[{"data":1,"prerenderedAt":785},["ShallowReactive",2],{"/en-us/blog/categories/security":3,"navigation-en-us":20,"banner-en-us":429,"footer-en-us":439,"security-category-page-total-items-en-us":681,"security-category-page-featured-en-us":682,"security-category-page-8-en-us":708},{"id":4,"title":5,"body":6,"category":6,"config":7,"content":11,"description":6,"extension":12,"meta":13,"navigation":14,"path":15,"seo":16,"slug":6,"stem":18,"testContent":6,"type":6,"__hash__":19},"blogCategories/en-us/blog/categories/security.yml","Security",null,{"template":8,"slug":9,"hide":10},"BlogCategory","security",false,{"name":5},"yml",{},true,"/en-us/blog/categories/security",{"title":5,"description":17},"Browse articles related to Security on the GitLab Blog","en-us/blog/categories/security","Hx58KagneyLDkWgUOsPQNGCsWqekf9YGQa6EJFfGFRw",{"data":21},{"logo":22,"freeTrial":27,"sales":32,"login":37,"items":42,"search":349,"minimal":380,"duo":399,"switchNav":408,"pricingDeployment":419},{"config":23},{"href":24,"dataGaName":25,"dataGaLocation":26},"/","gitlab logo","header",{"text":28,"config":29},"Get free trial",{"href":30,"dataGaName":31,"dataGaLocation":26},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com&glm_content=default-saas-trial/","free trial",{"text":33,"config":34},"Talk to sales",{"href":35,"dataGaName":36,"dataGaLocation":26},"/sales/","sales",{"text":38,"config":39},"Sign in",{"href":40,"dataGaName":41,"dataGaLocation":26},"https://gitlab.com/users/sign_in/","sign in",[43,70,164,169,270,330],{"text":44,"config":45,"cards":47},"Platform",{"dataNavLevelOne":46},"platform",[48,54,62],{"title":44,"description":49,"link":50},"The intelligent orchestration platform for DevSecOps",{"text":51,"config":52},"Explore our Platform",{"href":53,"dataGaName":46,"dataGaLocation":26},"/platform/",{"title":55,"description":56,"link":57},"GitLab Duo Agent Platform","Agentic AI for the entire software lifecycle",{"text":58,"config":59},"Meet GitLab 
Duo",{"href":60,"dataGaName":61,"dataGaLocation":26},"/gitlab-duo-agent-platform/","gitlab duo agent platform",{"title":63,"description":64,"link":65},"Why GitLab","See the top reasons enterprises choose GitLab",{"text":66,"config":67},"Learn more",{"href":68,"dataGaName":69,"dataGaLocation":26},"/why-gitlab/","why gitlab",{"text":71,"left":14,"config":72,"link":74,"lists":78,"footer":146},"Product",{"dataNavLevelOne":73},"solutions",{"text":75,"config":76},"View all Solutions",{"href":77,"dataGaName":73,"dataGaLocation":26},"/solutions/",[79,103,125],{"title":80,"description":81,"link":82,"items":87},"Automation","CI/CD and automation to accelerate deployment",{"config":83},{"icon":84,"href":85,"dataGaName":86,"dataGaLocation":26},"AutomatedCodeAlt","/solutions/delivery-automation/","automated software delivery",[88,92,95,99],{"text":89,"config":90},"CI/CD",{"href":91,"dataGaLocation":26,"dataGaName":89},"/solutions/continuous-integration/",{"text":55,"config":93},{"href":60,"dataGaLocation":26,"dataGaName":94},"gitlab duo agent platform - product menu",{"text":96,"config":97},"Source Code Management",{"href":98,"dataGaLocation":26,"dataGaName":96},"/solutions/source-code-management/",{"text":100,"config":101},"Automated Software Delivery",{"href":85,"dataGaLocation":26,"dataGaName":102},"Automated software delivery",{"title":5,"description":104,"link":105,"items":110},"Deliver code faster without compromising security",{"config":106},{"href":107,"dataGaName":108,"dataGaLocation":26,"icon":109},"/solutions/application-security-testing/","security and compliance","ShieldCheckLight",[111,115,120],{"text":112,"config":113},"Application Security Testing",{"href":107,"dataGaName":114,"dataGaLocation":26},"Application security testing",{"text":116,"config":117},"Software Supply Chain Security",{"href":118,"dataGaLocation":26,"dataGaName":119},"/solutions/supply-chain/","Software supply chain security",{"text":121,"config":122},"Software 
