[{"data":1,"prerenderedAt":783},["ShallowReactive",2],{"/en-us/blog/categories/security":3,"navigation-en-us":20,"banner-en-us":429,"footer-en-us":439,"security-category-page-total-items-en-us":681,"security-category-page-featured-en-us":682,"security-category-page-10-en-us":708},{"id":4,"title":5,"body":6,"category":6,"config":7,"content":11,"description":6,"extension":12,"meta":13,"navigation":14,"path":15,"seo":16,"slug":6,"stem":18,"testContent":6,"type":6,"__hash__":19},"blogCategories/en-us/blog/categories/security.yml","Security",null,{"template":8,"slug":9,"hide":10},"BlogCategory","security",false,{"name":5},"yml",{},true,"/en-us/blog/categories/security",{"title":5,"description":17},"Browse articles related to Security on the GitLab Blog","en-us/blog/categories/security","Hx58KagneyLDkWgUOsPQNGCsWqekf9YGQa6EJFfGFRw",{"data":21},{"logo":22,"freeTrial":27,"sales":32,"login":37,"items":42,"search":349,"minimal":380,"duo":399,"switchNav":408,"pricingDeployment":419},{"config":23},{"href":24,"dataGaName":25,"dataGaLocation":26},"/","gitlab logo","header",{"text":28,"config":29},"Get free trial",{"href":30,"dataGaName":31,"dataGaLocation":26},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com&glm_content=default-saas-trial/","free trial",{"text":33,"config":34},"Talk to sales",{"href":35,"dataGaName":36,"dataGaLocation":26},"/sales/","sales",{"text":38,"config":39},"Sign in",{"href":40,"dataGaName":41,"dataGaLocation":26},"https://gitlab.com/users/sign_in/","sign in",[43,70,164,169,270,330],{"text":44,"config":45,"cards":47},"Platform",{"dataNavLevelOne":46},"platform",[48,54,62],{"title":44,"description":49,"link":50},"The intelligent orchestration platform for DevSecOps",{"text":51,"config":52},"Explore our Platform",{"href":53,"dataGaName":46,"dataGaLocation":26},"/platform/",{"title":55,"description":56,"link":57},"GitLab Duo Agent Platform","Agentic AI for the entire software lifecycle",{"text":58,"config":59},"Meet GitLab Duo",{"href":60,"dataGaName":61,"dataGaLocation":26},"/gitlab-duo-agent-platform/","gitlab duo agent platform",{"title":63,"description":64,"link":65},"Why GitLab","See the top reasons enterprises choose GitLab",{"text":66,"config":67},"Learn more",{"href":68,"dataGaName":69,"dataGaLocation":26},"/why-gitlab/","why gitlab",{"text":71,"left":14,"config":72,"link":74,"lists":78,"footer":146},"Product",{"dataNavLevelOne":73},"solutions",{"text":75,"config":76},"View all Solutions",{"href":77,"dataGaName":73,"dataGaLocation":26},"/solutions/",[79,103,125],{"title":80,"description":81,"link":82,"items":87},"Automation","CI/CD and automation to accelerate deployment",{"config":83},{"icon":84,"href":85,"dataGaName":86,"dataGaLocation":26},"AutomatedCodeAlt","/solutions/delivery-automation/","automated software delivery",[88,92,95,99],{"text":89,"config":90},"CI/CD",{"href":91,"dataGaLocation":26,"dataGaName":89},"/solutions/continuous-integration/",{"text":55,"config":93},{"href":60,"dataGaLocation":26,"dataGaName":94},"gitlab duo agent platform - product menu",{"text":96,"config":97},"Source Code Management",{"href":98,"dataGaLocation":26,"dataGaName":96},"/solutions/source-code-management/",{"text":100,"config":101},"Automated Software Delivery",{"href":85,"dataGaLocation":26,"dataGaName":102},"Automated software delivery",{"title":5,"description":104,"link":105,"items":110},"Deliver code faster without compromising security",{"config":106},{"href":107,"dataGaName":108,"dataGaLocation":26,"icon":109},"/solutions/application-security-testing/","security and compliance","ShieldCheckLight",[111,115,120],{"text":112,"config":113},"Application Security Testing",{"href":107,"dataGaName":114,"dataGaLocation":26},"Application security testing",{"text":116,"config":117},"Software Supply Chain Security",{"href":118,"dataGaLocation":26,"dataGaName":119},"/solutions/supply-chain/","Software supply chain security",{"text":121,"config":122},"Software Compliance",{"href":123,"dataGaName":124,"dataGaLocation":26},"/solutions/software-compliance/","software compliance",{"title":126,"link":127,"items":132},"Measurement",{"config":128},{"icon":129,"href":130,"dataGaName":131,"dataGaLocation":26},"DigitalTransformation","/solutions/visibility-measurement/","visibility