Consider the impact of tracking vulnerability management across multiple branches on Self Managed instances
While working through more considerations of the architecture of this feature, it occurred to me that we have not yet considered the impact that the introduction of this functionality might have on self-managed instances.
In the case of GitLab.com, we've gone to the effort of decomposing our security data into a new Sec database. This bought us substantial headroom, so we can largely explore this implementation safely, without significant fear of bringing GitLab.com down.
Self-managed instances do not have this benefit. Additionally, during the course of the Sec decomposition it was decided that GitLab.com does not support the decomposition of self-managed databases.
This introduces a potential operational risk to our self-managed/Dedicated instances. All current plans for the implementation of this feature anticipate substantial increases in data processing and storage. This may overwhelm smaller instances, or push instances that were already near their operational limits over the edge.
We should ensure that branch-based scanning is:
- As scalable as possible.
- Off by default.
- Limitable.