Security inventory

doc/user/application_security/security_inventory/_index.md


{{< details >}}

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

{{< history >}}

  • Introduced as a beta in GitLab 18.2 with a flag named `security_inventory_dashboard`. Enabled by default.
  • Generally available in GitLab 18.9. Feature flag `security_inventory_dashboard` removed.

{{< /history >}}

Use the security inventory to visualize which assets you need to secure and understand the actions you need to take to improve security. A common phrase in security is, "you can't secure what you can't see." The security inventory provides visibility into the security posture of your organization's top-level groups, helps you identify coverage gaps, and enables you to make efficient, risk-based prioritization decisions.

The security inventory shows:

  • Your groups, subgroups, and projects.
  • Security scanner coverage for each project, regardless of how the scanner is enabled. Tool coverage reflects the scan status of the most recent pipeline on the default branch. Security scanners include:
    • Static application security testing (SAST)
    • Dependency scanning
    • Container scanning
    • Secret detection
    • Dynamic application security testing (DAST)
    • Infrastructure-as-code (IaC) scanning
  • The number of vulnerabilities in each group or project, sorted by severity level.

Track the development of the security inventory in epic 16939. Share your feedback as development continues on this feature.

View the security inventory

Prerequisites:

  • You must have the Security Manager, Developer, Maintainer, or Owner role in the group to view the security inventory.

To view the security inventory:

  1. In the top bar, select Search or go to and find your group.
  2. In the left sidebar, select Secure > Security inventory.
  3. Complete one of the following actions:
    • To view a group's subgroups, projects, and security assets, select the group.
    • To view a group or project's scanner coverage, search for the group or project.

Scanner coverage

Security scanner status is evaluated when a default branch pipeline completes. Each security scanner shows one of the following coverage statuses for every project or group:

  • Not enabled: The scanner is not configured.
  • Enabled: The scanner is configured and completed successfully.
  • Failed: The scanner ran but did not complete successfully.
  • Stale: A previously enabled scanner has not run in the last three consecutive pipelines.
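As an added illustration (not GitLab's own code), the following Ruby model derives a per-scanner coverage status from a constructed default-branch pipeline history using the four statuses above. The page does not say how a scanner missing from fewer than three recent pipelines is shown, so treating it as still "Enabled" is an assumption.

```ruby
# Illustrative model of per-scanner coverage status derived from default-branch
# pipeline history. Constructed example, not GitLab's implementation.
SCANNERS = %w[sast dependency_scanning container_scanning secret_detection dast iac_scanning].freeze
STALE_AFTER = 3 # consecutive pipelines without the scanner before "Enabled" becomes "Stale"

# pipelines: most recent first. Each pipeline is a Hash of scanner => :success | :failed,
# listing only the scanners that actually ran in that pipeline.
def coverage_status(scanner, pipelines)
  # Never ran in any recorded pipeline: the scanner is not configured.
  return "Not enabled" if pipelines.none? { |p| p.key?(scanner) }

  # Coverage reflects the most recent default-branch pipeline when the scanner ran there.
  latest = pipelines.first
  return(latest[scanner] == :success ? "Enabled" : "Failed") if latest.key?(scanner)

  # Scanner ran before but is absent from the most recent pipeline(s).
  consecutive_misses = pipelines.take_while { |p| !p.key?(scanner) }.size
  # Assumption: fewer than STALE_AFTER misses keeps the previous "Enabled" status.
  consecutive_misses >= STALE_AFTER ? "Stale" : "Enabled"
end

def coverage_report(pipelines)
  SCANNERS.to_h { |scanner| [scanner, coverage_status(scanner, pipelines)] }
end

# Constructed default-branch pipeline history, most recent first.
SAMPLE_PIPELINES = [
  { "sast" => :success, "secret_detection" => :failed },
  { "sast" => :success, "secret_detection" => :success },
  { "sast" => :success, "secret_detection" => :success, "container_scanning" => :success },
  { "sast" => :success, "secret_detection" => :success, "container_scanning" => :success,
    "dependency_scanning" => :success },
].freeze

if $PROGRAM_NAME == __FILE__
  coverage_report(SAMPLE_PIPELINES).each { |scanner, status| puts "#{scanner.ljust(20)} #{status}" }
end
```

In the sample history, dependency scanning has been absent for three consecutive pipelines and is reported as Stale, while container scanning (absent for two) is still shown as Enabled under the stated assumption.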

Filter projects in the security inventory

[!flag] The availability of this feature is controlled by a feature flag. For more information, see the history.

You can filter projects in the security inventory to focus on specific areas of interest. The following filters are available:

  • Vulnerability count: Filter projects based on the number of identified vulnerabilities. For example, show projects with critical vulnerabilities ≥ 10.
  • Tool coverage: Filter projects by the status of security analyzers (like enabled, not enabled, or failed). For example, show projects where Advanced SAST = enabled.
  • Project name: Search for specific projects by name.

These filters help you narrow down results in large inventories and make it easier to identify projects that require immediate attention.

Troubleshooting

When working with the security inventory, you might encounter the following issues:

Security inventory menu item missing

Some users do not have the required permissions to access the Security inventory menu item. The menu item only displays for groups when the authenticated user has the Security Manager, Developer, Maintainer, or Owner role.