[{"data":1,"prerenderedAt":2050},["ShallowReactive",2],{"/en-us/blog/severity-override-vulnerability-management-policy":3,"navigation-en-us":1283,"banner-en-us":1698,"footer-en-us":1706,"blog-post-authors-en-us-Grant Hickman":1949,"blog-related-posts-en-us-severity-override-vulnerability-management-policy":1964,"blog-promotions-en-us":1987,"next-steps-en-us":2040},{"id":4,"title":5,"authors":6,"body":8,"category":1265,"date":1266,"description":1267,"extension":1268,"externalUrl":1269,"featured":1270,"heroImage":1271,"meta":1272,"navigation":1273,"path":1274,"seo":1275,"slug":1277,"stem":1278,"tags":1279,"template":1281,"updatedDate":1269,"__hash__":1282},"blogPosts/en-us/blog/severity-override-vulnerability-management-policy.md","5 ways to fix misleading vulnerability severities with policy",[7],"Grant Hickman",{"type":9,"value":10,"toc":1251},"minimark",[11,15,18,23,33,36,59,62,66,69,74,77,80,275,282,286,305,308,463,472,476,479,482,621,624,628,637,640,778,781,785,792,795,968,971,975,978,1015,1019,1180,1184,1193,1205,1213,1221,1229,1247],[12,13,14],"p",{},"A typical enterprise vulnerability report surfaces hundreds of findings per scan cycle, all ranked by the Common Vulnerability Scoring System (CVSS). The problem: CVSS describes the theoretical characteristics of a Common Vulnerabilities and Exposures (CVE), not whether it matters in your environment. A Critical vulnerability in an internal-only utility library is not the same risk as a Medium vulnerability in a public-facing authentication service, but they're treated identically until someone manually triages each one. 
That triage work doesn't scale.",[12,16,17],{},"GitLab vulnerability management policies can now automatically override those default CVSS severity levels based on conditions you define, so your vulnerability report reflects your actual risk model instead of a generic one.",[19,20,22],"h2",{"id":21},"how-severity-override-policies-work","How severity override policies work",[12,24,25,26,32],{},"A severity override policy is a type of ",[27,28,31],"a",{"href":29,"rel":30},"https://docs.gitlab.com/user/application_security/policies/vulnerability_management_policy/",[],"vulnerability management policy"," that adjusts vulnerability severity levels automatically on every default-branch pipeline. You define rules with match criteria (CVE ID, CWE ID, file path, or directory) and an override action. When a vulnerability matches, GitLab's Security Policy Bot updates its severity immediately.",[12,34,35],{},"Three override operations are available:",[37,38,39,47,53],"ul",{},[40,41,42,46],"li",{},[43,44,45],"strong",{},"Set Severity",": Forces the severity to a specific level (info, low, medium, high, or critical).",[40,48,49,52],{},[43,50,51],{},"Increase Severity",": Bumps the severity up one level.",[40,54,55,58],{},[43,56,57],{},"Decrease Severity",": Drops the severity down one level.",[12,60,61],{},"Manual overrides by authorized users always take precedence over policy overrides. Every automated change is logged in the vulnerability's history and audit events, so you maintain a complete record of what changed and why.",[19,63,65],{"id":64},"use-cases-with-ready-to-use-configurations","Use cases with ready-to-use configurations",[12,67,68],{},"Each example below includes a policy configuration you can copy, customize, and apply immediately.",[70,71,73],"h3",{"id":72},"_1-downgrade-low-risk-cves-in-internal-services","1. 
