gitlab-org/gitlab
Security features
GitLab's application security suite — SAST, DAST, dependency scanning, container scanning, secret detection, fuzz testing, IaC scanning, and the dashboards built on top.
Source
app/models/
├── vulnerability.rb (EE)
├── vulnerabilities/ (EE)
└── security/...
ee/app/models/security/              # most security models live here
ee/app/models/vulnerabilities/       # finding state, occurrences
ee/app/services/vulnerabilities/     # confirm, dismiss, resolve
ee/app/services/security/            # scan ingestion, scanners
ee/app/workers/vulnerabilities/, security/
lib/gitlab/ci/parsers/security/      # parse SAST/DAST/etc. reports
lib/gitlab/ci/reports/security/
ee/lib/api/v3/                       # vulnerability APIs
ee/lib/api/sast/                     # SAST IDE integration

The sec PostgreSQL database hosts security findings; see Database.
Scan-on-pipeline flow
graph TD
Job[CI job runs scanner]
Job -->|reports/sast.json + others| Artifact[CI artifact]
Artifact -->|on success| Worker[StoreScansService]
Worker --> Parse[Gitlab::Ci::Parsers::Security]
Parse --> Persist[Vulnerabilities::IngestService]
Persist --> Findings[(sec DB)]
Findings --> Dashboard[Vulnerability dashboard]
Findings --> MergeReq[MR security widget]

Highlights:
- Each scanner produces a JSON report in a known schema (gl-sast-report.json, gl-dependency-scanning-report.json, etc.).
- Parsers in lib/gitlab/ci/parsers/security/ validate and normalize the reports.
- The Vulnerabilities::Ingest flow merges new findings with existing state (deduplicates by signature).
- Dashboards aggregate per project, group, and instance.
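The parse, validate and merge-by-signature steps above, as an added Ruby example. This is illustration written for this page, not GitLab's own parser or ingestion service: the report sample is constructed and covers only the fields the example reads (not the full report schema), and the signature scheme (scanner + primary identifier + location) is an assumption standing in for GitLab's real fingerprinting. It goes slightly beyond the text by also reopening a previously resolved finding when its signature reappears.

```ruby
require 'json'
require 'digest'

# Constructed sample in the shape of a gl-sast-report.json. Only the subset of
# fields this example reads is present; it is not the real report schema.
SAMPLE_REPORT = <<~JSON
  {
    "version": "15.0.0",
    "scan": { "scanner": { "id": "semgrep", "name": "Semgrep" }, "status": "success" },
    "vulnerabilities": [
      {
        "name": "Hard-coded credential",
        "severity": "High",
        "identifiers": [ { "type": "cwe", "name": "CWE-798", "value": "798" } ],
        "location": { "file": "app/config.rb", "start_line": 12 }
      },
      {
        "name": "SQL injection",
        "severity": "critical",
        "identifiers": [ { "type": "cwe", "name": "CWE-89", "value": "89" } ],
        "location": { "file": "app/models/user.rb", "start_line": 40 }
      }
    ]
  }
JSON

SEVERITIES = %w[info unknown low medium high critical].freeze

# Validate one raw finding and normalize it. Any missing field or unknown
# severity raises, so a malformed (or tampered) report is rejected as a whole
# instead of being half-persisted.
def normalize_finding(raw, scanner_id)
  %w[name severity identifiers location].each do |key|
    raise ArgumentError, "finding missing #{key}" unless raw.key?(key)
  end
  severity = raw['severity'].to_s.downcase
  raise ArgumentError, "unknown severity #{raw['severity']}" unless SEVERITIES.include?(severity)
  raise ArgumentError, 'finding has no identifiers' if raw['identifiers'].empty?

  {
    name: raw['name'],
    severity: severity,
    scanner: scanner_id,
    identifiers: raw['identifiers'].map { |i| "#{i['type']}:#{i['value']}" }.sort,
    file: raw['location'].fetch('file'),
    line: raw['location']['start_line']
  }
end

# Deduplication signature: scanner + primary identifier + location.
# Assumed scheme for this example, not GitLab's own fingerprint algorithm.
def signature(finding)
  Digest::SHA256.hexdigest(
    [finding[:scanner], finding[:identifiers].first, finding[:file], finding[:line]].join('|')
  )
end

# Parse and validate a whole report; returns normalized findings with signatures.
def parse_report(json)
  doc = JSON.parse(json)
  raise ArgumentError, 'report missing version' unless doc['version']

  scanner_id = doc.dig('scan', 'scanner', 'id')
  raise ArgumentError, 'report missing scanner id' unless scanner_id

  doc.fetch('vulnerabilities').map do |raw|
    finding = normalize_finding(raw, scanner_id)
    finding.merge(signature: signature(finding))
  end
end

# Merge a fresh scan into the existing store (hash keyed by signature).
# New signatures become 'detected'; signatures that were 'resolved' but show up
# again are reopened; signatures absent from the new scan are marked 'resolved';
# everything else keeps its state. Returns the updated store and a summary.
def ingest(existing, findings)
  store = existing.dup
  seen = findings.map { |f| f[:signature] }
  summary = { new: [], existing: [], reopened: [], resolved: [] }

  findings.each do |f|
    sig = f[:signature]
    if !store.key?(sig)
      store[sig] = f.merge(state: 'detected')
      summary[:new] << sig
    elsif store[sig][:state] == 'resolved'
      store[sig] = store[sig].merge(state: 'detected')
      summary[:reopened] << sig
    else
      summary[:existing] << sig
    end
  end

  store.keys.each do |sig|
    next if seen.include?(sig) || store[sig][:state] == 'resolved'

    store[sig] = store[sig].merge(state: 'resolved')
    summary[:resolved] << sig
  end

  [store, summary]
end
```

Rejecting the whole report on the first bad finding is deliberate: a partially ingested report would leave the dashboard claiming a scan succeeded while silently dropping findings.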
Scanners (CI templates)
CI templates under lib/gitlab/ci/templates/Jobs/ and lib/gitlab/ci/templates/Security/ provide ready-to-use scanner jobs:
- SAST.gitlab-ci.yml
- DAST.gitlab-ci.yml
- Dependency-Scanning.gitlab-ci.yml
- Container-Scanning.gitlab-ci.yml
- Secret-Detection.gitlab-ci.yml
- IaC-Scanning.gitlab-ci.yml
- Coverage-Fuzzing.gitlab-ci.yml
- API-Fuzzing.gitlab-ci.yml
- Browser-Performance.gitlab-ci.yml (a performance-testing template, not a security scanner)
The actual scanner Docker images live in separate repos under gitlab-org/security-products/.
Vulnerability lifecycle
A Vulnerability row tracks state:
- detected (newly found)
- confirmed
- dismissed (not a real risk)
- resolved (fixed)
Each state change is recorded in the vulnerability_state_transitions table, which is the audit trail for a finding.
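An added Ruby example of the lifecycle above: an in-memory stand-in for a Vulnerability row that enforces which transitions are allowed and records every change in the way vulnerability_state_transitions does. This is not GitLab's own model code; the transition table and the rule that a dismissal needs a comment are assumptions made for the example.

```ruby
require 'time'

STATES = %w[detected confirmed dismissed resolved].freeze

# Allowed transitions. Assumed for this example; GitLab's own rules may allow
# more (or fewer) edges than this.
TRANSITIONS = {
  'detected'  => %w[confirmed dismissed resolved],
  'confirmed' => %w[dismissed resolved],
  'dismissed' => %w[detected confirmed],
  'resolved'  => %w[detected]
}.freeze

# Minimal in-memory stand-in for a Vulnerability row plus its state-transition
# audit log (the role vulnerability_state_transitions plays in the real schema).
class Vulnerability
  attr_reader :id, :state, :transitions

  def initialize(id)
    @id = id
    @state = 'detected'
    @transitions = []
  end

  # Move to a new state, recording who did it and why. Dismissals without a
  # comment are refused so the audit trail always explains accepted risk.
  def transition!(to, author:, comment: nil)
    raise ArgumentError, "unknown state #{to}" unless STATES.include?(to)
    raise ArgumentError, "#{state} -> #{to} is not allowed" unless TRANSITIONS[state].include?(to)
    raise ArgumentError, 'dismissal requires a comment' if to == 'dismissed' && comment.to_s.strip.empty?

    @transitions << { from: state, to: to, author: author, comment: comment, at: Time.now.utc.iso8601 }
    @state = to
    self
  end

  # Audit view: one line per transition, oldest first.
  def audit_log
    transitions.map do |t|
      suffix = t[:comment] ? " (#{t[:comment]})" : ''
      "#{t[:at]} #{t[:author]}: #{t[:from]} -> #{t[:to]}#{suffix}"
    end
  end
end
```

The guard on dismissals matters more than the table itself: a dismissed finding disappears from most views, so the reason has to be captured at the moment of dismissal or it is lost.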
Approval gates and merge guards
EE features:
- Security policies: scan execution policies and merge request approval policies (scan result policies), implemented under ee/app/services/security/security_orchestration_policies/.
- Approval rules: automatically required when new findings appear in an MR.
- Vulnerability merge widget: shown on the MR, comparing findings on the source branch against the target branch.
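The approval gate described above, as an added Ruby example: diff the findings of the target-branch pipeline against the source-branch pipeline, evaluate a policy against the new ones, and decide whether the MR may merge. The findings, the policy structure and its field names are constructed for this page and only loosely resemble a merge request approval policy; none of this is GitLab's policy engine.

```ruby
require 'set'

# Constructed findings as the MR widget would compare them: the pipeline on the
# target (default) branch versus the pipeline on the MR source branch. Each is
# identified by a deduplication signature (opaque strings here).
TARGET_BRANCH_FINDINGS = [
  { signature: 'sig-001', scanner: 'sast', severity: 'medium', name: 'Weak hash' },
  { signature: 'sig-002', scanner: 'dependency_scanning', severity: 'high', name: 'Vulnerable gem' }
].freeze

SOURCE_BRANCH_FINDINGS = [
  { signature: 'sig-001', scanner: 'sast', severity: 'medium', name: 'Weak hash' },                  # pre-existing
  { signature: 'sig-003', scanner: 'sast', severity: 'critical', name: 'SQL injection' },            # new
  { signature: 'sig-004', scanner: 'secret_detection', severity: 'critical', name: 'Leaked token' }  # new
].freeze

# Policy in the spirit of a merge request approval (scan result) policy. The
# field names are assumptions for this example, not GitLab's policy YAML.
POLICY = {
  name: 'Block new high/critical SAST findings',
  scanners: %w[sast],
  severity_levels: %w[high critical],
  vulnerabilities_allowed: 0,
  approvals_required: 1
}.freeze

# Findings present on the source branch that the target branch does not know.
def new_findings(target, source)
  known = target.map { |f| f[:signature] }.to_set
  source.reject { |f| known.include?(f[:signature]) }
end

# Evaluate a policy: count new findings matching its scanner and severity
# filters; approval is required once the count exceeds the allowance.
def evaluate_policy(policy, target, source)
  matching = new_findings(target, source).select do |f|
    policy[:scanners].include?(f[:scanner]) && policy[:severity_levels].include?(f[:severity])
  end
  blocked = matching.size > policy[:vulnerabilities_allowed]
  {
    policy: policy[:name],
    approvals_required: blocked ? policy[:approvals_required] : 0,
    triggering: matching.map { |f| f[:signature] }
  }
end

# Merge guard: the MR is mergeable only when every policy's requirement is
# covered by the approvals already given.
def mergeable?(policies, target, source, approvals_given)
  policies.all? { |p| evaluate_policy(p, target, source)[:approvals_required] <= approvals_given }
end
```

Note that only findings new relative to the target branch count: pre-existing ones (sig-001) are the dashboard's problem, not the MR author's, which is why the comparison baseline has to be the target branch's latest pipeline rather than an empty set.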
Compliance frameworks
ee/app/services/compliance_management/ and ee/app/models/compliance_management/ define labels, frameworks, and audit-friendly merge enforcement.
Audit events
app/models/audit_events/, app/services/audit_events/, lib/audit/, ee/app/services/audit_events/. Events flow into the partitioned audit_events Postgres table and (optionally) ClickHouse for long-term retention.
Secret detection (in-product)
gems/gitlab-secret_detection plus lib/gitlab/secret_detection/ implement detection at push time, scanning the content of pushed commits before it lands. Secrets found are reported via the GraphQL API and the MR widget.
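An added Ruby example of what a push-time scan does: run a small rule set over the blobs of a push, skip binary content and allowlisted paths, and turn the result into an allow/reject decision. This is written for this page and is not the gitlab-secret_detection gem. The glpat- and AKIA prefixes are real token prefixes, but the character classes are simplified, the token values in the sample blobs are fake placeholders, and the allowlist parameter is an assumption.

```ruby
# Rule set. The GitLab PAT prefix glpat- and the AWS access-key-ID prefix AKIA
# are real; the exact character classes are simplified for this example.
SECRET_RULES = [
  { id: 'gitlab_personal_access_token', regex: /\bglpat-[0-9A-Za-z_\-]{20}\b/ },
  { id: 'aws_access_key_id',            regex: /\bAKIA[0-9A-Z]{16}\b/ }
].freeze

# Constructed blobs as they would arrive in a push: path => content. The token
# values are fake placeholders, not real credentials.
PUSHED_BLOBS = {
  'config/settings.rb' => "API_BASE = 'https://gitlab.example.com'\nTOKEN = 'glpat-EXAMPLE0000000000000'\n",
  'deploy/env.sh'      => "export AWS_ACCESS_KEY_ID=AKIAEXAMPLE00000EXAM\nexport REGION=eu-west-1\n",
  'docs/README.md'     => "Tokens look like glpat-xxxx; never commit them.\n",
  'assets/logo.png'    => "\x89PNG\r\n\x1A\n\x00binary".b
}.freeze

# Scan one blob line by line. Binary content (invalid encoding or NUL bytes) is
# skipped, as are paths under an allowlisted prefix (test fixtures, for example).
def scan_blob(path, content, allowlist: [])
  return [] if allowlist.any? { |prefix| path.start_with?(prefix) }
  return [] unless content.valid_encoding? && !content.include?("\0")

  content.each_line.with_index(1).flat_map do |line, number|
    SECRET_RULES.select { |rule| rule[:regex].match?(line) }.map do |rule|
      { path: path, line: number, rule: rule[:id] }
    end
  end
end

# Scan every blob in the push and collect all findings.
def scan_push(blobs, allowlist: [])
  blobs.flat_map { |path, content| scan_blob(path, content, allowlist: allowlist) }
end

# Decision the pre-receive check would make: the push is rejected if anything matched.
def push_allowed?(blobs, allowlist: [])
  scan_push(blobs, allowlist: allowlist).empty?
end
```

Reporting path, line and rule id (never the matched value itself) keeps the finding useful without copying the secret into yet another store.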
API
- REST: lib/api/vulnerabilities.rb, lib/api/vulnerability_findings.rb, lib/api/security/.
- GraphQL: app/graphql/types/vulnerability_*, app/graphql/mutations/vulnerabilities/.
Related
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.