Feature Request - Vulnerabilities Scan result API available before pipeline completes.

Submitting on behalf of a Federal Customer (available only to US citizen GitLab Employees) that has chosen to remain confidential.

Release notes

We require a pipeline configuration or GitLab API enhancement to enable pipelines to recognize when all security scans are completed, wait for their results to be processed, and utilize pipeline APIs to retrieve pipeline vulnerabilities accurately. This ensures that pipeline vulnerabilities are available for validation even before the pipeline completes.

Problem to solve

Currently, pipeline vulnerability APIs return zero vulnerabilities if the pipeline is not completed. This limitation prevents us from validating security scan results within the same pipeline and from automatically failing builds based on security findings.

This is a critical need for our trunk-based development strategy, where validation rules vary depending on the deployment environment. Directly reading scanner reports is insufficient as we require deduplication and inclusion of previously triaged findings. Implementing custom code for this functionality would duplicate GitLab's existing logic and risk breaking with GitLab upgrades.

Proposal

Introduce a mechanism (via pipeline configuration or GitLab API) to:

- Allow pipelines to determine when all security scans are completed.
- Wait for the pipeline to process and consolidate scan results.
- Retrieve deduplicated pipeline vulnerabilities through APIs even before pipeline completion.
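The following is an added illustration of the in-pipeline gate this request is asking for; it is not code from the issue or from GitLab. It separates the two parts that a validation job needs: a wait step that does not mistake "nothing returned yet" for "no vulnerabilities", and a per-environment policy check that skips findings already triaged. The REST call uses the existing `GET /api/v4/projects/:id/vulnerability_findings?pipeline_id=` endpoint; the finding field names (`name`, `severity`, `state`), the environment thresholds, and the `pipeline_complete` signal are assumptions made for the example, and the sample findings are constructed.

```python
import json
import os
import time
import urllib.request

# Severity order used when comparing findings against a threshold.
SEVERITY_RANK = {"info": 0, "unknown": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Assumed per-environment policy: fail when any finding is at or above this
# severity. Trunk-based development means the same commit is gated differently
# depending on where it is about to be deployed.
ENV_POLICY = {"dev": "critical", "staging": "high", "prod": "medium"}

# Assumed triage states that a human has already accepted; these must not block.
NON_BLOCKING_STATES = {"dismissed", "resolved"}

# Constructed sample findings in a simplified shape (assumed field names).
SAMPLE_FINDINGS = [
    {"name": "Outdated TLS library", "severity": "high", "state": "detected"},
    {"name": "Hard-coded credential (accepted risk)", "severity": "critical", "state": "dismissed"},
    {"name": "Verbose error page", "severity": "medium", "state": "detected"},
]


def fetch_pipeline_findings(base_url, project_id, pipeline_id, token):
    """Fetch findings for one pipeline from the GitLab REST API (not exercised offline)."""
    url = f"{base_url}/api/v4/projects/{project_id}/vulnerability_findings?pipeline_id={pipeline_id}&per_page=100"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_findings(fetch, is_complete, attempts=10, sleep=time.sleep, delay=15):
    """Poll until findings appear or report processing is confirmed complete.

    Returns (findings, complete). An empty list is only meaningful together
    with complete=True; until then it is indistinguishable from 'not processed'.
    """
    for _ in range(attempts):
        findings = fetch()
        complete = is_complete()
        if findings or complete:
            return findings, complete
        sleep(delay)
    return [], False


def blocking_findings(findings, environment):
    """Return the findings that violate the policy for the given environment."""
    threshold = SEVERITY_RANK[ENV_POLICY[environment]]
    return [
        f for f in findings
        if f.get("state", "detected") not in NON_BLOCKING_STATES
        and SEVERITY_RANK.get(f.get("severity", "unknown"), 1) >= threshold
    ]


def gate(findings, environment, pipeline_complete):
    """Decide pass/fail for the job. Returns (ok, reason)."""
    if not findings and not pipeline_complete:
        # This is exactly the failure mode the issue describes: the API answers
        # with zero findings before processing is done, so passing here would
        # silently approve an unscanned build.
        return False, "no findings returned and report processing not confirmed complete"
    bad = blocking_findings(findings, environment)
    if bad:
        names = ", ".join(f["name"] for f in bad)
        return False, f"{len(bad)} finding(s) at or above {ENV_POLICY[environment]} for {environment}: {names}"
    return True, "policy satisfied"


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; a real job would pass
    # a fetch closure built from fetch_pipeline_findings and CI variables.
    env = os.environ.get("DEPLOY_ENV", "staging")
    ok, reason = gate(SAMPLE_FINDINGS, env, pipeline_complete=True)
    print(f"[{env}] {'PASS' if ok else 'FAIL'}: {reason}")
    raise SystemExit(0 if ok else 1)
```

The `wait_for_findings` helper takes the fetch and completion checks as callables so the same logic runs unchanged against the live API or against stubs in a test; the important design point is that the gate never treats an empty result as clean unless completion has been confirmed.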

Intended users

Feature Usage Metrics

Does this feature require an audit event?