[{"data":1,"prerenderedAt":2052},["ShallowReactive",2],{"/de-de/blog/severity-override-vulnerability-management-policy":3,"navigation-de-de":1284,"banner-de-de":1703,"footer-de-de":1712,"blog-post-authors-de-de-Grant Hickman":1951,"blog-related-posts-de-de-severity-override-vulnerability-management-policy":1966,"blog-promotions-de-de":1989,"next-steps-de-de":2042},{"id":4,"title":5,"authors":6,"body":8,"category":1265,"date":1266,"description":1267,"extension":1268,"externalUrl":1269,"featured":1270,"heroImage":1271,"meta":1272,"navigation":1273,"path":1274,"seo":1275,"slug":1278,"stem":1279,"tags":1280,"template":1282,"updatedDate":1269,"__hash__":1283},"blogPosts/de-de/blog/severity-override-vulnerability-management-policy.md","Irreführende CVSS-Scores automatisch korrigieren – 5 Richtlinienmuster",[7],"Grant Hickman",{"type":9,"value":10,"toc":1251},"minimark",[11,15,18,23,33,36,59,62,66,69,74,77,80,275,282,286,305,308,463,472,476,479,482,621,624,628,637,640,778,781,785,792,795,968,971,975,978,1015,1019,1180,1184,1193,1205,1213,1221,1229,1247],[12,13,14],"p",{},"Ein typischer Enterprise-Schwachstellenbericht zeigt pro Scan-Zyklus Hunderte\nvon Findings – alle nach dem Common Vulnerability Scoring System (CVSS)\neingestuft. Das Problem: CVSS beschreibt die theoretischen Eigenschaften einer\nCommon Vulnerabilities and Exposures (CVE), nicht ob sie in der eigenen Umgebung\nrelevant ist. Eine kritische Schwachstelle in einer internen Hilfsbibliothek\nist nicht dasselbe Risiko wie eine mittlere Schwachstelle in einem öffentlich\nzugänglichen Authentifizierungsdienst. Trotzdem werden beide identisch behandelt,\nbis jemand jede einzelne manuell triagiert. Diese Triage-Arbeit skaliert nicht.",[12,16,17],{},"GitLab-Schwachstellenmanagement-Richtlinien können diese Standard-CVSS-Schweregrade\njetzt automatisch auf Basis selbst definierter Bedingungen überschreiben – sodass\nder Schwachstellenbericht das tatsächliche Risikomodell widerspiegelt, nicht ein\ngenerisches.",[19,20,22],"h2",{"id":21},"wie-severity-override-richtlinien-funktionieren","Wie Severity-Override-Richtlinien funktionieren",[12,24,25,26,32],{},"Eine Severity-Override-Richtlinie ist ein Typ von\n",[27,28,31],"a",{"href":29,"rel":30},"https://docs.gitlab.com/user/application_security/policies/vulnerability_management_policy/",[],"Schwachstellenmanagement-Richtlinie",",\nder Schwachstellen-Schweregrade automatisch bei jeder Default-Branch-Pipeline\nanpasst. Regeln werden mit Übereinstimmungskriterien (CVE-ID, CWE-ID, Dateipfad\noder Verzeichnis) und einer Override-Aktion definiert. Wenn eine Schwachstelle\nübereinstimmt, aktualisiert GitLabs Security Policy Bot ihren Schweregrad\nsofort.",[12,34,35],{},"Drei Override-Operationen stehen zur Verfügung:",[37,38,39,47,53],"ul",{},[40,41,42,46],"li",{},[43,44,45],"strong",{},"Set Severity:"," Erzwingt einen bestimmten Schweregrad (info, low, medium,\nhigh oder critical).",[40,48,49,52],{},[43,50,51],{},"Increase Severity:"," Erhöht den Schweregrad um eine Stufe.",[40,54,55,58],{},[43,56,57],{},"Decrease Severity:"," Senkt den Schweregrad um eine Stufe.",[12,60,61],{},"Manuelle Überschreibungen durch autorisierte Nutzende haben stets Vorrang vor\nRichtlinien-Overrides. Jede automatisierte Änderung wird in der\nSchwachstellenhistorie und den Audit Events protokolliert – so entsteht eine\nvollständige Aufzeichnung darüber, was sich wann und warum geändert hat.",[19,63,65],{"id":64},"anwendungsfälle-mit-einsatzbereiten-konfigurationen","Anwendungsfälle mit einsatzbereiten Konfigurationen",[12,67,68],{},"Jedes der folgenden Beispiele enthält eine Richtlinienkonfiguration, die direkt\nkopiert, angepasst und angewendet werden kann.",[70,71,73],"h3",{"id":72},"_1-cves-in-internen-diensten-herabstufen","1. CVEs in internen Diensten herabstufen",[12,75,76],{},"Security-Scanner wissen nicht, welche Projekte interne Werkzeuge,\nTest-Utilities oder Produktionsdienste sind. Sie bewerten jede CVE gleich,\nunabhängig vom Deployment-Kontext. Für Teams, die interne Admin-Dashboards,\nEntwicklerwerkzeuge oder Batch-Verarbeitungsjobs betreiben, die nie externen\nTraffic empfangen, rechtfertigt eine kritisch bewertete\nAbhängigkeitsschwachstelle oft nicht dieselbe Reaktion wie eine in einer\nkundenseitigen API.",[12,78,79],{},"Diese Richtlinie senkt den Schweregrad bestimmter CVEs in Verzeichnissen\ninterner Dienste:",[81,82,87],"pre",{"className":83,"code":84,"language":85,"meta":86,"style":86},"language-yaml shiki shiki-themes github-light","vulnerability_management_policy:\n  - name: \"Downgrade CVEs in internal services\"\n    description: \"Internal-only services have lower exposure risk\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            identifier_type: cve\n            values:\n              - \"CVE-2023-44487\"\n              - \"CVE-2024-29041\"\n          - type: directory\n            value: \"internal/**/*\"\n    actions:\n      - type: severity_override\n        severity_override_operation: decrease\n","yaml","",[88,89,90,103,119,130,142,150,164,172,185,196,204,213,221,233,244,252,264],"code",{"__ignoreMap":86},[91,92,95,99],"span",{"class":93,"line":94},"line",1,[91,96,98],{"class":97},"shJU0","vulnerability_management_policy",[91,100,102],{"class":101},"sgsFI",":\n",[91,104,106,109,112,115],{"class":93,"line":105},2,[91,107,108],{"class":101},"  - ",[91,110,111],{"class":97},"name",[91,113,114],{"class":101},": ",[91,116,118],{"class":117},"sYBdl","\"Downgrade CVEs in internal services\"\n",[91,120,122,125,127],{"class":93,"line":121},3,[91,123,124],{"class":97},"    description",[91,126,114],{"class":101},[91,128,129],{"class":117},"\"Internal-only services have lower exposure risk\"\n",[91,131,133,136,138],{"class":93,"line":132},4,[91,134,135],{"class":97},"    enabled",[91,137,114],{"class":101},[91,139,141],{"class":140},"sYu0t","true\n",[91,143,145,148],{"class":93,"line":144},5,[91,146,147],{"class":97},"    rules",[91,149,102],{"class":101},[91,151,153,156,159,161],{"class":93,"line":152},6,[91,154,155],{"class":101},"      - ",[91,157,158],{"class":97},"type",[91,160,114],{"class":101},[91,162,163],{"class":117},"detected\n",[91,165,167,170],{"class":93,"line":166},7,[91,168,169],{"class":97},"        criteria",[91,171,102],{"class":101},[91,173,175,178,180,182],{"class":93,"line":174},8,[91,176,177],{"class":101},"          - ",[91,179,158],{"class":97},[91,181,114],{"class":101},[91,183,184],{"class":117},"identifier\n",[91,186,188,191,193],{"class":93,"line":187},9,[91,189,190],{"class":97},"            identifier_type",[91,192,114],{"class":101},[91,194,195],{"class":117},"cve\n",[91,197,199,202],{"class":93,"line":198},10,[91,200,201],{"class":97},"            values",[91,203,102],{"class":101},[91,205,207,210],{"class":93,"line":206},11,[91,208,209],{"class":101},"              - ",[91,211,212],{"class":117},"\"CVE-2023-44487\"\n",[91,214,216,218],{"class":93,"line":215},12,[91,217,209],{"class":101},[91,219,220],{"class":117},"\"CVE-2024-29041\"\n",[91,222,224,226,228,230],{"class":93,"line":223},13,[91,225,177],{"class":101},[91,227,158],{"class":97},[91,229,114],{"class":101},[91,231,232],{"class":117},"directory\n",[91,234,236,239,241],{"class":93,"line":235},14,[91,237,238],{"class":97},"            value",[91,240,114],{"class":101},[91,242,243],{"class":117},"\"internal/**/*\"\n",[91,245,247,250],{"class":93,"line":246},15,[91,248,249],{"class":97},"    actions",[91,251,102],{"class":101},[91,253,255,257,259,261],{"class":93,"line":254},16,[91,256,155],{"class":101},[91,258,158],{"class":97},[91,260,114],{"class":101},[91,262,263],{"class":117},"severity_override\n",[91,265,267,270,272],{"class":93,"line":266},17,[91,268,269],{"class":97},"        severity_override_operation",[91,271,114],{"class":101},[91,273,274],{"class":117},"decrease\n",[12,276,277,278,281],{},"Die CVE-Werte durch die Identifier ersetzen, die das Team für interne\nDeployments als geringeres Risiko eingestuft hat. Die ",[88,279,280],{},"decrease","-Operation\nsenkt den Schweregrad um eine Stufe (Critical wird High, High wird Medium) –\nrelative Prioritäten bleiben erhalten, ohne auf kontextunangemessene Scores\nüberzureagieren.",[70,283,285],{"id":284},"_2-injektionsschwachstellen-in-produktionscode-hochstufen","2. Injektionsschwachstellen in Produktionscode hochstufen",[12,287,288,289,294,295,300,301,304],{},"Bestimmte Schwachstellenklassen erfordern eine stärkere Reaktion, wenn sie\nin Produktionsquellcode gefunden werden. Cross-Site-Scripting (CWE-79) und\nSQL-Injection (CWE-89) gehören laut ",[27,290,293],{"href":291,"rel":292},"https://about.gitlab.com/de-de/blog/2025-owasp-top-10-whats-changed-and-why-it-matters/",[],"OWASP","\nund dem ",[27,296,299],{"href":297,"rel":298},"https://www.cisa.gov/known-exploited-vulnerabilities-catalog",[],"Known Exploited Vulnerabilities (KEV)-Katalog","\nvon CISA zu den am häufigsten ausgenutzten Schwachstellentypen. Wenn der\nScanner diese Schwachstellen im ",[88,302,303],{},"src/","-Verzeichnis als Medium oder High meldet,\nmuss der Triage-Prozess sie als Critical behandeln.",[12,306,307],{},"Diese Richtlinie setzt den Schweregrad für XSS- und SQLi-Findings in\nProduktionscode auf Critical:",[81,309,311],{"className":83,"code":310,"language":85,"meta":86,"style":86},"vulnerability_management_policy:\n  - name: \"Upgrade XSS and SQLi in production code\"\n    description: \"Injection vulnerabilities in src/ are always Critical\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            identifier_type: cwe\n            values:\n              - \"CWE-79\"\n              - \"CWE-89\"\n          - type: directory\n            value: \"src/**/*\"\n    actions:\n      - type: severity_override\n        severity_override_operation: set\n        severity_override_value: critical\n",[88,312,313,319,330,339,347,353,363,369,379,388,394,401,408,418,427,433,443,452],{"__ignoreMap":86},[91,314,315,317],{"class":93,"line":94},[91,316,98],{"class":97},[91,318,102],{"class":101},[91,320,321,323,325,327],{"class":93,"line":105},[91,322,108],{"class":101},[91,324,111],{"class":97},[91,326,114],{"class":101},[91,328,329],{"class":117},"\"Upgrade XSS and SQLi in production code\"\n",[91,331,332,334,336],{"class":93,"line":121},[91,333,124],{"class":97},[91,335,114],{"class":101},[91,337,338],{"class":117},"\"Injection vulnerabilities in src/ are always Critical\"\n",[91,340,341,343,345],{"class":93,"line":132},[91,342,135],{"class":97},[91,344,114],{"class":101},[91,346,141],{"class":140},[91,348,349,351],{"class":93,"line":144},[91,350,147],{"class":97},[91,352,102],{"class":101},[91,354,355,357,359,361],{"class":93,"line":152},[91,356,155],{"class":101},[91,358,158],{"class":97},[91,360,114],{"class":101},[91,362,163],{"class":117},[91,364,365,367],{"class":93,"line":166},[91,366,169],{"class":97},[91,368,102],{"class":101},[91,370,371,373,375,377],{"class":93,"line":174},[91,372,177],{"class":101},[91,374,158],{"class":97},[91,376,114],{"class":101},[91,378,184],{"class":117},[91,380,381,383,385],{"class":93,"line":187},[91,382,190],{"class":97},[91,384,114],{"class":101},[91,386,387],{"class":117},"cwe\n",[91,389,390,392],{"class":93,"line":198},[91,391,201],{"class":97},[91,393,102],{"class":101},[91,395,396,398],{"class":93,"line":206},[91,397,209],{"class":101},[91,399,400],{"class":117},"\"CWE-79\"\n",[91,402,403,405],{"class":93,"line":215},[91,404,209],{"class":101},[91,406,407],{"class":117},"\"CWE-89\"\n",[91,409,410,412,414,416],{"class":93,"line":223},[91,411,177],{"class":101},[91,413,158],{"class":97},[91,415,114],{"class":101},[91,417,232],{"class":117},[91,419,420,422,424],{"class":93,"line":235},[91,421,238],{"class":97},[91,423,114],{"class":101},[91,425,426],{"class":117},"\"src/**/*\"\n",[91,428,429,431],{"class":93,"line":246},[91,430,249],{"class":97},[91,432,102],{"class":101},[91,434,435,437,439,441],{"class":93,"line":254},[91,436,155],{"class":101},[91,438,158],{"class":97},[91,440,114],{"class":101},[91,442,263],{"class":117},[91,444,445,447,449],{"class":93,"line":266},[91,446,269],{"class":97},[91,448,114],{"class":101},[91,450,451],{"class":117},"set\n",[91,453,455,458,460],{"class":93,"line":454},18,[91,456,457],{"class":97},"        severity_override_value",[91,459,114],{"class":101},[91,461,462],{"class":117},"critical\n",[12,464,465,466,471],{},"Diese Richtlinie lässt sich mit einer\n",[27,467,470],{"href":468,"rel":469},"https://docs.gitlab.com/user/application_security/policies/merge_request_approval_policies/",[],"Merge-Request-Approval-Richtlinie","\nkombinieren, die für Critical-Findings eine Security-Team-Freigabe verlangt.\nDer Severity Override stellt sicher, dass die richtigen Findings im\nSchwachstellenbericht markiert und priorisiert werden. Die Approval-Richtlinie\nstellt sicher, dass neu erkannte Findings die Produktion nicht ohne Review\nerreichen.",[70,473,475],{"id":474},"_3-schweregrade-über-scanner-hinweg-normalisieren","3. Schweregrade über Scanner hinweg normalisieren",[12,477,478],{},"Verschiedene Scanner weisen derselben CVE manchmal unterschiedliche\nSchweregrade zu. Der Static Application Security Testing (SAST)-Scanner meldet\nein Finding möglicherweise als High, während Dependency Scanning es als Medium\neinstuft. Diese Inkonsistenzen erzeugen Verwirrung bei der Triage und erschweren\nes, konsistente Freigabe-Schwellenwerte über Scanner-Typen hinweg festzulegen.",[12,480,481],{},"Eine Severity-Override-Richtlinie erzwingt eine konsistente Ausgangsbasis. Hat\ndas Security-Team eine bestimmte CVE-Familie bewertet und festgestellt, dass sie\nunabhängig vom Scanner stets High sein sollte, lässt sich das explizit festlegen:",[81,483,485],{"className":83,"code":484,"language":85,"meta":86,"style":86},"vulnerability_management_policy:\n  - name: \"Normalize log4j severity to High\"\n    description: \"Consistent severity for log4j CVEs across all scanners\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            identifier_type: cve\n            values:\n              - \"CVE-2021-44228\"\n              - \"CVE-2021-45046\"\n              - \"CVE-2021-45105\"\n    actions:\n      - type: severity_override\n        severity_override_operation: set\n        severity_override_value: high\n",[88,486,487,493,504,513,521,527,537,543,553,561,567,574,581,588,594,604,612],{"__ignoreMap":86},[91,488,489,491],{"class":93,"line":94},[91,490,98],{"class":97},[91,492,102],{"class":101},[91,494,495,497,499,501],{"class":93,"line":105},[91,496,108],{"class":101},[91,498,111],{"class":97},[91,500,114],{"class":101},[91,502,503],{"class":117},"\"Normalize log4j severity to High\"\n",[91,505,506,508,510],{"class":93,"line":121},[91,507,124],{"class":97},[91,509,114],{"class":101},[91,511,512],{"class":117},"\"Consistent