and measurement",[133,137,141],{"text":134,"config":135},"Visibility & Measurement",{"href":130,"dataGaLocation":26,"dataGaName":136},"Visibility and Measurement",{"text":138,"config":139},"Value Stream Management",{"href":140,"dataGaLocation":26,"dataGaName":138},"/solutions/value-stream-management/",{"text":142,"config":143},"Analytics & Insights",{"href":144,"dataGaLocation":26,"dataGaName":145},"/solutions/analytics-and-insights/","Analytics and insights",{"title":147,"items":148},"GitLab for",[149,154,159],{"text":150,"config":151},"Enterprise",{"href":152,"dataGaLocation":26,"dataGaName":153},"/enterprise/","enterprise",{"text":155,"config":156},"Small Business",{"href":157,"dataGaLocation":26,"dataGaName":158},"/small-business/","small business",{"text":160,"config":161},"Public Sector",{"href":162,"dataGaLocation":26,"dataGaName":163},"/solutions/public-sector/","public sector",{"text":165,"config":166},"Pricing",{"href":167,"dataGaName":168,"dataGaLocation":26,"dataNavLevelOne":168},"/pricing/","pricing",{"text":170,"config":171,"link":173,"lists":177,"feature":257},"Resources",{"dataNavLevelOne":172},"resources",{"text":174,"config":175},"View all resources",{"href":176,"dataGaName":172,"dataGaLocation":26},"/resources/",[178,211,229],{"title":179,"items":180},"Getting started",[181,186,191,196,201,206],{"text":182,"config":183},"Install",{"href":184,"dataGaName":185,"dataGaLocation":26},"/install/","install",{"text":187,"config":188},"Quick start guides",{"href":189,"dataGaName":190,"dataGaLocation":26},"/get-started/","quick setup checklists",{"text":192,"config":193},"Learn",{"href":194,"dataGaLocation":26,"dataGaName":195},"https://university.gitlab.com/","learn",{"text":197,"config":198},"Product documentation",{"href":199,"dataGaName":200,"dataGaLocation":26},"https://docs.gitlab.com/","product documentation",{"text":202,"config":203},"Best practice videos",{"href":204,"dataGaName":205,"dataGaLocation":26},"/getting-started-videos/","best practice videos",{"text":207,"config":208},"Integrations",{"href":209,"dataGaName":210,"dataGaLocation":26},"/integrations/","integrations",{"title":212,"items":213},"Discover",[214,219,224],{"text":215,"config":216},"Customer success stories",{"href":217,"dataGaName":218,"dataGaLocation":26},"/customers/","customer success stories",{"text":220,"config":221},"Blog",{"href":222,"dataGaName":223,"dataGaLocation":26},"/blog/","blog",{"text":225,"config":226},"Remote",{"href":227,"dataGaName":228,"dataGaLocation":26},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"title":230,"items":231},"Connect",[232,237,242,247,252],{"text":233,"config":234},"GitLab Services",{"href":235,"dataGaName":236,"dataGaLocation":26},"/services/","services",{"text":238,"config":239},"Community",{"href":240,"dataGaName":241,"dataGaLocation":26},"/community/","community",{"text":243,"config":244},"Forum",{"href":245,"dataGaName":246,"dataGaLocation":26},"https://forum.gitlab.com/","forum",{"text":248,"config":249},"Events",{"href":250,"dataGaName":251,"dataGaLocation":26},"/events/","events",{"text":253,"config":254},"Partners",{"href":255,"dataGaName":256,"dataGaLocation":26},"/partners/","partners",{"backgroundColor":258,"textColor":259,"text":260,"image":261,"link":265},"#2f2a6b","#fff","Insights for the future of software development",{"altText":262,"config":263},"the source promo card",{"src":264},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758208064/dzl0dbift9xdizyelkk4.svg",{"text":266,"config":267},"Read the latest",{"href":268,"dataGaName":269,"dataGaLocation":26},"/the-source/","the source",{"text":271,"config":272,"lists":274},"Company",{"dataNavLevelOne":273},"company",[275],{"items":276},[277,282,288,290,295,300,305,310,315,320,325],{"text":278,"config":279},"About",{"href":280,"dataGaName":281,"dataGaLocation":26},"/company/","about",{"text":283,"config":284,"footerGa":287},"Jobs",{"href":285,"dataGaName":286,"dataGaLocation":26},"/jobs/","jobs",{"dataGaName":286},{"text":248,"config":289},{"href":250,"dataGaName":251,"dataGaLocation":26},{"text":291,"config":292},"Leadership",{"href":293,"dataGaName":294,"dataGaLocation":26},"/company/team/e-group/","leadership",{"text":296,"config":297},"Team",{"href":298,"dataGaName":299,"dataGaLocation":26},"/company/team/","team",{"text":301,"config":302},"Handbook",{"href":303,"dataGaName":304,"dataGaLocation":26},"https://handbook.gitlab.com/","handbook",{"text":306,"config":307},"Investor