Downgrade low-risk CVEs in internal services",[12,75,76],{},"Security scanners don't know which projects are internal tools, test utilities, or production services. They rate every CVE the same regardless of deployment context. For teams running internal admin dashboards, developer tooling, or batch processing jobs that never face external traffic, a Critical-rated dependency vulnerability often doesn't warrant the same response as one in a customer-facing API.",[12,78,79],{},"This policy decreases the severity of specific CVEs found in internal service directories:",[81,82,87],"pre",{"className":83,"code":84,"language":85,"meta":86,"style":86},"language-yaml shiki shiki-themes github-light","vulnerability_management_policy:\n  - name: \"Downgrade CVEs in internal services\"\n    description: \"Internal-only services have lower exposure risk\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            identifier_type: cve\n            values:\n              - \"CVE-2023-44487\"\n              - \"CVE-2024-29041\"\n          - type: directory\n            value: \"internal/**/*\"\n    actions:\n      - type: severity_override\n        severity_override_operation: decrease\n","yaml","",[88,89,90,103,119,130,142,150,164,172,185,196,204,213,221,233,244,252,264],"code",{"__ignoreMap":86},[91,92,95,99],"span",{"class":93,"line":94},"line",1,[91,96,98],{"class":97},"shJU0","vulnerability_management_policy",[91,100,102],{"class":101},"sgsFI",":\n",[91,104,106,109,112,115],{"class":93,"line":105},2,[91,107,108],{"class":101},"  - ",[91,110,111],{"class":97},"name",[91,113,114],{"class":101},": ",[91,116,118],{"class":117},"sYBdl","\"Downgrade CVEs in internal services\"\n",[91,120,122,125,127],{"class":93,"line":121},3,[91,123,124],{"class":97},"    description",[91,126,114],{"class":101},[91,128,129],{"class":117},"\"Internal-only services have lower exposure 
risk\"\n",[91,131,133,136,138],{"class":93,"line":132},4,[91,134,135],{"class":97},"    enabled",[91,137,114],{"class":101},[91,139,141],{"class":140},"sYu0t","true\n",[91,143,145,148],{"class":93,"line":144},5,[91,146,147],{"class":97},"    rules",[91,149,102],{"class":101},[91,151,153,156,159,161],{"class":93,"line":152},6,[91,154,155],{"class":101},"      - ",[91,157,158],{"class":97},"type",[91,160,114],{"class":101},[91,162,163],{"class":117},"detected\n",[91,165,167,170],{"class":93,"line":166},7,[91,168,169],{"class":97},"        criteria",[91,171,102],{"class":101},[91,173,175,178,180,182],{"class":93,"line":174},8,[91,176,177],{"class":101},"          - ",[91,179,158],{"class":97},[91,181,114],{"class":101},[91,183,184],{"class":117},"identifier\n",[91,186,188,191,193],{"class":93,"line":187},9,[91,189,190],{"class":97},"            identifier_type",[91,192,114],{"class":101},[91,194,195],{"class":117},"cve\n",[91,197,199,202],{"class":93,"line":198},10,[91,200,201],{"class":97},"            values",[91,203,102],{"class":101},[91,205,207,210],{"class":93,"line":206},11,[91,208,209],{"class":101},"              - ",[91,211,212],{"class":117},"\"CVE-2023-44487\"\n",[91,214,216,218],{"class":93,"line":215},12,[91,217,209],{"class":101},[91,219,220],{"class":117},"\"CVE-2024-29041\"\n",[91,222,224,226,228,230],{"class":93,"line":223},13,[91,225,177],{"class":101},[91,227,158],{"class":97},[91,229,114],{"class":101},[91,231,232],{"class":117},"directory\n",[91,234,236,239,241],{"class":93,"line":235},14,[91,237,238],{"class":97},"            value",[91,240,114],{"class":101},[91,242,243],{"class":117},"\"internal/**/*\"\n",[91,245,247,250],{"class":93,"line":246},15,[91,248,249],{"class":97},"    
actions",[91,251,102],{"class":101},[91,253,255,257,259,261],{"class":93,"line":254},16,[91,256,155],{"class":101},[91,258,158],{"class":97},[91,260,114],{"class":101},[91,262,263],{"class":117},"severity_override\n",[91,265,267,270,272],{"class":93,"line":266},17,[91,268,269],{"class":97},"        severity_override_operation",[91,271,114],{"class":101},[91,273,274],{"class":117},"decrease\n",[12,276,277,278,281],{},"Replace the CVE values with the identifiers your team has assessed as lower risk for internal deployments. The ",[88,279,280],{},"decrease"," operation drops severity by one level (Critical becomes High, High becomes Medium), preserving relative priority without overreacting to context-inappropriate scores.",[70,283,285],{"id":284},"_2-upgrade-injection-vulnerabilities-in-production-code","2. Upgrade injection vulnerabilities in production code",[12,287,288,289,294,295,300,301,304],{},"Some vulnerability classes warrant a stronger response when found in production source code. Cross-site scripting (CWE-79) and SQL injection (CWE-89) are consistently among the most exploited vulnerability types according to ",[27,290,293],{"href":291,"rel":292},"https://about.gitlab.com/blog/2025-owasp-top-10-whats-changed-and-why-it-matters/",[],"OWASP"," and CISA's ",[27,296,299],{"href":297,"rel":298},"https://www.cisa.gov/known-exploited-vulnerabilities-catalog",[],"Known Exploited Vulnerabilities (KEV)"," catalog. 