severity for log4j CVEs across all scanners\"\n",[91,514,515,517,519],{"class":93,"line":132},[91,516,135],{"class":97},[91,518,114],{"class":101},[91,520,141],{"class":140},[91,522,523,525],{"class":93,"line":144},[91,524,147],{"class":97},[91,526,102],{"class":101},[91,528,529,531,533,535],{"class":93,"line":152},[91,530,155],{"class":101},[91,532,158],{"class":97},[91,534,114],{"class":101},[91,536,163],{"class":117},[91,538,539,541],{"class":93,"line":166},[91,540,169],{"class":97},[91,542,102],{"class":101},[91,544,545,547,549,551],{"class":93,"line":174},[91,546,177],{"class":101},[91,548,158],{"class":97},[91,550,114],{"class":101},[91,552,184],{"class":117},[91,554,555,557,559],{"class":93,"line":187},[91,556,190],{"class":97},[91,558,114],{"class":101},[91,560,195],{"class":117},[91,562,563,565],{"class":93,"line":198},[91,564,201],{"class":97},[91,566,102],{"class":101},[91,568,569,571],{"class":93,"line":206},[91,570,209],{"class":101},[91,572,573],{"class":117},"\"CVE-2021-44228\"\n",[91,575,576,578],{"class":93,"line":215},[91,577,209],{"class":101},[91,579,580],{"class":117},"\"CVE-2021-45046\"\n",[91,582,583,585],{"class":93,"line":223},[91,584,209],{"class":101},[91,586,587],{"class":117},"\"CVE-2021-45105\"\n",[91,589,590,592],{"class":93,"line":235},[91,591,249],{"class":97},[91,593,102],{"class":101},[91,595,596,598,600,602],{"class":93,"line":246},[91,597,155],{"class":101},[91,599,158],{"class":97},[91,601,114],{"class":101},[91,603,263],{"class":117},[91,605,606,608,610],{"class":93,"line":254},[91,607,269],{"class":97},[91,609,114],{"class":101},[91,611,451],{"class":117},[91,613,614,616,618],{"class":93,"line":266},[91,615,457],{"class":97},[91,617,114],{"class":101},[91,619,620],{"class":117},"high\n",[12,622,623],{},"Das ist besonders nützlich für Unternehmen, die mehrere Scanner-Typen betreiben\n(SAST, Dependency Scanning, Container Scanning), bei denen dieselbe\nzugrundeliegende Schwachstelle je nach Erkennungsmethode mit unterschiedlichen\nBewertungen erscheint.",[70,625,627],{"id":626},"_4-schweregrade-an-ausnutzungsintelligenz-ausrichten","4. Schweregrade an Ausnutzungsintelligenz ausrichten",[12,629,630,631,636],{},"CVSS-Scores sind statisch. Sie ändern sich nicht, wenn eine Schwachstelle\naktiv ausgenutzt wird, und sie berücksichtigen keine reale\nAusnutzungswahrscheinlichkeit. FIRSTs ",[27,632,635],{"href":633,"rel":634},"https://www.first.org/epss/",[],"Exploit Prediction Scoring System (EPSS)","\nund CISAs KEV-Katalog liefern das fehlende Signal.",[12,638,639],{},"Wenn Threat Intelligence zeigt, dass eine Medium-CVE aktiv ausgenutzt wird\n(KEV) oder eine hohe Ausnutzungswahrscheinlichkeit hat (EPSS über 0,5), lässt\nsie sich per Severity Override hochstufen:",[81,641,643],{"className":83,"code":642,"language":85,"meta":86,"style":86},"vulnerability_management_policy:\n  - name: \"Upgrade actively exploited CVEs\"\n    description: \"CVEs in CISA KEV catalog should be treated as Critical\"\n    enabled: true\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            identifier_type: cve\n            values:\n              - \"CVE-2024-3094\"\n              - \"CVE-2023-4966\"\n              - \"CVE-2023-22515\"\n    actions:\n      - type: severity_override\n        severity_override_operation: set\n        severity_override_value: critical\n",[88,644,645,651,662,671,679,685,695,701,711,719,725,732,739,746,752,762,770],{"__ignoreMap":86},[91,646,647,649],{"class":93,"line":94},[91,648,98],{"class":97},[91,650,102],{"class":101},[91,652,653,655,657,659],{"class":93,"line":105},[91,654,108],{"class":101},[91,656,111],{"class":97},[91,658,114],{"class":101},[91,660,661],{"class":117},"\"Upgrade actively exploited CVEs\"\n",[91,663,664,666,668],{"class":93,"line":121},[91,665,124],{"class":97},[91,667,114],{"class":101},[91,669,670],{"class":117},"\"CVEs in CISA KEV catalog should be treated as Critical\"\n",[91,672,673,675,677],{"class":93,"line":132},[91,674,135],{"class":97},[91,676,114],{"class":101},[91,678,141],{"class":140},[91,680,681,683],{"class":93,"line":144},[91,682,147],{"class":97},[91,684,102],{"class":101},[91,686,687,689,691,693],{"class":93,"line":152},[91,688,155],{"class":101},[91,690,158],{"class":97},[91,692,114],{"class":101},[91,694,163],{"class":117},[91,696,697,699],{"class":93,"line":166},[91,698,169],{"class":97},[91,700,102],{"class":101},[91,702,703,705,707,709],{"class":93,"line":174},[91,704,177],{"class":101},[91,706,158],{"class":97},[91,708,114],{"class":101},[91,710,184],{"class":117},[91,712,713,715,717],{"class":93,"line":187},[91,714,190],{"class":97},[91,716,114],{"class":101},[91,718,195],{"class":117},[91,720,721,723],{"class":93,"line":198},[91,722,201],{"class":97},[91,724,102],{"class":101},[91,726,727,729],{"class":93,"line":206},[91,728,209],{"class":101},[91,730,731],{"class":117},"\"CVE-2024-3094\"\n",[91,733,734,736],{"class":93,"line":215},[91,735,209],{"class":101},[91,737,738],{"class":117},"\"CVE-2023-4966\"\n",[91,740,741,743],{"class":93,"line":223},[91,742,209],{"class":101},[91,744,745],{"class":117},"\"CVE-2023-22515\"\n",[91,747,748,750],{"class":93,"line":235},[91,749,249],{"class":97},[91,751,102],{"class":101},[91,753,754,756,758,760],{"class":93,"line":246},[91,755,155],{"class":101},[91,757,158],{"class":97},[91,759,114],{"class":101},[91,761,263],{"class":117},[91,763,764,766,768],{"class":93,"line":254},[91,765,269],{"class":97},[91,767,114],{"class":101},[91,769,451],{"class":117},[91,771,772,774,776],{"class":93,"line":266},[91,773,457],{"class":97},[91,775,114],{"class":101},[91,777,462],{"class":117},[12,779,780],{},"Eine laufend gepflegte Liste der relevanten KEV-Einträge pflegen und die Richtlinie\naktualisieren, wenn neue CVEs zum Katalog hinzugefügt werden. So entsteht eine\nRückkopplungsschleife zwischen Threat Intelligence und dem entwicklerseitig\nsichtbaren Schweregrad – ohne manuelle Anpassung jedes einzelnen Findings.",[70,782,784],{"id":783},"_5-organisationsweite-risikomodelle-auf-group-ebene-anwenden","5. Organisationsweite Risikomodelle auf Group-Ebene anwenden",[12,786,787,788,791],{},"Einzelne Projektrichtlinien skalieren nicht, wenn eine Organisation Hunderte\noder Tausende von Projekten hat. Severity-Override-Richtlinien können auf\nGroup-Ebene angewendet werden und betreffen dann jedes Projekt in der Group.