
Security

🌐 docs/user/application_security/secure_your_application

📝 docs/development/sec

Features

Detection

📝 gitlab-org/gitlab/templates/Jobs

GitLab Advisory Database

The GitLab Advisory Database serves as a repository for security advisories related to software dependencies. It is updated on an hourly basis with the latest security advisories.

🌐 docs/user/application_security/gitlab_advisory_database

Container scanning

🌐 docs/user/application_security/container_scanning

Dependency scanning

🌐 docs/user/application_security/dependency_scanning/

Secret detection

🌐 docs/user/application_security/secret_detection

📝 How to implement secret management best practices with GitLab

Static Application Security Testing (SAST)

🌐 docs/user/application_security/sast

Dynamic Application Security Testing (DAST)

🌐 docs/user/application_security/dast

Infrastructure as Code scanning

🌐 docs/user/application_security/iac_scanning

Compliance

🌐 docs/user/compliance

📝 Compliance features for administrators

Audit events

🌐 docs/user/compliance/audit_events

Compliance framework

🌐 docs/user/group/compliance_frameworks

Compliance center

The compliance center is the central location for compliance teams to manage their compliance standards adherence reporting, violations reporting, and compliance frameworks for their group.

🌐 docs/user/compliance/compliance_center

  • Compliance standards adherence dashboard
  • Compliance violations report
  • Compliance frameworks report
  • Compliance projects report

Policies

Policies provide security and compliance teams with a way to enforce controls globally in their organization.

🌐 docs/user/application_security/policies

| Name | Action |
| --- | --- |
| Scan execution policy | Enforce security scans, either as part of the pipeline or on a specified schedule |
| Merge request approval policy | Enforce project-level settings and approval rules based on scan results |
| Pipeline execution policy | Enforce CI/CD jobs as part of project pipelines |
| Vulnerability management policy | Automatically resolve vulnerabilities that are no longer detected in the default branch |
| License approval policy | Specify criteria that determine when approval is required before a merge request can be merged |

Monitoring

Security dashboard

🌐 docs/user/application_security/security_dashboard

Vulnerability report

🌐 docs/user/application_security/vulnerability_report

Vulnerability page

🌐 docs/user/application_security/vulnerabilities

Generation

Learning

Getting started

🌐 docs/user/application_security/get-started-security

Delivery Kits

Tutorials