Security inventory
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
- Status: Beta
The availability of this feature is controlled by a feature flag. For more information, see the history.
Use the security inventory to visualize which assets you need to secure and understand the actions you need to take to improve security. A common phrase in security is, “you can’t secure what you can’t see.” The security inventory provides visibility into the security posture of your organization’s top-level groups, helps you identify coverage gaps, and enables you to make efficient, risk-based prioritization decisions.
The security inventory shows:
- Your groups, subgroups, and projects.
- Security scanner coverage for each project, regardless of how the scanner is enabled. Security scanners include:
  - Static application security testing (SAST)
  - Dependency scanning
  - Container scanning
  - Secret detection
  - Dynamic application security testing (DAST)
  - Infrastructure-as-code (IaC) scanning
- The number of vulnerabilities in each group or project, sorted by severity level.
This feature is in beta. Track the development of the security inventory in epic 16484. Share your feedback with us as we continue to develop this feature. The security inventory is enabled by default.
View the security inventory
Prerequisites:
- You must have at least the Developer role in the group to view the security inventory.
To view the security inventory:
- On the left sidebar, select Search or go to and find your group.
- Select Secure > Security inventory.
- Complete one of the following actions:
  - To view a group’s subgroups, projects, and security assets, select the group.
  - To view a group or project’s scanner coverage, search for the group or project.
Filter projects in the security inventory
The availability of this feature is controlled by a feature flag. For more information, see the history.
You can filter projects in the security inventory to focus on specific areas of interest. The following filters are available:
- Vulnerability count: Filter projects based on the number of identified vulnerabilities. For example, show projects with critical vulnerabilities ≥ 10.
- Tool coverage: Filter projects by the status of security analyzers (like enabled, not enabled, or failed). For example, show projects where Advanced SAST = enabled.
- Project name: Search for specific projects by name.
These filters help you narrow down results in large inventories and make it easier to identify projects that require immediate attention.
Related topics
- Security dashboard
- Vulnerability reports
- GraphQL references:
  - AnalyzerGroupStatusType - Counts for each analyzer status in the group and subgroups.
  - AnalyzerProjectStatusType - Analyzer status (success/fail) for projects.
  - VulnerabilityNamespaceStatisticType - Counts for each vulnerability severity in the group and its subgroups.
  - VulnerabilityStatisticType - Counts for each vulnerability severity in the project.
Troubleshooting
When working with the security inventory, you might encounter the following issues:
Security inventory menu item missing
Some users do not have the required permissions to access the Security inventory menu item. The menu item only displays for groups when the authenticated user has at least the Developer role.