ContextQMD
Back to Gitlabhq

Security dashboards

doc/user/application_security/security_dashboard/_index.md

18.11.221.6 KB
Original Source

{{< details >}}

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

{{< history >}}

{{< /history >}}

GitLab 18.6 introduced an improved version of the security dashboards that use advanced vulnerability management.

The new dashboards are enabled by default on GitLab.com and GitLab Dedicated. GitLab Self-Managed users must enable advanced vulnerability management to access the new dashboards.

If your organization has not enabled advanced vulnerability management, see legacy security dashboards.

Security dashboards

{{< history >}}

{{< /history >}}

Use security dashboards to assess the security posture of your applications. GitLab provides you with a collection of metrics, ratings, and charts for the vulnerabilities detected by the security scanners run on your project. The security dashboards provide the following data:

  • Vulnerability trends over a 30, 60, or 90-day time frame for all projects in a group.
  • The total number of open vulnerabilities by severity.
  • The total risk score to compare vulnerability risk across projects.

Prerequisites

To view the security dashboard for a project or a group you must have:

[!note] The security dashboards show results of scans from the most recently completed pipeline on the default branch. Dashboards are updated with the results of completed pipelines run on the default branch. They do not include vulnerabilities discovered in pipelines from other un-merged branches.

Viewing the security dashboard

The security dashboard shows filterable charts and panels built with data from vulnerabilities detected in the default branch. Charts include vulnerabilities over time and severity counts. The data in many charts is grouped into two categories:

  • Open: Includes vulnerabilities with the Needs triage or Confirmed statuses
  • Closed: Includes vulnerabilities with the Dismissed and Resolved statuses

Charts and panels include only open vulnerabilities unless otherwise noted.

You can view a security dashboard for a project or a group. Each dashboard provides a unique viewpoint into your security posture.

Both dashboards include:

To view a security dashboard:

  1. In the top bar, select Search or go to and find your project.
  2. Select Secure > Security dashboard.

Project security dashboard

The project security dashboard shows vulnerabilities detected in the project's default branch. It includes:

Open vulnerabilities are those with Needs triage or Confirmed status. Closed vulnerabilities with Dismissed or Resolved status are not included in these charts.

Group security dashboard

The group security dashboard provides an overview of vulnerabilities found in the default branches of all projects in a group and its subgroups. The group security dashboard supplies the following:

Charts

Security dashboards include several charts that help you understand and act on vulnerabilities in your projects and groups.

Vulnerabilities over time

The Vulnerabilities over time chart is available on both project and group dashboards. It shows the open vulnerabilities trends over 30, 60, or 90-day periods. The default range is 30 days. GitLab retains vulnerability data for 365 days.

Use the chart to identify when vulnerabilities were introduced and how they change over time.

To view details:

  1. Hover over a data point to see the vulnerability count for that day.
  2. Use the time frame selector to switch between 30, 60, or 90 days.
  3. Drag the range handles ({{< icon name="scroll-handle" >}}) to zoom in on a specific period.
  4. Use the dropdown to filter by Severity (for example, Critical, High, Medium)
  5. Use the buttons to group the data by either of the following options:
    • Severity: Critical, high, medium, low, info, and unknown.
    • Report type: SAST, DAST, and dependency scanning and others.
  6. To explore data beyond 90 days, but within the last 365 days, use the SecurityMetrics.vulnerabilitiesOverTime GraphQL API
  7. Vulnerabilities that are no longer detected are not automatically counted as closed. Use vulnerability management policies to automatically close them if needed.

[!note] Starting in GitLab 18.8 (available January 2026) on GitLab.com and in GitLab 18.9 (available February 2026) on GitLab Self-Managed and GitLab Dedicated, the Vulnerabilities over time chart excludes no longer detected vulnerabilities. This approach more accurately reflects the number of detected vulnerabilities that require attention. This change might result in a drop in the total number of vulnerabilities shown in the chart. This change applies automatically to vulnerabilities no longer detected in pipelines run from GitLab 18.9 onward. A background migration handles remaining vulnerabilities from earlier pipelines.