relations",{"href":308,"dataGaName":309,"dataGaLocation":26},"https://ir.gitlab.com/","investor relations",{"text":311,"config":312},"Trust Center",{"href":313,"dataGaName":314,"dataGaLocation":26},"/security/","trust center",{"text":316,"config":317},"AI Transparency Center",{"href":318,"dataGaName":319,"dataGaLocation":26},"/ai-transparency-center/","ai transparency center",{"text":321,"config":322},"Newsletter",{"href":323,"dataGaName":324,"dataGaLocation":26},"/company/contact/#contact-forms","newsletter",{"text":326,"config":327},"Press",{"href":328,"dataGaName":329,"dataGaLocation":26},"/press/","press",{"text":331,"config":332,"lists":333},"Contact us",{"dataNavLevelOne":273},[334],{"items":335},[336,339,344],{"text":33,"config":337},{"href":35,"dataGaName":338,"dataGaLocation":26},"talk to sales",{"text":340,"config":341},"Support portal",{"href":342,"dataGaName":343,"dataGaLocation":26},"https://support.gitlab.com","support portal",{"text":345,"config":346},"Customer portal",{"href":347,"dataGaName":348,"dataGaLocation":26},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"close":350,"login":351,"suggestions":358},"Close",{"text":352,"link":353},"To search repositories and projects, login to",{"text":354,"config":355},"gitlab.com",{"href":40,"dataGaName":356,"dataGaLocation":357},"search login","search",{"text":359,"default":360},"Suggestions",[361,363,367,369,373,377],{"text":55,"config":362},{"href":60,"dataGaName":55,"dataGaLocation":357},{"text":364,"config":365},"Code Suggestions (AI)",{"href":366,"dataGaName":364,"dataGaLocation":357},"/solutions/code-suggestions/",{"text":89,"config":368},{"href":91,"dataGaName":89,"dataGaLocation":357},{"text":370,"config":371},"GitLab on AWS",{"href":372,"dataGaName":370,"dataGaLocation":357},"/partners/technology-partners/aws/",{"text":374,"config":375},"GitLab on Google Cloud",{"href":376,"dataGaName":374,"dataGaLocation":357},"/partners/technology-partners/google-cloud-platform/",{"text":378,"config":379},"Why GitLab?",{"href":68,"dataGaName":378,"dataGaLocation":357},{"freeTrial":381,"mobileIcon":386,"desktopIcon":391,"secondaryButton":394},{"text":382,"config":383},"Start free trial",{"href":384,"dataGaName":31,"dataGaLocation":385},"https://gitlab.com/-/trials/new/","nav",{"altText":387,"config":388},"Gitlab Icon",{"src":389,"dataGaName":390,"dataGaLocation":385},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203874/jypbw1jx72aexsoohd7x.svg","gitlab icon",{"altText":387,"config":392},{"src":393,"dataGaName":390,"dataGaLocation":385},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203875/gs4c8p8opsgvflgkswz9.svg",{"text":395,"config":396},"Get Started",{"href":397,"dataGaName":398,"dataGaLocation":385},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/get-started/","get started",{"freeTrial":400,"mobileIcon":404,"desktopIcon":406},{"text":401,"config":402},"Learn more about GitLab Duo",{"href":60,"dataGaName":403,"dataGaLocation":385},"gitlab duo",{"altText":387,"config":405},{"src":389,"dataGaName":390,"dataGaLocation":385},{"altText":387,"config":407},{"src":393,"dataGaName":390,"dataGaLocation":385},{"button":409,"mobileIcon":414,"desktopIcon":416},{"text":410,"config":411},"/switch",{"href":412,"dataGaName":413,"dataGaLocation":385},"#contact","switch",{"altText":387,"config":415},{"src":389,"dataGaName":390,"dataGaLocation":385},{"altText":387,"config":417},{"src":418,"dataGaName":390,"dataGaLocation":385},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1773335277/ohhpiuoxoldryzrnhfrh.png",{"freeTrial":420,"mobileIcon":425,"desktopIcon":427},{"text":421,"config":422},"Back to pricing",{"href":167,"dataGaName":423,"dataGaLocation":385,"icon":424},"back to pricing","GoBack",{"altText":387,"config":426},{"src":389,"dataGaName":390,"dataGaLocation":385},{"altText":387,"config":428},{"src":393,"dataGaName":390,"dataGaLocation":385},{"title":430,"button":431,"config":436},"See how agentic