Compliance",{"href":123,"dataGaName":124,"dataGaLocation":26},"/solutions/software-compliance/","software compliance",{"title":126,"link":127,"items":132},"Measurement",{"config":128},{"icon":129,"href":130,"dataGaName":131,"dataGaLocation":26},"DigitalTransformation","/solutions/visibility-measurement/","visibility and measurement",[133,137,141],{"text":134,"config":135},"Visibility & Measurement",{"href":130,"dataGaLocation":26,"dataGaName":136},"Visibility and Measurement",{"text":138,"config":139},"Value Stream Management",{"href":140,"dataGaLocation":26,"dataGaName":138},"/solutions/value-stream-management/",{"text":142,"config":143},"Analytics & Insights",{"href":144,"dataGaLocation":26,"dataGaName":145},"/solutions/analytics-and-insights/","Analytics and insights",{"title":147,"items":148},"GitLab for",[149,154,159],{"text":150,"config":151},"Enterprise",{"href":152,"dataGaLocation":26,"dataGaName":153},"/enterprise/","enterprise",{"text":155,"config":156},"Small Business",{"href":157,"dataGaLocation":26,"dataGaName":158},"/small-business/","small business",{"text":160,"config":161},"Public Sector",{"href":162,"dataGaLocation":26,"dataGaName":163},"/solutions/public-sector/","public sector",{"text":165,"config":166},"Pricing",{"href":167,"dataGaName":168,"dataGaLocation":26,"dataNavLevelOne":168},"/pricing/","pricing",{"text":170,"config":171,"link":173,"lists":177,"feature":257},"Resources",{"dataNavLevelOne":172},"resources",{"text":174,"config":175},"View all resources",{"href":176,"dataGaName":172,"dataGaLocation":26},"/resources/",[178,211,229],{"title":179,"items":180},"Getting started",[181,186,191,196,201,206],{"text":182,"config":183},"Install",{"href":184,"dataGaName":185,"dataGaLocation":26},"/install/","install",{"text":187,"config":188},"Quick start guides",{"href":189,"dataGaName":190,"dataGaLocation":26},"/get-started/","quick setup 
checklists",{"text":192,"config":193},"Learn",{"href":194,"dataGaLocation":26,"dataGaName":195},"https://university.gitlab.com/","learn",{"text":197,"config":198},"Product documentation",{"href":199,"dataGaName":200,"dataGaLocation":26},"https://docs.gitlab.com/","product documentation",{"text":202,"config":203},"Best practice videos",{"href":204,"dataGaName":205,"dataGaLocation":26},"/getting-started-videos/","best practice videos",{"text":207,"config":208},"Integrations",{"href":209,"dataGaName":210,"dataGaLocation":26},"/integrations/","integrations",{"title":212,"items":213},"Discover",[214,219,224],{"text":215,"config":216},"Customer success stories",{"href":217,"dataGaName":218,"dataGaLocation":26},"/customers/","customer success stories",{"text":220,"config":221},"Blog",{"href":222,"dataGaName":223,"dataGaLocation":26},"/blog/","blog",{"text":225,"config":226},"Remote",{"href":227,"dataGaName":228,"dataGaLocation":26},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"title":230,"items":231},"Connect",[232,237,242,247,252],{"text":233,"config":234},"GitLab Services",{"href":235,"dataGaName":236,"dataGaLocation":26},"/services/","services",{"text":238,"config":239},"Community",{"href":240,"dataGaName":241,"dataGaLocation":26},"/community/","community",{"text":243,"config":244},"Forum",{"href":245,"dataGaName":246,"dataGaLocation":26},"https://forum.gitlab.com/","forum",{"text":248,"config":249},"Events",{"href":250,"dataGaName":251,"dataGaLocation":26},"/events/","events",{"text":253,"config":254},"Partners",{"href":255,"dataGaName":256,"dataGaLocation":26},"/partners/","partners",{"backgroundColor":258,"textColor":259,"text":260,"image":261,"link":265},"#2f2a6b","#fff","Insights for the future of software development",{"altText":262,"config":263},"the source promo card",{"src":264},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758208064/dzl0dbift9xdizyelkk4.svg",{"text":266,"config":267},"Read the 
latest",{"href":268,"dataGaName":269,"dataGaLocation":26},"/the-source/","the source",{"text":271,"config":272,"lists":274},"Company",{"dataNavLevelOne":273},"company",[275],{"items":276},[277,282,288,290,295,300,305,310,315,320,325],{"text":278,"config":279},"About",{"href":280,"dataGaName":281,"dataGaLocation":26},"/company/","about",{"text":283,"config":284,"footerGa":287},"Jobs",{"href":285,"dataGaName":286,"dataGaLocation":26},"/jobs/","jobs",{"dataGaName":286},{"text":248,"config":289},{"href":250,"dataGaName":251,"dataGaLocation":26},{"text":291,"config":292},"Leadership",{"href":293,"dataGaName":294,"dataGaLocation":26},"/company/team/e-group/","leadership",{"text":296,"config":297},"Team",{"href":298,"dataGaName":299,"dataGaLocation":26},"/company/team/","team",{"text":301,"config":302},"Handbook",{"href":303,"dataGaName":304,"dataGaLocation":26},"https://handbook.gitlab.com/","handbook",{"text":306,"config":307},"Investor relations",{"href":308,"dataGaName":309,"dataGaLocation":26},"https://ir.gitlab.com/","investor relations",{"text":311,"config":312},"Trust Center",{"href":313,"dataGaName":314,"dataGaLocation":26},"/security/","trust center",{"text":316,"config":317},"AI Transparency Center",{"href":318,"dataGaName":319,"dataGaLocation":26},"/ai-transparency-center/","ai transparency center",{"text":321,"config":322},"Newsletter",{"href":323,"dataGaName":324,"dataGaLocation":26},"/company/contact/#contact-forms","newsletter",{"text":326,"config":327},"Press",{"href":328,"dataGaName":329,"dataGaLocation":26},"/press/","press",{"text":331,"config":332,"lists":333},"Contact us",{"dataNavLevelOne":273},[334],{"items":335},[336,339,344],{"text":33,"config":337},{"href":35,"dataGaName":338,"dataGaLocation":26},"talk to sales",{"text":340,"config":341},"Support portal",{"href":342,"dataGaName":343,"dataGaLocation":26},"https://support.gitlab.com","support portal",{"text":345,"config":346},"Customer 
portal",{"href":347,"dataGaName":348,"dataGaLocation":26},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"close":350,"login":351,"suggestions":358},"Close",{"text":352,"link":353},"To search repositories and projects, login to",{"text":354,"config":355},"gitlab.com",{"href":40,"dataGaName":356,"dataGaLocation":357},"search login","search",{"text":359,"default":360},"Suggestions",[361,363,367,369,373,377],{"text":55,"config":362},{"href":60,"dataGaName":55,"dataGaLocation":357},{"text":364,"config":365},"Code Suggestions (AI)",{"href":366,"dataGaName":364,"dataGaLocation":357},"/solutions/code-suggestions/",{"text":89,"config":368},{"href":91,"dataGaName":89,"dataGaLocation":357},{"text":370,"config":371},"GitLab on AWS",{"href":372,"dataGaName":370,"dataGaLocation":357},"/partners/technology-partners/aws/",{"text":374,"config":375},"GitLab on Google Cloud",{"href":376,"dataGaName":374,"dataGaLocation":357},"/partners/technology-partners/google-cloud-platform/",{"text":378,"config":379},"Why GitLab?",{"href":68,"dataGaName":378,"dataGaLocation":357},{"freeTrial":381,"mobileIcon":386,"desktopIcon":391,"secondaryButton":394},{"text":382,"config":383},"Start free trial",{"href":384,"dataGaName":31,"dataGaLocation":385},"https://gitlab.com/-/trials/new/","nav",{"altText":387,"config":388},"Gitlab Icon",{"src":389,"dataGaName":390,"dataGaLocation":385},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203874/jypbw1jx72aexsoohd7x.svg","gitlab icon",{"altText":387,"config":392},{"src":393,"dataGaName":390,"dataGaLocation":385},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203875/gs4c8p8opsgvflgkswz9.svg",{"text":395,"config":396},"Get Started",{"href":397,"dataGaName":398,"dataGaLocation":385},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/get-started/","get started",{"freeTrial":400,"mobileIcon":404,"desktopIcon":406},{"text":401,"config":402},"Learn more about GitLab 
Duo",{"href":60,"dataGaName":403,"dataGaLocation":385},"gitlab duo",{"altText":387,"config":405},{"src":389,"dataGaName":390,"dataGaLocation":385},{"altText":387,"config":407},{"src":393,"dataGaName":390,"dataGaLocation":385},{"button":409,"mobileIcon":414,"desktopIcon":416},{"text":410,"config":411},"/switch",{"href":412,"dataGaName":413,"dataGaLocation":385},"#contact","switch",{"altText":387,"config":415},{"src":389,"dataGaName":390,"dataGaLocation":385},{"altText":387,"config":417},{"src":418,"dataGaName":390,"dataGaLocation":385},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1773335277/ohhpiuoxoldryzrnhfrh.png",{"freeTrial":420,"mobileIcon":425,"desktopIcon":427},{"text":421,"config":422},"Back to pricing",{"href":167,"dataGaName":423,"dataGaLocation":385,"icon":424},"back to pricing","GoBack",{"altText":387,"config":426},{"src":389,"dataGaName":390,"dataGaLocation":385},{"altText":387,"config":428},{"src":393,"dataGaName":390,"dataGaLocation":385},{"title":430,"button":431,"config":436},"See how agentic AI