\nIn Kombination mit ",[88,789,790],{},"policy_scope"," lassen sich Richtlinien auf Projekte mit\neinem bestimmten Compliance-Framework-Label ausrichten.",[12,793,794],{},"Eine Organisation mit dem Compliance-Framework \"PCI-DSS\" kann beispielsweise\neine strengere Schweregradbehandlung für Injektionsschwachstellen für alle\nPCI-relevanten Projekte durchsetzen, während für interne Tooling-Groups eine\nleichtere Richtlinie gilt:",[81,796,798],{"className":83,"code":797,"language":85,"meta":86,"style":86},"vulnerability_management_policy:\n  - name: \"PCI projects: upgrade injection severity\"\n    description: \"All injection vulnerabilities are Critical in PCI scope\"\n    enabled: true\n    policy_scope:\n      compliance_frameworks:\n        - id: 12345\n    rules:\n      - type: detected\n        criteria:\n          - type: identifier\n            identifier_type: cwe\n            values:\n              - \"CWE-79\"\n              - \"CWE-89\"\n              - \"CWE-78\"\n              - \"CWE-94\"\n    actions:\n      - type: severity_override\n        severity_override_operation: set\n        severity_override_value: critical\n",[88,799,800,806,817,826,834,841,848,861,867,877,883,893,901,907,913,919,926,933,939,950,959],{"__ignoreMap":86},[91,801,802,804],{"class":93,"line":94},[91,803,98],{"class":97},[91,805,102],{"class":101},[91,807,808,810,812,814],{"class":93,"line":105},[91,809,108],{"class":101},[91,811,111],{"class":97},[91,813,114],{"class":101},[91,815,816],{"class":117},"\"PCI projects: upgrade injection severity\"\n",[91,818,819,821,823],{"class":93,"line":121},[91,820,124],{"class":97},[91,822,114],{"class":101},[91,824,825],{"class":117},"\"All injection vulnerabilities are Critical in PCI scope\"\n",[91,827,828,830,832],{"class":93,"line":132},[91,829,135],{"class":97},[91,831,114],{"class":101},[91,833,141],{"class":140},[91,835,836,839],{"class":93,"line":144},[91,837,838],{"class":97},"    policy_scope",[91,840,102],{"class":101},[91,842,843,846],{"class":93,"line":152},[91,844,845],{"class":97},"      compliance_frameworks",[91,847,102],{"class":101},[91,849,850,853,856,858],{"class":93,"line":166},[91,851,852],{"class":101},"        - ",[91,854,855],{"class":97},"id",[91,857,114],{"class":101},[91,859,860],{"class":140},"12345\n",[91,862,863,865],{"class":93,"line":174},[91,864,147],{"class":97},[91,866,102],{"class":101},[91,868,869,871,873,875],{"class":93,"line":187},[91,870,155],{"class":101},[91,872,158],{"class":97},[91,874,114],{"class":101},[91,876,163],{"class":117},[91,878,879,881],{"class":93,"line":198},[91,880,169],{"class":97},[91,882,102],{"class":101},[91,884,885,887,889,891],{"class":93,"line":206},[91,886,177],{"class":101},[91,888,158],{"class":97},[91,890,114],{"class":101},[91,892,184],{"class":117},[91,894,895,897,899],{"class":93,"line":215},[91,896,190],{"class":97},[91,898,114],{"class":101},[91,900,387],{"class":117},[91,902,903,905],{"class":93,"line":223},[91,904,201],{"class":97},[91,906,102],{"class":101},[91,908,909,911],{"class":93,"line":235},[91,910,209],{"class":101},[91,912,400],{"class":117},[91,914,915,917],{"class":93,"line":246},[91,916,209],{"class":101},[91,918,407],{"class":117},[91,920,921,923],{"class":93,"line":254},[91,922,209],{"class":101},[91,924,925],{"class":117},"\"CWE-78\"\n",[91,927,928,930],{"class":93,"line":266},[91,929,209],{"class":101},[91,931,932],{"class":117},"\"CWE-94\"\n",[91,934,935,937],{"class":93,"line":454},[91,936,249],{"class":97},[91,938,102],{"class":101},[91,940,942,944,946,948],{"class":93,"line":941},19,[91,943,155],{"class":101},[91,945,158],{"class":97},[91,947,114],{"class":101},[91,949,263],{"class":117},[91,951,953,955,957],{"class":93,"line":952},20,[91,954,269],{"class":97},[91,956,114],{"class":101},[91,958,451],{"class":117},[91,960,962,964,966],{"class":93,"line":961},21,[91,963,457],{"class":97},[91,965,114],{"class":101},[91,967,462],{"class":117},[12,969,970],{},"Dieses Muster bedeutet: Das Security-Team definiert das Risikomodell einmalig,\nund es wird überall konsistent angewendet. Keine projektbezogene Konfiguration.\nKeine Abhängigkeit davon, dass einzelne Teams sich an die Einrichtung erinnern.",[19,972,974],{"id":973},"erste-schritte","Erste Schritte",[12,976,977],{},"So werden Schwachstellenmanagement-Richtlinien erstellt:",[979,980,981,987,993,999,1009],"ol",{},[40,982,983,986],{},[43,984,985],{},"Die Diskrepanz identifizieren."," Den Schwachstellenbericht öffnen und nach\n„Needs triage\" filtern. Nach Mustern suchen: Critical-Findings in\nTestcode, Medium-Findings mit aktiver Ausnutzung, inkonsistente Bewertungen\nüber Scanner-Typen hinweg.",[40,988,989,992],{},[43,990,991],{},"Einen Anwendungsfall wählen."," Mit dem Szenario oben beginnen, das die\nmeisten fehlausgerichteten Findings abdeckt.",[40,994,995,998],{},[43,996,997],{},"Die Ausgangssituation festhalten."," Die Schweregradverteilung vor der\nRichtlinienerstellung notieren (wie viele Critical-, High-, Medium-Findings\nim Zielbereich).",[40,1000,1001,1004,1005,1008],{},[43,1002,1003],{},"Erstellen und anwenden."," Zu ",[43,1006,1007],{},"Secure > Policies > New policy >\nVulnerability management policy"," navigieren. Die Konfiguration aus dem\nobigen Anwendungsfall einfügen, dann den MR mergen.",[40,1010,1011,1014],{},[43,1012,1013],{},"Ergebnisse validieren."," Nach der nächsten Default-Branch-Pipeline den\nSchwachstellenbericht auf aktualisierte Schweregrade prüfen. Das\nAktivitätsprotokoll filtern, um zu sehen, welche Findings angepasst wurden,\nund bestätigen, dass die richtigen betroffen sind.",[70,1016,1018],{"id":1017},"kurzreferenz","Kurzreferenz",[1020,1021,1022,1035],"table",{},[1023,1024,1025],"thead",{},[1026,1027,1028,1032],"tr",{},[1029,1030,1031],"th",{},"Parameter",[1029,1033,1034],{},"Details",[1036,1037,1038,1072,1092,1116,1137,1147,1157,1170],"tbody",{},[1026,1039,1040,1046],{},[1041,1042,1043],"td",{},[43,1044,1045],{},"Kriterientypen",[1041,1047,1048,1051,1052,1051,1055,1058,1059,114,1062,1051,1065,1051,1068,1071],{},[88,1049,1050],{},"file_path",", ",[88,1053,1054],{},"directory",[88,1056,1057],{},"identifier"," (mit optionalem ",[88,1060,1061],{},"identifier_type",[88,1063,1064],{},"cve",[88,1066,1067],{},"cwe",[88,1069,1070],{},"owasp",")",[1026,1073,1074,1079],{},[1041,1075,1076],{},[43,1077,1078],{},"Override-Operationen",[1041,1080,1081,1084,1085,1088,1089,1091],{},[88,1082,1083],{},"set"," (auf bestimmten Level), ",[88,1086,1087],{},"increase"," (eine Stufe hoch), ",[88,1090,280],{}," (eine Stufe runter)",[1026,1093,1094,1099],{},[1041,1095,1096],{},[43,1097,1098],{},"Schweregradtufen",[1041,1100,1101,1051,1104,1051,1107,1051,1110,1051,1113],{},[88,1102,1103],{},"info",[88,1105,1106],{},"low",[88,1108,1109],{},"medium",[88,1111,1112],{},"high",[88,1114,1115],{},"critical",[1026,1117,1118,1123],{},[1041,1119,1120],{},[43,1121,1122],{},"Werte",[1041,1124,1125,1126,1129,1130,1133,1134,1071],{},"Einzelner ",[88,1127,1128],{},"value"," oder ",[88,1131,1132],{},"values","-Array (bis zu 1.000 Einträge, ODER-Logik). Wildcards unterstützt (z. B. ",[88,1135,1136],{},"CVE-2023-*",[1026,1138,1139,1144],{},[1041,1140,1141],{},[43,1142,1143],{},"Kriterienlogik",[1041,1145,1146],{},"Mehrere Kriterien in einer Regel = UND (alle müssen übereinstimmen). Mehrere Regeln in einer Richtlinie = ODER (eine muss übereinstimmen)",[1026,1148,1149,1154],{},[1041,1150,1151],{},[43,1152,1153],{},"Limits",[1041,1155,1156],{},"3 Kriterien pro Regel, 5 Regeln pro Richtlinie, 5 Richtlinien pro Security-Policy-Projekt",[1026,1158,1159,1164],{},[1041,1160,1161],{},[43,1162,1163],{},"Geltungsbereich",[1041,1165,1166,1167,1169],{},"Projekt- oder Group-Ebene. ",[88,1168,790],{}," für Compliance-Framework-Targeting",[1026,1171,1172,1177],{},[1041,1173,1174],{},[43,1175,1176],{},"Vorrang manueller Overrides",[1041,1178,1179],{},"Manuelle Overrides durch autorisierte Nutzende haben stets Vorrang",[19,1181,1183],{"id":1182},"faq","FAQ",[12,1185,1186,1189,1192],{},[43,1187,1188],{},"Was ist der Unterschied zwischen Auto-Dismiss und Severity Override?",[1190,1191],"br",{},"\nAuto-Dismiss entfernt Findings aus der aktiven Triage-Warteschlange. Severity\nOverride hält sie sichtbar, passt aber ihre Prioritätsstufe an – sie werden\nweiterhin verfolgt und mit angemessener