AI transforms software delivery",{"text":432,"config":433},"Watch GitLab Transcend now",{"href":434,"dataGaName":435,"dataGaLocation":26},"/events/transcend/virtual/","transcend event",{"layout":437,"icon":438,"disabled":14},"release","AiStar",{"data":440},{"text":441,"source":442,"edit":448,"contribute":453,"config":458,"items":463,"minimal":670},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":443,"config":444},"View page source",{"href":445,"dataGaName":446,"dataGaLocation":447},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":449,"config":450},"Edit this page",{"href":451,"dataGaName":452,"dataGaLocation":447},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":454,"config":455},"Please contribute",{"href":456,"dataGaName":457,"dataGaLocation":447},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":459,"facebook":460,"youtube":461,"linkedin":462},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[464,511,565,609,636],{"title":165,"links":465,"subMenu":480},[466,470,475],{"text":467,"config":468},"View plans",{"href":167,"dataGaName":469,"dataGaLocation":447},"view plans",{"text":471,"config":472},"Why Premium?",{"href":473,"dataGaName":474,"dataGaLocation":447},"/pricing/premium/","why premium",{"text":476,"config":477},"Why Ultimate?",{"href":478,"dataGaName":479,"dataGaLocation":447},"/pricing/ultimate/","why ultimate",[481],{"title":482,"links":483},"Contact Us",[484,487,489,491,496,501,506],{"text":485,"config":486},"Contact sales",{"href":35,"dataGaName":36,"dataGaLocation":447},{"text":340,"config":488},{"href":342,"dataGaName":343,"dataGaLocation":447},{"text":345,"config":490},{"href":347,"dataGaName":348,"dataGaLocation":447},{"text":492,"config":493},"Status",{"href":494,"dataGaName":495,"dataGaLocation":447},"https://status.gitlab.com/","status",{"text":497,"config":498},"Terms of use",{"href":499,"dataGaName":500,"dataGaLocation":447},"/terms/","terms of use",{"text":502,"config":503},"Privacy statement",{"href":504,"dataGaName":505,"dataGaLocation":447},"/privacy/","privacy statement",{"text":507,"config":508},"Cookie preferences",{"dataGaName":509,"dataGaLocation":447,"id":510,"isOneTrustButton":14},"cookie preferences","ot-sdk-btn",{"title":71,"links":512,"subMenu":521},[513,517],{"text":514,"config":515},"DevSecOps platform",{"href":53,"dataGaName":516,"dataGaLocation":447},"devsecops platform",{"text":518,"config":519},"AI-Assisted Development",{"href":60,"dataGaName":520,"dataGaLocation":447},"ai-assisted development",[522],{"title":523,"links":524},"Topics",[525,530,535,540,545,550,555,560],{"text":526,"config":527},"CICD",{"href":528,"dataGaName":529,"dataGaLocation":447},"/topics/ci-cd/","cicd",{"text":531,"config":532},"GitOps",{"href":533,"dataGaName":534,"dataGaLocation":447},"/topics/gitops/","gitops",{"text":536,"config":537},"DevOps",{"href":538,"dataGaName":539,"dataGaLocation":447},"/topics/devops/","devops",{"text":541,"config":542},"Version Control",{"href":543,"dataGaName":544,"dataGaLocation":447},"/topics/version-control/","version control",{"text":546,"config":547},"DevSecOps",{"href":548,"dataGaName":549,"dataGaLocation":447},"/topics/devsecops/","devsecops",{"text":551,"config":552},"Cloud Native",{"href":553,"dataGaName":554,"dataGaLocation":447},"/topics/cloud-native/","cloud native",{"text":556,"config":557},"AI for Coding",{"href":558,"dataGaName":559,"dataGaLocation":447},"/topics/devops/ai-for-coding/","ai for coding",{"text":561,"config":562},"Agentic AI",{"href":563,"dataGaName":564,"dataGaLocation":447},"/topics/agentic-ai/","agentic ai",{"title":566,"links":567},"Solutions",[568,570,572,577,581,584,588,591,593,596,599,604],{"text":112,"config":569},{"href":107,"dataGaName":112,"dataGaLocation":447},{"text":102,"config":571},{"href":85,"dataGaName":86,"dataGaLocation":447},{"text":573,"config":574},"Agile development",{"href":575,"dataGaName":576,"dataGaLocation":447},"/solutions/agile-delivery/","agile delivery",{"text":578,"config":579},"SCM",{"href":98,"dataGaName":580,"dataGaLocation":447},"source code management",{"text":526,"config":582},{"href":91,"dataGaName":583,"dataGaLocation":447},"continuous integration & delivery",{"text":585,"config":586},"Value stream