►
Description
This walkthrough will show off some of GitLab's Vulnerability Management features. You will see how both a developer and security team member can use them in their workflows while collaborating entirely inside GitLab.
0:00 Vulnerability management intro
1:09 Merge request security approvals setup
5:26 Security Dashboards
6:24 Vulnerability Report
9:02 Merge request security results
11:28 Security Center
14:37 Vulnerability details
15:30 Fixing vulnerabilities, no security approvals needed
16:53 Collaboration by creating issues from vulnerabilities
19:53 Using issue boards for vulnerability tracking
A
A
I
don't
want
new
vulnerabilities
being
introduced
without
me,
knowing
about
it
so
a
good
way
to
help
prevent
that
is
by
using
one
of
our
merch
request
approvals.
So
this
is
something
I'm
going
to
set
up
on
my
project.
So
I'm
not
going
to
go
into
the
details
here,
but
I've
already
got
some
security
scanners
configured
to
run
on
my
pipelines.
A
A
Now
any
new
feature
branch
for
this
project
that
targets
the
main
branch
is
that
introduces
or
would
introduce
a
new
high,
critical
or
unknown
vulnerability
is
going
to
require
my
approval
as
the
security
user
before
it
can
merge.
So
this
is
a
great
way
to
help
keep
the
health
of
my
security
health
of
my
project
intact,
while
not
slowing
down
the
developer
workflow,
if
they're
not
introducing
any
serious
security
issues
so
now
back
over
to
the
developer
side.
A
A
A
A
A
It
the
web
id
doesn't
actually
support
dark
mode
yet
completely,
so
I
am
still
on
the
developer
side.
Just
it
looks
light.
So
just
ignore
that
part.
So,
let's
say
for
my
purposes,
I
need
at
least
version
two
of
this
particular
library,
so
I'm
gonna
go
ahead
and
make
that
change.
You
can
see
my
diff
right
here,
great
we'll,
say,
update
pigments
to
2.0
plus
and
I'm
going
to
commit
that
to
the
same
branch.
I'm
also
going
to
start
a
new
merge
request.
A
A
Okay,
so
I'll
leave
a
little
note
and
I
will
create
that
merge
request.
So
this
is
still
me
as
the
developer.
So
now
I've
checked
in
my
changes,
and
this
has
kicked
off
a
new
pipeline,
simple
pipeline.
It
just
has
a
build
stage
to
make
sure
that
everything
looks
okay
in
the
actual
project
itself,
followed
by
a
security
check
phase.
A
I
can
see
right
here.
These
are
all
the
approvals
that
I'm
going
to
need.
So
I
didn't
set
up
any
of
these
optional
approvals
say
for
a
code
review,
but
I
do
have
this
required
one
here
from
this
is
me
as
the
security
personas
he's
got
my
face:
not
the
monkey
so
zero
one
right
now
we're
going
to
come
back
to
this,
whatever
the
pipelines
are
finished
running
because
right
now,
I
can't
even
merge
this
because
I'm
I
am
waiting
for
that
pipeline.
A
So
we're
going
to
flip
back
over
to
the
security
percentage
side
and
show
off
a
few
of
the
features
we've
got
available.
So
the
first
thing
is
the
security
dashboard.
So
at
a
project
level
the
security
dashboard
is
going
to
give
me
a
really
quick,
high
level
overview
of
the
vulnerabilities
in
that
project
over
time.
This
is
great
for
spotting
trends
or
zooming
in
on
a
particular
area
that
you
want
to
see.
You
know
why
something
went
up
or
down.
A
I
can
stretch
it
back
here
through
time
notice,
I'm
kind
of
going
back
and
I
think,
as
long
as
you
have
enough
history,
you
can
go
up
to
365
days
here
and
then
I
can
see,
for
instance,
between
the
eighth
and
the
ninth.
I
actually
had
an
uptick
in
my
critical
and
highs,
so
this
may
be
something
I
want
to
drill
into.
A
A
A
The
vulnerability
report
shows
all
of
the
vulnerabilities
that
are
present
on
the
main
branch
or
the
default
branch
of
your
project.
In
my
case,
the
main
branch
I
can
see.
This
is
the
last
pipeline
that
ran.
If
there's
any
errors
with
the
pipeline,
I
can
easily
click
to
see
what
might
have
gone
wrong.
A
A
A
A
Another
common
use
is
this
no
longer
detected
feature
here,
so
this
is
pretty
handy,
so
sometimes
a
simple
dependency
upgrade,
for
instance,
might
resolve
multiple
vulnerabilities
or
you
may
have
many
same
type
vulnerabilities,
and
you
know
the
fix
to
take
those
out
could
resolve
a
lot
of
a
lot
of
existing
vulnerabilities
at
once.
So
when
a
subsequent
scan
of
the
default
branch
doesn't
find
a
vulnerability
anymore,
it
marks
it
as
no
longer
detected.
