The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Vulnerability Report

View, triage, and remediate vulnerabilities across your projects

GitLab logo
After analyzing your source code with [SAST], [SCA], and/or your application with [DAST], you can check scan results in the Vulnerability report, available at the group and project level.
To access, navigate to Secure > Vulnerability report .

Tip

At the group level, in addition to the vulnerability report, there is a Security Dashboard that provides an overview of the group’s security posture. To access it: in the left sidebar, select Secure > Security Dashboard .

Vulnerability Report Overview

The vulnerability report provides a detailed breakdown of vulnerability counts by severity level and includes a comprehensive list of each vulnerability identified in your project or group.

A search bar helps you filter the report based on various parameters. By default, the report displays all vulnerabilities that need triage or have been confirmed and are still detected in the project.

You can also attach an issue to a vulnerability or create a new issue related to it.

secure-overview

ElementsDescription
1Last security analysis with the pipeline id
2Global view of number vulnerabilities grouped by severity
3Overview table of detected vulnerabilities
4Date of the first detection
5Current status of the vulnerability. New vulnerability is set to Needs triage
6Severity level of the vulnerability
7Detail and the filename with line number of the vulnerability
8Scanner that detected the vulnerability

Vulnerability Details Page

The Vulnerability Details page provides detailed information about each detected vulnerability within your project or group.

This includes the severity level, relevant descriptions, affected files or dependencies, and suggested remediation steps.

The page also allows you to attach or create an issue and change the severity.

vulnerability-detail

ElementsDescription
SeverityThe severity of the vulnerability: low, medium, high, or critical
CVSSGeneral CVSS score. The score may differ depending on your application use case
EPSSThe likelihood of a vulnerability being exploited in the next 30 days
Has Known ExploitYes or No — whether a public exploit exists for this vulnerability
ReachabilityNot available: reachability unknown. Yes: vulnerability can be reached. No: vulnerability cannot be reached
LocationLocation of the vulnerability within the codebase, including the file name and line number

Issue and Vulnerability Tracking

Through the vulnerability report, it is possible to create a new issue or associate an existing issue with a vulnerability.

Remediation Process

GitLab generates detailed reports for any detected vulnerabilities, accessible directly within the merge request and pipeline reports.

secure-vul-wfw

  1. Assessment of the vulnerabilities.

    • Collect information about the vulnerabilities from the vulnerability details page.
    • Analyze the impact and severity of each vulnerability to prioritize remediation efforts.
  2. Assign the issue to the appropriate team member for resolution.

  3. Fix vulnerabilities by changing the code or dependencies.

    • Make the necessary code changes or update dependencies to fix the detected vulnerabilities.
    • Communicate with your Product Design Authority (PDA) to confirm the appropriate next steps in cases where no immediate fix is available.
  4. Review the issue and determine the appropriate remediation steps.

  5. Conduct additional scans and tests to verify that vulnerabilities have been properly addressed.

  6. Once verified, code changes can be merged into the main branch.

  7. Regularly run security scans as part of the CI/CD pipeline to detect new vulnerabilities.