2019-10-12 21:52:04 +05:30
---
type: reference, howto
2020-07-28 23:09:34 +05:30
stage: Secure
group: Threat Insights
2021-02-22 17:27:13 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2019-10-12 21:52:04 +05:30
---
2021-03-11 19:13:27 +05:30
# GitLab Security Dashboards and Security Center **(ULTIMATE)**
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
You can use Security Dashboards to view details about vulnerabilities
detected by [security scanners ](../index.md#security-scanning-tools ).
These details are shown in pipelines, projects, and groups.
2022-01-26 12:08:38 +05:30
2022-03-02 08:16:31 +05:30
To use the Security Dashboards, you must:
2021-01-03 14:25:43 +05:30
2022-03-02 08:16:31 +05:30
- Configure at least one [security scanner ](../index.md#security-scanning-tools ) in a project.
- Configure jobs to use the [`reports` syntax ](../../../ci/yaml/index.md#artifactsreports ).
- Use [GitLab Runner ](https://docs.gitlab.com/runner/ ) 11.5 or later. If you use the
shared runners on GitLab.com, you are using the correct version.
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
## When Security Dashboards are updated
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
The Security Dashboards show results of the most recent security scan on the
[default branch ](../../project/repository/branches/default.md ).
Security scans run only when the default branch updates, so
information on the Security Dashboard might not reflect newly-discovered vulnerabilities.
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
To run a daily security scan,
[configure a scheduled pipeline ](../../../ci/pipelines/schedules.md ).
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
## Reduce false negatives in dependency scans
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
WARNING:
False negatives occur when you resolve dependency versions during a scan, which differ from those
resolved when your project built and released in a previous pipeline.
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
To reduce false negatives in [dependency scans ](../../../user/application_security/dependency_scanning/index.md ) in scheduled pipelines, ensure you:
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
- Include a lock file in your project. A lock file lists all transient dependencies and tracks their versions.
- Java projects can't have lock files.
- Python projects can have lock files, but GitLab Secure tools don't support them.
- Configure your project for [Continuous Delivery ](../../../ci/introduction/index.md ).
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
## View vulnerabilities in a pipeline
2019-12-04 20:38:33 +05:30
2021-11-11 11:23:49 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/13496) in GitLab 12.3.
2019-12-04 20:38:33 +05:30
2022-03-02 08:16:31 +05:30
To view vulnerabilities in a pipeline:
2019-12-04 20:38:33 +05:30
2022-03-02 08:16:31 +05:30
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **CI/CD > Pipelines** .
1. From the list, select the pipeline you want to check for vulnerabilities.
1. Select the **Security** tab.
2020-10-24 23:57:45 +05:30
2022-06-21 17:19:12 +05:30
**Scan details** shows vulnerabilities introduced by the merge request, in addition to existing vulnerabilities
from the latest successful pipeline in your project's default branch.
2022-03-02 08:16:31 +05:30
A pipeline consists of multiple jobs, such as SAST and DAST scans. If a job fails to finish,
the security dashboard doesn't show SAST scanner output. For example, if the SAST
2021-01-03 14:25:43 +05:30
job finishes but the DAST job fails, the security dashboard doesn't show SAST results. On failure,
2022-03-02 08:16:31 +05:30
the analyzer outputs an [exit code ](../../../development/integrations/secure.md#exit-code ).
## View total number of vulnerabilities per scan
To view the total number of vulnerabilities per scan:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **CI/CD > Pipelines** .
1. Select the **Status** of a branch.
1. Select the **Security** tab.
2020-05-24 23:13:21 +05:30
2022-06-21 17:19:12 +05:30
**Scan details** shows vulnerabilities introduced by the merge request, in addition to existing vulnerabilities
from the latest successful pipeline in your project's default branch.
2022-03-02 08:16:31 +05:30
### Download security scan outputs
2021-04-17 20:07:23 +05:30
2021-12-11 22:18:48 +05:30
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3728) in GitLab 13.10.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/333660) in GitLab 14.2.
2021-04-17 20:07:23 +05:30
2022-03-02 08:16:31 +05:30
Depending on the type of security scanner, you can download:
2022-04-04 11:22:00 +05:30
- A JSON artifact that contains the security scanner [report ](../../../development/integrations/secure.md#report ).
2022-03-02 08:16:31 +05:30
- A CSV file that contains URLs and endpoints scanned by the security scanner.
To download a security scan output:
2021-12-11 22:18:48 +05:30
2022-03-02 08:16:31 +05:30
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **CI/CD > Pipelines** .
1. Select the **Status** of a branch.
1. Select the **Security** tab.
1. In **Scan details** , select **Download results** :
- To download a JSON file, select the JSON artifact.
- To download a CSV file, select **Download scanned resources** .
2021-04-17 20:07:23 +05:30
2022-03-02 08:16:31 +05:30
## View vulnerabilities over time for a project
2019-07-31 22:56:46 +05:30
2021-04-29 21:17:54 +05:30
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/235558) in GitLab 13.6.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/285476) in GitLab 13.10, options to zoom in on a date range, and download the vulnerabilities chart.
2021-06-08 01:23:25 +05:30
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/285477) in GitLab 13.11, date range slider to visualize data between given dates.
2021-01-29 00:20:46 +05:30
2022-03-02 08:16:31 +05:30
The project Security Dashboard shows the total number of vulnerabilities
over time, with up to 365 days of historical data. Data refreshes daily at 01:15 UTC.
It shows statistics for all vulnerabilities.