If your scanner reports these as Medium or High in your ",[88,302,303],{},"src/"," directory, your triage process needs to treat them as Critical.",[12,306,307],{},"This policy sets the severity to Critical for XSS and SQLi findings in production code:",[81,309,311],{"className":83,"code":310,"language":85,"meta":86,"style":86},"vulnerability_management_policy:\n  - name: \"Upgrade XSS and SQLi in production code\"\n    description: \"Injection vulnerabilities in src/ are always Critical\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            identifier_type: cwe\n            values:\n              - \"CWE-79\"\n              - \"CWE-89\"\n          - type: directory\n            value: \"src/**/*\"\n    actions:\n      - type: severity_override\n        severity_override_operation: set\n        severity_override_value: critical\n",[88,312,313,319,330,339,347,353,363,369,379,388,394,401,408,418,427,433,443,452],{"__ignoreMap":86},[91,314,315,317],{"class":93,"line":94},[91,316,98],{"class":97},[91,318,102],{"class":101},[91,320,321,323,325,327],{"class":93,"line":105},[91,322,108],{"class":101},[91,324,111],{"class":97},[91,326,114],{"class":101},[91,328,329],{"class":117},"\"Upgrade XSS and SQLi in production code\"\n",[91,331,332,334,336],{"class":93,"line":121},[91,333,124],{"class":97},[91,335,114],{"class":101},[91,337,338],{"class":117},"\"Injection vulnerabilities in src/ are always 
Critical\"\n",[91,340,341,343,345],{"class":93,"line":132},[91,342,135],{"class":97},[91,344,114],{"class":101},[91,346,141],{"class":140},[91,348,349,351],{"class":93,"line":144},[91,350,147],{"class":97},[91,352,102],{"class":101},[91,354,355,357,359,361],{"class":93,"line":152},[91,356,155],{"class":101},[91,358,158],{"class":97},[91,360,114],{"class":101},[91,362,163],{"class":117},[91,364,365,367],{"class":93,"line":166},[91,366,169],{"class":97},[91,368,102],{"class":101},[91,370,371,373,375,377],{"class":93,"line":174},[91,372,177],{"class":101},[91,374,158],{"class":97},[91,376,114],{"class":101},[91,378,184],{"class":117},[91,380,381,383,385],{"class":93,"line":187},[91,382,190],{"class":97},[91,384,114],{"class":101},[91,386,387],{"class":117},"cwe\n",[91,389,390,392],{"class":93,"line":198},[91,391,201],{"class":97},[91,393,102],{"class":101},[91,395,396,398],{"class":93,"line":206},[91,397,209],{"class":101},[91,399,400],{"class":117},"\"CWE-79\"\n",[91,402,403,405],{"class":93,"line":215},[91,404,209],{"class":101},[91,406,407],{"class":117},"\"CWE-89\"\n",[91,409,410,412,414,416],{"class":93,"line":223},[91,411,177],{"class":101},[91,413,158],{"class":97},[91,415,114],{"class":101},[91,417,232],{"class":117},[91,419,420,422,424],{"class":93,"line":235},[91,421,238],{"class":97},[91,423,114],{"class":101},[91,425,426],{"class":117},"\"src/**/*\"\n",[91,428,429,431],{"class":93,"line":246},[91,430,249],{"class":97},[91,432,102],{"class":101},[91,434,435,437,439,441],{"class":93,"line":254},[91,436,155],{"class":101},[91,438,158],{"class":97},[91,440,114],{"class":101},[91,442,263],{"class":117},[91,444,445,447,449],{"class":93,"line":266},[91,446,269],{"class":97},[91,448,114],{"class":101},[91,450,451],{"class":117},"set\n",[91,453,455,458,460],{"class":93,"line":454},18,[91,456,457],{"class":97},"        severity_override_value",[91,459,114],{"class":101},[91,461,462],{"class":117},"critical\n",[12,464,465,466,471],{},"Pair this with a 
