
Security Report Generalized Details Structure

Release notes

Automated security scanning is an important part of any secure development process. There are a wide variety of tools and technologies covering the entire SDLC from source code scanning to post-deployment application and infrastructure scanning. While the ultimate goal of any of these tools is to discover both known and potential vulnerabilities, the information coming from any given scanner can vary widely. Efforts to standardize scanning output data do exist but they tend to focus only on one category of scanning technology or even a specific set of tools. This presents a big challenge to security teams who need to aggregate a wide array of scanner findings. Without a consistent way to normalize disparate findings, viewing the unique details for each scanner's output can be a very apples-and-oranges experience. And if the tool outputs aren't aggregated, then results are often reviewed in the source tool, leaving the true picture of vulnerability risk fragmented and sitting outside of the rest of the DevOps toolchain.

The new generalized details structure in our security report schemas can bridge this gap. You can already integrate a wide variety of security scanners into GitLab with minimal effort. Now you can go even further with rich formatting options for finding details. Our new structure makes it easy to map most tools' existing outputs into our JSON report formats while adding consistent presentation logic automatically. Flexibility without sacrificing the ability to provide rich vulnerability finding data is a primary purpose behind the new structure. Details are provided in an open structure using pre-defined data types. The pre-defined types handle both data validation and standardized UI presentation inside GitLab. For instance, we provide types such as Integer, URL, Table, and even GFM (GitLab Flavored Markdown). This allows granular control over how finding details are presented while keeping the overall experience inside GitLab consistent.
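As an added illustration of how pre-defined detail types can carry both validation and presentation (example code written for this post, not GitLab's own schema or ingest code), the block below validates a constructed `details` object against a small type registry. The key names `type`, `name`, `value`, `href`, `header` and `rows`, and the type identifiers `int`, `text`, `markdown`, `url` and `table`, are assumptions for the example rather than values quoted from this page.

```python
from urllib.parse import urlparse
# Constructed sample of one finding's `details` block. The keys `type`, `name`, `value`,
# `href`, `header` and `rows` are assumed for illustration, not quoted from this page.
SAMPLE_DETAILS = {
    "score": {"type": "int", "name": "Score", "value": 7},
    "advisory": {"type": "url", "name": "Advisory", "href": "https://example.com/adv/1"},
    "fix": {"type": "markdown", "name": "Fix", "value": "Upgrade to **2.0.1** or later."},
    "ports": {"type": "table", "name": "Open ports",
              "header": [{"type": "text", "value": "Port"}, {"type": "text", "value": "Service"}],
              "rows": [[{"type": "text", "value": "22"}, {"type": "text", "value": "ssh"}]]},
}

def _check_url(f):
    # Only absolute http(s) links pass, so a scanner cannot smuggle a `javascript:`
    # or relative href into the rendered finding as a clickable link.
    p = urlparse(f.get("href", ""))
    return [] if p.scheme in ("http", "https") and p.netloc else ["url href must be absolute http(s)"]

def _check_table(f):
    header, rows = f.get("header"), f.get("rows", [])
    if not isinstance(header, list) or not header:
        return ["table needs a non-empty header"]
    errors = [e for cell in header for e in validate_field(cell, nested=True)]
    for i, row in enumerate(rows):
        if not isinstance(row, list) or len(row) != len(header):
            errors.append(f"row {i} does not match header width {len(header)}")
            continue
        errors += [e for cell in row for e in validate_field(cell, nested=True)]
    return errors
# One validator per pre-defined type; bool is deliberately excluded from int.
CHECKS = {
    "int": lambda f: [] if type(f.get("value")) is int else ["int value must be an integer"],
    "text": lambda f: [] if isinstance(f.get("value"), str) else ["value must be a string"],
    "markdown": lambda f: [] if isinstance(f.get("value"), str) else ["value must be a string"],
    "url": _check_url,
    "table": _check_table,
}

def validate_field(f, nested=False):
    if not isinstance(f, dict) or not isinstance(f.get("type"), str):
        return ["field must be an object with a string `type`"]
    if f["type"] not in CHECKS:
        return [f"unknown type {f['type']!r}"]  # rejected at ingest, never rendered raw
    if nested and f["type"] == "table":
        return ["table cells cannot be tables"]
    return CHECKS[f["type"]](f)

def validate_details(details):
    """Map each invalid field name to its errors; an empty dict means the block is valid."""
    return {name: validate_field(f) for name, f in details.items() if validate_field(f)}
```

Because every field declares its type up front, the same registry that rejects malformed input at ingest can also drive which UI component renders each field.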


Purpose

This issue is for the Release Post supporting the release of the new `details` field added to the existing scanner schemas, and the presentation logic to render it in the Vulnerability Management UI. Part of this work includes validation of the JSON schemas as part of the ingest process. This work also forms the foundation for a generic report schema that will eventually support almost any security tool type inside the vulnerability management workflow.
