GitLab has introduced a new feature that addresses two significant challenges in vulnerability management: code volatility and double reporting. Code volatility refers to the frequent changes in codebases that can reintroduce previously resolved vulnerabilities, while double reporting occurs when multiple security tools identify the same vulnerability. This new feature integrates advanced tracking mechanisms to tackle these issues, enhancing the accuracy and efficiency of vulnerability detection and management.
Julian Thome, Staff Backend Engineer at GitLab summarised the announcement in a blog post. Highlighting the challenges of tracking vulnerabilities in dynamic codebases and heterogeneous environments, Thome mentioned that this new feature is particularly useful for teams practicing DevSecOps.
In modern software development, DevSecOps integrates security into the development lifecycle, enabling teams to deliver features quickly while maintaining security standards. However, the dynamic nature of CI/CD pipelines and the use of multiple Static Application Security Testing (SAST) tools create two significant challenges. The first is code volatility, where frequent changes in codebases can reintroduce previously resolved vulnerabilities. The second is double reporting, where multiple tools report the same vulnerability, leading to duplication and inefficiency. These challenges make vulnerability management difficult for developers and security teams to identify unique issues and prioritize fixes effectively.
GitLab’s Advanced Vulnerability Tracking is designed to address these challenges by improving the accuracy and efficiency of vulnerability identification. The feature uses contextual information from generated syntax trees to scope vulnerabilities more precisely.
Traditional methods often rely on <file, line number> pairs to identify vulnerabilities. The new feature utilizes a method called “location fingerprinting,” which generates identifiers for vulnerabilities that are less fragile across code changes compared to traditional tracking methods.
A study conducted by GitLab demonstrated that its Advanced Vulnerability Tracking method is 30% more effective than traditional line-based tracking. The study also found that the benefits of this approach increase over time.
We saw an interesting conversation on Reddit about Centralized Vulnerability Management tools. The original poster invited suggestions for centralised vulnerability management tools from the tech community. The responses on the post included tools such as Qualsys, Tenable, Vanta, Plextrac, etc.
About narrowing down the vulnerability management tool, one of the Reddit users, Beneficial_West_7821, gave an insightful response,
…I highly recommend running a technical PoV and making sure you pay attention to things like compatibility in practise with your security tool landscape, as well as aggregation, de-duplication, configurability, dashboarding, reporting etc.
There is a very wide range of capability and maturity in the market, and performance can vary significantly (for example in ingestion and processing, as well as in responsiveness of the UI).
The findings from the study related to Advanced Vulnerability Tracking method will be presented at the 47th International Conference on Software Engineering (ICSE) 2025 in the Software Engineering in Practice Track. The preprint of the study is named “A Scalable, Effective, and Simple Vulnerability Tracking Approach for Heterogeneous SAST Setups Based on Scope+Offset,” authored by Lucas Charles, Jason Leasure, and Hua Yan.