",[27,467,470],{"href":468,"rel":469},"https://docs.gitlab.com/user/application_security/policies/merge_request_approval_policies/",[],"merge request approval policy"," that requires security team approval for Critical findings. Together, the severity override ensures the right findings are flagged and prioritized in the vulnerability report, and the approval policy ensures newly detected findings cannot reach production without review.",[70,473,475],{"id":474},"_3-normalize-severity-across-scanners","3. Normalize severity across scanners",[12,477,478],{},"Different scanners sometimes assign different severity levels to the same CVE. Your static application security testing (SAST) scanner might rate a finding as High, while dependency scanning calls it Medium. These inconsistencies create confusion during triage and make it harder to set consistent approval thresholds across scan types.",[12,480,481],{},"Use a severity override policy to enforce a consistent baseline. If your security team has assessed a specific CVE family and determined it should always be High regardless of which scanner found it, set it explicitly:",[81,483,485],{"className":83,"code":484,"language":85,"meta":86,"style":86},"vulnerability_management_policy:\n  - name: \"Normalize log4j severity to High\"\n    description: \"Consistent severity for log4j CVEs across all scanners\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            identifier_type: cve\n            values:\n              - \"CVE-2021-44228\"\n              - \"CVE-2021-45046\"\n              - \"CVE-2021-45105\"\n    actions:\n      - type: severity_override\n        severity_override_operation: set\n        severity_override_value: 
high\n",[88,486,487,493,504,513,521,527,537,543,553,561,567,574,581,588,594,604,612],{"__ignoreMap":86},[91,488,489,491],{"class":93,"line":94},[91,490,98],{"class":97},[91,492,102],{"class":101},[91,494,495,497,499,501],{"class":93,"line":105},[91,496,108],{"class":101},[91,498,111],{"class":97},[91,500,114],{"class":101},[91,502,503],{"class":117},"\"Normalize log4j severity to High\"\n",[91,505,506,508,510],{"class":93,"line":121},[91,507,124],{"class":97},[91,509,114],{"class":101},[91,511,512],{"class":117},"\"Consistent severity for log4j CVEs across all scanners\"\n",[91,514,515,517,519],{"class":93,"line":132},[91,516,135],{"class":97},[91,518,114],{"class":101},[91,520,141],{"class":140},[91,522,523,525],{"class":93,"line":144},[91,524,147],{"class":97},[91,526,102],{"class":101},[91,528,529,531,533,535],{"class":93,"line":152},[91,530,155],{"class":101},[91,532,158],{"class":97},[91,534,114],{"class":101},[91,536,163],{"class":117},[91,538,539,541],{"class":93,"line":166},[91,540,169],{"class":97},[91,542,102],{"class":101},[91,544,545,547,549,551],{"class":93,"line":174},[91,546,177],{"class":101},[91,548,158],{"class":97},[91,550,114],{"class":101},[91,552,184],{"class":117},[91,554,555,557,559],{"class":93,"line":187},[91,556,190],{"class":97},[91,558,114],{"class":101},[91,560,195],{"class":117},[91,562,563,565],{"class":93,"line":198},[91,564,201],{"class":97},[91,566,102],{"class":101},[91,568,569,571],{"class":93,"line":206},[91,570,209],{"class":101},[91,572,573],{"class":117},"\"CVE-2021-44228\"\n",[91,575,576,578],{"class":93,"line":215},[91,577,209],{"class":101},[91,579,580],{"class":117},"\"CVE-2021-45046\"\n",[91,582,583,585],{"class":93,"line":223},[91,584,209],{"class":101},[91,586,587],{"class":117},"\"CVE-2021-45105\"\n",[91,589,590,592],{"class":93,"line":235},[91,591,249],{"class":97},[91,593,102],{"class":101},[91,595,596,598,600,602],{"class":93,"line":246},[91,597,155],{"class":101},[91,599,158],{"class":97},[91,601,114],{"class":101
