Security tab
The Security page is used to view and process vulnerabilities found by project security analyzers. Reports can be generated in a pipeline or uploaded manually.
To work with the security page, a role that includes the Управление уязвимостями permission is required. This permission is included by default in the standard Administrator role.
Supported report types
The security page supports the following report types:
| Report type | Description | Format |
|---|---|---|
| SAST | Results of static security analysis of source code | SARIF |
| DAST | Results of dynamic security analysis of the application | SARIF |
| SCA | Results of software composition analysis and used components | CycloneDX |
More information about preparing reports and connecting analyzers is provided in the SAST, DAST, and SCA articles.
Uploading reports
Reports can be added to the security page automatically from a pipeline or manually.
Uploading from a pipeline
The security analyzer runs in a pipeline job and generates a report in a supported format. After the job is completed, the report is transferred to GitFlic and displayed on the project security page.
The following formats are used for reports:
- SAST — SARIF;
- DAST — SARIF;
- SCA — CycloneDX.
The analyzer is configured and run on the resources used by the CI/CD agent. The analyzer and its launch scenario must be selected and configured for the project independently.
Manual upload
A prepared report can be uploaded without running the analyzer in a pipeline.
To manually upload a report, it is required to:
- Open the report management section on the security page.
- Go to adding a report.
- Upload the prepared file.
- Specify the report type.
- Select the branch to which the report belongs.
- Complete the upload.
During manual upload, the snapshot is linked to the latest commit of the selected working branch.
Report snapshots
Reports are grouped into snapshots. A snapshot records analysis results for a specific project state.
For a report generated in a pipeline, the snapshot contains a link to the pipeline in which the report was obtained. On the pipeline page, a link to the commit that defines the repository state at the time of scanning is available.
Thus, the chain of links has the following form:
Снапшот отчета → конвейер → коммит
Snapshots can be distinguished by the name, which is formed from the creation date and the name of the branch or tag for which the pipeline was started.
During manual upload, the snapshot is created for the latest commit of the selected working branch.
Working with vulnerabilities
After a report is uploaded, the detected vulnerabilities are displayed in the corresponding section of the security page.
Each new vulnerability receives the Requires attention status by default.
The status can be changed:
- in the list of vulnerabilities;
- on the page of an individual vulnerability;
- for several records at the same time.
To change the status in bulk, it is required to select the necessary vulnerabilities and choose a new status in the field above the list.
If a new report detects a vulnerability identical to a vulnerability from a previous report, the status set during the previous detection is applied to it.
Viewing and filtering vulnerabilities
On the security page, filters by severity and vulnerability status are available. The set of additional filters depends on the analyzer type and the contents of the uploaded report.
The following severity levels are provided for SAST and DAST vulnerabilities:
- critical;
- unacceptable;
- undesirable;
- informational;
- undefined.
The page of an individual vulnerability displays the available information from the report. Depending on the analyzer type, it may include:
- the file in which the vulnerability was found;
- commit;
- file line;
- description and additional analyzer information.
Requires attention when updating
If you previously used this section in a project to work with reports, archive information cannot be migrated; during the update, the data will not be saved. Run a new scan to fill the section with information
Automated translation!
This page has been automatically translated. The text may contain inaccuracies.