doc/user/application_security/detect/security_scanning_results.md
{{< history >}}

- Feature flag `dependency_scanning_for_pipelines_with_cyclonedx_reports`. Disabled by default.
- Feature flag `dependency_scanning_for_pipelines_with_cyclonedx_reports` removed in 17.10.

{{< /history >}}
View and act on the results of pipeline security scanning in GitLab. The security scanners selected for a project run in its pipelines and output security reports. The contents of these reports are processed and presented in GitLab.
Security scanning must be configured for your project to generate results. For information about configuring security scanners, see Security configuration.
Key terminology for understanding security scan results:

Finding
: A finding is a potential vulnerability identified in a development branch. A finding becomes a vulnerability when the branch is merged into the default branch.
: Findings expire, either when the related CI/CD job artifact expires, or 90 days after the pipeline is created, even if the related job artifacts are locked.

Vulnerability
: A vulnerability is a software security weakness identified in the default branch.
: Vulnerability records persist until they are archived, even if the vulnerability is no longer detected in the default branch.
Vulnerabilities identified in the default branch are listed in the vulnerability report.
Security scanners run in branch pipelines and, if enabled, merge request pipelines. Each security scanner outputs a security report artifact containing details of all findings or vulnerabilities detected by the specific security scanner.
Security reports from child pipelines are included in pipeline security reports and merge request reports.
In a development (non-default) branch, findings include any vulnerabilities present in the target branch when the development branch was created.
Findings expire either when the related CI/CD job artifact expires, or 90 days after the pipeline is created, even if the related job artifacts are locked. Expired findings are not shown in the pipeline's Security tab. To reproduce them, re-run the pipeline.
You can download a security report, for example to analyze outside GitLab or for archival purposes. A security report is a JSON file.
Prerequisites:
To download a security report:
The selected security report is downloaded to your device.
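A downloaded report is a JSON file with a top-level `vulnerabilities` array, so it can be inspected outside GitLab with a short script. The following is an added example, not code from GitLab's documentation or products; the report content is a constructed sample that mirrors the common fields of a SAST report (`id`, `category`, `name`, `severity`, `location`, `identifiers`), and the field list is an assumption about what a summary needs rather than the full report schema.

```python
import json
from collections import Counter

# Constructed sample of a downloaded gl-sast-report.json; not real scanner output.
# The third entry deliberately omits "severity" and "location" to exercise the checks.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "f1", "category": "sast", "name": "Hard-coded credential",
         "severity": "High", "location": {"file": "app/config.py", "start_line": 12},
         "identifiers": [{"type": "cwe", "name": "CWE-798", "value": "798"}]},
        {"id": "f2", "category": "sast", "name": "Use of eval",
         "severity": "Medium", "location": {"file": "app/util.py", "start_line": 40},
         "identifiers": [{"type": "cwe", "name": "CWE-95", "value": "95"}]},
        {"id": "f3", "category": "sast", "name": "Incomplete entry", "identifiers": []},
    ],
})

# Fields this summary relies on (an assumption, not the complete report schema).
REQUIRED_FIELDS = ("id", "category", "name", "severity", "location", "identifiers")


def load_report(text):
    """Parse a security report and return its vulnerability list."""
    data = json.loads(text)
    if not isinstance(data.get("vulnerabilities"), list):
        raise ValueError("report has no 'vulnerabilities' array")
    return data["vulnerabilities"]


def check_entries(vulns):
    """Return the ids of entries that lack any field the summary needs."""
    return [v.get("id", "<no id>") for v in vulns
            if any(f not in v for f in REQUIRED_FIELDS)]


def summarize(vulns):
    """Count well-formed entries by severity and list each one's file:line."""
    ok = [v for v in vulns if all(f in v for f in REQUIRED_FIELDS)]
    by_severity = dict(Counter(v["severity"] for v in ok))
    locations = [f'{v["location"].get("file")}:{v["location"].get("start_line")}'
                 for v in ok]
    return by_severity, locations


if __name__ == "__main__":
    vulns = load_report(SAMPLE_REPORT)
    print("incomplete entries:", check_entries(vulns))
    print("by severity:", summarize(vulns)[0])
```

Replace `SAMPLE_REPORT` with the contents of a report downloaded from the pipeline to run the same checks on real output.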
The pipeline security report contains details of all findings or vulnerabilities detected in the branch. For a pipeline run against the default branch, all vulnerabilities in the pipeline security report are also in the vulnerability report.
View the pipeline security report to see details of all findings or vulnerabilities detected in the branch.
Prerequisites:
To view a pipeline security report:
To see details of a finding or vulnerability, select its description.
Create an issue to track, document, and manage the remediation work for a finding or vulnerability.
Prerequisites:
To create an issue:
An issue is created in the project, with the description copied from the finding or vulnerability's description.
You can change the status of a finding or vulnerability in the pipeline's Security tab. Any changes made to a finding persist when the branch is merged into the default branch.
Prerequisites:

- `admin_vulnerability` custom permission.

To change the status of findings or vulnerabilities:

1. In the top bar, select Search or go to and find your project.
1. In the left sidebar, select Build > Pipelines.
1. Select the latest pipeline.
1. Select the Security tab.
1. In the finding report:
   1. Select the findings or vulnerabilities you want to change.
   1. In the Select action dropdown list, select either Dismissed or Needs Triage.
   1. Select Change status.
For security scan results in a merge request, see merge request reports.
When working with security scanning, you might encounter the following issues.
{{< alert type="note" >}}

These steps are to be used by GitLab Support to reproduce such errors.

{{< /alert >}}
Some security scans may result in errors in the Security tab of the pipeline related to report parsing or scan ingestion. If it is not possible to get a copy of the project from the user, you can reproduce the error using the report generated from the scan.
To recreate the error:

1. Obtain a copy of the report from the user. In this example, `gl-sast-report.json`.
1. Create a project.
1. Commit the report to the repository.
1. Add your `.gitlab-ci.yml` file and have the report as an artifact in a job.

   For example, to reproduce an error caused by a SAST job:

   ```yaml
   sample-job:
     script:
       - echo "Testing report"
     artifacts:
       reports:
         sast: gl-sast-report.json
   ```
After the pipeline completes, check the content of the pipeline's Security tab for errors.
You can replace `sast: gl-sast-report.json` with the respective `artifacts:reports` type and the correct JSON report filename, depending on the scan that generated the report.