Vulnerability management policy
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
Use a vulnerability management policy to automatically resolve vulnerabilities that are no longer detected. This can help reduce the workload of triaging vulnerabilities.
When a scanner detects a vulnerability on the default branch, the scanner creates a vulnerability record with the status Needs triage. After the vulnerability has been remediated and the next security scan runs, the scan adds No longer detected to the record’s activity log, but the record’s status does not change. You can change the status to Resolved either manually or by using a vulnerability management policy. Using a policy ensures the rules are applied consistently. For example, you can create a policy that marks as resolved those vulnerabilities that are no longer detected on the default branch, but only those created by SAST that are of low risk.
The vulnerability management policy is applied when a pipeline runs against the default branch. For each vulnerability that is no longer detected and matches the policy’s rules:
- The vulnerability record’s status is set to Resolved by the GitLab Security Policy Bot user.
- A note about the status change is added to the vulnerability’s record.
To limit pipeline load and duration, a maximum of 1,000 vulnerabilities per pipeline is set to status Resolved. This repeats in each pipeline until all vulnerabilities that are no longer detected are marked Resolved.
Restrictions
- You can assign a maximum of five rules to each policy.
- You can assign a maximum of five vulnerability management policies to each security policy project.
Create a vulnerability management policy
Create a vulnerability management policy to automatically resolve vulnerabilities matching specific criteria.
Prerequisites:
- By default, only group, subgroup, or project Owners have the permissions required to create or assign a security policy project. This can be changed using custom roles.
To create a vulnerability management policy:
1. On the left sidebar, select Search or go to and find your project.
2. Go to Secure > Policies.
3. Select New policy.
4. In Vulnerability management policy, select Select policy.
5. Complete the fields and set the policy’s status to Enabled.
6. Select Create policy.
7. Review and merge the merge request.
After the vulnerability management policy has been created, the policy rules are applied to pipelines on the default branch.
Edit a vulnerability management policy
Edit a vulnerability management policy to change its rules.
1. On the left sidebar, select Search or go to and find your project.
2. Go to Secure > Policies.
3. In the policy’s row, select Edit.
4. Edit the policy’s details.
5. Select Save changes.
6. Review and merge the merge request.
The vulnerability management policy has been updated. When a pipeline next runs against the default branch, the policy’s rules are applied.
Schema
When a vulnerability management policy is created or edited, it’s checked against the vulnerability management policy schema to confirm it’s valid.
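As an added example (not part of this page), the policy described in the overview, which resolves low-severity SAST vulnerabilities that are no longer detected on the default branch, can be expressed as follows in the security policy project's policy file. The file path `.gitlab/security-policies/policy.yml` and the key names (`vulnerability_management_policy`, `no_longer_detected`, `scanners`, `severity_levels`, `auto_resolve`) are taken from the GitLab policy schema as the editor knows it, not from this page; verify them against the vulnerability management policy schema before merging.

```yaml
# Added example: one vulnerability management policy in
# .gitlab/security-policies/policy.yml of the security policy project.
# Path and key names are assumptions to check against the schema.
vulnerability_management_policy:
  - name: Auto-resolve low-severity SAST findings that are no longer detected
    description: >-
      Sets SAST vulnerabilities of severity Low to Resolved once a pipeline
      on the default branch no longer detects them.
    enabled: true
    rules:
      # A single rule; a policy may hold at most five.
      - type: no_longer_detected
        scanners:
          - sast
        severity_levels:
          - low
    actions:
      # The GitLab Security Policy Bot sets the status to Resolved and
      # adds a note to the vulnerability record.
      - type: auto_resolve
```

Because the policy is only evaluated by pipelines on the default branch and at most 1,000 records are resolved per pipeline, a large backlog of stale findings is worked off over several pipeline runs rather than in one.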