- Attack surface
- Duplicate finding
- False positive
- Insignificant finding
- Location fingerprint
- Pipeline Security tab
- Primary identifier
- Report finding
- Scan type (report type)
- Secure product
- Secure report format
- Security Dashboard
- Seed corpus
- Vulnerability finding
- Vulnerability tracking
- Vulnerability occurrence
This terminology list for GitLab Secure and Protect aims to:
- Promote a ubiquitous language for discussing application security.
- Improve the effectiveness of communication regarding GitLab application security features.
- Get new contributors up to speed faster.
This document defines application security terms in the specific context of GitLab Secure and Protect features. Terms may therefore have different meanings outside that context.
Software that performs a scan. The scan analyzes an attack surface for vulnerabilities and produces a report containing findings. Reports adhere to the Secure report format.
Analyzers integrate into GitLab using a CI job. The report produced by the analyzer is published as an artifact after the job is complete. GitLab ingests this report, allowing users to visualize and manage found vulnerabilities. For more information, see Security Scanner Integration.
Many GitLab analyzers follow a standard approach using Docker to run a wrapped scanner. For example,
the Docker image
bandit-sast is an analyzer that wraps the scanner
Bandit. You can optionally
use the Common library
to assist in building an Analyzer.
The different places in an application that are vulnerable to attack. Secure products discover and search the attack surface during scans. Each product defines the attack surface differently. For example, SAST uses files and line numbers, and DAST uses URLs.
The set of meaningful test cases that are generated while the fuzzer is running. Each meaningful test case produces new coverage in the tested program. It’s advised to re-use the corpus and pass it to subsequent runs.
Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cybersecurity vulnerabilities. The list is managed by the Mitre Corporation.
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weakness types that have security ramifications. Weaknesses are flaws, faults, bugs, vulnerabilities, or other errors in software or hardware implementation, code, design, or architecture. If left unaddressed, weaknesses could result in systems, networks, or hardware being vulnerable to attack. The CWE List and associated classification taxonomy serve as a language that you can use to identify and describe these weaknesses in terms of CWEs.
A legitimate finding that is reported multiple times. This can occur when different scanners discover the same finding, or when a single scan inadvertently reports the same finding more than once.
A finding that doesn’t exist but is incorrectly reported as existing.
Feedback the user provides about a finding. Types of feedback include dismissal, creating an issue, or creating a merge request.
An asset that has the potential to be vulnerable, identified in a project by an analyzer. Assets include but are not restricted to source code, binary packages, containers, dependencies, networks, applications, and infrastructure.
Findings are all potential vulnerability items scanners identify in MRs/feature branches. Only after merging to default does a finding become a vulnerability.
A legitimate finding that a particular customer doesn’t care about.
A finding’s location fingerprint is a text value that’s unique for each location on the attack surface. Each Secure product defines this according to its type of attack surface. For example, SAST incorporates file path and line number.
A page that displays findings discovered in the associated CI pipeline.
A finding’s primary identifier is a value unique to that finding. The external type and external ID of the finding’s first identifier combine to create the value.
Examples of primary identifiers include
PluginID for OWASP Zed Attack Proxy (ZAP), or
Trivy. Note that the identifier must be stable. Subsequent scans must return the same value for the
same finding, even if the location has slightly changed.
The type of scan. This must be one of the following:
Software that can scan for vulnerabilities. The resulting scan report is typically not in the Secure report format. Examples include ESLint, Trivy, and ZAP.
A group of features related to a specific area of application security with first-class support by GitLab. Products include Container Scanning, Dependency Scanning, Dynamic Application Security Testing (DAST), Secret Detection, Static Application Security Testing (SAST), and Fuzz Testing. Each of these products typically include one or more analyzers.
A standard report format that Secure products comply with when creating JSON reports. The format is described by a JSON schema.
Provides an overview of all the vulnerabilities for a project, group, or GitLab instance. Vulnerabilities are only created from findings discovered on the project’s default branch.
The set of test cases given as initial input to the fuzz target. This usually speeds up the fuzz target substantially. This can be either manually created test cases or auto-generated with the fuzz target itself from previous runs.
The party maintaining an analyzer. As such, a vendor is responsible for integrating a scanner into GitLab and keeping it compatible as they evolve. A vendor isn’t necessarily the author or maintainer of the scanner, as in the case of using an open core or OSS project as a base solution of an offering. For scanners included as part of a GitLab distribution or GitLab subscription, the vendor is listed as GitLab.
A flaw that has a negative impact on the security of its environment. Vulnerabilities describe the error or weakness, and don’t describe where the error is located (see finding). Each vulnerability maps to a unique finding.
Vulnerabilities exist in the default branch. Findings (see finding) are all potential vulnerability items scanners identify in MRs/feature branches. Only after merging to default does a finding become a vulnerability.
Deals with the responsibility of matching findings across scans so that a finding’s life cycle can be understood. Engineers and security teams use this information to decide whether to merge code changes, and to see unresolved findings and when they were introduced. Vulnerabilities are tracked by comparing the location fingerprint, primary identifier, and report type.
Deprecated, see finding.