So
this
means
that
the
you
know
the
code
or
the
dependency
has
actually
been
removed.
A
Now
you
may
want
to
double
check
still.
That
depends
on
your
process
if
it
is
trust
but
verify
that's
fine,
but
in
some
cases
it
may
just
be
easier
to
filter
by
everything
that
has
this
no
longer
detected
indicator,
and
then
you
can
use
our
bulk
selection
feature
and
I
can
easily
set
the
status
to
resolved
for
all
of
those
items.
If
I
wanted
to
I'm
not
going
to
do
that
right
now,
but
we'll
just
go
ahead
and
cancel
that
out.
A
A
So
we
now
see
a
new
section
here,
so
I
have
security
scanning
and
I
see
that
it's
detected
one
potential
vulnerability
and
it's
high.
So
let
me
expand
it
to
see
what
is
in
here.
Well
we'll
notice.
The
sas
scans
didn't
pick
up
anything,
but
the
dependency
scanning
did
now.
Remember
I
upgraded
the
version
of
pigments,
so
it
seems
that
the
version
that
I
have
selected
it
actually
still
has
vulnerabilities
inside
of
it.
In
fact,
it
has
this
cpe
right
here
and
apparently
there's
something
that
can
lead
to
a
denial
of
service
attack.
A
That's
not
good!
Well,
our
analyzer
has
actually
provided
us
a
recommendation.
I
can
actually
just
upgrade
to
2.7.4
or
above
well,
that's
great.
So
normally
I
might
be
stuck
here
waiting
for
somebody
on
the
security
team,
where
I
may
not
know
that
I
was
introducing
a
high
high
severity
vulnerability
into
the
code
base.
A
If
I
didn't
have
this
kind
of
visibility
right
here
in
my
merge
request,
so
what
I
can
do
is
I'm
going
to
go
directly
into
my
change
file,
and
this
is
another
handy
feature,
so
I
can
actually
make
a
suggestion
that
edits
this
line.
So
I'm
just
going
to
change
this
to
2.7.4,
since
that
was
the
minimum
non-vulnerable
vulnerable
version,
and
I
will
add
that
comment.
A
A
Whoops,
we'll
just
give
that
a
refresh
it
picks
up
there
we
go,
and
so
it
kicked
off
a
new
pipeline,
so
we're
gonna
have
to
wait
for
this
to
run
again.
So
while
we
do
that
we're
going
to
go
back
to
the
security
side
and
show
off
a
few
more
features
over
there,
while
we
wait
so
one
thing
that
is
available,
this
is
actually
available
to
any
git
lab
user.
That
has
access
to
any
of
the
security
features.
A
For
any
project
is
this:
we
call
this
the
security
center,
so
this
is
a
personalized
space
where
I
can
actually
see
any
combination
of
projects
that
I
have
access
to
see.
The
vulnerabilities
for
this
is
different
from
like
a
group
level
dashboard,
because
I
can
mix
and
match
between
projects
from
different
groups
and,
if
I'm
using
gitlab
sas
actually
from
different
namespaces.
A
So
let
me
go
to
the
settings
right
here
and
I'll
show
you,
so
I
could
actually
add
any
project
that
I
have
access
to.
I've
got
two
already
so
one.
This
is
in
gitlab
examples.
So
this
is
not
a
project
that
I
own.
I
just
happen
to
be
a
developer.
On
this
particular
project,
and
then
this
is
the
one
that
I
actually
own
right
here
so
because
I've
added
both
these
projects
you'll
see,
I
have
a
very
similar
vulnerability
report.
A
This
looks
really
just
like
the
one
on
the
project
level,
except
I
have
this
handy
project
selection
filter
so
that
I
can
actually
toggle
see.
That's
just
my
gitlab
examples,
one
and
then
the
customer
portal
is
is
right
over
here.
So
I
can
actually
make
this
like
really
customized
view
of
things.
So
maybe
I've
got
let's
say
five
really
highest
priority
projects
that
are
spread
out
through
different
groups
in
my
company,
and
I
want
to
make
sure
that
I
keep
on
top
of
those.
This
is
a
great
way
to
do
that.
A
We've
also
got
the
security
dashboard
here.
This
is
actually
what
you'll
see
at
the
group
level,
so
we
have
a
very
similar
vulnerability
trendlines
chart.
So
I
get
a
quick
30
60
90,
so
I
can
keep
an
eye
on
any
trends,
but
I've
also
got
this
project
security
status
scorecard
over
here.
So
this
is
going
to
assign
a
letter
grade
based
on
how
many
so
we've
got
low.
C's
or
mediums
highs
or
critical,
so
if
there's
one
or
more
open
vulnerabilities
in
a
particular
project,
that's
what
grade
it
gets.
A
So
I
can
see
that
this
example
project
that
I
belong
to
actually
has
two
high
vulnerabilities.