transforms software delivery",{"text":432,"config":433},"Watch GitLab Transcend now",{"href":434,"dataGaName":435,"dataGaLocation":26},"/events/transcend/virtual/","transcend event",{"layout":437,"icon":438,"disabled":14},"release","AiStar",{"data":440},{"text":441,"source":442,"edit":448,"contribute":453,"config":458,"items":463,"minimal":670},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":443,"config":444},"View page source",{"href":445,"dataGaName":446,"dataGaLocation":447},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":449,"config":450},"Edit this page",{"href":451,"dataGaName":452,"dataGaLocation":447},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":454,"config":455},"Please 
contribute",{"href":456,"dataGaName":457,"dataGaLocation":447},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":459,"facebook":460,"youtube":461,"linkedin":462},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[464,511,565,609,636],{"title":165,"links":465,"subMenu":480},[466,470,475],{"text":467,"config":468},"View plans",{"href":167,"dataGaName":469,"dataGaLocation":447},"view plans",{"text":471,"config":472},"Why Premium?",{"href":473,"dataGaName":474,"dataGaLocation":447},"/pricing/premium/","why premium",{"text":476,"config":477},"Why Ultimate?",{"href":478,"dataGaName":479,"dataGaLocation":447},"/pricing/ultimate/","why ultimate",[481],{"title":482,"links":483},"Contact Us",[484,487,489,491,496,501,506],{"text":485,"config":486},"Contact sales",{"href":35,"dataGaName":36,"dataGaLocation":447},{"text":340,"config":488},{"href":342,"dataGaName":343,"dataGaLocation":447},{"text":345,"config":490},{"href":347,"dataGaName":348,"dataGaLocation":447},{"text":492,"config":493},"Status",{"href":494,"dataGaName":495,"dataGaLocation":447},"https://status.gitlab.com/","status",{"text":497,"config":498},"Terms of use",{"href":499,"dataGaName":500,"dataGaLocation":447},"/terms/","terms of use",{"text":502,"config":503},"Privacy statement",{"href":504,"dataGaName":505,"dataGaLocation":447},"/privacy/","privacy statement",{"text":507,"config":508},"Cookie preferences",{"dataGaName":509,"dataGaLocation":447,"id":510,"isOneTrustButton":14},"cookie preferences","ot-sdk-btn",{"title":71,"links":512,"subMenu":521},[513,517],{"text":514,"config":515},"DevSecOps platform",{"href":53,"dataGaName":516,"dataGaLocation":447},"devsecops platform",{"text":518,"config":519},"AI-Assisted Development",{"href":60,"dataGaName":520,"dataGaLocation":447},"ai-assisted 
development",[522],{"title":523,"links":524},"Topics",[525,530,535,540,545,550,555,560],{"text":526,"config":527},"CICD",{"href":528,"dataGaName":529,"dataGaLocation":447},"/topics/ci-cd/","cicd",{"text":531,"config":532},"GitOps",{"href":533,"dataGaName":534,"dataGaLocation":447},"/topics/gitops/","gitops",{"text":536,"config":537},"DevOps",{"href":538,"dataGaName":539,"dataGaLocation":447},"/topics/devops/","devops",{"text":541,"config":542},"Version Control",{"href":543,"dataGaName":544,"dataGaLocation":447},"/topics/version-control/","version control",{"text":546,"config":547},"DevSecOps",{"href":548,"dataGaName":549,"dataGaLocation":447},"/topics/devsecops/","devsecops",{"text":551,"config":552},"Cloud Native",{"href":553,"dataGaName":554,"dataGaLocation":447},"/topics/cloud-native/","cloud native",{"text":556,"config":557},"AI for Coding",{"href":558,"dataGaName":559,"dataGaLocation":447},"/topics/devops/ai-for-coding/","ai for coding",{"text":561,"config":562},"Agentic AI",{"href":563,"dataGaName":564,"dataGaLocation":447},"/topics/agentic-ai/","agentic ai",{"title":566,"links":567},"Solutions",[568,570,572,577,581,584,588,591,593,596,599,604],{"text":112,"config":569},{"href":107,"dataGaName":112,"dataGaLocation":447},{"text":102,"config":571},{"href":85,"dataGaName":86,"dataGaLocation":447},{"text":573,"config":574},"Agile development",{"href":575,"dataGaName":576,"dataGaLocation":447},"/solutions/agile-delivery/","agile delivery",{"text":578,"config":579},"SCM",{"href":98,"dataGaName":580,"dataGaLocation":447},"source code management",{"text":526,"config":582},{"href":91,"dataGaName":583,"dataGaLocation":447},"continuous integration & delivery",{"text":585,"config":586},"Value stream management",{"href":140,"dataGaName":587,"dataGaLocation":447},"value stream 
