Security dashboards

GitLab 18.6 introduced an improved version of the security dashboards that use advanced vulnerability management. For details, see new security dashboards.

Vulnerability metrics in the Value Streams Dashboard

You can view vulnerability metrics also in the Value Streams Dashboard comparison panel, which helps you understand security exposure in the context of your organization’s software delivery workflows.

Security dashboards

Security dashboards are used to assess the security posture of your applications. GitLab provides you with a collection of metrics, ratings, and charts for the vulnerabilities detected by the security scanners run on your project. The security dashboard provides data such as:

• Vulnerability trends over a 30, 60, or 90-day time-frame for all projects in a group
• A letter grade rating for each project based on vulnerability severity
• The total number of vulnerabilities detected within the last 365 days including their severity

The data provided by the security dashboards can be used to supply insight on what decisions can be made to improve your security posture. For example, using the 365 day trend view, you can see on which days a significant number of vulnerabilities were introduced. Then you can examine the code changes performed on those particular days in order perform a root-cause analysis to create better policies for preventing the introduction of vulnerabilities in the future.

For an overview, see Security Dashboard - Advanced Security Testing.

Prerequisites

To view the Security Dashboards, the following is required:

• You must have the Developer role for the group or project.
• At least one security scanner configured in your project.
• A successful security scan performed on the default branch of your project.
• At least 1 detected vulnerability in the project.

Viewing the Security Dashboard

The Security Dashboard can be seen at the project, group, and the Security Center levels. Each dashboard provides a unique viewpoint of your security posture.

Project Security Dashboard

The Project Security Dashboard shows the total number of vulnerabilities detected over time, with up to 365 days of historical data for a given project. The dashboard is a historical view of open vulnerabilities in the default branch. Open vulnerabilities are those of only Needs triage or Confirmed status (Dismissed or Resolved vulnerabilities are excluded).

To view a project’s security dashboard:

1. On the left sidebar, select Search or go to and find your project. If you’ve turned on the new navigation, this field is on the top bar.
2. Select Secure > Security dashboard.
3. Filter and search for what you need.
   • To filter the chart by severity, select the legend name.
   • To view a specific time frame, use the time range handles ( ).
   • To view a specific area of the chart, select the left-most icon ( ) and drag across the chart.
   • To reset to the original range, select Remove Selection ( ).

Downloading the vulnerability chart

You can download an image of the vulnerability chart from the Project Security Dashboard to use in documentation, presentations, and so on. To download the image of the vulnerability chart:

1. On the left sidebar, select Search or go to and find your project. If you’ve turned on the new navigation, this field is on the top bar.
2. Select Secure > Security dashboard.
3. Select Save chart as an image ( ).

You are prompted to download the image in SVG format.

Group Security Dashboard

The group Security Dashboard provides an overview of vulnerabilities found in the default branches of all projects in a group and its subgroups. The Group Security Dashboard supplies the following:

• Vulnerability trends over a 30, 60, or 90-day time frame
• A letter grade for each project in the group according to its highest-severity open vulnerability. The letter grades are assigned using the following criteria:

To view group security dashboard:

1. On the left sidebar, select Search or go to and find your group. If you’ve turned on the new navigation, this field is on the top bar.

2. Select Security > Security dashboard.

3. Hover over the Vulnerabilities over time chart to get more details about vulnerabilities.

   • You can display the vulnerability trends over a 30, 60, or 90-day time frame (the default is 90 days).
   • To view aggregated data beyond a 90-day time frame, use the VulnerabilitiesCountByDay GraphQL API. GitLab retains the data for 365 days.

4. Select the arrows under the Project security status section to see the what projects fall under a particular letter-grade rating:

   • You can see how many vulnerabilities of a particular severity are found in a project
   • You can select a project’s name to directly access its project security dashboard

New security dashboards

Use security dashboards to assess the security posture of your applications. GitLab provides you with a collection of metrics, ratings, and charts for the vulnerabilities detected by the security scanners run on your project. The security dashboard provides data such as:

• Vulnerability trends over a 30, 60, or 90-day time frame for all projects in a group.
• The total number of open vulnerabilities by severity.

Prerequisites to view the dashboard

To view the security dashboard for a project or a group you must have:

• The Developer role or higher for the group or project.
• At least one security scanner configured in your project.
• A successful security scan performed on the default branch of your project.
• At least one detected vulnerability in the project.
• Advanced vulnerability management with Advanced search enabled.

Viewing the security dashboard

The security dashboard shows filterable charts and panels built with data from vulnerabilities detected in the default branch. Charts include vulnerabilities over time and severity counts. The data in many charts is grouped into two categories:

• Open: Includes vulnerabilities with the Needs triage or Confirmed statuses
• Closed: Includes vulnerabilities with the Dismissed and Resolved statuses

Charts and panels include only open vulnerabilities unless otherwise noted.

You can view a security dashboard for a project or a group. Each dashboard provides a unique viewpoint into your security posture.

Both dashboards include:

• Charts
  • Vulnerabilities over time
  • Vulnerability severity panels
• Filter the entire dashboard

To view a security dashboard:

1. On the left sidebar, select Search or go to and find your project.
2. Select Secure > Security dashboard.

Project security dashboard

The project security dashboard shows vulnerabilities detected in the project’s default branch. It includes:

• The Vulnerabilities over time chart, which includes up to 90 days of history.
• The Severity panels, which show open vulnerabilities by severity.

Open vulnerabilities are those with Needs triage or Confirmed status. Closed vulnerabilities with Dismissed or Resolved status are not included in these charts.

Group security dashboard

The group security dashboard provides an overview of vulnerabilities found in the default branches of all projects in a group and its subgroups. The group security dashboard supplies the following:

• The Vulnerabilities over time chart, which includes up to 90 days of history.
• The Severity panels, which show open vulnerabilities by severity.

Charts

Security dashboards include several charts that help you understand and act on vulnerabilities in your projects and groups.

Vulnerabilities over time

The Vulnerabilities over time chart is available on both project and group dashboards. It shows the open vulnerabilities trends over 30, 60, or 90-day periods. The default range is 30 days. GitLab retains vulnerability data for 365 days.

Use the chart to identify when vulnerabilities were introduced and how they change over time.

To view details:

1. Hover over a data point to see the vulnerability count for that day.
2. Use the time frame selector to switch between 30, 60, or 90 days.
3. Drag the range handles ( ) to zoom in on a specific period.
4. Use the dropdowns to filter the chart by:
   • Severity (for example: Critical, High, Medium)
   • Report type (SAST, DAST, Dependency Scanning, and others)
5. To explore data beyond 90 days, but within the last 365 days, use the SecurityMetrics.vulnerabilitiesOverTime GraphQL API
6. Vulnerabilities that are no longer detected are not automatically counted as closed. Use vulnerability management policies to automatically close them if needed.

Vulnerability severity panel

The vulnerability severity panel shows the total number of open vulnerabilities by severity.

To view details:

1. In the severity panel, locate the severity you want to investigate.
2. Select View.
   • The vulnerability report opens and includes only vulnerabilities of that severity.
   • Any page-level filters you have set are also applied.

Filter the entire dashboard

You can filter results at two levels:

• Dashboard filters: Apply to the entire dashboard. All charts update when you use these filters.
• Chart and panel filters: Apply only to the chart or panel you are viewing.

Available dashboard filters include:

• Report type: Filter by scanner, including SAST, DAST, Dependency Scanning, and others.
• Project: Limit results to specific projects. Available only for group security dashboards.

Dashboard filter behavior:

• Filters apply immediately across all dashboard charts and panels.
• Filters that you apply continue to apply throughout your session unless you remove them.
• When you open a vulnerability report from the dashboard, active filters are automatically applied to the vulnerability report.

To apply a filter to the whole dashboard:

1. In the filter bar at the top of the dashboard, select Filter results….
2. From the dropdown list, choose the filter type.
3. Select one or more filter values.

Related topics

• Security center
• Vulnerability reports
• Vulnerability Page