Create worker to sync security_finding_enrichments for existing vulnerabilities
Summary
When a security policy is created at the project or group level, existing vulnerabilities need to be enriched with KEV/EPSS data to enable policy evaluation against pre-existing findings.
Problem
Security policies that filter on KEV status or EPSS scores cannot evaluate pre-existing vulnerabilities, because security_finding_enrichments records are only created when a pipeline runs. When a security policy with a KEV/EPSS filter is deployed and no pipeline has since run on the default branch, the result is an inconsistent state:
- Pre-existing vulnerabilities lack enrichment data
- Policies cannot properly evaluate historical findings
Example Policy
approval_policy:
  - name: ''
    rules:
      - type: scan_finding
        vulnerability_states:
          - detected
          - confirmed
          - dismissed
          - resolved
        vulnerability_attributes:
          epss_score:
            value: 0.1
            operator: greater_than
See discussion for context: &16311 (comment 2999757659)
Proposal
Enqueue a background worker when a security policy is created that:
- Identifies all existing vulnerabilities in the default branch for the scope (project or group):
  Vulnerability.present_on_default_branch.joins(:findings).merge(Vulnerabilities::Finding.joins(:cve_identifiers))
- Creates security_finding_enrichments records with KEV/EPSS data
- Handles bulk enrichment efficiently
Acceptance Criteria
- When a security policy is created at project level, a worker is enqueued to enrich existing project vulnerabilities
- When a security policy is created at group level, a worker is enqueued to enrich existing vulnerabilities across all group projects
- Worker creates security_finding_enrichments records for vulnerabilities with identifiable CVEs
- Worker handles large volumes of vulnerabilities efficiently (batching/pagination)
- Worker is idempotent and handles re-runs safely
- Worker tracks completion status and handles failures gracefully
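As an added illustration (not GitLab's code and not the proposed worker itself), the plain Ruby below models the core loop that the Proposal and Acceptance Criteria describe: batched iteration, skipping findings without a CVE, writes keyed by finding id so re-runs are idempotent, per-finding failure tracking, and the example policy's epss_score rule. All names, the KEV/EPSS sample data and the in-memory store are assumptions standing in for the ActiveRecord models and the real feeds.

```ruby
# Added illustration, not GitLab's code: in-memory model of the proposed
# backfill worker's core loop. All names below are hypothetical.
Finding = Struct.new(:id, :cve)                 # cve is nil when unknown
Enrichment = Struct.new(:finding_id, :cve, :is_kev, :epss_score)

# Constructed KEV/EPSS data standing in for the real feed cache.
KEV_EPSS = {
  'CVE-2021-44228' => { kev: true,  epss: 0.97 },
  'CVE-2024-00001' => { kev: false, epss: 0.05 }
}.freeze

def kev_epss_lookup(cve)
  KEV_EPSS[cve] # nil when the feed has no entry for this CVE
end

# Batches findings; skips those without a CVE or feed data; keys the stored
# enrichment by finding id so re-runs are idempotent; a lookup error is
# counted as a failure for that finding without aborting the run.
def enrich_findings(findings, store, batch_size: 100, lookup: method(:kev_epss_lookup))
  stats = { processed: 0, enriched: 0, skipped: 0, failed: 0 }
  findings.each_slice(batch_size) do |batch|
    batch.each do |finding|
      stats[:processed] += 1
      if finding.cve.to_s.empty?
        stats[:skipped] += 1
        next
      end
      begin
        data = lookup.call(finding.cve)
      rescue StandardError
        stats[:failed] += 1
        next
      end
      if data.nil?
        stats[:skipped] += 1
        next
      end
      store[finding.id] = Enrichment.new(finding.id, finding.cve, data[:kev], data[:epss])
      stats[:enriched] += 1
    end
  end
  stats
end

# Mirrors the example policy's epss_score rule (value + operator).
def policy_matches?(enrichment, operator:, value:)
  raise ArgumentError, "unsupported operator: #{operator}" unless operator == 'greater_than'
  enrichment.epss_score > value
end
```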