},[91,603,263],{"class":117},[91,605,606,608,610],{"class":93,"line":254},[91,607,269],{"class":97},[91,609,114],{"class":101},[91,611,451],{"class":117},[91,613,614,616,618],{"class":93,"line":266},[91,615,457],{"class":97},[91,617,114],{"class":101},[91,619,620],{"class":117},"high\n",[12,622,623],{},"This is especially useful for organizations running multiple scan types (SAST, dependency scanning, container scanning) where the same underlying vulnerability appears with different ratings depending on the detection method.",[70,625,627],{"id":626},"_4-align-severity-with-exploitation-intelligence","4. Align severity with exploitation intelligence",[12,629,630,631,636],{},"CVSS scores are static. They don't change when a vulnerability starts being actively exploited, and they don't account for real-world exploitation probability. FIRST's ",[27,632,635],{"href":633,"rel":634},"https://www.first.org/epss/",[],"Exploit Prediction Scoring System (EPSS)"," and CISA's KEV catalog provide the missing signal.",[12,638,639],{},"When your threat intelligence tells you a Medium-severity CVE is now actively exploited (KEV) or has a high exploitation probability (EPSS above 0.5), use a severity override to upgrade it:",[81,641,643],{"className":83,"code":642,"language":85,"meta":86,"style":86},"vulnerability_management_policy:\n  - name: \"Upgrade actively exploited CVEs\"\n    description: \"CVEs in CISA KEV catalog should be treated as Critical\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            identifier_type: cve\n            values:\n              - \"CVE-2024-3094\"\n              - \"CVE-2023-4966\"\n              - \"CVE-2023-22515\"\n    actions:\n      - type: severity_override\n        severity_override_operation: set\n        severity_override_value: 
critical\n",[88,644,645,651,662,671,679,685,695,701,711,719,725,732,739,746,752,762,770],{"__ignoreMap":86},[91,646,647,649],{"class":93,"line":94},[91,648,98],{"class":97},[91,650,102],{"class":101},[91,652,653,655,657,659],{"class":93,"line":105},[91,654,108],{"class":101},[91,656,111],{"class":97},[91,658,114],{"class":101},[91,660,661],{"class":117},"\"Upgrade actively exploited CVEs\"\n",[91,663,664,666,668],{"class":93,"line":121},[91,665,124],{"class":97},[91,667,114],{"class":101},[91,669,670],{"class":117},"\"CVEs in CISA KEV catalog should be treated as Critical\"\n",[91,672,673,675,677],{"class":93,"line":132},[91,674,135],{"class":97},[91,676,114],{"class":101},[91,678,141],{"class":140},[91,680,681,683],{"class":93,"line":144},[91,682,147],{"class":97},[91,684,102],{"class":101},[91,686,687,689,691,693],{"class":93,"line":152},[91,688,155],{"class":101},[91,690,158],{"class":97},[91,692,114],{"class":101},[91,694,163],{"class":117},[91,696,697,699],{"class":93,"line":166},[91,698,169],{"class":97},[91,700,102],{"class":101},[91,702,703,705,707,709],{"class":93,"line":174},[91,704,177],{"class":101},[91,706,158],{"class":97},[91,708,114],{"class":101},[91,710,184],{"class":117},[91,712,713,715,717],{"class":93,"line":187},[91,714,190],{"class":97},[91,716,114],{"class":101},[91,718,195],{"class":117},[91,720,721,723],{"class":93,"line":198},[91,722,201],{"class":97},[91,724,102],{"class":101},[91,726,727,729],{"class":93,"line":206},[91,728,209],{"class":101},[91,730,731],{"class":117},"\"CVE-2024-3094\"\n",[91,733,734,736],{"class":93,"line":215},[91,735,209],{"class":101},[91,737,738],{"class":117},"\"CVE-2023-4966\"\n",[91,740,741,743],{"class":93,"line":223},[91,742,209],{"class":101},[91,744,745],{"class":117},"\"CVE-2023-22515\"\n",[91,747,748,750],{"class":93,"line":235},[91,749,249],{"class":97},[91,751,102],{"class":101},[91,753,754,756,758,760],{"class":93,"line":246},[91,755,155],{"class":101},[91,757,158],{"class":97},[91,759,114],{"class":10