Dringlichkeit geprüft.",[12,1194,1195,1198,1200,1201,1204],{},[43,1196,1197],{},"Lassen sich Severity Overrides mit anderen Richtlinientypen kombinieren?",[1190,1199],{},"\nJa. Severity Overrides gelten für Findings auf dem ",[88,1202,1203],{},"default","-Branch und\nbetreffen Schwachstellen im GitLab-Schwachstellen-Reporting. Merge-Request-\nApproval-Richtlinien lassen sich verwenden, um neu erkannte Findings zu\nkontrollieren.",[12,1206,1207,1210,1212],{},[43,1208,1209],{},"Gelten Severity Overrides rückwirkend für bestehende Schwachstellen?",[1190,1211],{},"\nJa. Wenn eine Severity-Override-Richtlinie angewendet wird, verarbeitet sie\nübereinstimmende Schwachstellen mit dem Status „Needs triage\" oder „Confirmed\"\nbei der nächsten Default-Branch-Pipeline – bis zu 1.000 pro Durchlauf.",[12,1214,1215,1218,1220],{},[43,1216,1217],{},"Was passiert, wenn zwei Richtlinien widersprüchliche Schweregrade setzen?",[1190,1219],{},"\nManuelle Overrides haben stets Vorrang. Bei Richtlinienkonflikten hat die\nzuletzt angewendete Richtlinie Vorrang. Richtlinien regelmäßig überprüfen, um\nüberlappende Kriterien zu vermeiden.",[12,1222,1223,1226,1228],{},[43,1224,1225],{},"Können Entwicklungsteams Severity-Override-Richtlinien umgehen?",[1190,1227],{},"\nNein. Richtlinien werden in einem Security-Policy-Projekt mit eingeschränktem\nZugriff verwaltet. Entwicklungsteams können sie weder ändern noch deaktivieren.\nAutorisierte Nutzende können manuelle Overrides für einzelne Schwachstellen\nanwenden, die Vorrang haben.",[1230,1231,1232],"blockquote",{},[12,1233,1234,1235,1240,1241,1246],{},"Schwachstellenberichte, die das tatsächliche Risiko widerspiegeln?\n",[27,1236,1239],{"href":1237,"rel":1238},"https://docs.gitlab.com/user/application_security/policies/vulnerability_management_policy/#severity-override-policies",[],"Dokumentation zu Severity-Override-Richtlinien lesen","\noder ",[27,1242,1245],{"href":1243,"rel":1244},"https://about.gitlab.com/de-de/free-trial/",[],"kostenlose GitLab-Ultimate-Testversion starten",".",[1248,1249,1250],"style",{},"html pre.shiki code .shJU0, html code.shiki .shJU0{--shiki-default:#22863A}html pre.shiki code .sgsFI, html code.shiki .sgsFI{--shiki-default:#24292E}html pre.shiki code .sYBdl, html code.shiki .sYBdl{--shiki-default:#032F62}html pre.shiki code .sYu0t, html code.shiki .sYu0t{--shiki-default:#005CC5}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":86,"searchDepth":105,"depth":105,"links":1252},[1253,1254,1261,1264],{"id":21,"depth":105,"text":22},{"id":64,"depth":105,"text":65,"children":1255},[1256,1257,1258,1259,1260],{"id":72,"depth":121,"text":73},{"id":284,"depth":121,"text":285},{"id":474,"depth":121,"text":475},{"id":626,"depth":121,"text":627},{"id":783,"depth":121,"text":784},{"id":973,"depth":105,"text":974,"children":1262},[1263],{"id":1017,"depth":121,"text":1018},{"id":1182,"depth":105,"text":1183},"security","2026-05-13","CVSS-Scores spiegeln das tatsächliche Risiko nicht wider. Severity-Override-Richtlinien in GitLab automatisieren Korrekturen nach CVE, CWE und Verzeichnis.","md",null,false,"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772630163/akp8ly2mrsfrhsb0liyb.png",{},true,"/de-de/blog/severity-override-vulnerability-management-policy",{"config":1276,"title":1277,"description":1267},{"noIndex":1270},"Schwachstellen-Schweregrade mit Richtlinien korrigieren","severity-override-vulnerability-management-policy","de-de/blog/severity-override-vulnerability-management-policy",[1265,1281],"tutorial","BlogPost","V6PxEz4mJEIoSFW9_8eJ-4SLiDoWTNctHMcqqkOPiH4",{"logo":1285,"freeTrial":1290,"sales":1295,"login":1300,"items":1305,"search":1621,"minimal":1655,"duo":1673,"switchNav":1682,"pricingDeployment":1693},{"config":1286},{"href":1287,"dataGaName":1288,"dataGaLocation":1289},"/de-de/","gitlab logo","header",{"text":1291,"config":1292},"Kostenlose Testversion anfordern",{"href":1293,"dataGaName":1294,"dataGaLocation":1289},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/de-de&glm_content=default-saas-trial/","free trial",{"text":1296,"config":1297},"Vertrieb kontaktieren",{"href":1298,"dataGaName":1299,"dataGaLocation":1289},"/de-de/sales/","sales",{"text":1301,"config":1302},"Anmelden",{"href":1303,"dataGaName":1304,"dataGaLocation":1289},"https://gitlab.com/users/sign_in/","sign in",[1306,1335,1437,1442,1545,1601],{"text":1307,"config":1308,"menu":1310},"Plattform",{"dataNavLevelOne":1309},"platform",{"type":1311,"columns":1312},"cards",[1313,1319,1327],{"title":1307,"description":1314,"link":1315},"Die intelligente Orchestrierungsplattform für DevSecOps",{"text":1316,"config":1317},"Die Plattform erkunden",{"href":1318,"dataGaName":1309,"dataGaLocation":1289},"/de-de/platform/",{"title":1320,"description":1321,"link":1322},"GitLab Duo Agent Platform","Agentische KI für den gesamten Software-Lebenszyklus",{"text":1323,"config":1324},"Lerne GitLab Duo kennen",{"href":1325,"dataGaName":1326,"dataGaLocation":1289},"/de-de/gitlab-duo-agent-platform/","gitlab duo agent platform",{"title":1328,"description":1329,"link":1330},"Warum GitLab?","Erfahre, warum sich Unternehmen für GitLab entscheiden",{"text":1331,"config":1332},"Mehr erfahren",{"href":1333,"dataGaName":1334,"dataGaLocation":1289},"/de-de/why-gitlab/","why gitlab",{"text":1336,"left":1273,"config":1337,"menu":1339},"Produkt",{"dataNavLevelOne":1338},"solutions",{"type":1340,"link":1341,"columns":1345,"feature":1416},"lists",{"text":1342,"config":1343},"Alle Lösungen anzeigen",{"href":1344,"dataGaName":1338,"dataGaLocation":1289},"/de-de/solutions/",[1346,1371,1394],{"title":1347,"description":1348,"link":1349,"items":1354},"Automatisierung","CI/CD und Automatisierung zur Beschleunigung der Bereitstellung",{"config":1350},{"icon":1351,"href":1352,"dataGaName":1353,"dataGaLocation":1289},"AutomatedCodeAlt","/de-de/solutions/delivery-automation/","automated software delivery",[1355,1359,1362,1367],{"text":1356,"config":1357},"CI/CD",{"href":1358,"dataGaLocation":1289,"dataGaName":1356},"/de-de/solutions/continuous-integration/",{"text":1320,"config":1360},{"href":1325,"dataGaLocation":1289,"dataGaName":1361},"gitlab duo agent platform - product menu",{"text":1363,"config":1364},"Quellcodeverwaltung",{"href":1365,"dataGaLocation":1289,"dataGaName":1366},"/de-de/solutions/source-code-management/","Source Code Management",{"text":1368,"config":1369},"Automatische Softwarebereitstellung",{"href":1352,"dataGaLocation":1289,"dataGaName":1370},"Automated software delivery",{"title":1372,"description":1373,"link":1374,"items":1379},"Sicherheit","Entwickle Code schneller ohne Abstriche bei der Sicherheit",{"config":1375},{"href":1376,"dataGaName":1377,"dataGaLocation":1289,"icon":1378},"/de-de/solutions/application-security-testing/","security and compliance","ShieldCheckLight",[1380,1384,1389],{"text":1381,"config":1382},"Anwendungssicherheitstests",{"href":1376,"dataGaName":1383,"dataGaLocation":1289},"Application security testing",{"text":1385,"config":1386},"Sicherheit der Software-Lieferkette",{"href":1387,"dataGaLocation":1289,"dataGaName":1388},"/de-de/solutions/supply-chain/","Software supply chain security",{"text":1390,"config":1391},"Software-Compliance",{"href":1392,"dataGaName":1393,"dataGaLocation":1289},"/de-de/solutions/software-compliance/","software