management",{"text":531,"config":589},{"href":590,"dataGaName":534,"dataGaLocation":447},"/solutions/gitops/",{"text":150,"config":592},{"href":152,"dataGaName":153,"dataGaLocation":447},{"text":594,"config":595},"Small business",{"href":157,"dataGaName":158,"dataGaLocation":447},{"text":597,"config":598},"Public sector",{"href":162,"dataGaName":163,"dataGaLocation":447},{"text":600,"config":601},"Education",{"href":602,"dataGaName":603,"dataGaLocation":447},"/solutions/education/","education",{"text":605,"config":606},"Financial services",{"href":607,"dataGaName":608,"dataGaLocation":447},"/solutions/finance/","financial services",{"title":170,"links":610},[611,613,615,617,620,622,624,626,628,630,632,634],{"text":182,"config":612},{"href":184,"dataGaName":185,"dataGaLocation":447},{"text":187,"config":614},{"href":189,"dataGaName":190,"dataGaLocation":447},{"text":192,"config":616},{"href":194,"dataGaName":195,"dataGaLocation":447},{"text":197,"config":618},{"href":199,"dataGaName":619,"dataGaLocation":447},"docs",{"text":220,"config":621},{"href":222,"dataGaName":223,"dataGaLocation":447},{"text":215,"config":623},{"href":217,"dataGaName":218,"dataGaLocation":447},{"text":225,"config":625},{"href":227,"dataGaName":228,"dataGaLocation":447},{"text":233,"config":627},{"href":235,"dataGaName":236,"dataGaLocation":447},{"text":238,"config":629},{"href":240,"dataGaName":241,"dataGaLocation":447},{"text":243,"config":631},{"href":245,"dataGaName":246,"dataGaLocation":447},{"text":248,"config":633},{"href":250,"dataGaName":251,"dataGaLocation":447},{"text":253,"config":635},{"href":255,"dataGaName":256,"dataGaLocation":447},{"title":271,"links":637},[638,640,642,644,646,648,650,654,659,661,663,665],{"text":278,"config":639},{"href":280,"dataGaName":273,"dataGaLocation":447},{"text":283,"config":641},{"href":285,"dataGaName":286,"dataGaLocation":447},{"text":291,"config":643},{"href":293,"dataGaName":294,"dataGaLocation":447},{"text":296,"config":645},{"href":298,"dataGaN
ame":299,"dataGaLocation":447},{"text":301,"config":647},{"href":303,"dataGaName":304,"dataGaLocation":447},{"text":306,"config":649},{"href":308,"dataGaName":309,"dataGaLocation":447},{"text":651,"config":652},"Sustainability",{"href":653,"dataGaName":651,"dataGaLocation":447},"/sustainability/",{"text":655,"config":656},"Diversity, inclusion and belonging (DIB)",{"href":657,"dataGaName":658,"dataGaLocation":447},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":311,"config":660},{"href":313,"dataGaName":314,"dataGaLocation":447},{"text":321,"config":662},{"href":323,"dataGaName":324,"dataGaLocation":447},{"text":326,"config":664},{"href":328,"dataGaName":329,"dataGaLocation":447},{"text":666,"config":667},"Modern Slavery Transparency Statement",{"href":668,"dataGaName":669,"dataGaLocation":447},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":671},[672,675,678],{"text":673,"config":674},"Terms",{"href":499,"dataGaName":500,"dataGaLocation":447},{"text":676,"config":677},"Cookies",{"dataGaName":509,"dataGaLocation":447,"id":510,"isOneTrustButton":14},{"text":679,"config":680},"Privacy",{"href":504,"dataGaName":505,"dataGaLocation":447},240,{"id":683,"title":684,"authorSlugs":685,"body":6,"categorySlug":9,"config":687,"content":690,"description":6,"extension":12,"isFeatured":14,"meta":702,"navigation":14,"path":703,"publishedDate":696,"seo":704,"stem":705,"tagSlugs":706,"__hash__":707},"blogPosts/en-us/blog/auto-dismiss-vulnerability-management-policy.yml","Auto Dismiss Vulnerability Management Policy",[686],"grant-hickman",{"slug":688,"featured":14,"template":689},"auto-dismiss-vulnerability-management-policy","BlogPost",{"title":691,"description":692,"authors":693,"heroImage":695,"date":696,"category":9,"tags":697,"body":701},"Manage vulnerability noise at scale with auto-dismiss policies","Learn how to cut through scanner noise and focus on the 
