Vulnerability Report (ULTIMATE ALL)

The Vulnerability Report provides information about vulnerabilities from scans of the default branch. It contains cumulative results of all successful jobs, regardless of whether the pipeline was successful. The scan results from a pipeline are only ingested after all the jobs in the pipeline complete.

For an overview, see Vulnerability Management.

At all levels, the Vulnerability Report contains:

  • Totals of vulnerabilities per severity level.
  • Filters for common vulnerability attributes.
  • Details of each vulnerability, presented in tabular layout.

At the project level, the Vulnerability Report also contains:

  • A time stamp showing when it was updated, including a link to the latest pipeline.
  • The number of failures that occurred in the most recent pipeline. Select the failure notification to view the Failed jobs tab of the pipeline's page.

The Activity column contains icons to indicate the activity, if any, taken on the vulnerability in that row:

  • Issues {issues}: Links to issues created for the vulnerability. For more details, read Create an issue for a vulnerability.
  • Wrench {admin}: The vulnerability has been remediated.
  • False positive {false-positive}: The scanner determined this vulnerability to be a false positive.

To open an issue created for a vulnerability, hover over the Activity entry, then select the link. The issue icon ({issues}) indicates the issue's status. If Jira issue support is enabled, the issue link found in the Activity entry links out to the issue in Jira. Unlike GitLab issues, the status of a Jira issue is not shown in the GitLab UI.

Example project-level Vulnerability Report

When vulnerabilities originate from a multi-project pipeline setup, this page displays the vulnerabilities that originate from the selected project.

View the vulnerability report

View the vulnerability report to list all vulnerabilities in the project or group.

Prerequisites:

  • You must have at least the Developer role for the project or group.

To view the vulnerability report:

  1. On the left sidebar, select Search or go to and find your project or group.
  2. Select Secure > Vulnerability report.

Vulnerability Report filters

You can filter the Vulnerability Report to narrow the focus to only those vulnerabilities that match specific criteria.

The filters available at all levels are:

  • Status: Detected, confirmed, dismissed, resolved. For details on what each status means, see vulnerability status values.
  • Severity: Critical, high, medium, low, info, unknown.
  • Tool: For more details, see Tool filter.
  • Activity: For more details, see Activity filter.

Additionally, the project filter is available at the group level.

Filter the list of vulnerabilities

To filter the list of vulnerabilities:

  1. Select a filter.
  2. Select values from the dropdown list.
  3. Repeat the above steps for each desired filter.

After each filter is selected:

  • The list of matching vulnerabilities is updated.
  • The vulnerability severity totals are updated.

Tool filter

The tool filter allows you to focus on vulnerabilities detected by selected tools.

When using the tool filter, you can choose:

  • All tools (default).
  • Individual GitLab-provided tools.
  • Any integrated third-party tool.

For details of each of the available tools, see Security scanning tools.

Project filter

The content of the Project filter depends on the current level:

Activity filter

The activity filter behaves differently from the other filters. You can select only one value in each category.

Selection behavior when using the activity filter:

  • Activity
    • All activity: Vulnerabilities with any activity status (same as ignoring this filter). Selecting this deselects all other activity filter options.
  • Detection
    • Still detected: Vulnerabilities that are still detected in the latest pipeline scan of the default branch.
    • No longer detected: Vulnerabilities that are no longer detected in the latest pipeline scan of the default branch.
  • Issue
    • Has issues: Vulnerabilities with one or more associated issues.
    • Does not have issue: Vulnerabilities without an associated issue.
  • Merge request
    • Has merge request: Vulnerabilities with one or more associated merge requests.
    • Does not have merge request: Vulnerabilities without an associated merge request.

View details of a vulnerability

To view more details of a vulnerability, select the vulnerability's Description. The vulnerability's details page is opened.

View vulnerable source location

Some security scanners output the filename and line number of a potential vulnerability. When that information is available, the vulnerability's details include a link to the relevant file, in the default branch.

To view the relevant file, select the filename in the vulnerability's details.

Change status of vulnerabilities

Providing a comment and dismissal reason was introduced in GitLab 16.0.

From the Vulnerability Report you can change the status of one or more vulnerabilities.

To change the status of vulnerabilities in the table:

  1. Select the checkbox beside each vulnerability whose status you want to update. To select all, select the checkbox in the table header.
  2. In the Set status dropdown list, select the desired status.
  3. If the Dismissed status is chosen, select the desired reason in the Set dismissal reason dropdown list.
  4. In the Add a comment input, you can provide a comment. For the Dismissed status, a comment is required.
  5. Select Change status.

Project Vulnerability Report

Sort vulnerabilities by date detected

By default, vulnerabilities are sorted by severity level, with the highest-severity vulnerabilities listed at the top.

To sort vulnerabilities by the date each vulnerability was detected, select the "Detected" column header.

Export vulnerability details

You can export details of the vulnerabilities listed in the Vulnerability Report. The export format is CSV (comma separated values). All vulnerabilities are included because filters do not apply to the export.

Fields included are:

  • Group name
  • Project name
  • Tool
  • Scanner name
  • Status
  • Vulnerability
  • Basic details
  • Additional information
  • Severity
  • CVE (Common Vulnerabilities and Exposures)
  • CWE (Common Weakness Enumeration)
  • Other identifiers
  • Detected At
  • Location
  • Activity: Returns true if the vulnerability is resolved on the default branch, and false if not.
  • Comments
  • Full Path
  • CVSS Vectors
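Because filters do not apply to the export, the Status, Severity, Tool and Project filters described above have to be re-applied offline when you work with the CSV. The following is an added example (not GitLab's own code) that reads an export with the column names listed above; the rows are constructed sample data, and the filter semantics (open = detected or confirmed and not yet resolved on the default branch) are this example's assumption.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Vulnerability Report CSV export (not a real export).
# Only a subset of the exported columns is used here; names match the field list above.
SAMPLE_CSV = """Group name,Project name,Tool,Scanner name,Status,Vulnerability,Severity,CVE,CWE,Detected At,Location,Activity,Full Path
grp,app,sast,semgrep,detected,Hardcoded secret,critical,,CWE-798,2024-01-10,src/config.py:12,false,grp/app
grp,app,dependency_scanning,gemnasium,detected,Prototype pollution,high,CVE-2023-0001,,2024-01-11,package-lock.json,false,grp/app
grp,app,sast,semgrep,dismissed,Weak hash,medium,,CWE-328,2024-01-12,src/auth.py:40,false,grp/app
grp,api,container_scanning,trivy,resolved,Outdated openssl,high,CVE-2023-0002,,2024-01-05,Dockerfile,true,grp/api
grp,api,dependency_scanning,gemnasium,confirmed,ReDoS,low,CVE-2023-0003,,2024-01-13,Gemfile.lock,false,grp/api
"""

# Display order used by the report: highest severity first.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "unknown"]


def load_export(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_rows(rows, statuses=None, severities=None, tools=None, projects=None):
    """Re-apply the Status / Severity / Tool / Project filters that the export ignores.
    Each argument is a set of accepted values, or None to leave that filter unset."""
    def keep(r):
        return ((statuses is None or r["Status"] in statuses)
                and (severities is None or r["Severity"] in severities)
                and (tools is None or r["Tool"] in tools)
                and (projects is None or r["Project name"] in projects))
    return [r for r in rows if keep(r)]


def severity_totals(rows):
    """Per-severity counts, in report order, omitting severities with no findings."""
    counts = Counter(r["Severity"] for r in rows)
    return {s: counts[s] for s in SEVERITY_ORDER if counts[s]}


def still_open(rows):
    """Rows that still need action: detected or confirmed, and the Activity column
    (true when resolved on the default branch) is not 'true'."""
    return [r for r in rows
            if r["Status"] in ("detected", "confirmed") and r["Activity"].lower() != "true"]
```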

NOTE: Full details are available through our Job Artifacts API. Use one of the gl-*-report.json report filenames in place of *artifact_path to obtain, for example, the path of files in which vulnerabilities were detected.
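The note above points to the gl-*-report.json job artifacts for details the CSV lacks, such as the files in which findings were located. As an added example (not GitLab's code), this reads a report document of that shape and groups findings by file; the report below is a constructed minimal sample containing only the vulnerabilities[].name, severity, identifiers and location keys, and the per-file grouping is this example's own choice.

```python
import json

# Constructed minimal document in the shape of a gl-*-report.json artifact (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "a1", "name": "Hardcoded secret", "severity": "Critical",
         "identifiers": [{"type": "cwe", "name": "CWE-798", "value": "798"}],
         "location": {"file": "src/config.py", "start_line": 12, "end_line": 12}},
        {"id": "b2", "name": "Weak hash", "severity": "Medium",
         "identifiers": [{"type": "cwe", "name": "CWE-328", "value": "328"}],
         "location": {"file": "src/auth.py", "start_line": 40, "end_line": 44}},
        {"id": "c3", "name": "Use of eval", "severity": "High",
         "identifiers": [{"type": "cwe", "name": "CWE-95", "value": "95"}],
         "location": {"file": "src/config.py", "start_line": 30, "end_line": 30}},
    ],
})


def findings_by_file(report_text):
    """Map each file path to its findings as (severity, name, identifier names, line range).
    Files are sorted by name; findings within a file by start line."""
    report = json.loads(report_text)
    by_file = {}
    for v in report.get("vulnerabilities", []):
        loc = v.get("location", {})
        path = loc.get("file")
        if not path:
            continue  # e.g. a dependency finding without a file-level location
        start, end = loc.get("start_line"), loc.get("end_line")
        ids = [i.get("name") for i in v.get("identifiers", []) if i.get("name")]
        by_file.setdefault(path, []).append((v.get("severity"), v.get("name"), ids, (start, end)))
    for path in by_file:
        by_file[path].sort(key=lambda f: f[3][0] or 0)
    return dict(sorted(by_file.items()))


def files_with_findings(report_text):
    """Just the distinct file paths, in sorted order."""
    return list(findings_by_file(report_text))
```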

Export details in CSV format

To export details of all vulnerabilities listed in the Vulnerability Report, select Export.

The details are retrieved from the database, then the CSV file is downloaded to your local computer.

NOTE: It may take several minutes for the download to start if your project contains thousands of vulnerabilities. Do not close the page until the download finishes.

Dismiss a vulnerability

When you evaluate a vulnerability and decide it requires no more action, you can mark it as Dismissed. Dismissed vulnerabilities do not appear in the merge request security widget when detected in future scans.

When a vulnerability is dismissed in a project or group, a record is made of:

  • Who dismissed it.
  • Date and time when it was dismissed.
  • Optionally, a reason why it was dismissed.

Vulnerability records cannot be deleted, so a permanent record always remains.

You can dismiss a vulnerability in projects and groups:

  1. Select the vulnerability in the Security Dashboard.
  2. In the upper-right corner, from the Status dropdown list, select Dismissed.
  3. Optional. Add a reason for the dismissal and select Save comment.

To undo this action, select a different status from the same menu.

Manually add a vulnerability finding

To add a new vulnerability finding from your project-level Vulnerability Report page:

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Secure > Vulnerability report.
  3. Select Submit vulnerability.
  4. Complete the fields and submit the form.

You are brought to the newly created vulnerability's detail page. Manually created records appear in the Group, Project, and Security Center Vulnerability Reports. To filter them, use the Generic Tool filter.

Group vulnerabilities

To group the Vulnerability Report:

  1. Below the Vulnerability Report filters, select the Group By dropdown list.
  2. Select the attribute you want to group by: status or severity.

To see what is included in a group, select a category to expand the report and see related vulnerabilities.

Operational vulnerabilities

Introduced in GitLab 14.6.

The Operational vulnerabilities tab lists vulnerabilities found by Operational container scanning. This tab appears on the project, group, and Security Center vulnerability reports.

Operational Vulnerability Tab