Unable to apply predefined security attributes to new group projects

Summary

In newly created groups, predefined security attributes such as “Business impact - Missing critical” appear in the UI but cannot be applied to projects. Attempts to apply them return a GraphQL error: “Invalid attribute.”

Steps to Reproduce

  1. Log in as an administrator or root user.
  2. Create a new group and a project in it (or use one without existing security attributes).
  3. Go to Group → Security Inventory.
  4. Click Add attributes and select Business impact - Missing Critical.
  5. Save changes.
    Result: A GraphQL error appears, typically “Invalid attribute.”

Workaround

  1. Create any custom security attribute category.
  2. Retry applying the predefined attribute.
    Result: Predefined attributes such as “Business - Missing Critical” can now be applied successfully.

Error Details

Request:

{
  "operationName": "UpdateProjectAttributesMutation",
  "variables": {
    "input": {
      "projectId": "gid://gitlab/Project/78",
      "addAttributeIds": [
        "gid://gitlab/Security::Attribute/business_operational"
      ],
      "removeAttributeIds": []
    }
  }
}

Response:

{
  "data": {
    "securityAttributeProjectUpdate": {
      "addedCount": null,
      "removedCount": null,
      "errors": ["Invalid attributes"]
    }
  }
}

bug_reproduce_fix.mov

Possible Fix

TBD

Edited by Dheeraj Joshi