Vulnerability management is about ensuring that assets and applications are scanned for vulnerabilities, and then the processes to record, manage, and mitigate those vulnerabilities.
Traditionally, vulnerability management has focused on scans of live web apps and assets, and management of those vulnerabilities in a single tool. At GitLab, we have a broader vision. Specifically, vulnerabilities should not be collected and managed in isolation, but instead they should be integrated with the rest of your DevOps lifecycle.
Our goal is to identify meaningful sets of vulnerabilities, in both your assets and application code, that can be mitigated, managed, and acted upon by your whole team, not just the security organization.
Our goal is also to provide unified interfaces and integrate with the systems teams are already using for managing results from
~"devops::secure" stage, so there is always a single source of truth, and a single place for management of security results.
Additionally, our goal is to support teams with compliance and auditing efforts by effectively being able to show the lifecycle of identifying and mitigating identified vulnerabilities.
We will start by creating an excellent experience around managing vulnerability results from scanners. This is a beneficial first step since the results from existing VM scanners can be then be imported into and managed within GitLab, rather than requiring multiple tools to be used.
Additionally, vulnerability results from SAST, DAST and container scanning can be used with the same workflow. This will give security teams a better view of the overall amount of risk associated with their apps, both from a pre-deployment and post-deployment perspective.
There is no feature available for this category.
The category is very new, so we still need to engage customers and get feedback about their interests and priorities in this area.