1},[91,761,263],{"class":117},[91,763,764,766,768],{"class":93,"line":254},[91,765,269],{"class":97},[91,767,114],{"class":101},[91,769,451],{"class":117},[91,771,772,774,776],{"class":93,"line":266},[91,773,457],{"class":97},[91,775,114],{"class":101},[91,777,462],{"class":117},[12,779,780],{},"Maintain a living list of KEV entries relevant to your stack and update the policy as new CVEs are added to the catalog. This creates a feedback loop between threat intelligence and developer-facing severity, without requiring analysts to manually adjust each finding.",[70,782,784],{"id":783},"_5-apply-org-wide-risk-models-at-the-group-level","5. Apply org-wide risk models at the group level",[12,786,787,788,791],{},"Individual project policies don't scale when your organization has hundreds or thousands of projects. Severity override policies can be applied at the group level, affecting every project in the group. Combined with ",[88,789,790],{},"policy_scope",", you can target policies to projects matching a specific compliance framework label.",[12,793,794],{},"For example, an organization with a \"PCI-DSS\" compliance framework can enforce stricter severity treatment for injection vulnerabilities across all PCI-scoped projects, while applying a lighter policy to internal tooling groups:",[81,796,798],{"className":83,"code":797,"language":85,"meta":86,"style":86},"vulnerability_management_policy:\n  - name: \"PCI projects: upgrade injection severity\"\n    description: \"All injection vulnerabilities are Critical in PCI scope\"\n    enabled: true\n    policy_scope:\n      compliance_frameworks:\n        - id: 12345\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            identifier_type: cwe\n            values:\n              - \"CWE-79\"\n              - \"CWE-89\"\n              - \"CWE-78\"\n              - \"CWE-94\"\n    actions:\n      - type: severity_override\n        severity_override_operation: set\n        
severity_override_value: critical\n",[88,799,800,806,817,826,834,841,848,861,867,877,883,893,901,907,913,919,926,933,939,950,959],{"__ignoreMap":86},[91,801,802,804],{"class":93,"line":94},[91,803,98],{"class":97},[91,805,102],{"class":101},[91,807,808,810,812,814],{"class":93,"line":105},[91,809,108],{"class":101},[91,811,111],{"class":97},[91,813,114],{"class":101},[91,815,816],{"class":117},"\"PCI projects: upgrade injection severity\"\n",[91,818,819,821,823],{"class":93,"line":121},[91,820,124],{"class":97},[91,822,114],{"class":101},[91,824,825],{"class":117},"\"All injection vulnerabilities are Critical in PCI scope\"\n",[91,827,828,830,832],{"class":93,"line":132},[91,829,135],{"class":97},[91,831,114],{"class":101},[91,833,141],{"class":140},[91,835,836,839],{"class":93,"line":144},[91,837,838],{"class":97},"    policy_scope",[91,840,102],{"class":101},[91,842,843,846],{"class":93,"line":152},[91,844,845],{"class":97},"      compliance_frameworks",[91,847,102],{"class":101},[91,849,850,853,856,858],{"class":93,"line":166},[91,851,852],{"class":101},"        - 
",[91,854,855],{"class":97},"id",[91,857,114],{"class":101},[91,859,860],{"class":140},"12345\n",[91,862,863,865],{"class":93,"line":174},[91,864,147],{"class":97},[91,866,102],{"class":101},[91,868,869,871,873,875],{"class":93,"line":187},[91,870,155],{"class":101},[91,872,158],{"class":97},[91,874,114],{"class":101},[91,876,163],{"class":117},[91,878,879,881],{"class":93,"line":198},[91,880,169],{"class":97},[91,882,102],{"class":101},[91,884,885,887,889,891],{"class":93,"line":206},[91,886,177],{"class":101},[91,888,158],{"class":97},[91,890,114],{"class":101},[91,892,184],{"class":117},[91,894,895,897,899],{"class":93,"line":215},[91,896,190],{"class":97},[91,898,114],{"class":101},[91,900,387],{"class":117},[91,902,903,905],{"class":93,"line":223},[91,904,201],{"class":97},[91,906,102],{"class":101},[91,908,909,911],{"class":93,"line":235},[91,910,209],{"class":101},[91,912,400],{"class":117},[91,914,915,917],{"class":93,"line":246},[91,916,209],{"class":101},[91,918,407],{"class":117},[91,920,921,923],{"class":93,"line":254},[91,922,209],{"class":101},[91,924,925],{"class":117},"\"CWE-78\"\n",[91,927,928,930