Security Configuration

Version history

The Security Configuration page lists the following for the security testing and compliance tools:

  • Name, description, and a documentation link.
  • Whether or not it is available.
  • A configuration button or a link to its configuration guide.

The status of each security control is determined by the project’s latest default branch CI pipeline. If a job with the expected security report artifact exists in the pipeline, the feature’s status is enabled.

If the latest pipeline used Auto DevOps, all security features are configured by default.

To view a project’s security configuration:

  1. On the top bar, select Menu > Projects and find your project.
  2. On the left sidebar, select Security & Compliance > Configuration.

Select Configuration history to see the .gitlab-ci.yml file’s history.

Security testing

You can configure the following security controls:

  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
    • Select Enable DAST to configure DAST for the current project.
    • Select Manage scans to manage the saved DAST scans, site profiles, and scanner profiles. For more details, read DAST on-demand scans.
  • Dependency Scanning
  • Container Scanning
  • Cluster Image Scanning
  • Secret Detection
  • API Fuzzing
    • Select Enable API Fuzzing to use API Fuzzing for the current project. For more details, read API Fuzzing.
  • Coverage Fuzzing
    • Can be configured with .gitlab-ci.yml. For more details, read Coverage Fuzzing.


You can configure the following security controls:

  • License Compliance