2021-06-08 01:23:25 +05:30
2022-03-02 08:16:31 +05:30
To view total number of vulnerabilities over time:
2021-01-29 00:20:46 +05:30
2022-03-02 08:16:31 +05:30
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Security Dashboard** .
1. Filter and search for what you need.
- To filter the chart by severity, select the legend name.
- To view a specific time frame, use the time range handles (**{scroll-handle}**).
- To view a specific area of the chart, select the left-most icon (**{marquee-selection}**) and drag
across the chart.
- To reset to the original range, select **Remove Selection** (**{redo}**).
2021-01-29 00:20:46 +05:30
2022-03-02 08:16:31 +05:30
### Download the vulnerabilities chart
2021-06-08 01:23:25 +05:30
2022-03-02 08:16:31 +05:30
To download an SVG image of the vulnerabilities chart:
2021-06-08 01:23:25 +05:30
2022-03-02 08:16:31 +05:30
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Security dashboard** .
1. Select **Save chart as an image** (**{download}**).
2021-06-08 01:23:25 +05:30
2022-03-02 08:16:31 +05:30
## View vulnerabilities over time for a group
2021-01-29 00:20:46 +05:30
2022-03-02 08:16:31 +05:30
The group Security Dashboard gives an overview of vulnerabilities found in the default
branches of projects in a group and its subgroups.
2021-06-08 01:23:25 +05:30
2022-03-02 08:16:31 +05:30
To view vulnerabilities over time for a group:
2021-06-08 01:23:25 +05:30
2022-03-02 08:16:31 +05:30
1. On the top bar, select **Menu > Groups** and select a group.
1. Select **Security > Security Dashboard** .
1. Hover over the chart to get more details about vulnerabilities.
- You can display the vulnerability trends over a 30, 60, or 90-day time frame (the default is 90 days).
- To view aggregated data beyond a 90-day time frame, use the
[VulnerabilitiesCountByDay GraphQL API ](../../../api/graphql/reference/index.md#vulnerabilitiescountbyday ).
GitLab retains the data for 365 days.
2021-04-29 21:17:54 +05:30
2022-03-02 08:16:31 +05:30
## View project security status for a group
2021-04-29 21:17:54 +05:30
2022-03-02 08:16:31 +05:30
Use the group Security Dashboard to view the security status of projects. The security status is based
on the number of detected vulnerabilities.
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
To view project security status for a group:
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
1. On the top bar, select **Menu > Groups** and select a group.
1. Select **Security > Security Dashboard** .
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
Projects are [graded ](#project-vulnerability-grades ) by vulnerability severity. Dismissed vulnerabilities are excluded.
2020-07-28 23:09:34 +05:30
2022-03-02 08:16:31 +05:30
To view vulnerabilities, go to the group's [vulnerability report ](../vulnerability_report/index.md ).
2019-07-31 22:56:46 +05:30
2022-03-02 08:16:31 +05:30
### Project vulnerability grades
2020-01-01 13:55:28 +05:30
2021-01-29 00:20:46 +05:30
| Grade | Description |
2022-03-02 08:16:31 +05:30
| --- | --- |
| **F** | One or more `critical` vulnerabilities |
| **D** | One or more `high` or `unknown` vulnerabilities |
| **C** | One or more `medium` vulnerabilities |
| **B** | One or more `low` vulnerabilities |
| **A** | Zero vulnerabilities |
2019-07-31 22:56:46 +05:30
2021-03-11 19:13:27 +05:30
## Security Center
2020-03-13 15:44:24 +05:30
2021-11-11 11:23:49 +05:30
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3426) in GitLab 13.4.
2020-03-13 15:44:24 +05:30
2022-03-02 08:16:31 +05:30
The Security Center is a personal space where you view vulnerabilities across all your projects. It
shows the vulnerabilities present in the default branches of the projects.
The Security Center includes:
2021-01-03 14:25:43 +05:30
2022-03-02 08:16:31 +05:30
- The group Security Dashboard.
2021-03-11 19:13:27 +05:30
- A [vulnerability report ](../vulnerability_report/index.md ).
2022-03-02 08:16:31 +05:30
- A settings area to configure which projects to display.
2020-03-13 15:44:24 +05:30
2021-03-11 19:13:27 +05:30
![Security Center Dashboard with projects ](img/security_center_dashboard_v13_4.png )
2020-11-24 15:15:51 +05:30
2022-03-02 08:16:31 +05:30
### View the Security Center
2021-09-04 01:27:46 +05:30
To view the Security Center, on the top bar, select **Menu > Security** .
2020-03-13 15:44:24 +05:30
2022-03-02 08:16:31 +05:30
### Add projects to the Security Center
2020-03-13 15:44:24 +05:30
2021-01-03 14:25:43 +05:30
To add projects to the Security Center:
2020-03-13 15:44:24 +05:30
2022-03-02 08:16:31 +05:30
1. On the top bar, select **Menu > Security** .
1. On the left sidebar, select **Settings** , or select **Add projects** .
1. Use the **Search your projects** text box to search for and select projects.
1. Select **Add projects** .
2020-03-13 15:44:24 +05:30
2022-03-02 08:16:31 +05:30
After you add projects, the security dashboard and vulnerability report show the vulnerabilities
2021-01-03 14:25:43 +05:30
found in those projects' default branches.
2020-03-13 15:44:24 +05:30
2019-10-12 21:52:04 +05:30
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X` .
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
2020-10-24 23:57:45 +05:30
2022-03-02 08:16:31 +05:30
## Related topics
- [Address the vulnerabilities ](../vulnerabilities/index.md )
- [Vulnerability reports ](../vulnerability_report/index.md )
- [Vulnerability Page ](../vulnerabilities/index.md )