
Trigger webhook events on vulnerability dismissal

What does this MR do and why?

feat: Trigger webhook events on vulnerability dismissal

Trigger webhook events after dismissing vulnerabilities.

References

#549727 (closed)

Screenshots or screen recordings

Screencast attachment: Monosnap_screencast_2025-07-17_6_PM-26-34

How to set up and validate locally

Prep work

  1. Ensure you have Docker running on your machine.
  2. Run the following to start an instance of request-baskets: docker run --pull always --rm -ti -p 1234:55555 darklynx/request-baskets
  3. In a new tab, visit http://localhost:1234/web, click 'Create' and then 'Open Basket'.
  4. Copy into your clipboard the URL listed as part of "This basket is empty, send requests to http://localhost:1234/<basket> and they will appear here."

GDK

  1. In a new tab, bring up your GDK, ensuring you have an EE license configured.
  2. Create a new Project, calling it vulnerabilities-webhook-events.
  3. Visit Settings > Webhooks and click 'Add a new webhook'.
  4. In the 'URL' field, enter the URL obtained from Prep work step 4.
  5. Scroll down until you see 'Vulnerability events' and check the box.
  6. Uncheck the 'Enable SSL verification' checkbox unless you have HTTPS configured for your GDK and click 'Add webhook'.

Test 'Vulnerability events'

  1. Create an MR that introduces a vulnerability in the project.
  2. Merge the MR with the vulnerability.
  3. Go to "Secure" -> "Vulnerability report".
  4. Dismiss vulnerabilities in bulk, or click on a vulnerability and select Dismiss.

Example event
{
  "object_kind": "vulnerability",
  "object_attributes": {
    "url": "http://gdk.test:3000/gitlab-org/verifications/366770-add-vulnerabi-17Jul25/-/security/vulnerabilities/575",
    "title": "Improperly controlled modification of dynamically-determined object attributes",
    "state": "dismissed",
    "project_id": 50,
    "location": {
      "file": "test.rb",
      "start_line": 5
    },
    "cvss": [],
    "severity": "medium",
    "severity_overridden": false,
    "identifiers": [
      {
        "name": "A6:2017 - Security Misconfiguration",
        "external_id": "A6:2017",
        "external_type": "owasp",
        "url": null
      },
      {
        "name": "CWE-915",
        "external_id": "915",
        "external_type": "cwe",
        "url": "https://cwe.mitre.org/data/definitions/915.html"
      },
      {
        "name": "brakeman.ruby_mass_assignment_rule-UnprotectedMassAssign",
        "external_id": "brakeman.ruby_mass_assignment_rule-UnprotectedMassAssign",
        "external_type": "semgrep_id",
        "url": null
      },
      {
        "name": "A08:2021 - Software and Data Integrity Failures",
        "external_id": "A08:2021",
        "external_type": "owasp",
        "url": null
      },
      {
        "name": "Brakeman Warning Code 54",
        "external_id": "54",
        "external_type": "brakeman_warning_code",
        "url": null
      }
    ],
    "issues": [],
    "report_type": "sast",
    "confirmed_at": null,
    "confirmed_by_id": null,
    "dismissed_at": "2025-07-17 13:24:57 UTC",
    "dismissed_by_id": 1,
    "resolved_on_default_branch": false,
    "created_at": "2025-07-17 13:03:49 UTC",
    "updated_at": "2025-07-17 13:24:57 UTC"
  }
}
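The receiver side of the procedure above, as an added example that is not part of this MR or of GitLab's code: a minimal handler for the vulnerability webhook that checks the delivery's X-Gitlab-Token header against the webhook's secret token in constant time (the secret token is a field on the webhook form that the steps above leave unset; the value here is a placeholder), accepts only vulnerability events in state "dismissed", extracts the fields a triage team cares about, and flags dismissals of high/critical findings or of findings whose severity was manually overridden. The sample body is a trimmed copy of the example event shown above; the review-severity policy is an assumption, not GitLab behaviour.

```python
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Assumption: the webhook was created with a secret token. GitLab sends that token back in the
# X-Gitlab-Token header of every delivery. This value is a placeholder, not from the page.
WEBHOOK_SECRET = "replace-with-a-long-random-value"

# Policy choice for this example: dismissals at these severities get a second look.
REVIEW_SEVERITIES = {"high", "critical"}

# Constructed sample body: the page's example dismissal event, trimmed to the fields used here.
SAMPLE_BODY = json.dumps({
    "object_kind": "vulnerability",
    "object_attributes": {
        "url": "http://gdk.test:3000/gitlab-org/verifications/366770-add-vulnerabi-17Jul25/-/security/vulnerabilities/575",
        "title": "Improperly controlled modification of dynamically-determined object attributes",
        "state": "dismissed",
        "project_id": 50,
        "location": {"file": "test.rb", "start_line": 5},
        "severity": "medium",
        "severity_overridden": False,
        "identifiers": [
            {"name": "A6:2017 - Security Misconfiguration", "external_id": "A6:2017",
             "external_type": "owasp", "url": None},
            {"name": "CWE-915", "external_id": "915", "external_type": "cwe",
             "url": "https://cwe.mitre.org/data/definitions/915.html"},
        ],
        "report_type": "sast",
        "dismissed_at": "2025-07-17 13:24:57 UTC",
        "dismissed_by_id": 1,
    },
})


@dataclass
class Dismissal:
    project_id: int
    url: str
    title: str
    severity: str
    severity_overridden: bool
    report_type: str
    file: Optional[str]
    start_line: Optional[int]
    cwes: list
    dismissed_by_id: Optional[int]
    dismissed_at: Optional[str]


def token_valid(headers: dict, secret: str) -> bool:
    """Constant-time comparison of the X-Gitlab-Token header with the configured secret."""
    presented = headers.get("X-Gitlab-Token", "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def parse_dismissal(body: str) -> Optional[Dismissal]:
    """Return a Dismissal for a vulnerability event in state 'dismissed', otherwise None."""
    event = json.loads(body)
    if event.get("object_kind") != "vulnerability":
        return None
    attrs = event.get("object_attributes") or {}
    if attrs.get("state") != "dismissed":
        return None
    location = attrs.get("location") or {}
    # Only the CWE identifiers; OWASP, brakeman and semgrep identifiers are ignored here.
    cwes = [i["external_id"] for i in attrs.get("identifiers", [])
            if i.get("external_type") == "cwe"]
    return Dismissal(
        project_id=attrs["project_id"],  # required: a KeyError here becomes a 400 in handle()
        url=attrs.get("url", ""),
        title=attrs.get("title", ""),
        severity=attrs.get("severity", "unknown"),
        severity_overridden=bool(attrs.get("severity_overridden", False)),
        report_type=attrs.get("report_type", "unknown"),
        file=location.get("file"),
        start_line=location.get("start_line"),
        cwes=cwes,
        dismissed_by_id=attrs.get("dismissed_by_id"),
        dismissed_at=attrs.get("dismissed_at"),
    )


def needs_review(d: Dismissal) -> bool:
    """Flag dismissals of high/critical findings or of findings whose severity was overridden."""
    return d.severity in REVIEW_SEVERITIES or d.severity_overridden


def handle(headers: dict, body: str, secret: str = WEBHOOK_SECRET):
    """Receiver entry point returning (http_status, Dismissal or None).

    401 for a missing or wrong token, 400 for an unparsable body, 200 with None for
    vulnerability events that are accepted but are not dismissals.
    """
    if not token_valid(headers, secret):
        return 401, None
    try:
        dismissal = parse_dismissal(body)
    except (ValueError, KeyError, TypeError):
        return 400, None
    return 200, dismissal
```

Note that the payload carries dismissed_by_id but no user name, so a real receiver has to resolve the user through the API or an audit log before it can attribute the dismissal; and the token check must run before the body is parsed, so that an unauthenticated sender cannot drive the JSON parser.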

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Imam Hossain
