feat: Include resolution comment when auto-resolving vulnerabilities
What does this MR do and why?
As a follow-up to !95422 (merged), we now have the capability to auto-resolve vulnerabilities when an analyzer has removed their vulnerability type from our default scanner rulesets. To make that automation clear to users, the auto-resolution should be accompanied by a comment that explains why the vulnerability was resolved.
This feature is currently behind a feature flag; see the rollout issue: #375128 (closed)
Screenshots or screen recordings
Before/After screenshot table (images not preserved in this page).
How to set up and validate locally
Test project export using modified fixtures: 2022-08-16_16-45-709_root_go_export.tar.gz
- Enable the feature flag: `Feature.enable(:sec_mark_dropped_findings_as_resolved)`
- Run the default pipeline
- Confirm the presence of 3 vulnerabilities on the dashboard
- Update `.gitlab-ci.yml` to reference `gl-sast-report.tests-go-with-scan-primary-identifiers.json`
- Confirm no change in behavior (still 3 vulnerabilities on the dashboard)
- Update `.gitlab-ci.yml` to reference `gl-sast-report.tests-go-with-scan-primary-identifiers-dropping-G104.json`
- Confirm auto-resolution of the dropped identifier (2 remaining detected vulnerabilities, 1 resolved and no longer detected)
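The validation steps above exercise three outcomes for a previously known finding: still detected, auto-resolved because the analyzer dropped its rule, or simply no longer detected. The Ruby below is an added example, not code from this MR or from GitLab, that reconciles a previous report against a current one and attaches the resolution comment only in the dropped-rule case. It assumes the report's `scan.primary_identifiers` array is the signal for which rules the ruleset still contains, that a finding's first identifier is its primary one, and uses constructed reports whose rule ids and finding uuids are hypothetical. It also goes beyond the page by including a same-ruleset case where a finding disappears without its rule being dropped, which must not be auto-resolved.

```ruby
# Build a constructed GitLab-style SAST report hash (sample data, not the MR's
# fixtures). `rule_ids` stands in for the `scan.primary_identifiers` field,
# which is assumed to list every rule the analyzer's ruleset can emit.
def build_report(rule_ids, findings)
  {
    'scan' => {
      'scanner' => { 'id' => 'gosec', 'name' => 'Gosec' },
      'primary_identifiers' => rule_ids.map { |r| { 'type' => 'gosec_rule_id', 'value' => r } }
    },
    'vulnerabilities' => findings.map { |(uuid, rule_id, name)|
      { 'uuid' => uuid, 'name' => name,
        'identifiers' => [{ 'type' => 'gosec_rule_id', 'value' => rule_id }] }
    }
  }
end

# Previous scan: three findings, one per rule (hypothetical uuids f1..f3).
PREVIOUS = build_report(%w[G101 G104 G404],
                        [['f1', 'G101', 'Hardcoded credentials'],
                         ['f2', 'G104', 'Errors unhandled'],
                         ['f3', 'G404', 'Insecure random']])

# Same ruleset, but this run did not report f2: the rule still exists, so this
# is "no longer detected", not an auto-resolve candidate.
SAME_RULESET_F2_GONE = build_report(%w[G101 G104 G404],
                                    [['f1', 'G101', 'Hardcoded credentials'],
                                     ['f3', 'G404', 'Insecure random']])

# Ruleset dropped G104 and f2 is gone: f2 is auto-resolved with a comment.
DROPPING_G104 = build_report(%w[G101 G404],
                             [['f1', 'G101', 'Hardcoded credentials'],
                              ['f3', 'G404', 'Insecure random']])

def identifier_key(identifier)
  "#{identifier['type']}:#{identifier['value']}"
end

# Set of "type:value" keys the current ruleset can still emit.
def primary_identifier_keys(report)
  report.dig('scan', 'primary_identifiers').to_a.map { |i| identifier_key(i) }
end

# Map of finding uuid => primary identifier key (first identifier is primary).
def finding_keys(report)
  report['vulnerabilities'].map { |v| [v['uuid'], identifier_key(v['identifiers'].first)] }.to_h
end

# Returns { uuid => { state:, comment: } } for every finding from the previous scan.
# Only findings whose rule was removed from the ruleset are auto-resolved; the
# comment records the reason so the automation is visible on the vulnerability.
def reconcile(previous, current, scanner_name: current.dig('scan', 'scanner', 'name'))
  current_rules = primary_identifier_keys(current)
  current_findings = finding_keys(current)
  # A report with no primary_identifiers gives no information about the ruleset,
  # so dropped-rule resolution is never inferred from it.
  ruleset_known = !current_rules.empty?

  finding_keys(previous).each_with_object({}) do |(uuid, rule_key), out|
    if current_findings.key?(uuid)
      out[uuid] = { state: :detected, comment: nil }
    elsif ruleset_known && !current_rules.include?(rule_key)
      rule_id = rule_key.split(':').last
      out[uuid] = { state: :resolved,
                    comment: "Auto-resolved: #{scanner_name} no longer reports rule #{rule_id}; " \
                             'it was removed from the default ruleset.' }
    else
      out[uuid] = { state: :no_longer_detected, comment: nil }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  reconcile(PREVIOUS, DROPPING_G104).each { |uuid, r| puts "#{uuid}: #{r[:state]} #{r[:comment]}" }
end
```

Running the file prints one line per finding for the dropped-G104 case: f1 and f3 detected, f2 resolved with the explanatory comment. Keeping the "no longer detected" branch separate from "resolved" is the point of the check: a finding that vanishes while its rule is still in the ruleset may be a real fix or a scanner regression, and should not be silently closed.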
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Lucas Charles