Group Security Dashboard [ULTIMATE]
The Group Security Dashboard gives an overview of the vulnerabilities of all the projects in a group and its subgroups.
The Dashboard is a good place to get an overview of the security vulnerabilities in your projects. You can also drill down into a vulnerability and get extra information, see which project it comes from, the file it's in, and various metadata to help you analyze the risk. You can also action these vulnerabilities by creating an issue for them, or by dismissing them.
Having your vulnerabilities in GitLab allows you to keep track of them and action them, all in the same application.
Use case: you want to measure how secure your projects are without having to look into each one separately.
To use the group security dashboard:
- At least one project inside the group must be configured with Static Application Security Testing (SAST), Dependency Scanning, Container Scanning, or Dynamic Application Security Testing (DAST).
- The configured jobs must use the new `reports` syntax (see an example job).
- GitLab Runner 11.5 or above must be used to execute the jobs.
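An added example of the required syntax (not taken from this page or from GitLab's own job templates): a `.gitlab-ci.yml` with a SAST and a Dependency Scanning job whose results the group dashboard can collect. The analyzer image names and the `SP_VERSION` pinning are assumptions modelled on the 11.x-era jobs; the `artifacts:reports:` keys and the `gl-*-report.json` file names are the ones GitLab expects.

```yaml
# .gitlab-ci.yml -- constructed example; analyzer images and version pinning
# are assumptions, not a copy of GitLab's template.
stages:
  - test

# Settings shared by the Docker-driven security analyzers.
.secure-job: &secure-job
  image: docker:stable
  stage: test
  services:
    - docker:stable-dind
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true   # findings are reported, not used to fail the pipeline
  before_script:
    # Pin the analyzer to the GitLab server's major.minor (e.g. 11-5-stable).
    - export SP_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}

sast:
  <<: *secure-job
  script:
    - docker run
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  artifacts:
    # OLD syntax: the report is only a downloadable artifact and the dashboard
    # never sees it:
    #   paths: [gl-sast-report.json]
    # NEW syntax (needs GitLab Runner 11.5+): the report is typed, so the
    # group dashboard can ingest and display it.
    reports:
      sast: gl-sast-report.json

dependency_scanning:
  <<: *secure-job
  script:
    - docker run
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
```

The same jobs run unchanged in a scheduled pipeline, which is how the dashboard stays current when no code changes are pushed.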
Keeping the dashboard up to date
Vulnerabilities are spotted during CI/CD pipelines, so having up-to-date results depends on how often security jobs are run.
In order to have the latest results displayed in the dashboard, you can schedule a daily pipeline, so reports are created even if no code change happens.
Viewing the vulnerabilities
First, navigate to the Security Dashboard found under your group's Overview > Security Dashboard.
Once you're on the dashboard, at the top you should see a series of filters for:
- Report type
Selecting one or more filters narrows the results shown on this page. The first section is an overview of all the vulnerabilities, grouped by severity. Underneath this overview is a timeline chart that shows how many open vulnerabilities your projects had at various points in time. You can choose a window of 30, 60, or 90 days, with 90 as the default. Hover over the chart to get more details about the open vulnerabilities at a specific time.
Finally, there is a list of all the vulnerabilities in the group, sorted by severity. In that list, you can see the severity of the vulnerability, its name, its confidence (how likely it is to be a true positive), and the project it's from.
If you hover over a row, the following actions appear:
- "More info"
- "Create issue"
- "Dismiss vulnerability"
Getting more information for a vulnerability
Clicking the "More info" button opens a modal with more information about the selected vulnerability, including a fuller description, the file it came from, and a possible solution. The "Dismiss vulnerability", "Create merge request", and "Create issue" buttons are available inside this modal as well.
Creating an issue for a vulnerability
You can create an issue for a vulnerability by selecting the "Create issue" button from the action buttons to the right of a vulnerability row. This will create an issue on the project this vulnerability came from and pre-fill it with some useful information.
Once the issue is created, you will be redirected to it so you can edit, assign, or comment on it. Upon returning to the dashboard you'll see that the vulnerability will now have an associated issue next to the name.
You can get the same result if you select the Create issue button from inside the "More info" modal.
Create a Merge Request from a vulnerability
In certain cases, GitLab can create a merge request that automatically remediates the vulnerability.
Clicking the "Create merge request" button inside the "More info" modal creates a merge request against the default branch and then redirects you to it.
CAUTION: Warning: Automatic patch creation is only available for a subset of Dependency Scanning. At the moment only Node.js projects managed with yarn are supported.
Dismissing a vulnerability
You can also dismiss vulnerabilities by clicking the "Dismiss vulnerability" button. This will dismiss the vulnerability and re-render it to reflect its dismissed state. If you wish to undo this dismissal, you can click the "Undo dismiss" button.
You can get the same behaviour if you dismiss a vulnerability from within the "More info" modal.