Published on: March 12, 2025
GitLab provides detailed vulnerability risk data to assess the potential impact of detected vulnerabilities. Learn how this enables teams to effectively prioritize remediation efforts.
Development and security teams are often overwhelmed by the number of vulnerabilities they need to remediate. Many organizations remediate less than 16% of their known vulnerabilities monthly. Vulnerability management teams face a constant challenge: which security flaws deserve immediate attention? Three key frameworks help answer this question: the Common Vulnerability Scoring System (CVSS), the Known Exploited Vulnerabilities (KEV) catalog, and the Exploit Prediction Scoring System (EPSS). The GitLab 17.9 release adds support for these frameworks. In this article, you'll learn how to use this data within GitLab to efficiently prioritize risk across your dependency and container image vulnerabilities.
CVSS provides a standardized method for rating the severity of security vulnerabilities. Scores range from 0 to 10, with higher values indicating greater severity.
CVSS evaluates vulnerabilities across three dimension groups:
CVSS offers a consistent severity baseline and common language for security teams. Its comprehensive scoring methodology considers multiple aspects of a vulnerability's technical impact.
The Cybersecurity and Infrastructure Security Agency (CISA) maintains the KEV catalog, which identifies vulnerabilities actively exploited in the wild.
Unlike academic severity scores, KEV focuses on real-world threat intelligence. Each entry includes:
KEV provides actionable intelligence based on observed threat actor behavior. It cuts through scoring complexity with a binary signal: "This vulnerability is being actively exploited right now."
The EPSS uses machine learning to predict the likelihood a vulnerability will be exploited in the next 30 days. Scores range from 0 to 1 (or 0%-100%), representing probability.
EPSS analyzes hundreds of factors, including:
EPSS brings risk-based prioritization to vulnerability management. Rather than focusing solely on technical severity, it helps teams understand which vulnerabilities attackers are most likely to target.
Each framework serves a unique purpose:
An effective prioritization strategy leverages all three:
By combining these complementary frameworks, security teams can focus limited resources on the vulnerabilities that pose the greatest actual risk to their organizations. You can get started with prioritizing vulnerabilities with GitLab by:
Watch this video to learn more:
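To make the combined strategy concrete, here is an added Python example (not GitLab code) that ranks a constructed set of findings using all three signals: KEV membership first, then EPSS probability, then CVSS severity. The tier thresholds (EPSS 0.1, CVSS 9.0) and the CVE identifiers are assumptions chosen for illustration, not GitLab defaults; the example also handles findings that have no EPSS or CVSS value yet.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Vuln:
    """One finding as it might appear in a vulnerability report."""
    cve: str
    cvss: Optional[float]  # 0-10 severity; None if not yet scored
    epss: Optional[float]  # 0.0-1.0 probability of exploitation within 30 days; None if unknown
    kev: bool              # True if listed in the CISA KEV catalog


# Assumed policy: actively exploited > likely to be exploited > critical severity > backlog.
TIER_RANK = {"P1-exploited": 0, "P2-likely-exploited": 1, "P3-critical-severity": 2, "P4-backlog": 3}


def tier(v: Vuln) -> str:
    """Assign a remediation tier; thresholds are illustrative assumptions."""
    if v.kev:
        return "P1-exploited"            # observed in the wild: remediate first regardless of score
    if (v.epss or 0.0) >= 0.1:
        return "P2-likely-exploited"     # high predicted exploitation probability
    if (v.cvss or 0.0) >= 9.0:
        return "P3-critical-severity"    # severe impact, but no evidence attackers are targeting it
    return "P4-backlog"


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Order findings by tier, then by EPSS, then by CVSS (missing scores sort last)."""
    return sorted(
        vulns,
        key=lambda v: (TIER_RANK[tier(v)], -(v.epss or 0.0), -(v.cvss or 0.0)),
    )


# Constructed sample findings; the CVE identifiers are placeholders, not real entries.
SAMPLE = [
    Vuln("CVE-EXAMPLE-A", cvss=9.8, epss=0.02, kev=False),   # critical CVSS, low exploit probability
    Vuln("CVE-EXAMPLE-B", cvss=7.5, epss=0.35, kev=False),   # moderate CVSS, high EPSS
    Vuln("CVE-EXAMPLE-C", cvss=6.5, epss=None, kev=True),    # medium CVSS but on the KEV list
    Vuln("CVE-EXAMPLE-D", cvss=5.3, epss=0.01, kev=False),   # backlog
    Vuln("CVE-EXAMPLE-E", cvss=None, epss=0.15, kev=False),  # new CVE, not yet CVSS-scored
]


def ranked_ids(vulns: List[Vuln] = SAMPLE) -> List[str]:
    return [v.cve for v in prioritize(vulns)]


if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{tier(v):22} {v.cve}  cvss={v.cvss}  epss={v.epss}  kev={v.kev}")
```

Note that the KEV entry with a medium CVSS score outranks the CVSS 9.8 finding, which is exactly the reordering that severity alone would miss.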
GitLab provides built-in security scanning tools through its templates that can be integrated directly into your CI/CD pipeline. GitLab offers several security scanners that address different aspects of your application security:
To add them to your pipeline, include the appropriate templates in your .gitlab-ci.yml file. For example, adding SAST and Dependency Scanning to your pipeline is as simple as:
```yaml
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - test
```
Once you commit the above changes, security scanners will begin to run. These scanners can be further configured to meet the needs of your organization. To learn more about our various scanners, see the GitLab application security documentation.
Note: EPSS and KEV metrics are only provided for dependency and container image vulnerabilities.
Once a pipeline with your security scanners has run on the default branch, you can access the vulnerability report. The vulnerability report provides a consolidated view of all security vulnerabilities detected across your project by GitLab's security scanners. You can open it from your project's sidebar by selecting Secure > Vulnerability Report.
From the vulnerability report, select a vulnerability to see its insights page, which includes the severity, EPSS, KEV, and CVSS along with the following:
This data can be used to effectively triage, remediate, or mitigate the vulnerability.
Note: From the insights page, you can also leverage GitLab Duo’s AI capabilities to explain and auto-resolve a vulnerability.
After examining the provided data, you can change the status of the vulnerability by clicking the Change status button:
A popup then lets you select the vulnerability's new status:
When you dismiss a vulnerability you can choose one of the following reasons and optionally provide a comment:
And there you have it, quick and easy vulnerability risk prioritization with GitLab!
Get started today with a free, 60-day trial of GitLab Ultimate!
To learn more about GitLab security and governance features and how we can help enhance your security posture, check out the following resources: