com/google/go-tpm v0.0.1
github.com/gookit/goutil v0.1.0
github.com/goreleaser/nfpm/v2 v2.0.0
github.com/gorilla/handlers v1.2.1
github.com/gorilla/websocket v1.0.0
github.com/grafana/google-sheets-datasource v0.1.0
github.com/graph-gophers/graphql-go v1.0.0
github.com/graphql-go/graphql v0.4.18
github.com/hakobe/paranoidhttp v0.1.0
github.com/hamba/avro v0.0.1
github.com/hamba/avro/v2 v2.0.0
github.com/hashicorp/consul-template v0.1.0
github.com/hashicorp/go-getter v1.0.0
github.com/hashicorp/go-getter/gcs/v2 v2.0.2
github.com/hashicorp/go-getter/s3/v2 v2.0.2
github.com/hashicorp/go-getter/v2 v2.0.0
github.com/hashicorp/go-slug v0.1.0
github.com/hashicorp/vault v0.1.0
github.com/holiman/uint256 v0.1.0
github.com/hybridgroup/gobot v0.11.0
github.com/ipfs/go-bitfield v1.0.0
github.com/ipfs/go-bitswap v0.0.1
github.com/ipfs/go-libipfs v0.1.0
github.com/ipfs/go-merkledag v0.0.1
github.com/ipfs/go-unixfs v0.0.1
github.com/ipfs/go-unixfsnode v1.0.0
github.com/ipld/go-car v0.0.1
github.com/ipld/go-car/v2 v2.0.0
github.com/ipld/go-codec-dagpb v1.0.0
github.com/ipld/go-ipld-prime v0.0.1
github.com/justinas/nosurf v1.0.0
github.com/kataras/iris v0.0.1
github.com/kataras/iris/v12 v12.2.0
github.com/kitabisa/teler-waf v0.0.1
github.com/kyverno/kyverno v0.1.0
github.com/labstack/echo/v4 v4.0.0
github.com/lestrrat-go/jwx v0.9.0
github.com/lestrrat-go/jwx/v2 v2.0.0
github.com/libp2p/go-libp2p v0.0.1
github.com/lxc/lxd v0.1.0
github.com/malfunkt/iprange v0.9.0
github.com/mastercactapus/proxyprotocol v0.0.1
github.com/mholt/caddy v0.10.0
github.com/microcosm-cc/bluemonday v1.0.26
github.com/miekg/dns v1.0.0
github.com/moov-io/signedxml v1.0.0
github.com/nats-io/jwt v0.0.3
github.com/nats-io/jwt/v2 v2.0.0
github.com/nats-io/nats-server/v2 v2.0.0
github.com/nats-io/nkeys v0.0.1
github.com/notaryproject/notation-go v0.10.0-alpha.3
github.com/ntbosscher/gobase v0.1.0
github.com/oam-dev/kubevela v0.0.1
github.com/open-policy-agent/opa v0.15.0
github.com/opencontainers/runc v0.0.1
github.com/opencontainers/selinux v1.0.0
github.com/openfga/openfga v0.0.1
github.com/openshift/osin v1.0.0
github.com/openshift/source-to-image v0.5.1
github.com/ory/fosite v0.1.0
github.com/pandatix/go-cvss v0.1.0
github.com/peterzen/goresolver v1.0.0
github.com/pion/dtls v1.0.0
github.com/pion/dtls/v2 v2.0.0
github.com/pion/webrtc/v3 v3.0.0
github.com/pires/go-proxyproto v0.1.3
github.com/pomerium/pomerium v0.0.1
github.com/proglottis/gpgme v0.1.0
github.com/projectdiscovery/nuclei/v2 v2.0.0
github.com/prometheus/client_golang v0.12.1
github.com/prometheus/exporter-toolkit v0.1.0
github.com/quay/claircore v0.0.1
github.com/quic-go/quic-go v0.10.0
github.com/rancher/rancher v0.10.0
github.com/rancher/wrangler v0.1.0
github.com/revel/revel v0.10.0
github.com/robbert229/jwt v1.0.0
github.com/rs/cors v1.10.0
github.com/runatlantis/atlantis v0.1.0
github.com/russellhaering/gosaml2 v0.1.0
github.com/russellhaering/goxmldsig v1.1.0
github.com/sagernet/sing v0.1.0
github.com/sassoftware/go-rpmutils v0.1.0
github.com/satori/go.uuid v1.0.0
github.com/seccomp/libseccomp-golang v0.10.0
github.com/shamaton/msgpack/v2 v2.0.0
github.com/sigstore/cosign v0.1.0
github.com/sigstore/cosign/v2 v2.0.0
github.com/sjqzhang/go-fastdfs v1.0.1
github.com/square/go-jose v1.0.0
github.com/superfly/tokenizer v0.0.1
github.com/supranational/blst v0.1.0
github.com/sylabs/scs-library-client v0.0.1
github.com/sylabs/sif/v2 v2.0.0
github.com/tendermint/tendermint v0.0.0
github.com/theupdateframework/go-tuf v0.1.0
github.com/tidwall/gjson v1.0.0
github.com/uber/kraken v0.1.0
github.com/ulikunitz/xz v0.3.1
github.com/unknwon/cae v0.0.1
github.com/usememos/memos v0.0.1
github.com/valyala/fasthttp v0.1.0
github.com/weaviate/weaviate v0.22.18
github.com/ydb-platform/ydb-go-sdk/v3 v3.0.0
github.com/yi-ge/unzip v1.0.0
github.com/zalando/skipper v0.10.0
go.elastic.co/apm v0.4.0
go.etcd.io/etcd v0.1.0
go.mongodb.org/mongo-driver v0.0.1
go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful v0.12.0
go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.12.0
go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.12.0
go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho v0.12.0
go.opentelemetry.io/contrib/instrumentation/gopkg.in/macaron.v1/otelmacaron v0.12.0
go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.12.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.12.0
goa.design/goa v1.0.0
goa.design/goa/v3 v3.0.0
golang.org/x/crypto v0.1.0
golang.org/x/image v0.1.0
golang.org/x/net v0.1.0
golang.org/x/sys v0.1.0
golang.org/x/text v0.1.0
google.golang.org/grpc v1.0.0
google.golang.org/protobuf v1.20.0
gopkg.in/macaron.v1 v1.0.1
gopkg.in/square/go-jose.v1 v1.0.0
gopkg.in/yaml.v2 v2.0.0
gopkg.in/yaml.v3 v3.0.0
helm.sh/helm/v3 v3.0.0
k8s.io/apimachinery v0.15.10
k8s.io/client-go v0.15.10
k8s.io/kube-state-metrics v0.1.0
k8s.io/kubernetes v0.10.0
mellium.im/sasl v0.0.1
mellium.im/xmpp v0.0.1
sigs.k8s.io/secrets-store-csi-driver v0.0.1
vitess.io/vitess v0.10.0
)

Then navigate to the repository's Security tab to see the scanning result. If no report is shown yet, wait a while: the scan runs asynchronously after the push and may take some time. Once it completes, you will see a list of reports:

(Screenshot: vulnerability list)

You can click on the report to see the details of the vulnerability:

(Screenshot: vulnerability detail)

We hope you never see such reports on your own projects, since that means your dependencies are free of known vulnerabilities. But if problems do occur, Gitea Enterprise helps you find them and fix them in time.