vulnerabilities that matter most with GitLab security, including use cases and templates.",[694],"Grant Hickman","https://res.cloudinary.com/about-gitlab-com/image/upload/v1774375772/kpaaaiqhokevxxeoxvu0.png","2026-03-25",[9,698,546,699,700],"tutorial","features","product","Security scanners are essential, but not every finding requires action. Test code, vendored dependencies, generated files, and known false positives create noise that buries the vulnerabilities that actually matter. Security teams waste hours manually dismissing the same irrelevant findings across projects and pipelines. They experience slower triage, alert fatigue, and developer friction that undermines adoption of security scanning itself.\n\nGitLab's auto-dismiss vulnerability policies let you codify your triage decisions once and apply them automatically on every default-branch pipeline. Define criteria based on file path, directory, or vulnerability identifier (CVE, CWE), choose a dismissal reason, and let GitLab handle the rest.\n\n## Why auto-dismiss?\nAuto-dismiss vulnerability policies enable security teams to:\n- **Eliminate triage noise**: Automatically dismiss findings in test code, vendored dependencies, and generated files.\n- **Enforce decisions at scale**: Apply policies centrally to dismiss known false positives across your entire organization.\n- **Maintain audit transparency**: Every auto-dismissed finding includes a documented reason and links back to the policy that triggered it.\n- **Preserve the record**: Unlike scanner exclusions, dismissed vulnerabilities remain in your report, so you can revisit decisions if conditions change.\n\n## How auto-dismiss policies work\n\n1. **Define your policy** in a vulnerability management policy YAML file. Specify match criteria (file path, directory, or identifier) and a dismissal reason.\n\n2. **Merge and activate.** Create the policy via **Secure > Policies > New policy > Vulnerability management policy**. 
Merge the MR to enable it.\n3. **Run your pipeline.** On every default-branch pipeline, matching vulnerabilities are automatically set to \"Dismissed\" with the specified reason. Up to 1,000 vulnerabilities are processed per run.\n4. **Measure the impact.** Filter your vulnerability report by status \"Dismissed\" to see exactly what was cleaned up and validate that the right findings are being handled.\n\n## Use cases with ready-to-use configurations\n\nEach example below includes a policy configuration you can copy, customize, and apply immediately.\n\n### 1. Dismiss test code vulnerabilities\n\nSAST and dependency scanners flag hardcoded credentials, insecure fixtures, and dev-only dependencies in test directories. These are not production risks.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss test code vulnerabilities\"\n    description: \"Auto-dismiss findings in test directories\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"test/**/*\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"tests/**/*\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"spec/**/*\"\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"__tests__/*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: used_in_tests\n\n```\n\n### 2. 
Dismiss vendored and third-party code\n\nVulnerabilities in `vendor/`, `third_party/`, or checked-in `node_modules` are managed upstream and not actionable for your team.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss vendored dependency findings\"\n    description: \"Findings in vendored code are managed upstream\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"vendor/*\"\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"third_party/*\"\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"vendored/*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: not_applicable\n\n```\n\n### 3. Dismiss known false positive CVEs\n\nCertain CVEs are repeatedly flagged but don't apply to your usage context. Teams dismiss these manually every time they appear. Replace the example CVEs below with your own.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss known false positive CVEs\"\n    description: \"CVEs confirmed as false positives for our environment\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2023-44487\"\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2024-29041\"\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2023-26136\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: false_positive\n\n```\n\n### 4. 
