Gitlab hero border pattern left svg Gitlab hero border pattern right svg

VUL.1.01 - Vulnerability Scans Control Guidance

On this page

VUL.1.01 - Vulnerability Scans

Control Statement

GitLab conducts vulnerability scans against the production environment; scan tools are updated prior to running scans.


This control is fairly straightforward. We have flexibility in how we perform these scans, but the burden of proof will be on GitLab to show that we are scanning all systems and that we are checking for the more relevant vulnerabilities. This control is meant to ensure we regularly assessing the state of all production systems. The update part of this control ensures we are always checking for the most recent vulnerabilities we know about. When properly applied, this control will help us generate a list of the risk associated with each GitLab system and help us prioritize security resources dedicated to remediation. This control can also be valuable in validating the device inventory (see control # AM.1.01).


This control applies to all systems within the GitLab production environment.



Implementation Guidance

For detailed implementation guidance relevant to GitLab team-members, refer to the full guidance documentation.

For all reference links relevant to this control, refer to the full guidance documentation.

Examples of evidence an auditor might request to satisfy this control

For examples of evidence an auditor might request, refer to the full guidance documentation.

Framework Mapping