Each vulnerability report contains vulnerabilities from the scans of the most recent branch merged into the default branch.
The vulnerability reports display the total number of vulnerabilities by severity (for example, Critical, High, Medium, Low, Info, Unknown). Below this, a table shows each vulnerability’s detected date, status, severity, description, identifier, the scanner where it was detected, and activity (including related issues or available solutions). By default, the vulnerability report is filtered to display all detected and confirmed vulnerabilities.
Clicking any vulnerability in the table takes you to its vulnerability details page to see more information on that vulnerability.
The Activity column indicates the number of issues that have been created for the vulnerability. Hover over an Activity entry and select a link go to that issue.
You can filter which vulnerabilities display by:
|Status||Detected, Confirmed, Dismissed, Resolved|
|Severity||Critical, High, Medium, Low, Info, Unknown|
|Project||Projects configured in the Security Center settings, or all projects in the group for the group level report. This filter is not displayed on the project level vulnerability report.|
|Activity||Vulnerabilities with issues and vulnerabilities that are no longer detected in the default branch.|
Introduced in GitLab 13.9
The Activity filter behaves differently from the other Vulnerability Report filters. The other filter options all OR together to show results from any vulnerability matching one of the filter criteria. With the Activity filter, the selected values form mutually exclusive sets to allow for precisely locating the desired vulnerability records. Additionally, not all options can be selected in combination. Selection behavior when using the Activity filter:
|Activity Selection||Results Displayed|
|All||Vulnerabilities with any Activity status (same as ignoring this filter). Selecting this will deselect any other Activity filter options.|
|No activity||Only vulnerabilities without either an associated Issue or that are no longer detected. Selecting this will deselect any other Activity filter options.|
|With issues||Only vulnerabilities with one or more associated issues. Does not include vulnerabilities that also are no longer detected.|
|No longer detected||Only vulnerabilities that are no longer detected in the latest pipeline scan of the |
|With issues and No longer detected||Only vulnerabilities that have one or more associated issues and also are no longer detected in the latest pipeline scan of the |
Contents of the unfiltered vulnerability report can be exported using our export feature.
You can also change the status of vulnerabilities in the table:
- Select the checkbox for each vulnerability you want to update the status of.
- In the dropdown that appears select the desired status, then select Change status.
The vulnerabilities that exist in your project’s default branch are accessed by navigating to Security & Compliance > Vulnerability Report.
The project vulnerability report first displays the time at which the last pipeline completed on the project’s default branch. There’s also a link to view this in more detail. In the case of any pipeline failures, the number of failures is indicated. The failure notification takes you directly to the Failed jobs tab of the pipeline page.
You can export all your vulnerabilities in CSV (comma separated values) format by clicking the Export button located at top right of the Security Dashboard. When the report is ready, the CSV report downloads to your local machine. The report contains all vulnerabilities for the projects defined in the Security Dashboard, as filters don’t apply to the export function.
The fields in the export include: