[{"data":1,"prerenderedAt":781},["ShallowReactive",2],{"/en-us/blog/categories/security":3,"navigation-en-us":20,"banner-en-us":429,"footer-en-us":439,"security-category-page-total-items-en-us":681,"security-category-page-featured-en-us":682,"security-category-page-11-en-us":708},{"id":4,"title":5,"body":6,"category":6,"config":7,"content":11,"description":6,"extension":12,"meta":13,"navigation":14,"path":15,"seo":16,"slug":6,"stem":18,"testContent":6,"type":6,"__hash__":19},"blogCategories/en-us/blog/categories/security.yml","Security",null,{"template":8,"slug":9,"hide":10},"BlogCategory","security",false,{"name":5},"yml",{},true,"/en-us/blog/categories/security",{"title":5,"description":17},"Browse articles related to Security on the GitLab Blog","en-us/blog/categories/security","Hx58KagneyLDkWgUOsPQNGCsWqekf9YGQa6EJFfGFRw",{"data":21},{"logo":22,"freeTrial":27,"sales":32,"login":37,"items":42,"search":349,"minimal":380,"duo":399,"switchNav":408,"pricingDeployment":419},{"config":23},{"href":24,"dataGaName":25,"dataGaLocation":26},"/","gitlab logo","header",{"text":28,"config":29},"Get free trial",{"href":30,"dataGaName":31,"dataGaLocation":26},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com&glm_content=default-saas-trial/","free trial",{"text":33,"config":34},"Talk to sales",{"href":35,"dataGaName":36,"dataGaLocation":26},"/sales/","sales",{"text":38,"config":39},"Sign in",{"href":40,"dataGaName":41,"dataGaLocation":26},"https://gitlab.com/users/sign_in/","sign in",[43,70,164,169,270,330],{"text":44,"config":45,"cards":47},"Platform",{"dataNavLevelOne":46},"platform",[48,54,62],{"title":44,"description":49,"link":50},"The intelligent orchestration platform for DevSecOps",{"text":51,"config":52},"Explore our Platform",{"href":53,"dataGaName":46,"dataGaLocation":26},"/platform/",{"title":55,"description":56,"link":57},"GitLab Duo Agent Platform","Agentic AI for the entire software lifecycle",{"text":58,"config":59},"Meet GitLab Duo",{"href":60,"dataGaName":61,"dataGaLocation":26},"/gitlab-duo-agent-platform/","gitlab duo agent platform",{"title":63,"description":64,"link":65},"Why GitLab","See the top reasons enterprises choose GitLab",{"text":66,"config":67},"Learn more",{"href":68,"dataGaName":69,"dataGaLocation":26},"/why-gitlab/","why gitlab",{"text":71,"left":14,"config":72,"link":74,"lists":78,"footer":146},"Product",{"dataNavLevelOne":73},"solutions",{"text":75,"config":76},"View all Solutions",{"href":77,"dataGaName":73,"dataGaLocation":26},"/solutions/",[79,103,125],{"title":80,"description":81,"link":82,"items":87},"Automation","CI/CD and automation to accelerate deployment",{"config":83},{"icon":84,"href":85,"dataGaName":86,"dataGaLocation":26},"AutomatedCodeAlt","/solutions/delivery-automation/","automated software delivery",[88,92,95,99],{"text":89,"config":90},"CI/CD",{"href":91,"dataGaLocation":26,"dataGaName":89},"/solutions/continuous-integration/",{"text":55,"config":93},{"href":60,"dataGaLocation":26,"dataGaName":94},"gitlab duo agent platform - product menu",{"text":96,"config":97},"Source Code Management",{"href":98,"dataGaLocation":26,"dataGaName":96},"/solutions/source-code-management/",{"text":100,"config":101},"Automated Software Delivery",{"href":85,"dataGaLocation":26,"dataGaName":102},"Automated software delivery",{"title":5,"description":104,"link":105,"items":110},"Deliver code faster without compromising security",{"config":106},{"href":107,"dataGaName":108,"dataGaLocation":26,"icon":109},"/solutions/application-security-testing/","security and compliance","ShieldCheckLight",[111,115,120],{"text":112,"config":113},"Application Security Testing",{"href":107,"dataGaName":114,"dataGaLocation":26},"Application security testing",{"text":116,"config":117},"Software Supply Chain Security",{"href":118,"dataGaLocation":26,"dataGaName":119},"/solutions/supply-chain/","Software supply chain security",{"text":121,"config":122},"Software Compliance",{"href":123,"dataGaName":124,"dataGaLocation":26},"/solutions/software-compliance/","software compliance",{"title":126,"link":127,"items":132},"Measurement",{"config":128},{"icon":129,"href":130,"dataGaName":131,"dataGaLocation":26},"DigitalTransformation","/solutions/visibility-measurement/","visibility and measurement",[133,137,141],{"text":134,"config":135},"Visibility & Measurement",{"href":130,"dataGaLocation":26,"dataGaName":136},"Visibility and Measurement",{"text":138,"config":139},"Value Stream Management",{"href":140,"dataGaLocation":26,"dataGaName":138},"/solutions/value-stream-management/",{"text":142,"config":143},"Analytics & Insights",{"href":144,"dataGaLocation":26,"dataGaName":145},"/solutions/analytics-and-insights/","Analytics and insights",{"title":147,"items":148},"GitLab for",[149,154,159],{"text":150,"config":151},"Enterprise",{"href":152,"dataGaLocation":26,"dataGaName":153},"/enterprise/","enterprise",{"text":155,"config":156},"Small Business",{"href":157,"dataGaLocation":26,"dataGaName":158},"/small-business/","small business",{"text":160,"config":161},"Public Sector",{"href":162,"dataGaLocation":26,"dataGaName":163},"/solutions/public-sector/","public sector",{"text":165,"config":166},"Pricing",{"href":167,"dataGaName":168,"dataGaLocation":26,"dataNavLevelOne":168},"/pricing/","pricing",{"text":170,"config":171,"link":173,"lists":177,"feature":257},"Resources",{"dataNavLevelOne":172},"resources",{"text":174,"config":175},"View all resources",{"href":176,"dataGaName":172,"dataGaLocation":26},"/resources/",[178,211,229],{"title":179,"items":180},"Getting started",[181,186,191,196,201,206],{"text":182,"config":183},"Install",{"href":184,"dataGaName":185,"dataGaLocation":26},"/install/","install",{"text":187,"config":188},"Quick start guides",{"href":189,"dataGaName":190,"dataGaLocation":26},"/get-started/","quick setup checklists",{"text":192,"config":193},"Learn",{"href":194,"dataGaLocation":26,"dataGaName":195},"https://university.gitlab.com/","learn",{"text":197,"config":198},"Product documentation",{"href":199,"dataGaName":200,"dataGaLocation":26},"https://docs.gitlab.com/","product documentation",{"text":202,"config":203},"Best practice videos",{"href":204,"dataGaName":205,"dataGaLocation":26},"/getting-started-videos/","best practice videos",{"text":207,"config":208},"Integrations",{"href":209,"dataGaName":210,"dataGaLocation":26},"/integrations/","integrations",{"title":212,"items":213},"Discover",[214,219,224],{"text":215,"config":216},"Customer success stories",{"href":217,"dataGaName":218,"dataGaLocation":26},"/customers/","customer success stories",{"text":220,"config":221},"Blog",{"href":222,"dataGaName":223,"dataGaLocation":26},"/blog/","blog",{"text":225,"config":226},"Remote",{"href":227,"dataGaName":228,"dataGaLocation":26},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"title":230,"items":231},"Connect",[232,237,242,247,252],{"text":233,"config":234},"GitLab Services",{"href":235,"dataGaName":236,"dataGaLocation":26},"/services/","services",{"text":238,"config":239},"Community",{"href":240,"dataGaName":241,"dataGaLocation":26},"/community/","community",{"text":243,"config":244},"Forum",{"href":245,"dataGaName":246,"dataGaLocation":26},"https://forum.gitlab.com/","forum",{"text":248,"config":249},"Events",{"href":250,"dataGaName":251,"dataGaLocation":26},"/events/","events",{"text":253,"config":254},"Partners",{"href":255,"dataGaName":256,"dataGaLocation":26},"/partners/","partners",{"backgroundColor":258,"textColor":259,"text":260,"image":261,"link":265},"#2f2a6b","#fff","Insights for the future of software development",{"altText":262,"config":263},"the source promo card",{"src":264},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758208064/dzl0dbift9xdizyelkk4.svg",{"text":266,"config":267},"Read the latest",{"href":268,"dataGaName":269,"dataGaLocation":26},"/the-source/","the source",{"text":271,"config":272,"lists":274},"Company",{"dataNavLevelOne":273},"company",[275],{"items":276},[277,282,288,290,295,300,305,310,315,320,325],{"text":278,"config":279},"About",{"href":280,"dataGaName":281,"dataGaLocation":26},"/company/","about",{"text":283,"config":284,"footerGa":287},"Jobs",{"href":285,"dataGaName":286,"dataGaLocation":26},"/jobs/","jobs",{"dataGaName":286},{"text":248,"config":289},{"href":250,"dataGaName":251,"dataGaLocation":26},{"text":291,"config":292},"Leadership",{"href":293,"dataGaName":294,"dataGaLocation":26},"/company/team/e-group/","leadership",{"text":296,"config":297},"Team",{"href":298,"dataGaName":299,"dataGaLocation":26},"/company/team/","team",{"text":301,"config":302},"Handbook",{"href":303,"dataGaName":304,"dataGaLocation":26},"https://handbook.gitlab.com/","handbook",{"text":306,"config":307},"Investor relations",{"href":308,"dataGaName":309,"dataGaLocation":26},"https://ir.gitlab.com/","investor relations",{"text":311,"config":312},"Trust Center",{"href":313,"dataGaName":314,"dataGaLocation":26},"/security/","trust center",{"text":316,"config":317},"AI Transparency Center",{"href":318,"dataGaName":319,"dataGaLocation":26},"/ai-transparency-center/","ai transparency center",{"text":321,"config":322},"Newsletter",{"href":323,"dataGaName":324,"dataGaLocation":26},"/company/contact/#contact-forms","newsletter",{"text":326,"config":327},"Press",{"href":328,"dataGaName":329,"dataGaLocation":26},"/press/","press",{"text":331,"config":332,"lists":333},"Contact us",{"dataNavLevelOne":273},[334],{"items":335},[336,339,344],{"text":33,"config":337},{"href":35,"dataGaName":338,"dataGaLocation":26},"talk to sales",{"text":340,"config":341},"Support portal",{"href":342,"dataGaName":343,"dataGaLocation":26},"https://support.gitlab.com","support portal",{"text":345,"config":346},"Customer portal",{"href":347,"dataGaName":348,"dataGaLocation":26},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"close":350,"login":351,"suggestions":358},"Close",{"text":352,"link":353},"To search repositories and projects, login to",{"text":354,"config":355},"gitlab.com",{"href":40,"dataGaName":356,"dataGaLocation":357},"search login","search",{"text":359,"default":360},"Suggestions",[361,363,367,369,373,377],{"text":55,"config":362},{"href":60,"dataGaName":55,"dataGaLocation":357},{"text":364,"config":365},"Code Suggestions (AI)",{"href":366,"dataGaName":364,"dataGaLocation":357},"/solutions/code-suggestions/",{"text":89,"config":368},{"href":91,"dataGaName":89,"dataGaLocation":357},{"text":370,"config":371},"GitLab on AWS",{"href":372,"dataGaName":370,"dataGaLocation":357},"/partners/technology-partners/aws/",{"text":374,"config":375},"GitLab on Google Cloud",{"href":376,"dataGaName":374,"dataGaLocation":357},"/partners/technology-partners/google-cloud-platform/",{"text":378,"config":379},"Why GitLab?",{"href":68,"dataGaName":378,"dataGaLocation":357},{"freeTrial":381,"mobileIcon":386,"desktopIcon":391,"secondaryButton":394},{"text":382,"config":383},"Start free trial",{"href":384,"dataGaName":31,"dataGaLocation":385},"https://gitlab.com/-/trials/new/","nav",{"altText":387,"config":388},"Gitlab Icon",{"src":389,"dataGaName":390,"dataGaLocation":385},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203874/jypbw1jx72aexsoohd7x.svg","gitlab icon",{"altText":387,"config":392},{"src":393,"dataGaName":390,"dataGaLocation":385},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203875/gs4c8p8opsgvflgkswz9.svg",{"text":395,"config":396},"Get Started",{"href":397,"dataGaName":398,"dataGaLocation":385},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/get-started/","get started",{"freeTrial":400,"mobileIcon":404,"desktopIcon":406},{"text":401,"config":402},"Learn more about GitLab Duo",{"href":60,"dataGaName":403,"dataGaLocation":385},"gitlab duo",{"altText":387,"config":405},{"src":389,"dataGaName":390,"dataGaLocation":385},{"altText":387,"config":407},{"src":393,"dataGaName":390,"dataGaLocation":385},{"button":409,"mobileIcon":414,"desktopIcon":416},{"text":410,"config":411},"/switch",{"href":412,"dataGaName":413,"dataGaLocation":385},"#contact","switch",{"altText":387,"config":415},{"src":389,"dataGaName":390,"dataGaLocation":385},{"altText":387,"config":417},{"src":418,"dataGaName":390,"dataGaLocation":385},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1773335277/ohhpiuoxoldryzrnhfrh.png",{"freeTrial":420,"mobileIcon":425,"desktopIcon":427},{"text":421,"config":422},"Back to pricing",{"href":167,"dataGaName":423,"dataGaLocation":385,"icon":424},"back to pricing","GoBack",{"altText":387,"config":426},{"src":389,"dataGaName":390,"dataGaLocation":385},{"altText":387,"config":428},{"src":393,"dataGaName":390,"dataGaLocation":385},{"title":430,"button":431,"config":436},"See how agentic AI transforms software delivery",{"text":432,"config":433},"Watch GitLab Transcend now",{"href":434,"dataGaName":435,"dataGaLocation":26},"/events/transcend/virtual/","transcend event",{"layout":437,"icon":438,"disabled":14},"release","AiStar",{"data":440},{"text":441,"source":442,"edit":448,"contribute":453,"config":458,"items":463,"minimal":670},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":443,"config":444},"View page source",{"href":445,"dataGaName":446,"dataGaLocation":447},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":449,"config":450},"Edit this page",{"href":451,"dataGaName":452,"dataGaLocation":447},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":454,"config":455},"Please contribute",{"href":456,"dataGaName":457,"dataGaLocation":447},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":459,"facebook":460,"youtube":461,"linkedin":462},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[464,511,565,609,636],{"title":165,"links":465,"subMenu":480},[466,470,475],{"text":467,"config":468},"View plans",{"href":167,"dataGaName":469,"dataGaLocation":447},"view plans",{"text":471,"config":472},"Why Premium?",{"href":473,"dataGaName":474,"dataGaLocation":447},"/pricing/premium/","why premium",{"text":476,"config":477},"Why Ultimate?",{"href":478,"dataGaName":479,"dataGaLocation":447},"/pricing/ultimate/","why ultimate",[481],{"title":482,"links":483},"Contact Us",[484,487,489,491,496,501,506],{"text":485,"config":486},"Contact sales",{"href":35,"dataGaName":36,"dataGaLocation":447},{"text":340,"config":488},{"href":342,"dataGaName":343,"dataGaLocation":447},{"text":345,"config":490},{"href":347,"dataGaName":348,"dataGaLocation":447},{"text":492,"config":493},"Status",{"href":494,"dataGaName":495,"dataGaLocation":447},"https://status.gitlab.com/","status",{"text":497,"config":498},"Terms of use",{"href":499,"dataGaName":500,"dataGaLocation":447},"/terms/","terms of use",{"text":502,"config":503},"Privacy statement",{"href":504,"dataGaName":505,"dataGaLocation":447},"/privacy/","privacy statement",{"text":507,"config":508},"Cookie preferences",{"dataGaName":509,"dataGaLocation":447,"id":510,"isOneTrustButton":14},"cookie preferences","ot-sdk-btn",{"title":71,"links":512,"subMenu":521},[513,517],{"text":514,"config":515},"DevSecOps platform",{"href":53,"dataGaName":516,"dataGaLocation":447},"devsecops platform",{"text":518,"config":519},"AI-Assisted Development",{"href":60,"dataGaName":520,"dataGaLocation":447},"ai-assisted development",[522],{"title":523,"links":524},"Topics",[525,530,535,540,545,550,555,560],{"text":526,"config":527},"CICD",{"href":528,"dataGaName":529,"dataGaLocation":447},"/topics/ci-cd/","cicd",{"text":531,"config":532},"GitOps",{"href":533,"dataGaName":534,"dataGaLocation":447},"/topics/gitops/","gitops",{"text":536,"config":537},"DevOps",{"href":538,"dataGaName":539,"dataGaLocation":447},"/topics/devops/","devops",{"text":541,"config":542},"Version Control",{"href":543,"dataGaName":544,"dataGaLocation":447},"/topics/version-control/","version control",{"text":546,"config":547},"DevSecOps",{"href":548,"dataGaName":549,"dataGaLocation":447},"/topics/devsecops/","devsecops",{"text":551,"config":552},"Cloud Native",{"href":553,"dataGaName":554,"dataGaLocation":447},"/topics/cloud-native/","cloud native",{"text":556,"config":557},"AI for Coding",{"href":558,"dataGaName":559,"dataGaLocation":447},"/topics/devops/ai-for-coding/","ai for coding",{"text":561,"config":562},"Agentic AI",{"href":563,"dataGaName":564,"dataGaLocation":447},"/topics/agentic-ai/","agentic ai",{"title":566,"links":567},"Solutions",[568,570,572,577,581,584,588,591,593,596,599,604],{"text":112,"config":569},{"href":107,"dataGaName":112,"dataGaLocation":447},{"text":102,"config":571},{"href":85,"dataGaName":86,"dataGaLocation":447},{"text":573,"config":574},"Agile development",{"href":575,"dataGaName":576,"dataGaLocation":447},"/solutions/agile-delivery/","agile delivery",{"text":578,"config":579},"SCM",{"href":98,"dataGaName":580,"dataGaLocation":447},"source code management",{"text":526,"config":582},{"href":91,"dataGaName":583,"dataGaLocation":447},"continuous integration & delivery",{"text":585,"config":586},"Value stream management",{"href":140,"dataGaName":587,"dataGaLocation":447},"value stream management",{"text":531,"config":589},{"href":590,"dataGaName":534,"dataGaLocation":447},"/solutions/gitops/",{"text":150,"config":592},{"href":152,"dataGaName":153,"dataGaLocation":447},{"text":594,"config":595},"Small business",{"href":157,"dataGaName":158,"dataGaLocation":447},{"text":597,"config":598},"Public sector",{"href":162,"dataGaName":163,"dataGaLocation":447},{"text":600,"config":601},"Education",{"href":602,"dataGaName":603,"dataGaLocation":447},"/solutions/education/","education",{"text":605,"config":606},"Financial services",{"href":607,"dataGaName":608,"dataGaLocation":447},"/solutions/finance/","financial services",{"title":170,"links":610},[611,613,615,617,620,622,624,626,628,630,632,634],{"text":182,"config":612},{"href":184,"dataGaName":185,"dataGaLocation":447},{"text":187,"config":614},{"href":189,"dataGaName":190,"dataGaLocation":447},{"text":192,"config":616},{"href":194,"dataGaName":195,"dataGaLocation":447},{"text":197,"config":618},{"href":199,"dataGaName":619,"dataGaLocation":447},"docs",{"text":220,"config":621},{"href":222,"dataGaName":223,"dataGaLocation":447},{"text":215,"config":623},{"href":217,"dataGaName":218,"dataGaLocation":447},{"text":225,"config":625},{"href":227,"dataGaName":228,"dataGaLocation":447},{"text":233,"config":627},{"href":235,"dataGaName":236,"dataGaLocation":447},{"text":238,"config":629},{"href":240,"dataGaName":241,"dataGaLocation":447},{"text":243,"config":631},{"href":245,"dataGaName":246,"dataGaLocation":447},{"text":248,"config":633},{"href":250,"dataGaName":251,"dataGaLocation":447},{"text":253,"config":635},{"href":255,"dataGaName":256,"dataGaLocation":447},{"title":271,"links":637},[638,640,642,644,646,648,650,654,659,661,663,665],{"text":278,"config":639},{"href":280,"dataGaName":273,"dataGaLocation":447},{"text":283,"config":641},{"href":285,"dataGaName":286,"dataGaLocation":447},{"text":291,"config":643},{"href":293,"dataGaName":294,"dataGaLocation":447},{"text":296,"config":645},{"href":298,"dataGaName":299,"dataGaLocation":447},{"text":301,"config":647},{"href":303,"dataGaName":304,"dataGaLocation":447},{"text":306,"config":649},{"href":308,"dataGaName":309,"dataGaLocation":447},{"text":651,"config":652},"Sustainability",{"href":653,"dataGaName":651,"dataGaLocation":447},"/sustainability/",{"text":655,"config":656},"Diversity, inclusion and belonging (DIB)",{"href":657,"dataGaName":658,"dataGaLocation":447},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":311,"config":660},{"href":313,"dataGaName":314,"dataGaLocation":447},{"text":321,"config":662},{"href":323,"dataGaName":324,"dataGaLocation":447},{"text":326,"config":664},{"href":328,"dataGaName":329,"dataGaLocation":447},{"text":666,"config":667},"Modern Slavery Transparency Statement",{"href":668,"dataGaName":669,"dataGaLocation":447},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":671},[672,675,678],{"text":673,"config":674},"Terms",{"href":499,"dataGaName":500,"dataGaLocation":447},{"text":676,"config":677},"Cookies",{"dataGaName":509,"dataGaLocation":447,"id":510,"isOneTrustButton":14},{"text":679,"config":680},"Privacy",{"href":504,"dataGaName":505,"dataGaLocation":447},240,{"id":683,"title":684,"authorSlugs":685,"body":6,"categorySlug":9,"config":687,"content":690,"description":6,"extension":12,"isFeatured":14,"meta":702,"navigation":14,"path":703,"publishedDate":696,"seo":704,"stem":705,"tagSlugs":706,"__hash__":707},"blogPosts/en-us/blog/auto-dismiss-vulnerability-management-policy.yml","Auto Dismiss Vulnerability Management Policy",[686],"grant-hickman",{"slug":688,"featured":14,"template":689},"auto-dismiss-vulnerability-management-policy","BlogPost",{"title":691,"description":692,"authors":693,"heroImage":695,"date":696,"category":9,"tags":697,"body":701},"Manage vulnerability noise at scale with auto-dismiss policies","Learn how to cut through scanner noise and focus on the vulnerabilities that matter most with GitLab security, including use cases and templates.",[694],"Grant Hickman","https://res.cloudinary.com/about-gitlab-com/image/upload/v1774375772/kpaaaiqhokevxxeoxvu0.png","2026-03-25",[9,698,546,699,700],"tutorial","features","product","Security scanners are essential, but not every finding requires action. Test code, vendored dependencies, generated files, and known false positives create noise that buries the vulnerabilities that actually matter. Security teams waste hours manually dismissing the same irrelevant findings across projects and pipelines. They experience slower triage, alert fatigue, and developer friction that undermines adoption of security scanning itself.\n\nGitLab's auto-dismiss vulnerability policies let you codify your triage decisions once and apply them automatically on every default-branch pipeline. Define criteria based on file path, directory, or vulnerability identifier (CVE, CWE), choose a dismissal reason, and let GitLab handle the rest.\n\n## Why auto-dismiss?\nAuto-dismiss vulnerability policies enable security teams to:\n- **Eliminate triage noise**: Automatically dismiss findings in test code, vendored dependencies, and generated files.\n- **Enforce decisions at scale**: Apply policies centrally to dismiss known false positives across your entire organization.\n- **Maintain audit transparency**: Every auto-dismissed finding includes a documented reason and links back to the policy that triggered it.\n- **Preserve the record**: Unlike scanner exclusions, dismissed vulnerabilities remain in your report, so you can revisit decisions if conditions change.\n\n## How auto-dismiss policies work\n\n1. **Define your policy** in a vulnerability management policy YAML file. Specify match criteria (file path, directory, or identifier) and a dismissal reason.\n\n2. **Merge and activate.** Create the policy via **Secure > Policies > New  policy > Vulnerability management policy**. Merge the MR to enable it.\n3. **Run your pipeline.** On every default-branch pipeline, matching vulnerabilities are automatically set to \"Dismissed\" with the specified reason. Up to 1,000 vulnerabilities are processed per run.\n4. **Measure the impact.** Filter your vulnerability report by status \"Dismissed\" to see exactly what was cleaned up and validate that the right findings are being handled.\n\n## Use cases with ready-to-use configurations\n\nEach example below includes a policy configuration you can copy, customize, and apply immediately.\n\n### 1. Dismiss test code vulnerabilities\n\nSAST and dependency scanners flag hardcoded credentials, insecure fixtures, and dev-only dependencies in test directories. These are not production risks.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss test code vulnerabilities\"\n    description: \"Auto-dismiss findings in test directories\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"test/**/*\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"tests/**/*\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"spec/**/*\"\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"__tests__/*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: used_in_tests\n\n```\n\n### 2. Dismiss vendored and third-party code\n\nVulnerabilities in `vendor/`, `third_party/`, or checked-in `node_modules` are managed upstream and not actionable for your team.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss vendored dependency findings\"\n    description: \"Findings in vendored code are managed upstream\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"vendor/*\"\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"third_party/*\"\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"vendored/*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: not_applicable\n\n```\n\n### 3. Dismiss known false positive CVEs\n\nCertain CVEs are repeatedly flagged but don't apply to your usage context. Teams dismiss these manually every time they appear. Replace the example CVEs below with your own.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss known false positive CVEs\"\n    description: \"CVEs confirmed as false positives for our environment\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2023-44487\"\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2024-29041\"\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2023-26136\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: false_positive\n\n```\n\n### 4. Dismiss generated and auto-created code\n\nProtobuf, gRPC, OpenAPI generators, and ORM scaffolding tools produce files with flagged patterns that cannot be patched by your team.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss generated code findings\"\n    description: \"Generated files are not authored by us\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"generated/*\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"**/*.pb.go\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"**/*.generated.*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: not_applicable\n\n```\n\n### 5. Dismiss infrastructure-mitigated vulnerabilities\n\nVulnerability classes like XSS (CWE-79) or SQL injection (CWE-89) that are already addressed by WAF rules or runtime protection. Only use this when mitigating controls are verified and consistently enforced.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss CWEs mitigated by WAF\"\n    description: \"XSS and SQLi mitigated by WAF rules\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CWE-79\"\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CWE-89\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: mitigating_control\n\n```\n\n### 6. Dismiss CVE families across your organization\n\nA wave of related CVEs for a widely-used library your team has assessed? Apply at the group level to dismiss them across dozens of projects. The wildcard pattern (e.g., `CVE-2021-44*`) matches all CVEs with that prefix.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Accept risk for log4j CVE family\"\n    description: \"Log4j CVEs mitigated by version pinning and WAF\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2021-44*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: acceptable_risk\n\n```\n\n## Quick reference\n\n| Parameter | Details |\n|-----------|---------|\n| **Criteria types** | `file_path` (glob patterns, e.g., `test/**/*`), `directory` (e.g., `vendor/*`), `identifier` (CVE/CWE with wildcards, e.g., `CVE-2023-*`) |\n| **Dismissal reasons** | `acceptable_risk`, `false_positive`, `mitigating_control`, `used_in_tests`, `not_applicable` |\n| **Criteria logic** | Multiple criteria within a rule = AND (must match all). Multiple rules within a policy = OR (match any). |\n| **Limits** | 3 criteria per rule, 5 rules per policy, 5 policies per security policy project. Vulnerabilty management policy actions process 1000 vulnerabilities per pipeline run in the target project, until all matching vulnerabilities are processed. |\n| **Affected statuses** | Needs triage, Confirmed |\n| **Scope** | Project-level or group-level (group-level applies across all projects) |\n\n## Getting started\nHere's how to get started with auto-dismiss policies:\n\n1. **Identify the noise.** Open your vulnerability report and sort by \"Needs triage.\" Look for patterns: test files, vendored code, the same CVE across projects.\n\n2. **Pick a scenario.** Start with whichever use case above accounts for the most findings.\n\n3. **Record your baseline.** Note the number of \"Needs triage\" vulnerabilities before creating a policy.\n\n4. **Create and enable.** Navigate to **Secure > Policies > New policy > Vulnerability management policy**. Paste the configuration from the use case above, then merge the MR.\n\n5. **Validate results.** After the next default-branch pipeline, filter by status \"Dismissed\" to confirm the right findings were handled.\n\nFor full configuration details, see the [vulnerability management policy documentation](https://docs.gitlab.com/user/application_security/policies/vulnerability_management_policy/#auto-dismiss-policies).\n\n> Ready to take control of vulnerability noise? [Start a free GitLab Ultimate trial](https://about.gitlab.com/free-trial/) and configure your first auto-dismiss policy today.