Remediate

Remediation is the fourth phase of the vulnerability management lifecycle: detect, triage, analyze, remediate.

Remediation is the process of finding the root cause of a vulnerability and fixing the root cause, reducing the risks, or both. Use information contained in each vulnerability’s details page to help you understand the nature of the vulnerability and remediate it.

The objective of the remediation phase is to either resolve or dismiss a vulnerability. A vulnerability is resolved when either you’ve remediated the root cause or it’s no longer present. A vulnerability is dismissed when you’ve decided that no further effort is justified.

For a walkthrough of how GitLab Duo can help you analyze and remediate a vulnerability, see Use GitLab Duo to remediate an SQL injection.

Scope

The scope of the remediation phase is all those vulnerabilities that have been through the analysis phase and confirmed as needing further action. To list these vulnerabilities, use the following filter criteria in the vulnerability report:

Status: Confirmed
Activity: Has issue

Document the vulnerability

If you’ve not already, create an issue to document your investigation and remediation work. This documentation provides a reference point if you discover a similar vulnerability, or if the same vulnerability is detected again.

Remediate the vulnerability

Use the information gathered in the analysis phase to help guide you to remediate the vulnerability. It’s important to understand the root cause of the vulnerability so that remediation is effective.

For some vulnerabilities detected by SAST, GitLab can:

Explain the vulnerability, using GitLab Duo Chat.
Resolve the vulnerability, using GitLab Duo Chat.
Provide the complete data path from input to the vulnerable line of code, if you’re using GitLab Advanced SAST.

When the root cause of a vulnerability is remediated, resolve the vulnerability.

To do this:

Change the vulnerability’s status to Resolved.
Document in the issue created for the vulnerability how it was remediated, then close the issue.
If a resolved vulnerability is reintroduced and detected again, its record is reinstated and its status set to Needs triage.

Dismiss the vulnerability

At any point during the remediation phase you might decide to dismiss the vulnerability, possibly because you have decided:

The estimated cost of remediation effort is too high.
The vulnerability poses little to no risk.
The vulnerability’s risk has already been mitigated.
The vulnerability is not valid in your environment.

When you dismiss the vulnerability:

Provide a brief comment that states why you’ve dismissed it.
Change the vulnerability’s status to Dismissed.
If you created an issue for the vulnerability, add a comment noting that you dismissed the vulnerability, then close the issue.
A dismissed vulnerability is ignored if it’s detected in subsequent scans.

Docs

Edit this page to fix an error or add an improvement in a merge request.

Create an issue to suggest an improvement to this page.

Product

Create an issue if there's something you don't like about this feature.

Propose functionality by submitting a feature request.

Feature availability and product trials

View pricing to see all GitLab tiers and features, or to upgrade.

Try GitLab for free with access to all features for 30 days.

Get help

If you didn't find what you were looking for, search the docs.

If you want help with something specific and could use community support, post on the GitLab forum.

For problems setting up or using this feature (depending on your GitLab subscription).

Request support