management",{"href":140,"dataGaName":587,"dataGaLocation":447},"value stream management",{"text":531,"config":589},{"href":590,"dataGaName":534,"dataGaLocation":447},"/solutions/gitops/",{"text":150,"config":592},{"href":152,"dataGaName":153,"dataGaLocation":447},{"text":594,"config":595},"Small business",{"href":157,"dataGaName":158,"dataGaLocation":447},{"text":597,"config":598},"Public sector",{"href":162,"dataGaName":163,"dataGaLocation":447},{"text":600,"config":601},"Education",{"href":602,"dataGaName":603,"dataGaLocation":447},"/solutions/education/","education",{"text":605,"config":606},"Financial services",{"href":607,"dataGaName":608,"dataGaLocation":447},"/solutions/finance/","financial services",{"title":170,"links":610},[611,613,615,617,620,622,624,626,628,630,632,634],{"text":182,"config":612},{"href":184,"dataGaName":185,"dataGaLocation":447},{"text":187,"config":614},{"href":189,"dataGaName":190,"dataGaLocation":447},{"text":192,"config":616},{"href":194,"dataGaName":195,"dataGaLocation":447},{"text":197,"config":618},{"href":199,"dataGaName":619,"dataGaLocation":447},"docs",{"text":220,"config":621},{"href":222,"dataGaName":223,"dataGaLocation":447},{"text":215,"config":623},{"href":217,"dataGaName":218,"dataGaLocation":447},{"text":225,"config":625},{"href":227,"dataGaName":228,"dataGaLocation":447},{"text":233,"config":627},{"href":235,"dataGaName":236,"dataGaLocation":447},{"text":238,"config":629},{"href":240,"dataGaName":241,"dataGaLocation":447},{"text":243,"config":631},{"href":245,"dataGaName":246,"dataGaLocation":447},{"text":248,"config":633},{"href":250,"dataGaName":251,"dataGaLocation":447},{"text":253,"config":635},{"href":255,"dataGaName":256,"dataGaLocation":447},{"title":271,"links":637},[638,640,642,644,646,648,650,654,659,661,663,665],{"text":278,"config":639},{"href":280,"dataGaName":273,"dataGaLocation":447},{"text":283,"config":641},{"href":285,"dataGaName":286,"dataGaLocation":447},{"text":291,"config":643},{"href":293,"dataGaName":294,"dataGaLocation":447},{"text":296,"config":645},{"href":298,"dataGaName":299,"dataGaLocation":447},{"text":301,"config":647},{"href":303,"dataGaName":304,"dataGaLocation":447},{"text":306,"config":649},{"href":308,"dataGaName":309,"dataGaLocation":447},{"text":651,"config":652},"Sustainability",{"href":653,"dataGaName":651,"dataGaLocation":447},"/sustainability/",{"text":655,"config":656},"Diversity, inclusion and belonging (DIB)",{"href":657,"dataGaName":658,"dataGaLocation":447},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":311,"config":660},{"href":313,"dataGaName":314,"dataGaLocation":447},{"text":321,"config":662},{"href":323,"dataGaName":324,"dataGaLocation":447},{"text":326,"config":664},{"href":328,"dataGaName":329,"dataGaLocation":447},{"text":666,"config":667},"Modern Slavery Transparency Statement",{"href":668,"dataGaName":669,"dataGaLocation":447},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":671},[672,675,678],{"text":673,"config":674},"Terms",{"href":499,"dataGaName":500,"dataGaLocation":447},{"text":676,"config":677},"Cookies",{"dataGaName":509,"dataGaLocation":447,"id":510,"isOneTrustButton":14},{"text":679,"config":680},"Privacy",{"href":504,"dataGaName":505,"dataGaLocation":447},240,{"id":683,"title":684,"authorSlugs":685,"body":6,"categorySlug":9,"config":687,"content":690,"description":6,"extension":12,"isFeatured":14,"meta":702,"navigation":14,"path":703,"publishedDate":696,"seo":704,"stem":705,"tagSlugs":706,"__hash__":707},"blogPosts/en-us/blog/auto-dismiss-vulnerability-management-policy.yml","Auto Dismiss Vulnerability Management Policy",[686],"grant-hickman",{"slug":688,"featured":14,"template":689},"auto-dismiss-vulnerability-management-policy","BlogPost",{"title":691,"description":692,"authors":693,"heroImage":695,"date":696,"category":9,"tags":697,"body":701},"Manage vulnerability noise at scale with auto-dismiss policies","Learn how to cut through scanner noise and focus on the vulnerabilities that matter most with GitLab security, including use cases and templates.",[694],"Grant Hickman","https://res.cloudinary.com/about-gitlab-com/image/upload/v1774375772/kpaaaiqhokevxxeoxvu0.png","2026-03-25",[9,698,546,699,700],"tutorial","features","product","Security scanners are essential, but not every finding requires action. Test code, vendored dependencies, generated files, and known false positives create noise that buries the vulnerabilities that actually matter. Security teams waste hours manually dismissing the same irrelevant findings across projects and pipelines. They experience slower triage, alert fatigue, and developer friction that undermines adoption of security scanning itself.