\n",{},"/en-us/blog/auto-dismiss-vulnerability-management-policy",{"title":691,"description":692},"en-us/blog/auto-dismiss-vulnerability-management-policy",[9,698,549,699,700],"fnflV-WQz24f0kwMvgtRNVEbdbsyS062QYVn8Pw2y_s",[709,718,727,736,743,752,760,766,772],{"content":710,"config":716},{"title":711,"heroImage":712,"category":9,"description":713,"authors":714},"Coming soon: GitLab dependency firewall","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749665667/Blog/Hero%20Images/built-in-security.jpg","Learn how this new feature will help organizations avoid supply chain software attacks by warning them or blocking the download based on a project's policy.",[715],"Tim Rizzi",{"externalUrl":-1,"slug":717},"coming-soon-gitlab-dependency-firewall",{"content":719,"config":725},{"title":720,"heroImage":721,"category":9,"description":722,"authors":723},"Simplify your cloud account management for Kubernetes access","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749670563/Blog/Hero%20Images/cloudcomputing.jpg","In this tutorial, learn how to use the GitLab agent for Kubernetes and its user impersonation features for secure cluster access.\n\n",[724],"Viktor Nagy",{"externalUrl":-1,"slug":726},"simplify-your-cloud-account-management-for-kubernetes-access",{"content":728,"config":734},{"title":729,"heroImage":730,"category":9,"description":731,"authors":732},"The ultimate guide to least privilege access with GitLab","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750099438/Blog/Hero%20Images/Blog/Hero%20Images/built-in-security_built-in-security.jpeg_1750099438377.jpg","This tutorial demonstrates how to achieve least privilege access using custom roles, security policies, compliance pipelines, branch protections, and more.",[733],"Fernando Diaz",{"externalUrl":-1,"slug":735},"the-ultimate-guide-to-least-privilege-access-with-gitlab",{"content":737,"config":741},{"title":738,"heroImage":739,"category":9,"description":740,"authors":-1},"GitLab Security Release: 16.9.2, 16.8.4, 16.7.7","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749662877/Blog/Hero%20Images/security-cover-new.png","Learn more about GitLab Security Release: 16.9.2, 16.8.4, 16.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":742,"slug":-1},"https://about.gitlab.com/releases/2024/03/06/security-release-gitlab-16-9-2-released/",{"content":744,"config":750},{"title":745,"heroImage":746,"category":9,"description":747,"authors":748},"How-to: Detecting secrets in video content ","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750099421/Blog/Hero%20Images/Blog/Hero%20Images/security-checklist_security-checklist.png_1750099421443.png","GitLab’s Security team identifies and mitigates security risks in video content by searching for API keys or other sensitive tokens. Here's how we do it (with an assist from AI) and how you can, too.",[749],"Dennis Appelt",{"externalUrl":-1,"slug":751},"how-to-detecting-secrets-in-video",{"content":753,"config":758},{"title":754,"heroImage":755,"category":9,"description":756,"authors":757},"How to integrate custom security scanners into GitLab","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750097082/Blog/Hero%20Images/Blog/Hero%20Images/securitycheck_securitycheck.png_1750097081856.png","Learn how to extend the DevSecOps platform by adding custom security scanners to your workflows (includes an easy-to-follow tutorial).",[733],{"externalUrl":-1,"slug":759},"how-to-integrate-custom-security-scanners-into-gitlab",{"content":761,"config":764},{"title":762,"heroImage":739,"category":9,"description":763,"authors":-1},"GitLab Security Release: 16.9.1, 16.8.3, 16.7.6","Learn more about GitLab Security Release: 16.9.1, 16.8.3, 16.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":765,"slug":-1},"https://about.gitlab.com/releases/2024/02/21/security-release-gitlab-16-9-1-released/",{"content":767,"config":770},{"title":768,"heroImage":739,"category":9,"description":769,"authors":-1},"GitLab Security Release: 16.8.2, 16.7.5, 16.6.7","Learn more about GitLab Security Release: 16.8.2, 16.7.5, 16.6.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":771,"slug":-1},"https://about.gitlab.com/releases/2024/02/07/security-release-gitlab-16-8-2-released/",{"content":773,"config":779},{"title":774,"heroImage":775,"category":9,"description":776,"authors":777},"GitLab drives automotive industry information security with TISAX certification","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749659703/Blog/Hero%20Images/AdobeStock_577940357.jpg","Learn why we pursued this certification and how it will help GitLab customers in the automotive industry.",[778],"Liz Coleman",{"externalUrl":-1,"slug":780},"gitlab-drives-automotive-industry-information-security-with-tisax",1776443006328]