Security inventory

{{< details >}}

• Tier: Ultimate
• Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

{{< history >}}

• Introduced as a beta in GitLab 18.2 with a flag named security_inventory_dashboard. Enabled by default.
• Generally available in GitLab 18.9. Feature flag security_inventory_dashboard removed.

{{< /history >}}

Use the security inventory to visualize which assets you need to secure and understand the actions you need to take to improve security. A common phrase in security is, "you can't secure what you can't see." The security inventory provides visibility into the security posture of your organization's top-level groups, helps you identify coverage gaps, and enables you to make efficient, risk-based prioritization decisions.

The security inventory shows:

• Your groups, subgroups, and projects.
• Security scanner coverage for each project, regardless of how the scanner is enabled. Security scanners include:
  • Static application security testing (SAST)
  • Dependency scanning
  • Container scanning
  • Secret detection
  • Dynamic application security testing (DAST)
  • Infrastructure-as-code (IaC) scanning
• The number of vulnerabilities in each group or project, sorted by severity level.

Track the development of the security inventory in epic 16939. Share your feedback as development continues on this feature.

View the security inventory

Prerequisites:

• You must have the Security Manager, Developer, Maintainer, or Owner role in the group to view the security inventory.

To view the security inventory:

1. In the top bar, select Search or go to and find your group.
2. Select Secure > Security inventory.
3. Complete one of the following actions:
   • To view a group's subgroups, projects, and security assets, select the group.
   • To view a group or project's scanner coverage, search for the group or project.

Filter projects in the security inventory

{{< history >}}

• Introduced in GitLab 18.5 with a flag named security_inventory_filtering. Enabled by default.

{{< /history >}}

[!flag] The availability of this feature is controlled by a feature flag. For more information, see the history.

You can filter projects in the security inventory to focus on specific areas of interest. The following filters are available:

• Vulnerability count: Filter projects based on the number of identified vulnerabilities. For example, show projects with critical vulnerabilities ≥ 10.
• Tool coverage: Filter projects by the status of security analyzers (like enabled, not enabled, or failed). For example, show projects where Advanced SAST = enabled.
• Project name: Search for specific projects by name.

These filters help you narrow down results in large inventories and make it easier to identify projects that require immediate attention.

Related topics

• Security dashboard
• Vulnerability reports
• GraphQL references:
  • AnalyzerGroupStatusType - Counts for each analyzer status in the group and subgroups.
  • AnalyzerProjectStatusType - Analyzer status (success/fail) for projects.
  • VulnerabilityNamespaceStatisticType - Counts for each vulnerability severity in the group and its subgroups.
  • VulnerabilityStatisticType - Counts for each vulnerability severity in the project.

Troubleshooting

When working with the security inventory, you might encounter the following issues:

Security inventory menu item missing

Some users do not have the required permissions to access the Security inventory menu item. The menu item only displays for groups when the authenticated user has the Security Manager, Developer, Maintainer, or Owner role.