📣 Feedback - GitLab Vulnerabilities Retention Policy


GitLab intends to introduce a new Vulnerability Retention Policy for vulnerability records that appear in the Vulnerability Report. As we continue to build more features, such as support for the Vulnerability Report and Dependency List at the Organization level and the ability to track vulnerabilities in locations other than the default branch, we want to ensure that we store only useful, meaningful data and that the service maintains optimal performance with that data.

Our research shows that as many as 47% of vulnerability records have not been updated in over a year and are unlikely to be as relevant or useful as the results of more recent scans.

Given this, GitLab intends to implement a default retention period of 12 months for vulnerability records, after which they will be automatically archived. Archived records will be retrievable from GitLab.com as a machine-readable JSON document for 3 years following archival, after which they will be permanently deleted.

Later iterations may include the ability for users to customise the retention period to a degree and to opt for extended storage of archived data at an additional cost, which will be communicated at a later stage.

We are planning to implement the retention policy in %18.0, May 2025. Another notification will be sent out closer to the start of implementation to keep you informed of our implementation plans and progress.

The following records are not subject to this retention policy:

  • Dismissed vulnerabilities that are still detected
  • Detected (Needs Triage) vulnerabilities
  • Manually-created vulnerabilities that are not resolved

For self-managed instances, we intend to implement the policy as off by default but configurable by admins. This may be beneficial for self-managed instances that have accrued significant vulnerability data and may be experiencing performance degradation on the Group Vulnerability Report pages.

If you have any concerns or comments, please comment on this issue and tag @ghavenga and @abellucci.

Warmly, The GitLab Team
