Vulnerability management policy

Tier: Ultimate. Offering: GitLab.com, Self-managed, GitLab Dedicated.
The availability of this feature is controlled by a feature flag. For more information, see the history.

Use a vulnerability management policy to automatically resolve vulnerabilities that are no longer detected. This can help reduce the workload of triaging vulnerabilities.

When a scanner detects a vulnerability on the default branch, the scanner creates a vulnerability record with the status Needs triage. After the vulnerability has been remediated and the next security scan runs, the scan adds a No longer detected entry to the record's activity log, but the record's status does not change. You can change the status to Resolved either manually or by using a vulnerability management policy. Using a vulnerability management policy ensures that the rules are applied consistently. For example, you can create a policy that marks as Resolved only those vulnerabilities that are no longer detected on the default branch, were reported by SAST, and are of low risk.

The vulnerability management policy is applied when a pipeline runs against the default branch. For each vulnerability that is no longer detected and matches the policy’s rules:

  • The vulnerability record’s status is set to Resolved by the GitLab Security Policy Bot user.
  • A note about the status change is added to the vulnerability’s record.

To limit the pipeline load and duration, a maximum of 1,000 vulnerabilities per pipeline are set to status Resolved. This repeats in each pipeline until all vulnerabilities that are no longer detected are marked Resolved.
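The following is an added illustration of the evaluation loop described above; it is not GitLab's own code. The policy shape (a `no_longer_detected` rule type with `scanners` and `severity_levels` filters) and the record fields are assumptions chosen to mirror the page's description, while the default-branch condition, the 1,000-per-pipeline cap, the repeat across pipelines, and the note attributed to the GitLab Security Policy Bot come from the page.

```python
"""Simulated vulnerability management policy evaluation (illustration only).

Assumed: the policy dict layout and the Vulnerability fields below.
From the page: the policy runs only for default-branch pipelines, resolves at
most 1,000 matching records per pipeline, repeats in later pipelines, and adds
a note to each record whose status changes.
"""
from dataclasses import dataclass, field

BOT_USER = "GitLab Security Policy Bot"
MAX_RESOLVED_PER_PIPELINE = 1000


@dataclass
class Vulnerability:
    id: int
    scanner: str            # assumed values, e.g. "sast", "dependency_scanning"
    severity: str           # assumed values, e.g. "low", "medium", "high"
    status: str = "needs_triage"
    no_longer_detected: bool = False
    notes: list = field(default_factory=list)


# Assumed policy layout: rules match records that are no longer detected AND
# whose scanner / severity appear in the rule's filter lists.
POLICY = {
    "name": "Auto-resolve stale low-severity SAST findings",
    "enabled": True,
    "rules": [
        {"type": "no_longer_detected", "scanners": ["sast"], "severity_levels": ["low"]},
    ],
}


def rule_matches(rule, vuln):
    """True when the record satisfies every filter the rule specifies."""
    if rule["type"] != "no_longer_detected" or not vuln.no_longer_detected:
        return False
    if rule.get("scanners") and vuln.scanner not in rule["scanners"]:
        return False
    if rule.get("severity_levels") and vuln.severity not in rule["severity_levels"]:
        return False
    return True


def apply_policy(policy, vulns, branch, default_branch="main"):
    """Evaluate one pipeline run; returns the ids resolved in this run."""
    if branch != default_branch or not policy["enabled"]:
        return []
    resolved = []
    for v in vulns:
        if len(resolved) >= MAX_RESOLVED_PER_PIPELINE:
            break  # remaining matches wait for the next default-branch pipeline
        if v.status == "resolved":
            continue
        if any(rule_matches(r, v) for r in policy["rules"]):
            v.status = "resolved"
            v.notes.append(f"Status changed to Resolved by {BOT_USER} (policy: {policy['name']})")
            resolved.append(v.id)
    return resolved


def run_until_settled(policy, vulns, default_branch="main"):
    """Run default-branch pipelines until nothing changes; returns per-run counts."""
    counts = []
    while True:
        n = len(apply_policy(policy, vulns, default_branch, default_branch))
        if n == 0:
            return counts
        counts.append(n)


def demo():
    # Constructed sample: 1,500 stale low-severity SAST records plus three that
    # must not match (wrong severity, wrong scanner, still detected).
    vulns = [Vulnerability(i, "sast", "low", no_longer_detected=True) for i in range(1500)]
    vulns.append(Vulnerability(9001, "sast", "high", no_longer_detected=True))
    vulns.append(Vulnerability(9002, "dependency_scanning", "low", no_longer_detected=True))
    vulns.append(Vulnerability(9003, "sast", "low", no_longer_detected=False))
    counts = run_until_settled(POLICY, vulns)
    unresolved = [v.id for v in vulns if v.status != "resolved"]
    return counts, unresolved


if __name__ == "__main__":
    print(demo())  # ([1000, 500], [9001, 9002, 9003])
```

Running `demo()` shows the cap in action: the first pipeline resolves 1,000 records, the second resolves the remaining 500, and the three records that fail a filter keep their Needs triage status. A feature-branch pipeline (`apply_policy(POLICY, vulns, "feature")`) resolves nothing.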

Restrictions

  • You can assign a maximum of five rules to each policy.
  • You can assign a maximum of five vulnerability management policies to each security policy project.

Create a vulnerability management policy

Create a vulnerability management policy to automatically resolve vulnerabilities matching specific criteria.

Prerequisites:

  • By default, only group, subgroup, or project Owners have the permissions required to create or assign a security policy project. This can be changed using custom roles.

To create a vulnerability management policy:

  1. On the left sidebar, select Search or go to and find your project.
  2. Go to Secure > Policies.
  3. Select New policy.
  4. In Vulnerability management policy, select Select policy.
  5. Complete the fields and set the policy’s status to Enabled.
  6. Select Configure with a merge request.
  7. Review and merge the merge request.

After the vulnerability management policy has been created, the policy rules are applied to pipelines on the default branch.

Edit a vulnerability management policy

Edit a vulnerability management policy to change its rules.

  1. On the left sidebar, select Search or go to and find your project.
  2. Go to Secure > Policies.
  3. In the policy’s row, select Edit.
  4. Edit the policy’s details.
  5. Select Configure with a merge request.
  6. Review and merge the merge request.

The vulnerability management policy has been updated. When a pipeline next runs against the default branch, the policy’s rules are applied.

Schema

When a vulnerability management policy is created or edited, it’s checked against the vulnerability management policy schema to confirm it’s valid.
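As an added example of the kind of check the schema performs, the function below validates a policy document before it is merged. It is not GitLab's schema validator: the only limits it enforces are the two stated in the Restrictions section (at most five rules per policy, at most five policies per security policy project), and the field names it checks (`vulnerability_management_policy`, `name`, `enabled`, `rules`, `type`) are assumptions mirroring the policy layout used in the earlier illustration.

```python
"""Pre-merge sanity check for a vulnerability management policy document.

Illustration only; field names are assumed. The numeric limits are the ones
the page states in its Restrictions section.
"""
MAX_RULES_PER_POLICY = 5
MAX_POLICIES_PER_PROJECT = 5
ALLOWED_RULE_TYPES = {"no_longer_detected"}  # assumed rule type name


def validate_policy(policy):
    """Return a list of problems found in one policy (empty means valid)."""
    errors = []
    name = policy.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append("name must be a non-empty string")
    if not isinstance(policy.get("enabled"), bool):
        errors.append("enabled must be true or false")
    rules = policy.get("rules")
    if not isinstance(rules, list) or not rules:
        errors.append("rules must be a non-empty list")
    elif len(rules) > MAX_RULES_PER_POLICY:
        errors.append(f"too many rules: {len(rules)} > {MAX_RULES_PER_POLICY}")
    else:
        for i, rule in enumerate(rules):
            if not isinstance(rule, dict) or rule.get("type") not in ALLOWED_RULE_TYPES:
                errors.append(f"rules[{i}].type must be one of {sorted(ALLOWED_RULE_TYPES)}")
    return errors


def validate_document(doc):
    """Validate the whole policy file; returns problems prefixed by policy index."""
    policies = doc.get("vulnerability_management_policy", [])
    errors = []
    if not isinstance(policies, list):
        return ["vulnerability_management_policy must be a list"]
    if len(policies) > MAX_POLICIES_PER_PROJECT:
        errors.append(f"too many policies: {len(policies)} > {MAX_POLICIES_PER_PROJECT}")
    for i, policy in enumerate(policies):
        errors.extend(f"policy[{i}]: {e}" for e in validate_policy(policy))
    return errors


def make_rule(scanner="sast", severity="low"):
    return {"type": "no_longer_detected", "scanners": [scanner], "severity_levels": [severity]}


def demo():
    # Constructed sample: one good policy, one that exceeds the rule limit, one with bad fields.
    good = {"name": "resolve stale low SAST", "enabled": True, "rules": [make_rule()]}
    too_many_rules = {"name": "six rules", "enabled": True, "rules": [make_rule() for _ in range(6)]}
    bad_fields = {"name": "", "enabled": "yes", "rules": [{"type": "unknown"}]}
    return validate_document({"vulnerability_management_policy": [good, too_many_rules, bad_fields]})


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

`demo()` reports the rule-count violation for the second policy and three field problems for the third, while the first policy produces no errors; a document containing six policies additionally fails the per-project limit.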