],{"class":93,"line":266},[91,929,209],{"class":101},[91,931,932],{"class":117},"\"CWE-94\"\n",[91,934,935,937],{"class":93,"line":454},[91,936,249],{"class":97},[91,938,102],{"class":101},[91,940,942,944,946,948],{"class":93,"line":941},19,[91,943,155],{"class":101},[91,945,158],{"class":97},[91,947,114],{"class":101},[91,949,263],{"class":117},[91,951,953,955,957],{"class":93,"line":952},20,[91,954,269],{"class":97},[91,956,114],{"class":101},[91,958,451],{"class":117},[91,960,962,964,966],{"class":93,"line":961},21,[91,963,457],{"class":97},[91,965,114],{"class":101},[91,967,462],{"class":117},[12,969,970],{},"This pattern means the security team defines the risk model once and it applies consistently everywhere. No per-project configuration. 
No reliance on individual teams remembering to set things up correctly.",[19,972,974],{"id":973},"getting-started","Getting started",[12,976,977],{},"Follow these steps to create vulnerability management policies:",[979,980,981,987,993,999,1009],"ol",{},[40,982,983,986],{},[43,984,985],{},"Identify the mismatch."," Open your vulnerability report and filter by \"Needs triage.\" Look for patterns: Critical findings in test code, Medium findings that are actively exploited, inconsistent ratings across scan types.",[40,988,989,992],{},[43,990,991],{},"Pick one use case."," Start with whichever scenario above accounts for the most misaligned findings.",[40,994,995,998],{},[43,996,997],{},"Record your baseline."," Note the severity distribution before creating a policy (how many Critical, High, Medium findings in the target scope).",[40,1000,1001,1004,1005,1008],{},[43,1002,1003],{},"Create and apply."," Navigate to ",[43,1006,1007],{},"Secure > Policies > New policy > Vulnerability management policy",". Paste the configuration from the use case above, then merge the MR.",[40,1010,1011,1014],{},[43,1012,1013],{},"Validate results."," After the next default-branch pipeline, check the vulnerability report for updated severities. 
Filter the activity log to see which findings were adjusted and confirm the right ones were affected.",[70,1016,1018],{"id":1017},"quick-reference","Quick reference",[1020,1021,1022,1035],"table",{},[1023,1024,1025],"thead",{},[1026,1027,1028,1032],"tr",{},[1029,1030,1031],"th",{},"Parameter",[1029,1033,1034],{},"Details",[1036,1037,1038,1072,1092,1116,1137,1147,1157,1170],"tbody",{},[1026,1039,1040,1046],{},[1041,1042,1043],"td",{},[43,1044,1045],{},"Criteria types",[1041,1047,1048,1051,1052,1051,1055,1058,1059,114,1062,1051,1065,1051,1068,1071],{},[88,1049,1050],{},"file_path",", ",[88,1053,1054],{},"directory",[88,1056,1057],{},"identifier"," (with optional ",[88,1060,1061],{},"identifier_type",[88,1063,1064],{},"cve",[88,1066,1067],{},"cwe",[88,1069,1070],{},"owasp",")",[1026,1073,1074,1079],{},[1041,1075,1076],{},[43,1077,1078],{},"Override operations",[1041,1080,1081,1084,1085,1088,1089,1091],{},[88,1082,1083],{},"set"," (to specific level), ",[88,1086,1087],{},"increase"," (one level up), ",[88,1090,280],{}," (one level down)",[1026,1093,1094,1099],{},[1041,1095,1096],{},[43,1097,1098],{},"Severity levels",[1041,1100,1101,1051,1104,1051,1107,1051,1110,1051,1113],{},[88,1102,1103],{},"info",[88,1105,1106],{},"low",[88,1108,1109],{},"medium",[88,1111,1112],{},"high",[88,1114,1115],{},"critical",[1026,1117,1118,1123],{},[1041,1119,1120],{},[43,1121,1122],{},"Values",[1041,1124,1125,1126,1129,1130,1133,1134,1071],{},"Single ",[88,1127,1128],{},"value"," or ",[88,1131,1132],{},"values"," array (up to 1,000 items, OR logic). Wildcards supported (e.g., ",[88,1135,1136],{},"CVE-2023-*",[1026,1138,1139,1144],{},[1041,1140,1141],{},[43,1142,1143],{},"Criteria logic",[1041,1145,1146],{},"Multiple criteria within a rule = AND (must match all). 