compliance",{"title":1395,"link":1396,"items":1401},"Messung",{"config":1397},{"icon":1398,"href":1399,"dataGaName":1400,"dataGaLocation":1289},"DigitalTransformation","/de-de/solutions/visibility-measurement/","visibility and measurement",[1402,1406,1411],{"text":1403,"config":1404},"Sichtbarkeit und Messung",{"href":1399,"dataGaLocation":1289,"dataGaName":1405},"Visibility and Measurement",{"text":1407,"config":1408},"Wertstrommanagement",{"href":1409,"dataGaLocation":1289,"dataGaName":1410},"/de-de/solutions/value-stream-management/","Value Stream Management",{"text":1412,"config":1413},"Analysen und Einblicke",{"href":1414,"dataGaLocation":1289,"dataGaName":1415},"/de-de/solutions/analytics-and-insights/","Analytics and insights",{"title":1417,"type":1340,"items":1418},"GitLab für",[1419,1425,1431],{"text":1420,"config":1421},"Enterprise",{"icon":1422,"href":1423,"dataGaLocation":1289,"dataGaName":1424},"Building","/de-de/enterprise/","enterprise",{"text":1426,"config":1427},"Kleinunternehmen",{"icon":1428,"href":1429,"dataGaLocation":1289,"dataGaName":1430},"Work","/de-de/small-business/","small business",{"text":1432,"config":1433},"Öffentlicher Sektor",{"icon":1434,"href":1435,"dataGaLocation":1289,"dataGaName":1436},"Organization","/de-de/solutions/public-sector/","public sector",{"text":1438,"config":1439},"Preise",{"href":1440,"dataGaName":1441,"dataGaLocation":1289,"dataNavLevelOne":1441},"/de-de/pricing/","pricing",{"text":1443,"config":1444,"menu":1446},"Ressourcen",{"dataNavLevelOne":1445},"resources",{"type":1340,"link":1447,"columns":1451,"feature":1534},{"text":1448,"config":1449},"Alle Ressourcen anzeigen",{"href":1450,"dataGaName":1445,"dataGaLocation":1289},"/de-de/resources/",[1452,1484,1506],{"title":974,"items":1453},[1454,1459,1464,1469,1474,1479],{"text":1455,"config":1456},"Installieren",{"href":1457,"dataGaName":1458,"dataGaLocation":1289},"/de-de/install/","install",{"text":1460,"config":1461},"Kurzanleitungen",{"href":1462,"dataGaName":1463,"dataGaLocation":1289},"/de-de/get-started/","quick setup checklists",{"text":1465,"config":1466},"Lernen",{"href":1467,"dataGaLocation":1289,"dataGaName":1468},"https://university.gitlab.com/","learn",{"text":1470,"config":1471},"Produktdokumentation",{"href":1472,"dataGaName":1473,"dataGaLocation":1289},"https://docs.gitlab.com/","product documentation",{"text":1475,"config":1476},"Best-Practice-Videos",{"href":1477,"dataGaName":1478,"dataGaLocation":1289},"/de-de/getting-started-videos/","best practice videos",{"text":1480,"config":1481},"Integrationen",{"href":1482,"dataGaName":1483,"dataGaLocation":1289},"/de-de/integrations/","integrations",{"title":1485,"items":1486},"Entdecken",[1487,1492,1497,1501],{"text":1488,"config":1489},"Kundenerfolge",{"href":1490,"dataGaName":1491,"dataGaLocation":1289},"/de-de/customers/","customer success stories",{"text":1493,"config":1494},"Blog",{"href":1495,"dataGaName":1496,"dataGaLocation":1289},"/de-de/blog/","blog",{"text":1498,"config":1499},"The Source",{"href":1500,"dataGaName":1496,"dataGaLocation":1289},"/de-de/the-source/",{"text":1502,"config":1503},"Remote",{"href":1504,"dataGaName":1505,"dataGaLocation":1289},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"title":1507,"items":1508},"Vernetzen",[1509,1514,1519,1524,1529],{"text":1510,"config":1511},"GitLab-Services",{"href":1512,"dataGaName":1513,"dataGaLocation":1289},"/de-de/services/","services",{"text":1515,"config":1516},"Community",{"href":1517,"dataGaName":1518,"dataGaLocation":1289},"/community/","community",{"text":1520,"config":1521},"Forum",{"href":1522,"dataGaName":1523,"dataGaLocation":1289},"https://forum.gitlab.com/","forum",{"text":1525,"config":1526},"Veranstaltungen",{"href":1527,"dataGaName":1528,"dataGaLocation":1289},"/events/","events",{"text":1530,"config":1531},"Partner",{"href":1532,"dataGaName":1533,"dataGaLocation":1289},"/de-de/partners/","partners",{"config":1535,"title":1538,"text":1539,"link":1540},{"background":1536,"textColor":1537},"url('https://res.cloudinary.com/about-gitlab-com/image/upload/v1777322348/qpq8yrgn8knii57omj0c.png')","#000","Neues bei GitLab","Über die neuesten Funktionen und Verbesserungen auf dem Laufenden bleiben.",{"text":1541,"config":1542},"Aktuelle Nachrichten",{"href":1543,"dataGaName":1544,"dataGaLocation":1289},"/de-de/whats-new/","whats new",{"text":1546,"config":1547,"menu":1549},"Company",{"dataNavLevelOne":1548},"company",{"type":1340,"columns":1550},[1551],{"items":1552},[1553,1558,1564,1566,1571,1576,1581,1586,1591,1596],{"text":1554,"config":1555},"Über",{"href":1556,"dataGaName":1557,"dataGaLocation":1289},"/de-de/company/","about",{"text":1559,"config":1560,"footerGa":1563},"Karriere",{"href":1561,"dataGaName":1562,"dataGaLocation":1289},"/jobs/","jobs",{"dataGaName":1562},{"text":1525,"config":1565},{"href":1527,"dataGaName":1528,"dataGaLocation":1289},{"text":1567,"config":1568},"Geschäftsführung",{"href":1569,"dataGaName":1570,"dataGaLocation":1289},"/company/team/e-group/","leadership",{"text":1572,"config":1573},"Handbuch",{"href":1574,"dataGaName":1575,"dataGaLocation":1289},"https://handbook.gitlab.com/","handbook",{"text":1577,"config":1578},"Investor Relations",{"href":1579,"dataGaName":1580,"dataGaLocation":1289},"https://ir.gitlab.com/","investor relations",{"text":1582,"config":1583},"Trust Center",{"href":1584,"dataGaName":1585,"dataGaLocation":1289},"/de-de/security/","trust center",{"text":1587,"config":1588},"AI Transparency Center",{"href":1589,"dataGaName":1590,"dataGaLocation":1289},"/de-de/ai-transparency-center/","ai transparency center",{"text":1592,"config":1593},"Newsletter",{"href":1594,"dataGaName":1595,"dataGaLocation":1289},"/company/contact/#contact-forms","newsletter",{"text":1597,"config":1598},"Presse",{"href":1599,"dataGaName":1600,"dataGaLocation":1289},"/press/","press",{"text":1602,"config":1603,"menu":1604},"Kontakt",{"dataNavLevelOne":1548},{"type":1340,"columns":1605},[1606],{"items":1607},[1608,1611,1616],{"text":1296,"config":1609},{"href":1298,"dataGaName":1610,"dataGaLocation":1289},"talk to sales",{"text":1612,"config":1613},"Support-Portal",{"href":1614,"dataGaName":1615,"dataGaLocation":1289},"https://support.gitlab.com","support portal",{"text":1617,"config":1618},"Kundenportal",{"href":1619,"dataGaName":1620,"dataGaLocation":1289},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"close":1622,"login":1623,"suggestions":1630},"Schließen",{"text":1624,"link":1625},"Um Repositorys und Projekte zu durchsuchen, melde dich an bei",{"text":1626,"config":1627},"gitlab.com",{"href":1303,"dataGaName":1628,"dataGaLocation":1629},"search login","search",{"text":1631,"default":1632},"Vorschläge",[1633,1635,1640,1642,1647,1652],{"text":1320,"config":1634},{"href":1325,"dataGaName":1320,"dataGaLocation":1629},{"text":1636,"config":1637},"Codevorschläge (KI)",{"href":1638,"dataGaName":1639,"dataGaLocation":1629},"/de-de/solutions/code-suggestions/","Code Suggestions (AI)",{"text":1356,"config":1641},{"href":1358,"dataGaName":1356,"dataGaLocation":1629},{"text":1643,"config":1644},"GitLab auf AWS",{"href":1645,"dataGaName":1646,"dataGaLocation":1629},"/de-de/partners/technology-partners/aws/","GitLab on AWS",{"text":1648,"config":1649},"GitLab auf Google Cloud",{"href":1650,"dataGaName":1651,"dataGaLocation":1629},"/de-de/partners/technology-partners/google-cloud-platform/","GitLab on Google