Bulk Triage Phase

When first adopting GitLab Secure

  1. Prioritize projects according to exposure risk: High/Medium/Low based on business impact and network exposure. Start with the high-priority projects and move down. Approach each project one at a time for initial bulk triage
  2. For one project at a time, ensure that scan execution policies have been applied to the project and have run successfully on the default branch
  3. Filter the Vulnerability Report for
    • Project: The project under examination
    • Status: Needs triage
    • Severity: Critical
    • If the results list is too large to work through, additionally filter by one scanner at a time, in the following order:
      1. Secret detection
      2. Dependency scanning
      3. Container scanning
      4. SAST + SAST-IaC
      5. API security testing
      6. DAST browser-based scanning
      7. Fuzz (both kinds)
  4. Starting at the top of the search results, open each vulnerability
    • Read the vulnerability page thoroughly
    • Click through to the links as necessary to understand the vulnerability
    • If needed and available, click "Explain this vulnerability with AI" for more information
    • Decide how to handle this vulnerability
    • Execute the decision by choosing a Status in the top right corner
    • Add a comment to the vulnerability explaining the decision
    • If the status is Confirmed, create and assign a Jira issue
  5. Continue through the remaining vulnerabilities in the search results, performing the previous step for each
  6. If you filtered by scanner, update the filter to the next scanner and repeat
  7. Complete triage of all the Critical vulnerabilities in one project before moving to the next project
  8. Complete triage of the remaining vulnerabilities in the order shown in the table below
  9. While triaging vulnerabilities, watch for trends (for example, a rule that keeps producing the same false positive, or a path that should be excluded) and consider adjusting the scan execution policies by referencing the GitLab documentation. If different projects and/or groups seem to require different policies, consider creating separate scan execution policies and linking them appropriately
    • All the scanners have variables to customize
    • Secret detection and SAST have RULESET_GIT_REFERENCE variables
    • DAST browser-based scanning and API scanning have site profiles
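The steps above describe a manual pass through the Vulnerability Report. As an added example (not part of the original page and not GitLab code), the following script encodes the same ordering rules so that findings exported from any source can be sorted into the prescribed triage queue: only "Needs triage" findings are kept, they are ranked by the severity/project-risk matrix from the table below, one project is completed before the next, and within a project the scanner order from step 3 applies. The `Finding` class, the field names and the sample findings are assumptions constructed for the example.

```python
"""Build the bulk-triage queue this page prescribes from a list of findings."""
from dataclasses import dataclass

# Triage order from the page's matrix: (severity, project risk) -> rank, lower first.
TRIAGE_RANK = {
    ("critical", "high"): 1, ("critical", "medium"): 2, ("critical", "low"): 4,
    ("high", "high"): 3,     ("high", "medium"): 5,     ("high", "low"): 7,
    ("medium", "high"): 6,   ("medium", "medium"): 8,   ("medium", "low"): 10,
    ("low", "high"): 9,      ("low", "medium"): 11,     ("low", "low"): 12,
}
# Scanner order used when a result list has to be split (step 3); unknown scanners go last.
SCANNER_ORDER = {name: i for i, name in enumerate([
    "secret_detection", "dependency_scanning", "container_scanning", "sast", "sast_iac",
    "api_security", "dast", "coverage_fuzzing", "api_fuzzing"])}


@dataclass(frozen=True)
class Finding:  # assumed record shape, constructed for this example
    project: str
    project_risk: str   # high / medium / low, assigned in step 1
    severity: str       # critical / high / medium / low
    scanner: str
    status: str         # needs_triage / confirmed / dismissed / resolved
    title: str


def triage_key(f: Finding):
    """Sort key: matrix rank, then project (finish one before the next), then scanner."""
    try:
        rank = TRIAGE_RANK[(f.severity.lower(), f.project_risk.lower())]
    except KeyError:
        raise ValueError(f"unknown severity/risk pair for {f.title!r}") from None
    return (rank, f.project, SCANNER_ORDER.get(f.scanner, len(SCANNER_ORDER)))


def triage_queue(findings):
    """Return the findings still needing triage, in the order they should be worked."""
    return sorted((f for f in findings if f.status == "needs_triage"), key=triage_key)


# Constructed sample findings; titles and projects are illustrative only.
SAMPLE = [
    Finding("payments", "high", "critical", "sast", "needs_triage", "SQL injection in refund handler"),
    Finding("payments", "high", "critical", "secret_detection", "needs_triage", "AWS key committed"),
    Finding("wiki", "medium", "critical", "dependency_scanning", "needs_triage", "Vulnerable markdown library"),
    Finding("payments", "high", "high", "dast", "needs_triage", "Missing CSP header"),
    Finding("build-tools", "low", "critical", "container_scanning", "needs_triage", "Old openssl in base image"),
    Finding("payments", "high", "critical", "sast", "confirmed", "Path traversal in upload"),
    Finding("payments", "high", "low", "sast", "needs_triage", "Verbose error page"),
]

if __name__ == "__main__":
    for pos, f in enumerate(triage_queue(SAMPLE), 1):
        print(f"{pos:2d}. [{f.project}] {f.severity:<8} {f.scanner:<20} {f.title}")
```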

Proposed order for vulnerability bulk triage

Numbers give the triage order (1 = triage first, 12 = triage last):

                           High risk projects   Medium risk projects   Low risk projects
  Critical vulnerabilities          1                    2                    4
  High severity vulns               3                    5                    7
  Medium severity vulns             6                    8                   10
  Low severity vulns                9                   11                   12

  1. Perform initial application risk assessments
  2. Prioritize applications
  3. Set non-intrusive scanners
  4. Establish guardrails with exceptions
  5. Monitor and adjust