So
that's
why
it's
got
a
grade
d
and
then
I've
got
a
critical
two
critical
vulnerabilities
on
that
customer
portal.
One
the
project
we've
been
looking
at
the
whole
time.
It's
a
really
really
quick
way
to
go
see.
Is
there
anything
that's
going
to
need
my
attention
across
really
anything
that
I
have
configured
here
so
pretty
pretty
powerful
ability?
A
A
A
We'll
show
off
the
vulnerability
details,
so
this
is
very
similar
to
the
modal.
You
saw
me
click
on
earlier
from
the
developer
side.
It's
a
full
list
of
information
that
is
output
by
our
scanner.
So
you
see
any
particular
links
that
are
provided.
We've
got
the
actual
file
location;
these
are
the
identifiers
that
came
out
of
the
scanner.
So
if
I
want,
for
instance,
this
is
going
to
take
me
down
to
mitre's
website
information
about
that
particular
cve.
A
A
Great
okay,
so
the
pipeline
is
passed.
Everything
is
all
done
now
we're
going
to
look
over
here
and
see
what
we've
got
and
you'll
notice.
If
you
remember
before
this
had
zero
of
one
approvals
because
it
was,
there
was
a
high
vulnerability,
so
the
approval
check
had
actually
gone
into
effect.
Well
now
it
says
that
I
don't
need
it,
because
I
fix
that
vulnerability.
A
A
In
fact,
we'll
just
go
ahead
and
do
that
so
quickly
and
easily.
I
was
able
to
really
unblock
myself.
I
can
continue
forward
with
any
work
that
I
needed
to
do
and
I
can
kind
of
repeat
the
cycle
now
to
show
off
a
little
bit
of
the
collaboration
side
of
things.
Let
me
go
back
over
to
the
security
engineering
side,
so
let
me
start
with
something
that
we
don't
have
identified
yet
so
there's
no
issue
for
this
one.
Yet
it's
not
part
of
that
requirements
file.
A
A
I
have
one
and
there
it
is
so
you'll
see
that
I've
actually
got
this
adventure
and
if
I
need
to,
I
can
click
right
through
to
that
vulnerability,
and
I
can
see
exactly
what
the
person
on
my
security
team
just
sent
over
to
me
now
either.
One
of
us
could
go
and
create
an
issue
from
that.
So
let's
say
I
want
to
create
an
issue
to
actually
address
the
work,
so
it's
copied
over
the
title
of
the
vulnerability.
A
What
the
vulnerability
name
is,
and
that
description
is
so.
This
is
a
we've
got
a
backlink
right
here,
which
is
nice
to
the
vulnerability
itself,
and
then
the
description
is
everything
that
was
just
in
that
vulnerability
description
itself.
So
I'm
getting
all
the
same
information,
it's
creating
it
as
a
confidential
issue
by
default,
because
security
tends
to
be.
You
know
it's
very
sensitive
and
you
may
want
to
restrict
that
so
that's
going
to
default
on,
you
can
always
uncheck
it.
A
If
you
want-
and
in
this
case
I've
got
some
labels
set
up-
I
may
say
you
know
what,
since
this
was
a
high
severity,
I'm
going
to
put
this
scoped
label
on
there
and
I'm
going
to
create
an
issue
out
of
it
and
again
this
could
have
just
as
easily
been
done
from
the
security
side.
That
may
actually
make
more
sense
to
do
it
that
way,
but
I've
just
done
it
myself.
A
A
A
I
might
want
to
see
my
security
issue,
so
I
set
this
up
ahead
of
time
and
I've
got
a
column
for
each
of
the
severity
labels
that
I've
got
each
of
these
scope
labels.
So
now
I
can
easily
say
that
I
have
this
high
high
severity
vulnerability.
That's
due
on
june,
the
30th
I
have
one
over
here,
that's
a
low.
I
didn't
put
an
sla
on
that.
Maybe
that's
not
part
of
my
process,
but
this
is
something
that
I
can
easily
get
to.
A
If
I
flip
back
over
to
the
security
person
persona,
I'm
gonna
have
access
since
we're
both
part
of
the
project.
I
have
access
to
that
same
board,
so
you've
got
both
the
security
team
member
and
the
developer.
We
both
have
this
nice
shared
view,
and
we
can,
you
know,
set
up
our
workflow
processes.
However,
it
makes
sense
for
us,
so
I
think
that's
pretty
much
it.
A
I
know
there
was
a
lot
of
ground
to
cover,
but
hopefully
that
really
highlighted
a
lot
of
the
functionality
that
we
have
available
inside
of
gitlab
for
security
and
vulnerability
management
and
provide
some
good
examples
of
how
you
might
get
your
security
team
and
your
engineering
teams
working
inside
and
collaboratively
to
really,
you
know,
manage
the
vulnerabilities
but
improve
that
security
health.
Your
projects,
thanks,
hope
you
enjoyed.