Supply Chain Security

Supply chain - all libraries and tools used to develop, build and publish

Supply chain security - enhance the security within the supply chain

Supply chain attack - exploit of a vulnerability in the supply chain

Your responsibilities

Make sure you are not part of the problem

Ship a secure product

Check where you get stuff from

Your risk

Supply chain security cannot be solved recursively: you can vet your direct suppliers, but each of them has a supply chain of their own


Automated updates of dependencies

Container image available

No integration with GitLab


Pipeline job, optionally based on the official template

Process running separate from GitLab instance

Self-hosted Renovate (formerly paid product)


See chapter Renovate

Pro tip: Automerge

Renovate can automatically merge updates


The merge request must have completed a pipeline successfully

The configuration must allow automerge

Slow start

Do not enable automerge globally

Start with specific dependencies…

…or patch-level updates

Pro tip: Use slim image

Image is smaller and loads faster

Tools are not pre-installed…

…but installed on-demand…

…natively or using container sidecars

  # Job name assumed; the slide showed only the image and script keys
  renovate:
    image: renovate/renovate:slim
    script: |
      renovate --platform gitlab \
          --endpoint ${CI_API_V4_URL} \
          --token ${RENOVATE_TOKEN}

Request tool versions using the constraints configuration

Or use tool-specific directives, such as the engines field in package.json for npm
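As an added example (not taken from the slides or from the Renovate project), the following renovate.json5 combines the "slow start" automerge policy from the Automerge section with the constraints request from the slim-image section. Renovate reads renovate.json5 so the file can carry comments; the package name and the version constraints are placeholders chosen for illustration.

```json5
// renovate.json5: constructed example configuration
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  // Global default: no automerge. Every update still opens a merge request for review.
  "automerge": false,
  // When automerge does apply, merge through the merge request and only after
  // its pipeline has succeeded (ignoreTests stays at its default of false).
  "automergeType": "pr",
  "ignoreTests": false,

  "packageRules": [
    {
      // Step 1 of the slow start: patch-level updates (1.2.3 -> 1.2.4) may automerge.
      "matchUpdateTypes": ["patch"],
      "automerge": true
    },
    {
      // Step 2: one specific, low-risk dependency (placeholder name) may also
      // automerge minor updates. Add packages here one at a time.
      "matchPackageNames": ["example-lint-tool"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ],

  // Tool versions for the slim image to install on demand (assumed values).
  // Projects with an engines field in package.json get node from there instead.
  "constraints": {
    "node": "^20.0.0",
    "python": "3.12"
  }
}
```

Major updates never match either rule, so they fall back to the global "automerge": false and always wait for a human. Widening the policy later means adding a package name or an update type to a rule, not flipping the global switch.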