Module 9 Lesson 1: Vulnerability Management
·DevOps

The triage process. Learn the professional workflow for identifying, dismissing, or resolving security vulnerabilities within the GitLab ecosystem.

A pipeline that reports 100 security findings is a "Wall of Noise." To be effective, you need a Triage Process: deciding what to fix now, what to fix later, and what is a False Positive or an accepted risk that should be recorded and put aside.

1. The Vulnerability Lifecycle

In GitLab, every vulnerability on the default branch has a status. (A finding in a merge request pipeline only becomes a tracked vulnerability once the branch is merged.)

  • Detected (labelled "Needs triage" in current GitLab versions): the scan reported it and nobody has looked at it yet.
  • Confirmed: a person reviewed it and agrees it is a real risk.
  • Dismissed: a person verified it is not a risk here (false positive, test data, accepted or mitigated risk) and recorded why.
  • Resolved: the fix is in the default branch and the scanner no longer reports it. A finding does not become Resolved just because the scan goes quiet; a person (or a security policy) sets the status after checking that the fix landed.

2. Dealing with False Positives

Sometimes a scanner is too sensitive.

  • Example: Secret Detection flags a hard-coded "Test Database Password" that exists only in a local fixture file.
  • The Action: you Dismiss the finding, pick the matching dismissal reason (GitLab offers Acceptable risk, False positive, Mitigating control, Used in tests and Not applicable) and add a comment such as "Mock password for local development, never used in a deployed environment."
  • Audit Trail: the dismissal is recorded in the vulnerability's history with who, when, the reason and the comment. If a regulator or auditor asks why you ignored it, you have the proof. A dismissal with a vague comment ("not an issue") proves nothing a year later, so write the comment for the reader who has no context.
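To make the lifecycle and the dismissal audit trail concrete, here is an added example, not code from GitLab or from this course: a Python script that takes a security report in the shape GitLab's scanners emit (gl-sast-report.json / gl-secret-detection-report.json, a "vulnerabilities" array with severity, location and identifiers) and sorts every finding into needs-triage, dismissed or excluded, flagging dismissals whose finding has disappeared. The report and the dismissal list are constructed samples. GitLab keeps real dismissals in its own database, so the list format, its author and comment fields, and the directory-name matching that stands in for SAST_EXCLUDED_PATHS are assumptions made for this illustration; the dismissal reason values are the ones the GitLab API accepts.

```python
# Added example (not GitLab code): triage a GitLab-style security report
# against a reviewed dismissal list and emit the audit trail.
import json
from dataclasses import dataclass, field
from typing import List

# Dismissal reasons GitLab accepts when you dismiss a finding.
DISMISSAL_REASONS = {"acceptable_risk", "false_positive", "mitigating_control",
                     "used_in_tests", "not_applicable"}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}

# Constructed sample in the shape of gl-secret-detection-report.json, trimmed to the fields read here.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "f1", "severity": "Critical", "name": "AWS access key",
         "location": {"file": "src/payments/client.py", "start_line": 12},
         "identifiers": [{"type": "gitleaks_rule_id", "value": "aws-access-token"}]},
        {"id": "f2", "severity": "High", "name": "Generic API key",
         "location": {"file": "tests/fixtures/db_config.yml", "start_line": 3},
         "identifiers": [{"type": "gitleaks_rule_id", "value": "generic-api-key"}]},
        {"id": "f3", "severity": "Medium", "name": "Hard-coded password",
         "location": {"file": "docker/dev-compose.yml", "start_line": 20},
         "identifiers": [{"type": "gitleaks_rule_id", "value": "generic-api-key"}]},
    ],
})

# Hypothetical reviewed dismissal list. GitLab records dismissals in its own
# database when you click Dismiss; this list stands in for that record.
SAMPLE_DISMISSALS = [
    {"file": "docker/dev-compose.yml", "line": 20, "reason": "used_in_tests",
     "comment": "Mock password for the local dev database only", "by": "alice"},
    {"file": "old/removed.py", "line": 1, "reason": "false_positive",
     "comment": "Scanner matched a base64 test vector", "by": "bob"},
]


@dataclass
class TriageResult:
    needs_triage: List[dict] = field(default_factory=list)      # Detected / Needs triage
    dismissed: List[dict] = field(default_factory=list)         # Dismissed, audit record attached
    excluded: List[dict] = field(default_factory=list)          # never reported: excluded path
    stale_dismissals: List[dict] = field(default_factory=list)  # finding gone: check, then Resolved


def triage(report_json: str, dismissals: List[dict],
           excluded_dirs=("spec", "test", "tests", "tmp")) -> TriageResult:
    """Sort findings into lifecycle buckets; reject dismissals that lack an audit trail.
    excluded_dirs mirrors the default of GitLab's SAST_EXCLUDED_PATHS. The real
    variable takes glob patterns; this simplification matches directory names.
    """
    for d in dismissals:
        if d.get("reason") not in DISMISSAL_REASONS:
            raise ValueError(f"unknown dismissal reason: {d.get('reason')!r}")
        if not d.get("comment") or not d.get("by"):
            raise ValueError("a dismissal needs a comment and an author to be auditable")

    by_location = {(d["file"], d["line"]): d for d in dismissals}
    matched = set()
    result = TriageResult()
    for finding in json.loads(report_json)["vulnerabilities"]:
        path, line = finding["location"]["file"], finding["location"]["start_line"]
        if any(part in excluded_dirs for part in path.split("/")[:-1]):
            result.excluded.append(finding)   # the scanner would not have reported it at all
            continue
        record = by_location.get((path, line))
        if record is None:
            result.needs_triage.append(finding)
        else:
            matched.add((path, line))
            result.dismissed.append({**finding, "dismissal": record})

    # Worst first: a Critical should never queue behind twenty Lows.
    result.needs_triage.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    # A dismissal whose finding no longer shows up is either fixed (mark it
    # Resolved) or the code moved; both deserve a look, not silent carry-over.
    result.stale_dismissals = [d for loc, d in by_location.items() if loc not in matched]
    return result


def audit_lines(result: TriageResult) -> List[str]:
    """Render the triage decisions as the lines you would hand an auditor."""
    lines = []
    for f in result.dismissed:
        d, loc = f["dismissal"], f["location"]
        lines.append(f"DISMISSED {loc['file']}:{loc['start_line']} "
                     f"reason={d['reason']} by={d['by']}: {d['comment']}")
    for d in result.stale_dismissals:
        lines.append(f"STALE {d['file']}:{d['line']} dismissed by {d['by']}, no longer reported")
    return lines


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT, SAMPLE_DISMISSALS)
    for f in r.needs_triage:
        print(f"NEEDS TRIAGE [{f['severity']}] {f['name']} at {f['location']['file']}")
    print("\n".join(audit_lines(r)))
```

Run it as a script and the wall of three findings shrinks to one Critical that actually needs a human, one dismissal with its reason and author on record, and one stale dismissal that should be checked and moved to Resolved. Note the difference between the two ways of quieting a finding: a dismissal keeps the finding and the reason on record, whereas an excluded path (SAST_EXCLUDED_PATHS, SECRET_DETECTION_EXCLUDED_PATHS) stops the scanner from reporting it at all, leaving nothing to show an auditor. Use exclusions for generated code and test fixtures, dismissals for anything someone might later ask about.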

Visualizing the Process

graph TD
    Detected[Detected or Needs triage] --> Review{Real risk here?}
    Review -->|No: false positive, test data, accepted risk| Dismissed[Dismissed, reason and comment logged]
    Review -->|Yes| Confirmed[Confirmed]
    Confirmed --> Issue[Confidential issue created and assigned]
    Issue --> Fix[Fix merged, scan no longer reports it]
    Fix --> Resolved[Resolved]

3. Creating "Security Issues"

You shouldn't fix a security bug off the record, but you shouldn't announce it in a public issue either.

  • Click "Create issue" on the finding in the Vulnerability Report.
  • GitLab creates a Confidential Issue linked to the finding. Confidential issues are visible only to project members with at least the Reporter role (plus the author and assignees), so the bug can be tracked, prioritised and assigned without telling attackers about it before the fix ships. Reference the issue from the merge request that fixes it so the history stays connected.

4. Why Triage Matters

Without triage, a team will eventually stop running security scans because they are "too annoying." By keeping the dashboard clean (nothing left in Detected / Needs triage), you make sure that when a real critical finding appears, it stands out and gets 100% of your attention.


Exercise: The Triage Drill

  1. Go to your project's Vulnerability Report. Dismiss one finding with the reason "Used in tests" and a comment explaining why.
  2. Create a Confidential Issue for another finding.
  3. Why is it important to provide a reason and a specific comment for a dismissal?
  4. If a Critical bug is found in a library you don't control, what are your 3 options for resolution?
  5. Research: how do you keep a path or a rule out of SAST results in GitLab? (There is no .sast-ignore file; start with the SAST_EXCLUDED_PATHS and SECRET_DETECTION_EXCLUDED_PATHS CI variables and the .gitlab/sast-ruleset.toml ruleset file.) What does an exclusion lose compared with a dismissal?

Summary

Vulnerability Management is the difference between "Having many tools" and "Having a secure app." By mastering the triage process, you become the guardian of your company's digital integrity.

Next Lesson: Checking the ingredients: Dependency Scanning and License Compliance.