\n\nGitLab's auto-dismiss vulnerability policies let you codify your triage decisions once and apply them automatically on every default-branch pipeline. Define criteria based on file path, directory, or vulnerability identifier (CVE, CWE), choose a dismissal reason, and let GitLab handle the rest.\n\n## Why auto-dismiss?\nAuto-dismiss vulnerability policies enable security teams to:\n- **Eliminate triage noise**: Automatically dismiss findings in test code, vendored dependencies, and generated files.\n- **Enforce decisions at scale**: Apply policies centrally to dismiss known false positives across your entire organization.\n- **Maintain audit transparency**: Every auto-dismissed finding includes a documented reason and links back to the policy that triggered it.\n- **Preserve the record**: Unlike scanner exclusions, dismissed vulnerabilities remain in your report, so you can revisit decisions if conditions change.\n\n## How auto-dismiss policies work\n\n1. **Define your policy** in a vulnerability management policy YAML file. Specify match criteria (file path, directory, or identifier) and a dismissal reason.\n\n2. **Merge and activate.** Create the policy via **Secure > Policies > New  policy > Vulnerability management policy**. Merge the MR to enable it.\n3. **Run your pipeline.** On every default-branch pipeline, matching vulnerabilities are automatically set to \"Dismissed\" with the specified reason. Up to 1,000 vulnerabilities are processed per run.\n4. **Measure the impact.** Filter your vulnerability report by status \"Dismissed\" to see exactly what was cleaned up and validate that the right findings are being handled.\n\n## Use cases with ready-to-use configurations\n\nEach example below includes a policy configuration you can copy, customize, and apply immediately.\n\n### 1. Dismiss test code vulnerabilities\n\nSAST and dependency scanners flag hardcoded credentials, insecure fixtures, and dev-only dependencies in test directories. These are not production risks.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss test code vulnerabilities\"\n    description: \"Auto-dismiss findings in test directories\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"test/**/*\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"tests/**/*\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"spec/**/*\"\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"__tests__/*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: used_in_tests\n\n```\n\n### 2. Dismiss vendored and third-party code\n\nVulnerabilities in `vendor/`, `third_party/`, or checked-in `node_modules` are managed upstream and not actionable for your team.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss vendored dependency findings\"\n    description: \"Findings in vendored code are managed upstream\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"vendor/*\"\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"third_party/*\"\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"vendored/*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: not_applicable\n\n```\n\n### 3. Dismiss known false positive CVEs\n\nCertain CVEs are repeatedly flagged but don't apply to your usage context. Teams dismiss these manually every time they appear. Replace the example CVEs below with your own.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss known false positive CVEs\"\n    description: \"CVEs confirmed as false positives for our environment\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2023-44487\"\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2024-29041\"\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2023-26136\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: false_positive\n\n```\n\n### 4. Dismiss generated and auto-created code\n\nProtobuf, gRPC, OpenAPI generators, and ORM scaffolding tools produce files with flagged patterns that cannot be patched by your team.