|Content Last Reviewed||
Vulnerability management is about ensuring that assets and applications are scanned for vulnerabilities, and then the processes to record, manage, and mitigate those vulnerabilities.
Traditionally, vulnerability management has focused on scans of live web apps and assets, and management of those vulnerabilities in a single tool. At GitLab, we have a broader vision. Specifically, vulnerabilities should not be collected and managed in isolation, but instead they should be integrated with the rest of your DevOps lifecycle.
Our goal is to identify meaningful sets of vulnerabilities, in both your assets and application code, that can be mitigated, managed, and acted upon by your whole team, not just the security organization.
Our goal is also to provide unified interfaces and integrate with the systems teams are already using for managing results from
~"devops::secure" stage, so there is always a single source of truth, and a single place for management of security results.
Additionally, our goal is to support teams with compliance and auditing efforts by effectively being able to show the lifecycle of identifying and mitigating identified vulnerabilities.
We will start by creating an excellent experience around managing vulnerability results from scanners. This is a beneficial first step since the results from existing VM scanners can be then be imported into and managed within GitLab, rather than requiring multiple tools to be used.
Additionally, vulnerability results from SAST, DAST and container scanning can be used with the same workflow. This will give security teams a better view of the overall amount of risk associated with their apps, both from a pre-deployment and post-deployment perspective.
Security Dashboards—available at instance, group and project level—are the primary tool for Security Teams and Directors of Security. They can use these dashboards to access the current security status of their applications and to start a remediation process.
The dashboards also provides stats and charts to figure out how the team is performing. This helps keep project security health at a proper level.
GitLab believes in responsibly disclosing software vulnerabilities. As such, GitLab is a CVE Numbering Authority (CNA) and can provide CVE IDs to researchers and information technology vendors. We will be integrating CVE ID request solution which will be available within our Secure and Defend Categories.
You can read more about reporting a vulnerability, our disclosure policy, and request a CVE ID at our Responsible Disclosure page.
There is no feature available for this category.
The category is very new, so we still need to engage customers and get feedback about their interests and priorities in this area.