
Overview

The Hopper GitLab integration connects to GitLab.com or self-managed instances using read-only Git access to scan your codebase and dependencies. It identifies only exploitable vulnerabilities through function-level reachability, flags license violations, and generates SBOMs—all without modifying code, requiring CI/CD integration, or disrupting developer workflows.

Capabilities

  • Auto-discovers GitLab repositories via group- or project-level access
  • Clones source code over Git (HTTPS or SSH) for static analysis
  • Detects direct and transitive open-source dependencies
  • Identifies only exploitable vulnerabilities using function-level reachability
  • Detects license violations based on organizational policy
  • Generates SBOMs in SPDX and CycloneDX format
  • Provides developer-centric remediation guidance including call graphs and fix effort

Requirements

  • Hopper account
  • GitLab.com or a self-managed GitLab instance
  • A GitLab user or machine account with:
    • the read_repository scope (via a Personal Access Token or an OAuth application)
    • Access to the relevant groups or projects

Setup Instructions

  1. Log in to the Hopper platform.
  2. Navigate to Integrations > GitLab.
  3. Enter a GitLab access token that carries the read_repository scope.
  4. Hopper will begin cloning and analyzing repositories immediately—no CI/CD configuration required.
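Before pasting a token into the integration, confirm it is as narrowly scoped as the steps above assume and that it can actually read the repositories you expect. The pre-flight check below is an added example, not Hopper's code: it calls GitLab's own GET /api/v4/personal_access_tokens/self endpoint (GitLab 15.5 and later) to read back the token's scopes, state and expiry, applies a read-only allow-list, and proves clone access with git ls-remote without ever placing the token in a URL or on a command line. The base URL, the project clone URL and the GITLAB_TOKEN environment variable name are placeholders you supply.

```python
"""Pre-flight check for a GitLab token before handing it to a read-only scanner.

Added example, not Hopper's code.  Uses GitLab's public REST endpoint
GET /api/v4/personal_access_tokens/self to describe the token, then proves
read access with `git ls-remote`.  Run as:
    GITLAB_TOKEN=glpat-... python check_token.py https://gitlab.com https://gitlab.com/group/project.git
(host, project path and the GITLAB_TOKEN variable name are assumptions).
"""
import json
import os
import subprocess
import sys
import urllib.request
from datetime import date

# Least-privilege allow-list for a read-only integration.  read_repository is what
# the setup steps ask for.  read_api is tolerated because GitLab's project-listing
# API (needed to auto-discover repositories in a group) is not covered by
# read_repository; anything else (api, write_repository, sudo, ...) is excess.
REQUIRED_SCOPES = {"read_repository"}
ALLOWED_SCOPES = {"read_repository", "read_api"}


def audit_token(info: dict, today: str = "") -> list[str]:
    """Return findings for the token described by `info` (the JSON body GitLab
    returns from /personal_access_tokens/self).  An empty list means the token
    is acceptable.  `today` is an ISO date; it defaults to the current date and
    is a parameter so the check can be exercised without a clock."""
    today = today or date.today().isoformat()
    findings = []
    scopes = set(info.get("scopes", []))
    if info.get("revoked") or not info.get("active", True):
        findings.append("token is revoked or inactive")
    missing = REQUIRED_SCOPES - scopes
    if missing:
        findings.append("missing required scope(s): " + ", ".join(sorted(missing)))
    excess = scopes - ALLOWED_SCOPES
    if excess:
        findings.append("over-privileged scope(s): " + ", ".join(sorted(excess)))
    expires = info.get("expires_at")
    if not expires:
        findings.append("token has no expiry date")
    elif date.fromisoformat(expires) <= date.fromisoformat(today):
        findings.append(f"token expired on {expires}")
    return findings


def fetch_token_info(base_url: str, token: str) -> dict:
    """Ask GitLab to describe the token we are about to hand out (network call)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/personal_access_tokens/self",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def can_clone(clone_url: str, token: str) -> bool:
    """Prove read access with `git ls-remote`.  The token reaches git through a
    one-off credential helper that reads an environment variable, so it never
    appears in the URL, in shell history, in `ps` output or in git's own traces.
    The empty `credential.helper=` first clears helpers inherited from global
    config, so a cached credential cannot mask a broken token."""
    helper = '!f() { echo username=oauth2; echo "password=$GITLAB_TOKEN"; }; f'
    result = subprocess.run(
        ["git", "-c", "credential.helper=", "-c", f"credential.helper={helper}",
         "ls-remote", "--heads", clone_url],
        env={**os.environ, "GITLAB_TOKEN": token, "GIT_TERMINAL_PROMPT": "0"},
        capture_output=True, text=True,
    )
    return result.returncode == 0


if __name__ == "__main__":
    base_url, clone_url = sys.argv[1], sys.argv[2]
    token = os.environ["GITLAB_TOKEN"]
    problems = audit_token(fetch_token_info(base_url, token))
    for p in problems:
        print("FAIL:", p)
    print("clone access:", "ok" if can_clone(clone_url, token) else "denied")
    sys.exit(1 if problems else 0)
```

A token that passes audit_token with no findings and returns branch heads from ls-remote is ready to hand over; a token that lists api or write_repository should be recreated rather than trimmed, since a scanner only needs to read.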

Permissions

Hopper uses read-only access and requires only the following:

  • Read access to repository metadata (names, paths, branches)
  • Read access to file contents for static analysis

Note that GitLab's read_repository scope covers Git-over-HTTPS clones and the Repository Files API only; enumerating a group's projects through the GitLab REST API needs the read_api scope. If you rely on auto-discovery, check the scopes the token actually carries rather than assuming read_repository alone is enough.

The integration does not:

  • Modify any code, commits, or branches
  • Require admin access or write permissions
  • Access your CI pipelines, secrets, or deployment infrastructure

Security and Data Handling

  • Hopper connects over HTTPS or SSH; HTTPS connections authenticate with the GitLab access token you supplied.
  • Source code is cloned temporarily for analysis and is not stored persistently.
  • All analysis occurs in memory or isolated environments, and no files are written back to GitLab.
  • Hopper does not access CI/CD jobs or build environments.

When used alongside a build or artifact integration (e.g., JFrog), Hopper may correlate results across source and binary analysis.

Output

The GitLab integration generates the following output in the Hopper platform:

  • Reachable vulnerabilities with:
    • CVE ID, severity, package name and version
    • Call graphs and file/function usage context
    • Fix effort estimates and upgrade recommendations

  • License policy violations
    • Flagged by license type (e.g., GPL, AGPL, LGPL)
    • Linked to specific dependencies and affected paths

  • Exportable SBOMs
    • Formats: SPDX and CycloneDX
    • Includes full dependency tree with license and version info
  • Detailed repository-level risk dashboards
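How a license policy is applied to an exported SBOM, as an added example (not Hopper's code and not its policy engine): it reads a CycloneDX JSON document, in which each component records its licenses as an SPDX id, a free-text name or an SPDX expression, and flags components that match a deny-list of the copyleft families named above (GPL, AGPL, LGPL). The deny-list, the sample BOM and its package names are constructed for the example; the page describes Hopper's export only by format name.

```python
"""Apply an organisational license policy to a CycloneDX JSON SBOM.

Added example, not Hopper's code.  The BOM layout follows the public CycloneDX
JSON schema (components[].licenses[] holding either license.id / license.name
or an SPDX `expression`); the deny-list and the sample BOM are constructed.
"""
import json
import re

# Policy: copyleft families the organisation does not allow in shipped code.
# Matching is by SPDX identifier prefix, so GPL-2.0-only, GPL-3.0-or-later,
# AGPL-3.0-only and LGPL-2.1-only are all caught by the three prefixes.
DENIED_PREFIXES = ("GPL-", "AGPL-", "LGPL-")
SPDX_OPERATORS = {"OR", "AND", "WITH"}


def component_licenses(component: dict) -> list[str]:
    """Collect the license identifiers attached to one CycloneDX component."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            # SPDX expression such as "MIT OR GPL-2.0-only": keep the ids, drop operators.
            tokens = re.findall(r"[A-Za-z0-9.+-]+", entry["expression"])
            found.extend(t for t in tokens if t.upper() not in SPDX_OPERATORS)
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return found


def is_denied(license_id: str) -> bool:
    return license_id.upper().startswith(DENIED_PREFIXES)


def policy_violations(sbom: dict) -> list[dict]:
    """Return one record per component carrying a denied license.

    Deliberately conservative: "MIT OR LGPL-2.1-only" is flagged even though the
    MIT branch could be elected, so a human resolves dual-licensed packages.
    """
    violations = []
    for comp in sbom.get("components", []):
        bad = sorted({lic for lic in component_licenses(comp) if is_denied(lic)})
        if bad:
            violations.append({
                "name": comp.get("name"),
                "version": comp.get("version"),
                "purl": comp.get("purl"),
                "licenses": bad,
            })
    return violations


# Constructed sample BOM (not a real export); package names are fictional and
# cover the three shapes a CycloneDX license entry can take.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "permissive-http", "version": "2.31.0",
     "purl": "pkg:pypi/permissive-http@2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "copyleft-bindings", "version": "1.0.0",
     "purl": "pkg:pypi/copyleft-bindings@1.0.0",
     "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
    {"type": "library", "name": "dualpkg", "version": "0.4.2",
     "purl": "pkg:npm/dualpkg@0.4.2",
     "licenses": [{"expression": "MIT OR LGPL-2.1-only"}]},
    {"type": "library", "name": "vendored-thing", "version": "3.1",
     "licenses": [{"license": {"name": "Proprietary, see LICENSE.txt"}}]}
  ]
}
""")

if __name__ == "__main__":
    for v in policy_violations(SAMPLE_SBOM):
        print(f"{v['name']}@{v['version']}: {', '.join(v['licenses'])}  ({v['purl']})")
```

Running it against the sample reports copyleft-bindings (GPL-3.0-or-later) and dualpkg (LGPL-2.1-only) and leaves the Apache-2.0 and proprietary components alone; the same loop over a real export gives you an independent check on the violations the platform reports.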

Support

For troubleshooting or technical questions, contact: support@hopper.security