Due to issue 590022 and issue 590018, vulnerability counts in the Vulnerabilities over time chart may not be accurate. The first issue affects dependency scanning and container scanning vulnerabilities. The second issue affects vulnerabilities that were dismissed or resolved, and then confirmed.

Vulnerability severity panel

The vulnerability severity panel shows the total number of open vulnerabilities by severity.

To view details:

  1. In the severity panel, locate the severity you want to investigate.
  2. Select View.
    • The vulnerability report opens and includes only vulnerabilities of that severity.
    • Any page-level filters you have set are also applied.

Risk score panel

{{< history >}}

{{< /history >}}

The risk score panel shows the overall security risk for the group or project. The panel has two views:

  1. The No grouping (default) view shows the total risk score of the group:
    • The circular gauge shows the calculated risk score in the center.
    • The color bars indicate the risk level:
      • Green: Low risk
      • Yellow: Medium risk
      • Orange: High risk
      • Red: Critical risk
  2. Select Project to compare risk scores for each project:
    • Each project tile is color-coded according to the project's risk level.
    • Hover over a tile to see details, including the project name and risk score.
    • Select a tile and select the project's name to open that project's vulnerability report.

Risk scores are calculated from multiple factors, including:

  • Severity of vulnerabilities
  • Age of vulnerabilities
  • KEV (Known Exploited Vulnerabilities) status
  • EPSS (Exploit Prediction Scoring System) score

Vulnerabilities by age

{{< history >}}

{{< /history >}}

The Vulnerabilities by age chart is available on group and project dashboards. It shows the distribution of unresolved vulnerabilities based on the amount of time since they were first detected. You can group vulnerabilities by severity or by report type, helping you identify where remediation activities may be needed.

To view details:

  1. Hover over a data point to see the vulnerability count for that age grouping.
  2. Use the dropdown list to filter by Severity (for example, Critical, High, Medium)
  3. Use the buttons to group the data by either of the following options:
    • Severity: Critical, high, medium, low, info, and unknown.
    • Report type: SAST, DAST, and dependency scanning and others.

Top 10 CWEs

{{< history >}}

{{< /history >}}

[!flag] The availability of this feature is controlled by a feature flag. For more information, see the history.

The Top 10 CWEs chart is available on group and project dashboards. It shows the 10 most common CWE identifiers associated with the open vulnerabilities in the group or project.

To view details:

  1. Hover over a data point to see the total number of vulnerabilities of each CWE type.
  2. Use the dropdown list to filter by Severity (for example, Critical, Medium, or High).

Filter the entire dashboard

You can filter results at two levels:

  • Dashboard filters: Apply to the entire dashboard. All charts update when you use these filters.
  • Chart and panel filters: Apply only to the chart or panel you are viewing.

Available dashboard filters include:

  • Report type: Filter by scanner, including SAST, DAST, dependency scanning, and others.
  • Project: Limit results to specific projects. Available only for group security dashboards.

On the group security dashboard, you can also filter by:

  • Security attributes: Filter by the security attributes applied to your projects, which include categories for business impact, application, business unit, internet exposure, and location. These filters can be inclusive (using the is one of operator) or exclusive (using the is not one of operator). To configure your security attributes and apply them to projects, see security attributes.

Dashboard filter behavior:

  • Filters apply immediately across all dashboard charts and panels.
  • Filters that you apply continue to apply throughout your session unless you remove them.
  • When you open a vulnerability report from the dashboard, active filters are automatically applied to the vulnerability report.

To apply a filter to the whole dashboard:

  1. In the filter bar at the top of the dashboard, select Filter results....
  2. From the dropdown list, choose the filter type.
  3. Select one or more filter values.

Export as PDF

{{< history >}}

{{< /history >}}

[!flag] The availability of this feature is controlled by a feature flag. For more information, see the history.

You can export the security dashboard as a PDF for use in reports and presentations. The export captures the current state of all of the charts and panels in the dashboard, including any active filters.

To export the dashboard as a PDF:

  1. In the top bar, select Search or go to and find your project or group.
  2. Select Secure > Security dashboard.
  3. Optional. Apply filters to customize the data included in the export.
  4. Select Export as PDF.