Dismiss generated and auto-created code\n\nProtobuf, gRPC, OpenAPI generators, and ORM scaffolding tools produce files with flagged patterns that cannot be patched by your team.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss generated code findings\"\n    description: \"Generated files are not authored by us\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: directory\n            value: \"generated/*\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"**/*.pb.go\"\n      - type: detected\n        criteria:\n          - type: file_path\n            value: \"**/*.generated.*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: not_applicable\n\n```\n\n### 5. Dismiss infrastructure-mitigated vulnerabilities\n\nVulnerability classes like XSS (CWE-79) or SQL injection (CWE-89) that are already addressed by WAF rules or runtime protection. Only use this when mitigating controls are verified and consistently enforced.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Dismiss CWEs mitigated by WAF\"\n    description: \"XSS and SQLi mitigated by WAF rules\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CWE-79\"\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CWE-89\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: mitigating_control\n\n```\n\n### 6. Dismiss CVE families across your organization\n\nA wave of related CVEs for a widely-used library your team has assessed? Apply at the group level to dismiss them across dozens of projects. 
The wildcard pattern (e.g., `CVE-2021-44*`) matches all CVEs with that prefix. Note that CVE IDs are numbered sequentially, not per product, so a prefix such as `CVE-2021-44*` also matches unrelated CVEs in that numeric range; review the matched set before enabling a wildcard dismissal.\n\n```yaml\nvulnerability_management_policy:\n  - name: \"Accept risk for log4j CVE family\"\n    description: \"Log4j CVEs mitigated by version pinning and WAF\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            value: \"CVE-2021-44*\"\n    actions:\n      - type: auto_dismiss\n        dismissal_reason: acceptable_risk\n\n```\n\n## Quick reference\n\n| Parameter | Details |\n|-----------|---------|\n| **Criteria types** | `file_path` (glob patterns, e.g., `test/**/*`), `directory` (e.g., `vendor/*`), `identifier` (CVE/CWE with wildcards, e.g., `CVE-2023-*`) |\n| **Dismissal reasons** | `acceptable_risk`, `false_positive`, `mitigating_control`, `used_in_tests`, `not_applicable` |\n| **Criteria logic** | Multiple criteria within a rule = AND (must match all). Multiple rules within a policy = OR (match any). |\n| **Limits** | 3 criteria per rule, 5 rules per policy, 5 policies per security policy project. Vulnerability management policy actions process 1000 vulnerabilities per pipeline run in the target project, until all matching vulnerabilities are processed. |\n| **Affected statuses** | Needs triage, Confirmed |\n| **Scope** | Project-level or group-level (group-level applies across all projects) |\n\n## Getting started\nHere's how to get started with auto-dismiss policies:\n\n1. **Identify the noise.** Open your vulnerability report and sort by \"Needs triage.\" Look for patterns: test files, vendored code, the same CVE across projects.\n\n2. **Pick a scenario.** Start with whichever use case above accounts for the most findings.\n\n3. **Record your baseline.** Note the number of \"Needs triage\" vulnerabilities before creating a policy.\n\n4. **Create and enable.** Navigate to **Secure > Policies > New policy > Vulnerability management policy**. Paste the configuration from the use case above, then merge the MR.\n\n5. 
**Validate results.** After the next default-branch pipeline, filter by status \"Dismissed\" to confirm the right findings were handled.\n\nFor full configuration details, see the [vulnerability management policy documentation](https://docs.gitlab.com/user/application_security/policies/vulnerability_management_policy/#auto-dismiss-policies).\n\n> Ready to take control of vulnerability noise? [Start a free GitLab Ultimate trial](https://about.gitlab.com/free-trial/) and configure your first auto-dismiss policy today.\n",{},"/en-us/blog/auto-dismiss-vulnerability-management-policy",{"title":691,"description":692},"en-us/blog/auto-dismiss-vulnerability-management-policy",[9,698,549,699,700],"fnflV-WQz24f0kwMvgtRNVEbdbsyS062QYVn8Pw2y_s",[709,719,729,736,745,755,764,770,779],{"content":710,"config":717},{"title":711,"heroImage":712,"category":9,"description":713,"authors":714},"Annotate container images with build provenance using Cosign in GitLab CI/CD","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750098395/Blog/Hero%20Images/Blog/Hero%20Images/blog-image-template-1800x945%20%2823%29_2w6waL76KROjhJHM2vXet6_1750098395162.png","Use GitLab pipelines to automate building, signing, and annotating Docker images. This tutorial shares code to show you how. Try it out in your own organization.",[715,716],"João Pereira","Tim Rizzi",{"externalUrl":-1,"slug":718},"annotate-container-images-with-build-provenance-using-cosign-in-gitlab-ci-cd",{"content":720,"config":727},{"title":721,"heroImage":722,"category":9,"description":723,"authors":724},"How to choose the right security scanning approach","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750097969/Blog/Hero%20Images/Blog/Hero%20Images/AdobeStock_282096522_securitycompliance.jpeg_1750097968823.jpg","GitLab offers multiple scanning methods for CI/CD pipelines, including compliance frameworks and scan and pipeline execution policies. 