Cloud",{"text":1328,"config":1653},{"href":1333,"dataGaName":1654,"dataGaLocation":1629},"Why GitLab?",{"freeTrial":1656,"mobileIcon":1661,"desktopIcon":1666,"secondaryButton":1669},{"text":1657,"config":1658},"Kostenlos testen",{"href":1659,"dataGaName":1294,"dataGaLocation":1660},"https://gitlab.com/-/trials/new/","nav",{"altText":1662,"config":1663},"GitLab-Symbol",{"src":1664,"dataGaName":1665,"dataGaLocation":1660},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203874/jypbw1jx72aexsoohd7x.svg","gitlab icon",{"altText":1662,"config":1667},{"src":1668,"dataGaName":1665,"dataGaLocation":1660},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1758203875/gs4c8p8opsgvflgkswz9.svg",{"text":974,"config":1670},{"href":1671,"dataGaName":1672,"dataGaLocation":1660},"https://gitlab.com/-/trial_registrations/new?glm_source=about.gitlab.com/de-de/get-started/","get started",{"freeTrial":1674,"mobileIcon":1678,"desktopIcon":1680},{"text":1675,"config":1676},"Mehr über GitLab Duo erfahren",{"href":1325,"dataGaName":1677,"dataGaLocation":1660},"gitlab duo",{"altText":1662,"config":1679},{"src":1664,"dataGaName":1665,"dataGaLocation":1660},{"altText":1662,"config":1681},{"src":1668,"dataGaName":1665,"dataGaLocation":1660},{"button":1683,"mobileIcon":1688,"desktopIcon":1690},{"text":1684,"config":1685},"/Option",{"href":1686,"dataGaName":1687,"dataGaLocation":1660},"#contact","switch",{"altText":1662,"config":1689},{"src":1664,"dataGaName":1665,"dataGaLocation":1660},{"altText":1662,"config":1691},{"src":1692,"dataGaName":1665,"dataGaLocation":1660},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1773335277/ohhpiuoxoldryzrnhfrh.png",{"freeTrial":1694,"mobileIcon":1699,"desktopIcon":1701},{"text":1695,"config":1696},"Zurück zur Preisübersicht",{"href":1440,"dataGaName":1697,"dataGaLocation":1660,"icon":1698},"back to pricing","GoBack",{"altText":1662,"config":1700},{"src":1664,"dataGaName":1665,"dataGaLocation":1660},{"altText":1662,"config":1702},{"src":1668,"dataGaName":1665,"dataGaLocation":1660},{"title":1704,"button":1705,"config":1710},"Sieh dir an, wie agentische KI die Softwarebereitstellung transformiert",{"text":1706,"config":1707},"Jetzt live bei GitLab Transcend am 10. Juni dabei sein",{"href":1708,"dataGaName":1709,"dataGaLocation":1289},"/de-de/events/transcend/virtual/","transcend event",{"layout":1711,"disabled":1270},"release",{"data":1713},{"text":1714,"source":1715,"edit":1721,"contribute":1726,"config":1731,"items":1736,"minimal":1942},"Git ist eine Marke von Software Freedom Conservancy und unsere Verwendung von „GitLab“ erfolgt unter Lizenz.",{"text":1716,"config":1717},"Quelltext der Seite anzeigen",{"href":1718,"dataGaName":1719,"dataGaLocation":1720},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":1722,"config":1723},"Diese Seite bearbeiten",{"href":1724,"dataGaName":1725,"dataGaLocation":1720},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":1727,"config":1728},"Beteilige dich",{"href":1729,"dataGaName":1730,"dataGaLocation":1720},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":1732,"facebook":1733,"youtube":1734,"linkedin":1735},"https://x.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[1737,1782,1835,1877,1908],{"title":1438,"links":1738,"subMenu":1753},[1739,1743,1748],{"text":1740,"config":1741},"Tarife anzeigen",{"href":1440,"dataGaName":1742,"dataGaLocation":1720},"view plans",{"text":1744,"config":1745},"Vorteile von Premium",{"href":1746,"dataGaName":1747,"dataGaLocation":1720},"/de-de/pricing/premium/","why premium",{"text":1749,"config":1750},"Vorteile von Ultimate",{"href":1751,"dataGaName":1752,"dataGaLocation":1720},"/de-de/pricing/ultimate/","why ultimate",[1754],{"title":1602,"links":1755},[1756,1758,1760,1762,1767,1772,1777],{"text":1296,"config":1757},{"href":1298,"dataGaName":1299,"dataGaLocation":1720},{"text":1612,"config":1759},{"href":1614,"dataGaName":1615,"dataGaLocation":1720},{"text":1617,"config":1761},{"href":1619,"dataGaName":1620,"dataGaLocation":1720},{"text":1763,"config":1764},"Status",{"href":1765,"dataGaName":1766,"dataGaLocation":1720},"https://status.gitlab.com/","status",{"text":1768,"config":1769},"Nutzungsbedingungen",{"href":1770,"dataGaName":1771,"dataGaLocation":1720},"/terms/","terms of use",{"text":1773,"config":1774},"Datenschutzerklärung",{"href":1775,"dataGaName":1776,"dataGaLocation":1720},"/de-de/privacy/","privacy statement",{"text":1778,"config":1779},"Cookie-Einstellungen",{"dataGaName":1780,"dataGaLocation":1720,"id":1781,"isOneTrustButton":1273},"cookie preferences","ot-sdk-btn",{"title":1336,"links":1783,"subMenu":1792},[1784,1788],{"text":1785,"config":1786},"DevSecOps-Plattform",{"href":1318,"dataGaName":1787,"dataGaLocation":1720},"devsecops platform",{"text":1789,"config":1790},"KI-unterstützte Entwicklung",{"href":1325,"dataGaName":1791,"dataGaLocation":1720},"ai-assisted development",[1793],{"title":1794,"links":1795},"Themen",[1796,1800,1805,1810,1815,1820,1825,1830],{"text":1356,"config":1797},{"href":1798,"dataGaName":1799,"dataGaLocation":1720},"/de-de/topics/ci-cd/","cicd",{"text":1801,"config":1802},"GitOps",{"href":1803,"dataGaName":1804,"dataGaLocation":1720},"/de-de/topics/gitops/","gitops",{"text":1806,"config":1807},"DevOps",{"href":1808,"dataGaName":1809,"dataGaLocation":1720},"/de-de/topics/devops/","devops",{"text":1811,"config":1812},"Versionskontrolle",{"href":1813,"dataGaName":1814,"dataGaLocation":1720},"/de-de/topics/version-control/","version control",{"text":1816,"config":1817},"DevSecOps",{"href":1818,"dataGaName":1819,"dataGaLocation":1720},"/de-de/topics/devsecops/","devsecops",{"text":1821,"config":1822},"Cloud-nativ",{"href":1823,"dataGaName":1824,"dataGaLocation":1720},"/de-de/topics/cloud-native/","cloud native",{"text":1826,"config":1827},"KI für das Programmieren",{"href":1828,"dataGaName":1829,"dataGaLocation":1720},"/de-de/topics/devops/ai-for-coding/","ai for coding",{"text":1831,"config":1832},"Agentische KI",{"href":1833,"dataGaName":1834,"dataGaLocation":1720},"/de-de/topics/agentic-ai/","agentic ai",{"title":1836,"links":1837},"Lösungen",[1838,1841,1843,1848,1852,1855,1858,1861,1863,1865,1867,1872],{"text":1381,"config":1839},{"href":1376,"dataGaName":1840,"dataGaLocation":1720},"Application Security Testing",{"text":1368,"config":1842},{"href":1352,"dataGaName":1353,"dataGaLocation":1720},{"text":1844,"config":1845},"Agile Entwicklung",{"href":1846,"dataGaName":1847,"dataGaLocation":1720},"/de-de/solutions/agile-delivery/","agile delivery",{"text":1849,"config":1850},"SCM",{"href":1365,"dataGaName":1851,"dataGaLocation":1720},"source code management",{"text":1356,"config":1853},{"href":1358,"dataGaName":1854,"dataGaLocation":1720},"continuous integration & delivery",{"text":1407,"config":1856},{"href":1409,"dataGaName":1857,"dataGaLocation":1720},"value stream management",{"text":1801,"config":1859},{"href":1860,"dataGaName":1804,"dataGaLocation":1720},"/de-de/solutions/gitops/",{"text":1420,"config":1862},{"href":1423,"dataGaName":1424,"dataGaLocation":1720},{"text":1426,"config":1864},{"href":1429,"dataGaName":1430,"dataGaLocation":1720},{"text":1432,"config":1866},{"href":1435,"dataGaName":1436,"dataGaLocation":1720},{"text":1868,"config":1869},"Bildungswesen",{"href":1870,"dataGaName":1871,"dataGaLocation":1720},"/de-de/solutions/education/","education",{"text":1873,"config":1874},"Finanzdienstleistungen",{"href":1875,"dataGaName":1876,"dataGaLocation":1720},"/de-de/solutions/finance/","financial