- Supported reports
- Pipeline Security
- Project Security Dashboard
- Group Security Dashboard
- Security Center
- Keeping the dashboards up to date
- Security scans using Auto DevOps
GitLab provides a comprehensive set of features for viewing and managing vulnerabilities:
- Security dashboards: An overview of the security status in your personal Security Center, groups, and projects.
- Vulnerability reports: Detailed lists of all vulnerabilities for the Security Center, group, project, or pipeline. This is where you triage and manage vulnerabilities.
- Security Center: A dedicated area for personalized vulnerability management. This includes a security dashboard, vulnerability report, and settings.
You can also drill down into a vulnerability and get extra information on the Vulnerability Page. This view includes the project it comes from, any related file(s), and metadata that helps you analyze the risk it poses. You can also confirm, dismiss, or resolve a vulnerability, create an issue for it, and in some cases, generate a merge request to fix the vulnerability.
To benefit from these features, you must first configure one of the security scanners.
The security dashboard and vulnerability report displays information about vulnerabilities detected by scanners such as:
- Container Scanning
- Dynamic Application Security Testing
- Dependency Scanning
- Static Application Security Testing
- Cluster Image Scanning
- And others!
- At least one project inside a group must be configured with at least one of the supported reports.
- The configured jobs must use the new
- GitLab Runner 11.5 or newer must be used. If you’re using the shared runners on GitLab.com, this is already the case.
At the pipeline level, the Security section displays the vulnerabilities present in the branch of the project the pipeline ran against.
Visit the page for any pipeline that ran any of the supported reports. To view the pipeline’s security findings, select the Security tab when viewing the pipeline.
A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish for any reason, the security dashboard doesn’t show SAST scanner output. For example, if the SAST job finishes but the DAST job fails, the security dashboard doesn’t show SAST results. On failure, the analyzer outputs an exit code.
The Scan details section lists the scans run in the pipeline and the total number of vulnerabilities per scan. For the DAST scan, select Download scanned resources to download a CSV file containing details of the resources scanned.
A project’s Security Dashboard displays a chart with the total number of vulnerabilities over time with up to 365 days of historical data. Data is refreshed daily at 1:15am UTC. By default, it shows statistics for all vulnerability severities.
To access the dashboard, from your project’s home page go to Security & Compliance > Security Dashboard.
To filter the chart by vulnerability severity, select the corresponding legend name.
In the previous example, the chart shows statistics only for vulnerabilities of medium or unknown severity.
To customize the view of the vulnerability chart, you can select:
- A specific time frame by using the time range handles ().
- A specific area of the chart by using the left-most icon () then drag across the chart. To reset to the original range, select Remove Selection ().
To download an SVG image of the chart, select Save chart to an image ().
The group Security Dashboard gives an overview of the vulnerabilities found in the default branches of the projects in a group and its subgroups. Access it by navigating to Security > Security Dashboard after selecting your group. By default, the Security Dashboard displays all detected and confirmed vulnerabilities. If you don’t see the vulnerabilities over time graph, the likely cause is that you have not selected a group.
Note that the Security Dashboard only shows projects with security reports enabled in a group.
There is a timeline chart that shows how many open vulnerabilities your projects had at various points in time. You can display the vulnerability trends over a 30, 60, or 90-day time frame (the default is 90 days). Hover over the chart to get more details about the open vulnerabilities at a specific time. Aggregated data beyond 90 days can be accessed by querying our VulnerabilitiesCountByDay GraphQL API. This data is retained for 365 days.
Next to the timeline chart is a list of projects, grouped and sorted by the severity of the vulnerability found:
|F||One or more “critical”|
|D||One or more “high” or “unknown”|
|C||One or more “medium”|
|B||One or more “low”|
Projects with no vulnerability tests configured don’t appear in the list. Additionally, dismissed vulnerabilities are excluded.
Navigate to the group’s vulnerability report to view the vulnerabilities found.
The Security Center is personal space where you manage vulnerabilities across all your projects. It displays the vulnerabilities present in the default branches of all the projects you configure. It includes the following:
- The group security dashboard’s features.
- A vulnerability report.
- A dedicated settings area to configure which projects to display.
To view the Security Center, on the top bar, select Menu > Security.
To add projects to the Security Center:
- Click Settings in the left navigation bar or click the Add projects button.
- Search for and add one or more projects using the Search your projects field.
- Click the Add projects button.
After you add projects, the security dashboard and vulnerability report display the vulnerabilities found in those projects’ default branches.
The Security Dashboard displays information from the results of the most recent security scan on the default branch, which means that security scans are performed every time the branch is updated.
If the default branch is updated infrequently, scans are run infrequently and the information on the Security Dashboard can become outdated as new vulnerabilities are discovered.
To ensure the information on the Security Dashboard is regularly updated, configure a scheduled pipeline to run a daily security scan. This updates the information displayed on the Security Dashboard regardless of how often the default branch is updated.
That way, reports are created even if no code change happens.
Read more on how to address the vulnerabilities.