Next up, see how to use GitLab to manage vulnerabilities. GitLab provides a single source of truth that allows developers and appsec engineers to collaborate and address issues together. After the security scanners have been implemented, there are a few ways to manage vulnerabilities.
Developers use the MR view to see the vulnerabilities in the diff between the feature branch and the target branch. The widget compares the scan report from the merge request pipeline with the report from the latest target-branch pipeline, so it shows what the change introduces or fixes rather than every finding in the project.
As shown below, each vulnerability is presented in an easy-to-read view:
When you click on a vulnerability, you can see details such as:
- Status
- Description
- Evidence
- Severity
- Identifiers
- Linked Issues
- Solution
- Security Training
The vulnerabilities are also actionable: from the MR view a finding can be dismissed, or a confidential issue can be created to triage it later.
Then there is the vulnerability report, which displays all vulnerabilities detected in the main (default) branch and lets the security team triage and address them from a common interface, enabling collaboration.
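To make the MR comparison concrete, here is an added example (not GitLab's own code) that diffs two SAST reports the way the MR view does conceptually: findings only in the feature-branch report are "new", findings only in the target-branch report are "fixed", and the rest are unchanged. The two reports are constructed samples in the shape of the gl-sast-report.json artifact; the fingerprint rule (category, name, identifiers and file, ignoring the line number) is an assumption chosen so a finding that merely moves a few lines is not counted as fixed plus new. GitLab's own matching uses scanner-specific tracking signatures and is more elaborate.

```python
import json
from typing import Dict, List, Tuple

# Two constructed SAST reports in the shape of GitLab's gl-sast-report.json
# artifact (only the fields this comparison needs are included). The first is
# what the latest target-branch pipeline produced, the second what the merge
# request pipeline produced for the feature branch.
TARGET_BRANCH_REPORT = json.loads("""
{
  "version": "15.0.0",
  "vulnerabilities": [
    {"id": "f1", "category": "sast", "name": "SQL injection", "severity": "High",
     "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}],
     "location": {"file": "app/db.py", "start_line": 42}},
    {"id": "f2", "category": "sast", "name": "Use of weak hash MD5", "severity": "Medium",
     "identifiers": [{"type": "cwe", "name": "CWE-328", "value": "328"}],
     "location": {"file": "app/auth.py", "start_line": 17}}
  ]
}
""")

SOURCE_BRANCH_REPORT = json.loads("""
{
  "version": "15.0.0",
  "vulnerabilities": [
    {"id": "f1", "category": "sast", "name": "SQL injection", "severity": "High",
     "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}],
     "location": {"file": "app/db.py", "start_line": 45}},
    {"id": "f3", "category": "sast", "name": "Cross-site scripting", "severity": "High",
     "identifiers": [{"type": "cwe", "name": "CWE-79", "value": "79"}],
     "location": {"file": "app/views.py", "start_line": 88}}
  ]
}
""")

# Severity names as they appear in GitLab security reports, most severe first.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4, "Unknown": 5}


def fingerprint(v: dict) -> Tuple:
    """Identity of a finding for comparison purposes.

    Assumption: category, name, sorted identifiers and file are enough to
    match the same finding across two scans. The line number is deliberately
    left out so that a finding that only moved (f1: line 42 -> 45) is not
    reported as one fixed and one new vulnerability.
    """
    ids = tuple(sorted((i["type"], i["value"]) for i in v.get("identifiers", [])))
    return (v["category"], v["name"], ids, v["location"]["file"])


def _by_severity(v: dict) -> Tuple[int, str]:
    return (SEVERITY_RANK.get(v["severity"], 99), v["name"])


def compare_reports(target: dict, source: dict) -> Dict[str, List[dict]]:
    """Split findings into new (only in source), fixed (only in target) and
    existing (in both), each sorted by severity then name."""
    t = {fingerprint(v): v for v in target["vulnerabilities"]}
    s = {fingerprint(v): v for v in source["vulnerabilities"]}
    return {
        "new": sorted((v for k, v in s.items() if k not in t), key=_by_severity),
        "fixed": sorted((v for k, v in t.items() if k not in s), key=_by_severity),
        "existing": sorted((v for k, v in s.items() if k in t), key=_by_severity),
    }


def needs_security_approval(diff: Dict[str, List[dict]], threshold: str = "High") -> bool:
    """True if any *new* finding is at or above the severity threshold, which
    is the condition an appsec team would typically gate a merge on."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(v["severity"], 99) <= limit for v in diff["new"])


def summary_lines(diff: Dict[str, List[dict]]) -> List[str]:
    """Short widget-style summary: one line per finding, grouped by bucket."""
    lines = []
    for bucket in ("new", "fixed", "existing"):
        for v in diff[bucket]:
            loc = v["location"]
            lines.append(f"{bucket:8} {v['severity']:8} {v['name']} "
                         f"({loc['file']}:{loc['start_line']})")
    return lines


if __name__ == "__main__":
    d = compare_reports(TARGET_BRANCH_REPORT, SOURCE_BRANCH_REPORT)
    print("\n".join(summary_lines(d)))
    print("security approval required:", needs_security_approval(d))
```

With the constructed reports the MD5 finding shows up as fixed, the cross-site scripting finding as new, and the SQL injection as existing even though it moved from line 42 to 45; because the new finding is High, the merge would need a security approval under a High threshold.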
Once you click on a vulnerability, you are provided with advanced details on the vulnerability as well as how to remediate it.
From this view an appsec engineer can change the status, add comments or other details, and create confidential issues.
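The same status changes can be scripted against the GitLab GraphQL API when a team has more findings than it wants to click through one at a time. The following is an added example, not GitLab's own code: it lists DETECTED vulnerabilities for a project and plans a status change per finding according to a hypothetical team policy (dismiss a CWE as an accepted risk only under an agreed path prefix, with a dismissal reason and comment so the decision is auditable in the vulnerability's history; confirm critical and high findings; leave everything else for manual review). The GraphQL query and the vulnerabilityConfirm/vulnerabilityDismiss/vulnerabilityResolve mutations exist, but the exact field names are written from memory of the public schema and should be checked against your instance's schema; the response data is a constructed sample.

```python
import json
import urllib.request
from typing import Dict, List, Optional

# Query used to pull open findings from the vulnerability report. Field names
# follow GitLab's public GraphQL schema; verify them against /api/graphql.
VULNERABILITIES_QUERY = """
query($fullPath: ID!) {
  project(fullPath: $fullPath) {
    vulnerabilities(state: [DETECTED]) {
      nodes {
        id title severity state reportType
        identifiers { externalType externalId name }
        location { ... on VulnerabilityLocationSast { file } }
      }
    }
  }
}
"""

# Constructed sample of the `nodes` array such a query would return.
DETECTED_NODES = [
    {"id": "gid://gitlab/Vulnerability/101", "title": "SQL injection", "severity": "HIGH",
     "state": "DETECTED", "reportType": "SAST",
     "identifiers": [{"externalType": "cwe", "externalId": "89", "name": "CWE-89"}],
     "location": {"file": "app/db.py"}},
    {"id": "gid://gitlab/Vulnerability/102", "title": "Use of weak hash MD5", "severity": "MEDIUM",
     "state": "DETECTED", "reportType": "SAST",
     "identifiers": [{"externalType": "cwe", "externalId": "328", "name": "CWE-328"}],
     "location": {"file": "tests/fixtures/hash.py"}},
    {"id": "gid://gitlab/Vulnerability/103", "title": "Hardcoded password", "severity": "CRITICAL",
     "state": "DETECTED", "reportType": "SAST",
     "identifiers": [{"externalType": "cwe", "externalId": "798", "name": "CWE-798"}],
     "location": {"file": "app/settings.py"}},
    {"id": "gid://gitlab/Vulnerability/104", "title": "Use of weak hash MD5", "severity": "MEDIUM",
     "state": "DETECTED", "reportType": "SAST",
     "identifiers": [{"externalType": "cwe", "externalId": "328", "name": "CWE-328"}],
     "location": {"file": "app/auth.py"}},
]

# Hypothetical accepted-risk policy: a CWE is only dismissable under the listed
# path prefix, and every dismissal carries a reason and a comment.
ACCEPTED_RISK = {
    "328": {"path_prefix": "tests/", "dismissal_reason": "USED_IN_TESTS",
            "comment": "MD5 only names test fixtures; not security relevant"},
}

MUTATIONS = {"confirm": "vulnerabilityConfirm", "dismiss": "vulnerabilityDismiss",
             "resolve": "vulnerabilityResolve"}
ARG_TYPES = {"id": "VulnerabilityID!", "comment": "String",
             "dismissalReason": "VulnerabilityDismissalReason"}


def status_mutation(vuln_gid: str, action: str, comment: Optional[str] = None,
                    dismissal_reason: Optional[str] = None) -> Dict:
    """Build one GraphQL request body that changes a vulnerability's status."""
    if action not in MUTATIONS:
        raise ValueError(f"unknown action {action!r}")
    if not vuln_gid.startswith("gid://gitlab/Vulnerability/"):
        raise ValueError("expected a Vulnerability global ID")
    if dismissal_reason and action != "dismiss":
        raise ValueError("dismissalReason is only valid for dismiss")
    variables = {"id": vuln_gid}
    if comment:
        variables["comment"] = comment
    if dismissal_reason:
        variables["dismissalReason"] = dismissal_reason
    decl = ", ".join(f"${k}: {ARG_TYPES[k]}" for k in variables)
    args = ", ".join(f"{k}: ${k}" for k in variables)
    query = (f"mutation({decl}) {{ {MUTATIONS[action]}(input: {{{args}}}) "
             f"{{ vulnerability {{ id state }} errors }} }}")
    return {"query": query, "variables": variables}


def plan_triage(nodes: List[Dict], accepted_risk: Dict) -> List[Dict]:
    """One request per finding the policy can decide; the rest stay DETECTED
    for a human to look at in the vulnerability report."""
    plan = []
    for n in nodes:
        cwes = {i["externalId"] for i in n["identifiers"] if i["externalType"] == "cwe"}
        path = (n.get("location") or {}).get("file", "")
        rule = next((accepted_risk[c] for c in cwes if c in accepted_risk), None)
        if rule and path.startswith(rule["path_prefix"]):
            plan.append(status_mutation(n["id"], "dismiss", rule["comment"], rule["dismissal_reason"]))
        elif n["severity"] in ("CRITICAL", "HIGH"):
            plan.append(status_mutation(n["id"], "confirm", "Confirmed by policy: severity >= HIGH"))
    return plan


def send(request: Dict, base_url: str, token: str) -> Dict:
    """POST one request body to <base_url>/api/graphql with a personal access
    token; only needed when you actually run this against an instance."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/graphql",
                                 data=json.dumps(request).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for req in plan_triage(DETECTED_NODES, ACCEPTED_RISK):
        print(json.dumps(req))
```

Against the sample, findings 101 and 103 are confirmed, 102 is dismissed as USED_IN_TESTS because it sits under tests/, and 104 (the same CWE under app/) is left untouched for a person to decide, which is the point of scoping accepted risks to a path rather than to a rule alone.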