Security Dashboard Release to Dedicated and Self Managed
Note: this is for the release post. The development work is tracked via security infrastructure (https://gitlab.com/groups/gitlab-org/-/epics/18758#top & https://gitlab.com/gitlab-org/gitlab/-/issues/581947).

Dedicated and Self-Managed customers now have access to the new security dashboard. Elasticsearch must be deployed.

Available Features:

1. [Security Dashboard - Chart 1 Project Scope: Total open vulnerabilities per severity](https://gitlab.com/groups/gitlab-org/-/epics/17073)
2. [Security Dashboard - Chart 1 Multi Project Scope: Total open vulnerabilities per severity](https://gitlab.com/groups/gitlab-org/-/epics/17411)
3. [Security Dashboard - Chart 2 Project-Scope: Open vulnerabilities over time](https://gitlab.com/groups/gitlab-org/-/epics/17076)
4. [Security Dashboard - Chart 2 Multi Project Scope: Open vulnerabilities over time](https://gitlab.com/groups/gitlab-org/-/epics/17413)
5. [Security Dashboard - Chart 7 Multi Project Scope: Total risk score](https://gitlab.com/groups/gitlab-org/-/epics/17425)
6. [Show median vulnerability age in counts per severity chart](https://gitlab.com/groups/gitlab-org/-/epics/18536)
7. [Persist applied filters and group-by selections to Query parameters](https://gitlab.com/gitlab-org/gitlab/-/issues/561226)

See release 2 for additional roadmap items: [**Security Dashboard Upgrade - Release 2**](https://gitlab.com/groups/gitlab-org/-/epics/18510)

Additional Technical Details

1. Elasticsearch is required for Self-Managed and Dedicated users.
2. Because of Elasticsearch, vulnerability counts over 1000 will be _accurate_ and not aggregated as “1000+ vulnerabilities” as in the vulnerability report.
3. In 18.8, ‘no longer detected’ vulnerabilities will be removed by default from the vulnerabilities over time chart (and all future charts).
   1. In the meantime, users can enable Auto-resolve to address no longer detected vulnerabilities.
4. The expected behavior of a vulnerability with multiple status changes (closed to open to closed) on charts over time is that the vulnerabilities over time charts will refer to the last closed date only. The chart will see a -1 increment in open vulnerabilities at that last closed date, _not_ a -1, +1, -1 increment for each status change. This is because the vulnerability was not truly remediated/dismissed (closed) at the earlier closures.
5. EPSS score changes are only captured during pipeline runs; for performance reasons, the algorithm doesn’t run every day. This is assumed to be ‘close enough to real time’.
6. Only the vulnerabilities over time chart will be available at the project level. Other capabilities will be available at the group level only in the future. Project filters will of course be available to serve project-specific use cases.
7. Self-Managed will need to wait a short period of time after upgrading to 18.7 to see the risk score due to a background migration. The ‘period’ should be a small number of days at most.
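The counting rule in technical detail 4, worked through as an added illustration (this is not GitLab's code). The histories are constructed sample data, the function names are hypothetical, and the handling of a vulnerability whose final status is open (it never receives a -1) is an assumption, since the page only describes the closed to open to closed case.

```python
from datetime import date, timedelta

# Constructed sample data: status history per vulnerability, oldest first.
HISTORIES = {
    # detected, closed, reopened, closed again (the case described on the page)
    "vuln-a": [(date(2025, 1, 1), "open"), (date(2025, 1, 3), "closed"),
               (date(2025, 1, 5), "open"), (date(2025, 1, 8), "closed")],
    # detected, closed, reopened and still open (assumed edge case)
    "vuln-b": [(date(2025, 1, 2), "open"), (date(2025, 1, 4), "closed"),
               (date(2025, 1, 6), "open")],
}


def per_transition_deltas(history):
    """Naive accounting: +1 on every open, -1 on every close."""
    deltas = {}
    for day, status in history:
        deltas[day] = deltas.get(day, 0) + (1 if status == "open" else -1)
    return deltas


def last_closed_deltas(history):
    """Rule from the page: +1 at detection, a single -1 at the last closed date.

    Assumption: if the final status is open, no -1 is recorded at all.
    """
    history = sorted(history)
    deltas = {history[0][0]: 1}
    last_day, last_status = history[-1]
    if last_status == "closed":
        deltas[last_day] = deltas.get(last_day, 0) - 1
    return deltas


def open_over_time(histories, rule, start, end):
    """Total open vulnerabilities for each day in [start, end] under `rule`."""
    totals = {}
    for history in histories.values():
        for day, delta in rule(history).items():
            totals[day] = totals.get(day, 0) + delta
    series, running, day = [], 0, start
    while day <= end:
        running += totals.get(day, 0)
        series.append(running)
        day += timedelta(days=1)
    return series


if __name__ == "__main__":
    window = (date(2025, 1, 1), date(2025, 1, 8))
    print("per transition:", open_over_time(HISTORIES, per_transition_deltas, *window))
    print("last closed   :", open_over_time(HISTORIES, last_closed_deltas, *window))
```

Under the last-closed rule the intermediate closures never produce a dip in the chart, which is the difference to look for when comparing the dashboard against counts derived from raw status-change events.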