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss generated code findings\"\n    description: \"Generated files are not authored by us\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"generated/*\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"**/*.pb.go\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"**/*.generated.*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: not_applicable\n\n```\n\n### 5. Dismiss infrastructure-mitigated vulnerabilities\n\nVulnerability classes like XSS (CWE-79) or SQL injection (CWE-89) that are already addressed by WAF rules or runtime protection. Only use this when mitigating controls are verified and consistently enforced.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss CWEs mitigated by WAF\"\n    description: \"XSS and SQLi mitigated by WAF rules\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CWE-79\"\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CWE-89\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: mitigating_control\n\n```\n\n### 6. Dismiss CVE families across your organization\n\nA wave of related CVEs for a widely-used library your team has assessed? Apply at the group level to dismiss them across dozens of projects. The wildcard pattern (e.g., `CVE-2021-44*`) matches all CVEs with that prefix.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Accept risk for log4j CVE family\"\n    description: \"Log4j CVEs mitigated by version pinning and WAF\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2021-44*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: acceptable_risk\n\n```\n\n## Quick reference\n\n| Parameter | Details |\n|-----------|---------|\n| **Criteria types** | `file_path` (glob patterns, e.g., `test/**/*`), `directory` (e.g., `vendor/*`), `identifier` (CVE/CWE with wildcards, e.g., `CVE-2023-*`) |\n| **Dismissal reasons** | `acceptable_risk`, `false_positive`, `mitigating_control`, `used_in_tests`, `not_applicable` |\n| **Criteria logic** | Multiple criteria within a rule = AND (must match all). Multiple rules within a policy = OR (match any). |\n| **Limits** | 3 criteria per rule, 5 rules per policy, 5 policies per security policy project. Vulnerabilty management policy actions process 1000 vulnerabilities per pipeline run in the target project, until all matching vulnerabilities are processed. |\n| **Affected statuses** | Needs triage, Confirmed |\n| **Scope** | Project-level or group-level (group-level applies across all projects) |\n\n## Getting started\nHere's how to get started with auto-dismiss policies:\n\n1. **Identify the noise.** Open your vulnerability report and sort by \"Needs triage.\" Look for patterns: test files, vendored code, the same CVE across projects.\n\n2. **Pick a scenario.** Start with whichever use case above accounts for the most findings.\n\n3. **Record your baseline.** Note the number of \"Needs triage\" vulnerabilities before creating a policy.\n\n4. **Create and enable.** Navigate to **Secure > Policies > New policy > Vulnerability management policy**. Paste the configuration from the use case above, then merge the MR.\n\n5. **Validate results.** After the next default-branch pipeline, filter by status \"Dismissed\" to confirm the right findings were handled.\n\nFor full configuration details, see the [vulnerability management policy documentation](https://docs.gitlab.com/user/application_security/policies/vulnerability_management_policy/#auto-dismiss-policies).\n\n> Ready to take control of vulnerability noise? [Start a free GitLab Ultimate trial](https://about.gitlab.com/free-trial/) and configure your first auto-dismiss policy today.