Responding to customers' security scanner review requests

We scan our own product using our security scanners. Our Engineering teams remediate vulnerabilities detected by our scanners on a regular basis. This is done when a patch is available, and we prioritize remediation of vulnerabilities that can be exploited in our context.

We often receive inquiries from customers regarding findings detected by their own scanning tools or by those integrated into GitLab. We value our customers' trust in our expertise to assess these issues. Therefore, we aim to annotate findings with contextual information about them.

Scope

GitLab Images

We are accepting requests to review vulnerabilities detected in GitLab first-party images, including:

  • GitLab Omnibus - gitlab/gitlab-ee (Docker Hub)
  • GitLab Runner - gitlab/gitlab-runner (Docker Hub)
  • GitLab CNG Images
  • GitLab Security Scanners

The annotations provided will be based on the latest released version of GitLab. For requests of previous versions of GitLab, we will annotate if a finding is fixed in the latest version, and what contextual information we have about open findings.

What scanner results are we accepting?

We accept results from any scanner, though the annotations will be based on the scanners we use in our environment. If a third-party security scanner is being used, we ask that you provide the following information for each vulnerability submitted to us:

  • Container(s) Name and Tag
  • Scanner Used

Finding Data Fields

For each finding, please include:

  • Package Name
  • Version
  • CVE id
  • Severity
  • Fix State
  • Fix Version, if available
  • Location/File Path
  • Artifact Type (OS Package, Library, etc.), if available

Please be sure to add any helpful context to your requests including environment details and specific security risks that you’re concerned about.

Findings need to be submitted in an editable file format, for example CSV, JSON or an internal spreadsheet.

Will GitLab review scanner results for vulnerabilities of all severities?

At this time, we are able to provide annotations for scanner results for Critical and High vulnerabilities. We are working to expand this to Medium and Low findings, but for now those annotations are provided on a best-effort basis.

SLO

Our goal is to reply to customer requests within 10 business days.

Where do I submit scanner findings that adhere to the standards outlined above?

If you are a customer, our Field Security team can open an issue in our issue tracker for you using this template to follow up on the request internally. Internal team members can open issues directly as long as the guidelines outlined above are followed.