Add VR resolution to pipeline security report
What does this MR do and why?
This change adds the ability to resolve vulnerabilities with AI directly from the pipeline security report, similar to functionality that already existed in merge requests.
The code adds a "Resolve with AI" button to the vulnerability finding modal in the pipeline view, which allows users to generate AI-based fixes for security issues.
When a user successfully resolves a vulnerability with AI, they are automatically redirected to the resulting page (likely a merge request with the fix).
The implementation includes handling for the case where there is no merge request ID yet, updates to the GraphQL queries to check whether AI resolution is available for a vulnerability, and the addition of the necessary user permission checks. Tests were updated to verify that this new functionality works correctly.
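As an added illustration (not code from this MR or from GitLab), the two decisions the modal has to make: whether to render the "Resolve with AI" button at all (feature flag, per-finding availability from GraphQL, user permission), and what to do with the mutation result (error, no merge request yet, or a merge request to redirect to). The field names `aiResolutionAvailable`, `resolveVulnerabilityWithAi`, `errors` and `mergeRequest { id webUrl }` are assumptions standing in for the real schema, and the same-origin check on the redirect target is an added safeguard, not something the MR describes.

```javascript
// Added example, not the MR's own code. Field and permission names are
// assumed placeholders, not GitLab's real GraphQL schema.

// Origin of the GDK instance from the local setup steps (assumed default).
const LOCAL_ORIGIN = 'http://gdk.test:3000';

// Should the finding modal show the "Resolve with AI" button?
// All three gates must hold: the feature flag, the availability the
// GraphQL query reports for this finding, and the user's permission.
function canShowResolveWithAi({ featureFlagEnabled, finding, userPermissions }) {
  if (featureFlagEnabled !== true) return false;
  if (!finding || finding.aiResolutionAvailable !== true) return false; // assumed field
  return Boolean(userPermissions) && userPermissions.resolveVulnerabilityWithAi === true; // assumed permission
}

// Given the mutation result, return the path to redirect to, or null.
//   errors present -> null: caller surfaces the error and keeps the modal open
//   no MR ID yet   -> null: caller keeps the spinner, there is nothing to visit
//   MR present     -> a same-origin path only, so a malformed or unexpected
//                     webUrl can never send the user off the GitLab instance
function resolutionRedirectTarget(result, origin = LOCAL_ORIGIN) {
  if (!result) return null;
  if (Array.isArray(result.errors) && result.errors.length > 0) return null;
  const mr = result.mergeRequest;
  if (!mr || !mr.id || typeof mr.webUrl !== 'string') return null;
  let url;
  try {
    url = new URL(mr.webUrl, origin); // relative paths resolve against our own origin
  } catch (e) {
    return null;
  }
  if (url.origin !== origin) return null;
  return url.pathname + url.search + url.hash;
}
```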
References
Screenshots or screen recordings
Before | After
---|---
[screenshot] | [screenshot]
How to set up and validate locally
Prerequisites: Local Duo setup: https://docs.gitlab.com/development/duo_workflow/
- Enable the feature flag: http://gdk.test:3000/rails/features/pipeline_security_ai_vr
- Clone a project with resolvable findings (e.g. https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/cwe-samples)
- Follow the instructions to introduce a vulnerability: https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/cwe-samples#how-to-create-a-new-merge-request-to-test-with
- Run a pipeline and, once it has finished, navigate to its security report tab
- Verify the following:
  - The report includes the correct badge (within the activity column) for resolvable findings
  - When clicking on a resolvable finding, the "Resolve with AI" button is displayed within the modal
  - When clicking the "Resolve with AI" button, it first shows a loading spinner and, on completion, redirects to the newly created MR
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #546418