\n",{},"/en-us/blog/auto-dismiss-vulnerability-management-policy",{"title":691,"description":692},"en-us/blog/auto-dismiss-vulnerability-management-policy",[9,698,549,699,700],"fnflV-WQz24f0kwMvgtRNVEbdbsyS062QYVn8Pw2y_s",[709,718,725,734,743,751,760,769,775],{"content":710,"config":716},{"title":711,"heroImage":712,"category":9,"description":713,"authors":714},"Detect application vulnerabilities with GitLab’s browser-based DAST","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749664923/Blog/Hero%20Images/security-checklist.png","Learn why you should include dynamic application security testing as part of a defense-in-depth strategy for software development, and how to migrate from proxy-based DAST.",[715],"Sara Meadzinger",{"externalUrl":-1,"slug":717},"detect-application-vulnerabilities-with-gitlabs-browser-based-dast",{"content":719,"config":723},{"title":720,"heroImage":721,"category":9,"description":722,"authors":-1},"GitLab Patch Release: 16.11.2, 16.10.5, 16.9.7","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749662877/Blog/Hero%20Images/security-cover-new.png","Learn more about GitLab Patch Release: 16.11.2, 16.10.5, 16.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":724,"slug":-1},"https://about.gitlab.com/releases/2024/05/08/patch-release-gitlab-16-11-2-released/",{"content":726,"config":732},{"title":727,"heroImage":728,"category":9,"description":729,"authors":730},"Migration guide: GitHub Advanced Security to GitLab Ultimate","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749666187/Blog/Hero%20Images/blog-image-template-1800x945__6_.png","Understand the similarities and differences between GitLab Ultimate and GitHub Advanced Security. Then follow this in-depth tutorial to make the move to the GitLab DevSecOps platform.",[731],"Fernando Diaz",{"externalUrl":-1,"slug":733},"migration-guide-github-advanced-security-to-gitlab-ultimate",{"content":735,"config":741},{"title":736,"heroImage":737,"category":9,"description":738,"authors":739},"Happy birthday, Secure by Design!","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749664530/Blog/Hero%20Images/AdobeStock_282096522.jpg","The U.S. government's initiative to ensure greater security in software products turns one. Find out what GitLab has done to align with this critical effort.",[740],"Joel Krooswyk",{"externalUrl":-1,"slug":742},"happy-birthday-secure-by-design",{"content":744,"config":749},{"title":745,"heroImage":712,"category":9,"description":746,"authors":747},"GitLab introduces new CIS Benchmark for improved security","Learn why CIS Benchmarks matter, how the CIS GitLab Benchmark was created, and how to use it to properly secure your GitLab installation.",[715,748],"Ayoub Fandi",{"externalUrl":-1,"slug":750},"gitlab-introduces-new-cis-benchmark-for-improved-security",{"content":752,"config":758},{"title":753,"heroImage":754,"category":9,"description":755,"authors":756},"Integrate external security scanners into your DevSecOps workflow","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750098768/Blog/Hero%20Images/Blog/Hero%20Images/blog-image-template-1800x945%20%282%29_1khno1AUtxuL6zzmEmjK7v_1750098768560.png","Learn how to bring Snyk scan results into the merge request widget by parsing JSON artifacts and leveraging the SARIF file format.",[757],"Sam Morris",{"externalUrl":-1,"slug":759},"integrate-external-security-scanners-into-your-devsecops-workflow",{"content":761,"config":767},{"title":762,"heroImage":763,"category":9,"description":764,"authors":765},"Important information regarding xz-utils (CVE-2024-3094)","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749659561/Blog/Hero%20Images/securitycheck.png","Affected software not used for GitLab.com, GitLab Dedicated, or default self-hosted software packages.",[766],"Shrishti Choudhary",{"externalUrl":-1,"slug":768},"important-information-regarding-xz-utils-cve-2024-3094",{"content":770,"config":773},{"title":771,"heroImage":721,"category":9,"description":772,"authors":-1},"GitLab Security Release: 16.10.1, 16.9.3, 16.8.5","Learn more about GitLab Security Release: 16.10.1, 16.9.3, 16.8.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":774,"slug":-1},"https://about.gitlab.com/releases/2024/03/27/security-release-gitlab-16-10-1-released/",{"content":776,"config":781},{"title":777,"heroImage":763,"category":9,"description":778,"authors":779},"We’re combining patch and security releases","This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner.",[780],"Sam Wiskow",{"externalUrl":-1,"slug":782},"were-combining-patch-and-security-releases",1776436816153]