GitLab Vulnerability Reports

Each vulnerability report contains vulnerabilities from the scans of the most recent branch merged into the default branch.

The vulnerability reports display the total number of vulnerabilities by severity (for example, Critical, High, Medium, Low, Info, Unknown). Below this, a table shows each vulnerability’s detected date, status, severity, description, identifier, the scanner where it was detected, and activity (including related issues or available solutions). By default, the vulnerability report is filtered to display all detected and confirmed vulnerabilities.

Vulnerability Report

Clicking any vulnerability in the table takes you to its vulnerability details page to see more information on that vulnerability.

The Activity column indicates the number of issues that have been created for the vulnerability. Hover over an Activity entry and select a link go to that issue.

Display attached issues

Filter options

You can filter which vulnerabilities display by:

Filter Available options
Status Detected, Confirmed, Dismissed, Resolved
Severity Critical, High, Medium, Low, Info, Unknown
Scanner Available scanners.
Project Projects configured in the Security Center settings, or all projects in the group for the group level report. This filter is not displayed on the project level vulnerability report.
Activity Vulnerabilities with issues and vulnerabilities that are no longer detected in the default branch.

Activity filter

Introduced in GitLab 13.9

The Activity filter behaves differently from the other Vulnerability Report filters. The other filter options all OR together to show results from any vulnerability matching one of the filter criteria. With the Activity filter, the selected values form mutually exclusive sets to allow for precisely locating the desired vulnerability records. Additionally, not all options can be selected in combination. Selection behavior when using the Activity filter:

Activity Selection Results Displayed
All Vulnerabilities with any Activity status (same as ignoring this filter). Selecting this will deselect any other Activity filter options.
No activity Only vulnerabilities without either an associated Issue or that are no longer detected. Selecting this will deselect any other Activity filter options.
With issues Only vulnerabilities with one or more associated issues. Does not include vulnerabilities that also are no longer detected.
No longer detected Only vulnerabilities that are no longer detected in the latest pipeline scan of the default branch. Does not include vulnerabilities with one or more associated issues.
With issues and No longer detected Only vulnerabilities that have one or more associated issues and also are no longer detected in the latest pipeline scan of the default branch.

Contents of the unfiltered vulnerability report can be exported using our export feature.

You can also change the status of vulnerabilities in the table:

  1. Select the checkbox for each vulnerability you want to update the status of.
  2. In the dropdown that appears select the desired status, then select Change status.

Project Vulnerability Report

Project Vulnerability Report

The vulnerabilities that exist in your project’s default branch are accessed by navigating to Security & Compliance > Vulnerability Report.

The project vulnerability report first displays the time at which the last pipeline completed on the project’s default branch. There’s also a link to view this in more detail. In the case of any pipeline failures, the number of failures is indicated. The failure notification takes you directly to the Failed jobs tab of the pipeline page.

Project Vulnerability Report

Export vulnerabilities

You can export all your vulnerabilities in CSV (comma separated values) format by clicking the Export button located at top right of the Security Dashboard. When the report is ready, the CSV report downloads to your local machine. The report contains all vulnerabilities for the projects defined in the Security Dashboard, as filters don’t apply to the export function.

noteIt may take several minutes for the download to start if your project contains thousands of vulnerabilities. Don’t close the page until the download finishes.

The fields in the export include:

  • Group Name
  • Project Name
  • Scanner Type
  • Scanner Name
  • Status
  • Vulnerability
  • Details
  • Additional Information
  • Severity
  • CVE (Common Vulnerabilities and Exposures)
  • CWE (Common Weakness Enumeration)
  • Other Identifiers