Learn the basics, configurations, and advantages/disadvantages.",[725,726],"Matt Genelin","Mathias Ewald",{"externalUrl":-1,"slug":728},"how-to-choose-the-right-security-scanning-approach",{"content":730,"config":734},{"title":731,"heroImage":732,"category":9,"description":733,"authors":-1},"GitLab Patch Release: 17.3.1, 17.2.4, 17.1.6","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749662877/Blog/Hero%20Images/security-cover-new.png","Learn more about GitLab Patch Release: 17.3.1, 17.2.4, 17.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":735,"slug":-1},"https://about.gitlab.com/releases/2024/08/21/patch-release-gitlab-17-3-1-released/",{"content":737,"config":743},{"title":738,"heroImage":739,"category":9,"description":740,"authors":741},"How GitLab helps meet NIS2 requirements","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749659437/Blog/Hero%20Images/AdobeStock_398929148.jpg","The EU's NIS2 cybersecurity legislation focuses on resilience, incident response, and risk management. 
Learn how GitLab's DevSecOps platform helps meet these compliance requirements.",[742],"Joseph Longo",{"externalUrl":-1,"slug":744},"how-gitlab-helps-meet-nis2-requirements",{"content":746,"config":753},{"title":747,"heroImage":748,"category":9,"description":749,"authors":750},"FinServ: How to implement GitLab's separation of duties features","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750097688/Blog/Hero%20Images/Blog/Hero%20Images/blog-image-template-1800x945%20%286%29_6vL96ttKF8zJLLqfPpvFs_1750097687913.png","Learn how GitLab ensures secure, compliant software development with separation of duties in the financial services sector, including features that help adhere to regulatory frameworks.",[751,752],"Cherry Han","Gavin Peltz",{"externalUrl":-1,"slug":754},"finserv-how-to-implement-gitlabs-separation-of-duties-features",{"content":756,"config":762},{"title":757,"heroImage":758,"category":9,"description":759,"authors":760},"How GitLab supports the FedRAMP authorization journey","https://res.cloudinary.com/about-gitlab-com/image/upload/v1749659684/Blog/Hero%20Images/AdobeStock_479904468__1_.jpg","This comprehensive guide dives into the FedRAMP certification process, explaining how GitLab offers guidance and best practices for configuration and compliance.",[761],"Christian Nnachi",{"externalUrl":-1,"slug":763},"how-gitlab-supports-the-fedramp-authorization-journey",{"content":765,"config":768},{"title":766,"heroImage":732,"category":9,"description":767,"authors":-1},"GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6","Learn more about GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":769,"slug":-1},"https://about.gitlab.com/releases/2024/08/07/patch-release-gitlab-17-2-2-released/",{"content":771,"config":777},{"title":772,"heroImage":773,"category":9,"description":774,"authors":775},"Get to know the security and governance updates in GitLab 17, 
17.1","https://res.cloudinary.com/about-gitlab-com/image/upload/v1750098858/Blog/Hero%20Images/Blog/Hero%20Images/AdobeStock_282096522_securitycompliance.jpeg_1750098857843.jpg","Dive deep into the new enhancements that can strengthen your organization's security posture, including how-to videos for SAST, DAST, API security, container registry, and more.",[776],"Fernando Diaz",{"externalUrl":-1,"slug":778},"get-to-know-the-security-and-governance-updates-in-gitlab-17-17-1",{"content":780,"config":783},{"title":781,"heroImage":732,"category":9,"description":782,"authors":-1},"GitLab Critical Patch Release: 17.1.2, 17.0.4, 16.11.6","Learn more about GitLab Critical Patch Release: 17.1.2, 17.0.4, 16.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).",{"externalUrl":784,"slug":-1},"https://about.gitlab.com/releases/2024/07/10/patch-release-gitlab-17-1-2-released/",1776436816068]