Multiple rules within a policy = OR (match any)",[1026,1148,1149,1154],{},[1041,1150,1151],{},[43,1152,1153],{},"Limits",[1041,1155,1156],{},"3 criteria per rule, 5 rules per policy, 5 policies per security policy project",[1026,1158,1159,1164],{},[1041,1160,1161],{},[43,1162,1163],{},"Scope",[1041,1165,1166,1167,1169],{},"Project-level or group-level. ",[88,1168,790],{}," for compliance framework targeting",[1026,1171,1172,1177],{},[1041,1173,1174],{},[43,1175,1176],{},"Manual override precedence",[1041,1178,1179],{},"Manual overrides by authorized users always take precedence",[19,1181,1183],{"id":1182},"faq","FAQ",[12,1185,1186,1189,1192],{},[43,1187,1188],{},"What's the difference between auto-dismiss and severity override?",[1190,1191],"br",{},"\nAuto-dismiss removes findings from your active triage queue. Severity override keeps them visible but adjusts their priority level, so they're still tracked and reviewed at the appropriate urgency.",[12,1194,1195,1198,1200,1201,1204],{},[43,1196,1197],{},"Can I combine severity overrides with other policy types?",[1190,1199],{},"\nYes. Severity overrides apply to findings on the ",[88,1202,1203],{},"default"," branch, affecting vulnerabilities appearing in your GitLab vulnerability reporting. You may then use merge request approval policies to gate newly detected findings.",[12,1206,1207,1210,1212],{},[43,1208,1209],{},"Do severity overrides apply retroactively to existing vulnerabilities?",[1190,1211],{},"\nYes. When a severity override policy is applied, it processes matching vulnerabilities with status \"Needs triage\" or \"Confirmed\" on the next default-branch pipeline, up to 1,000 per run.",[12,1214,1215,1218,1220],{},[43,1216,1217],{},"What happens if two policies set conflicting severities?",[1190,1219],{},"\nManual overrides always take precedence. For policy conflicts, the most recently applied policy takes precedence. 
Review your policies regularly to avoid overlapping criteria.",[12,1222,1223,1226,1228],{},[43,1224,1225],{},"Can developers bypass severity override policies?",[1190,1227],{},"\nNo. Policies are managed in a security policy project with restricted access. Developers can't modify or disable them. Authorized users can apply manual overrides on individual vulnerabilities, which take precedence.",[1230,1231,1232],"blockquote",{},[12,1233,1234,1235,1240,1241,1246],{},"Ready to make your vulnerability report reflect real risk? ",[27,1236,1239],{"href":1237,"rel":1238},"https://docs.gitlab.com/user/application_security/policies/vulnerability_management_policy/#severity-override-policies",[],"Read the severity override policy documentation"," to get started, or ",[27,1242,1245],{"href":1243,"rel":1244},"https://about.gitlab.com/free-trial/",[],"start a free GitLab Ultimate trial"," to try it today.",[1248,1249,1250],"style",{},"html pre.shiki code .shJU0, html code.shiki .shJU0{--shiki-default:#22863A}html pre.shiki code .sgsFI, html code.shiki .sgsFI{--shiki-default:#24292E}html pre.shiki code .sYBdl, html code.shiki .sYBdl{--shiki-default:#032F62}html pre.shiki code .sYu0t, html code.shiki .sYu0t{--shiki-default:#005CC5}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: 