Legacy security dashboards

{{< details >}}

  • Offering: GitLab Self-Managed

{{< /details >}}

GitLab Self-Managed customers that have not enabled advanced vulnerability management cannot access the latest security dashboards. In this case, you still have access to the legacy security dashboards.

Security dashboards are used to assess the security posture of your applications. GitLab provides you with a collection of metrics, ratings, and charts for the vulnerabilities detected by the security scanners run on your project. The security dashboard provides data such as:

  • Vulnerability trends over a 30, 60, or 90-day time-frame for all projects in a group
  • A letter grade rating for each project based on vulnerability severity
  • The total number of vulnerabilities detected within the last 365 days including their severity

Use security dashboard data to improve your security posture. For example, the 365-day trend view shows which days had a spike in vulnerabilities. Examine the code changes from those days to perform a root-cause analysis and build better policies to prevent future vulnerabilities.

<i class="fa-youtube-play" aria-hidden="true"></i> For an overview, see Security Dashboard - Advanced Security Testing.

Prerequisites for the legacy dashboards

To view the security dashboards, the following is required:

  • You must have the Developer role for the group or project.
  • At least one security scanner configured in your project.
  • A successful security scan performed on the default branch of your project.
  • At least 1 detected vulnerability in the project.

[!note] The security dashboards show results of scans from the most recent completed pipeline on the default branch. Dashboards are updated with the result of completed pipelines run on the default branch; they do not include vulnerabilities discovered in pipelines from other un-merged branches.

Viewing the legacy security dashboard

The security dashboard can be seen at the project, group, and the Security Center levels. Each dashboard provides a unique viewpoint of your security posture.

Project security dashboard

The Project security dashboard shows the total number of vulnerabilities detected over time, with up to 365 days of historical data for a given project. The dashboard is a historical view of open vulnerabilities in the default branch. Open vulnerabilities are those of only Needs triage or Confirmed status (Dismissed or Resolved vulnerabilities are excluded).

To view a project's security dashboard:

  1. In the top bar, select Search or go to and find your project.
  2. Select Secure > Security dashboard.
  3. Filter and search for what you need.
    • To filter the chart by severity, select the legend name.
    • To view a specific time frame, use the time range handles ({{< icon name="scroll-handle" >}}).
    • To view a specific area of the chart, select the left-most icon ({{< icon name="marquee-selection" >}}) and drag across the chart.
    • To reset to the original range, select Remove Selection ({{< icon name="redo" >}}).

Downloading the vulnerability chart

You can download an image of the vulnerability chart from the Project security dashboard to use in documentation, presentations, and so on. To download the image of the vulnerability chart:

  1. In the top bar, select Search or go to and find your project.
  2. Select Secure > Security dashboard.
  3. Select Save chart as an image ({{< icon name="download" >}}).

You are prompted to download the image in SVG format.

Group security dashboard

The group security dashboard provides an overview of vulnerabilities found in the default branches of all projects in a group and its subgroups. The group security dashboard supplies the following:

  • Vulnerability trends over a 30, 60, or 90-day time frame
  • A letter grade for each project in the group according to its highest-severity open vulnerability. The letter grades are assigned using the following criteria:
GradeDescription
FOne or more critical vulnerabilities
DOne or more high or unknown vulnerabilities
COne or more medium vulnerabilities
BOne or more low vulnerabilities
AZero vulnerabilities

To view group security dashboard:

  1. In the top bar, select Search or go to and find your group.

  2. Select Security > Security dashboard.

  3. Hover over the Vulnerabilities over time chart to get more details about vulnerabilities.

    • You can display the vulnerability trends over a 30, 60, or 90-day time frame (the default is 90 days).
    • To view aggregated data beyond a 90-day time frame, use the VulnerabilitiesCountByDay GraphQL API. GitLab retains the data for 365 days.

  4. Select the arrows under the Project security status section to see which projects fall under a particular letter-grade rating:

    • You can see how many vulnerabilities of a particular severity are found in a project
    • You can select a project's name to directly access its project security dashboard

Vulnerability metrics in the value streams dashboard

{{< history >}}

{{< /history >}}

There are additional vulnerability metrics available in the value streams dashboard comparison panel, which helps you understand security exposure in the context of your organization's software delivery workflows.