services",{"title":1443,"links":1878},[1879,1881,1883,1885,1888,1890,1893,1895,1897,1900,1902,1904,1906],{"text":1455,"config":1880},{"href":1457,"dataGaName":1458,"dataGaLocation":1720},{"text":1460,"config":1882},{"href":1462,"dataGaName":1463,"dataGaLocation":1720},{"text":1465,"config":1884},{"href":1467,"dataGaName":1468,"dataGaLocation":1720},{"text":1470,"config":1886},{"href":1472,"dataGaName":1887,"dataGaLocation":1720},"docs",{"text":1493,"config":1889},{"href":1495,"dataGaName":1496,"dataGaLocation":1720},{"text":1891,"config":1892},"Neuigkeiten",{"href":1543,"dataGaName":1544,"dataGaLocation":1720},{"text":1488,"config":1894},{"href":1490,"dataGaName":1491,"dataGaLocation":1720},{"text":1502,"config":1896},{"href":1504,"dataGaName":1505,"dataGaLocation":1720},{"text":1898,"config":1899},"GitLab Services",{"href":1512,"dataGaName":1513,"dataGaLocation":1720},{"text":1515,"config":1901},{"href":1517,"dataGaName":1518,"dataGaLocation":1720},{"text":1520,"config":1903},{"href":1522,"dataGaName":1523,"dataGaLocation":1720},{"text":1525,"config":1905},{"href":1527,"dataGaName":1528,"dataGaLocation":1720},{"text":1530,"config":1907},{"href":1532,"dataGaName":1533,"dataGaLocation":1720},{"title":1909,"links":1910},"Unternehmen",[1911,1913,1915,1917,1919,1921,1926,1931,1933,1935,1937],{"text":1554,"config":1912},{"href":1556,"dataGaName":1548,"dataGaLocation":1720},{"text":1559,"config":1914},{"href":1561,"dataGaName":1562,"dataGaLocation":1720},{"text":1567,"config":1916},{"href":1569,"dataGaName":1570,"dataGaLocation":1720},{"text":1572,"config":1918},{"href":1574,"dataGaName":1575,"dataGaLocation":1720},{"text":1577,"config":1920},{"href":1579,"dataGaName":1580,"dataGaLocation":1720},{"text":1922,"config":1923},"Nachhaltigkeit",{"href":1924,"dataGaName":1925,"dataGaLocation":1720},"/sustainability/","Sustainability",{"text":1927,"config":1928},"Vielfalt, Inklusion und Zugehörigkeit",{"href":1929,"dataGaName":1930,"dataGaLocation":1720},"/de-de/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":1582,"config":1932},{"href":1584,"dataGaName":1585,"dataGaLocation":1720},{"text":1592,"config":1934},{"href":1594,"dataGaName":1595,"dataGaLocation":1720},{"text":1597,"config":1936},{"href":1599,"dataGaName":1600,"dataGaLocation":1720},{"text":1938,"config":1939},"Transparenzerklärung zu moderner Sklaverei",{"href":1940,"dataGaName":1941,"dataGaLocation":1720},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"items":1943},[1944,1946,1949],{"text":1768,"config":1945},{"href":1770,"dataGaName":1771,"dataGaLocation":1720},{"text":1947,"config":1948},"Cookies",{"dataGaName":1780,"dataGaLocation":1720,"id":1781,"isOneTrustButton":1273},{"text":1773,"config":1950},{"href":1775,"dataGaName":1776,"dataGaLocation":1720},[1952],{"id":1953,"title":7,"body":1269,"config":1954,"content":1956,"description":1269,"extension":1960,"meta":1961,"navigation":1273,"path":1962,"seo":1963,"stem":1964,"__hash__":1965},"blogAuthors/en-us/blog/authors/grant-hickman.yml",{"template":1955},"BlogAuthor",{"name":7,"config":1957},{"headshot":1958,"ctfId":1959},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1749682570/Blog/Author%20Headshots/g.png","ghickman","yml",{},"/en-us/blog/authors/grant-hickman",{},"en-us/blog/authors/grant-hickman","3OY7ZjUzeOb_im7m1kimID61q_0OEhuzipAc3AHq2WM",[1967,1975,1982],{"title":1968,"description":1969,"heroImage":1970,"category":1265,"date":1971,"authors":1972,"slug":1974,"externalUrl":1269},"Vollständige Security-Scanner-Abdeckung der Codebase in Minuten","Security Configuration Profiles ermöglichen schnellere Scanner-Rollouts. Wie GitLab 19.0 Tausende von Projekten in Minuten abdeckt – ohne Lücken.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1779189265/iqzyhhiwagxzwywvjzow.png","2026-05-26",[1973],"Michael Omokoh","security-configuration-profiles",{"title":1976,"description":1977,"heroImage":1970,"category":1265,"date":1971,"authors":1978,"slug":1981,"externalUrl":1269},"Supply-Chain-Risiken reduzieren – mit SBOM-basiertem Dependency Scanning","Transitive Abhängigkeiten erkennen, ihren Ursprung nachverfolgen und nach realer Exposition priorisieren.",[1979,1980],"Mark Settle","Joel Patterson","sbom-based-dependency-scanning",{"title":1983,"description":1984,"heroImage":1970,"category":1265,"date":1985,"authors":1986,"slug":1988,"externalUrl":1269},"CI/CD-Zugangsdaten absichern mit GitLab Secrets Manager","Secrets Manager (Public Beta): Job-Scoping, Least-Privilege-Zugriffsmodell und lückenloser Audit-Trail – nativ in GitLab 19.0.","2026-05-21",[1987,1979],"Joe Randazzo","secrets-manager-in-public-beta",{"promotions":1990},[1991,2005,2017,2028],{"id":1992,"categories":1993,"header":1995,"text":1996,"button":1997,"image":2002},"ai-modernization",[1994],"ai","Hält KI, was uns versprochen wurde?","Das Quiz dauert maximal 5 Minuten.",{"text":1998,"config":1999},"Ermittle deinen KI-Reifegrad",{"href":2000,"dataGaName":2001,"dataGaLocation":1496},"/de-de/assessments/ai-modernization-assessment/","modernization assessment",{"config":2003},{"src":2004},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138786/qix0m7kwnd8x2fh1zq49.png",{"id":2006,"categories":2007,"header":2009,"text":1996,"button":2010,"image":2014},"devops-modernization",[2008,1819],"product","Verwaltest du Tool-Chaos oder stellst du Innovationen bereit?",{"text":2011,"config":2012},"Ermittle deinen DevOps-Reifegrad",{"href":2013,"dataGaName":2001,"dataGaLocation":1496},"/de-de/assessments/devops-modernization-assessment/",{"config":2015},{"src":2016},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138785/eg818fmakweyuznttgid.png",{"id":2018,"categories":2019,"header":2020,"text":1996,"button":2021,"image":2025},"security-modernization",[1265],"Tauschst du Schnelligkeit gegen Sicherheit ein?",{"text":2022,"config":2023},"Ermittle deinen Sicherheitsreifegrad",{"href":2024,"dataGaName":2001,"dataGaLocation":1496},"/de-de/assessments/security-modernization-assessment/",{"config":2026},{"src":2027},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1772138786/p4pbqd9nnjejg5ds6mdk.png",{"id":2029,"paths":2030,"header":2033,"text":2034,"button":2035,"image":2040},"github-azure-migration",[2031,2032],"migration-from-azure-devops-to-gitlab","integrating-azure-devops-scm-and-gitlab","Ist dein Team bereit für den Umzug von GitHub nach Azure?","GitHub stellt bereits auf Azure um. Finde heraus, was das für dich bedeutet.",{"text":2036,"config":2037},"Erfahre, wie GitLab im Vergleich zu GitHub abschneidet",{"href":2038,"dataGaName":2039,"dataGaLocation":1496},"/de-de/compare/gitlab-vs-github/github-azure-migration/","github azure migration",{"config":2041},{"src":2016},{"header":2043,"blurb":2044,"button":2045,"secondaryButton":2050},"Beginne noch heute, schneller zu entwickeln","Entdecke, was dein Team mit der intelligenten Orchestrierungsplattform für DevSecOps erreichen kann.\n",{"text":2046,"config":2047},"Kostenlosen Test starten",{"href":2048,"dataGaName":1294,"dataGaLocation":2049},"https://gitlab.com/-/trial_registrations/new?glm_content=default-saas-trial&glm_source=about.gitlab.com/de-de/","feature",{"text":1296,"config":2051},{"href":1298,"dataGaName":1299,"dataGaLocation":2049},1781392786711]