
Draft: Add rake task to lint AI workflows scope

What does this MR do and why?

This is a very rough prototype of a new command, bundle exec rake gitlab:graphql:validate_ai_workflows_scope. It verifies that a given GraphQL query has all the required things:

  • authorization_scopes on types
  • scopes on fields

Theoretically this is a first step that could be fed into a chain for our duo agent, so that the required things can be added semi-automatically based on a single query.

How to set up and validate locally

Create a new GraphQL file in the repository root (let's name it ./test.graphql) containing the query to check.

Real-world example (the contents of ./test.graphql):
fragment Url on VulnerabilityDetailUrl {
  name
  href
}

fragment Diff on VulnerabilityDetailDiff {
  name
  before
  after
}

fragment Code on VulnerabilityDetailCode {
  name
  value
}

fragment FileLocation on VulnerabilityDetailFileLocation {
  name
  fileName
  lineStart
  lineEnd
}

fragment ModuleLocation on VulnerabilityDetailModuleLocation {
  name
  moduleName
  offset
}

fragment Commit on VulnerabilityDetailCommit {
  type: __typename
  name
  value
}

fragment Text on VulnerabilityDetailText {
  name
  value
}

fragment Markdown on VulnerabilityDetailMarkdown {
  name
  value
}

fragment Boolean on VulnerabilityDetailBoolean {
  name
  value
}

fragment Int on VulnerabilityDetailInt {
  name
  value
}

fragment NonNestedReportTypes on VulnerabilityDetail {
  ...FileLocation
  ...Url
  ...Diff
  ...Code
  ...Commit
  ...Markdown
  ...Text
  ...Int
  ...Boolean
  ...ModuleLocation
}

{
  vulnerability(id: "gid://gitlab/Vulnerability/567") {
    id
    title
    description
    reachability
    cveEnrichment {
      cve
      epssScore
      isKnownExploit
    }
    detectedAt
    initialDetectedPipeline {
      id
      name
      createdAt

    }
    location {
      __typename
      ... on VulnerabilityLocationClusterImageScanning {
        image
        kubernetesResource {
          agent {
            id
            name
            webPath
          }
        }
      }
      ... on VulnerabilityLocationContainerScanning {
        image
        containerRepositoryUrl
      }
      ... on VulnerabilityLocationCoverageFuzzing {
        blobPath
        crashAddress
        crashType
        endLine
        file
        stacktraceSnippet
        startLine
        vulnerableClass
        vulnerableMethod
      }
      ... on VulnerabilityLocationDast {
        path
      }
      ... on VulnerabilityLocationDependencyScanning {
        blobPath
        file
      }
      ... on VulnerabilityLocationGeneric {
        description
      }
      ... on VulnerabilityLocationSast {
        blobPath
        file
        startLine
      }
      ... on VulnerabilityLocationSecretDetection {
        blobPath
        file
        startLine
      }
    }
    details {
      __typename

      ...NonNestedReportTypes
    }
  }
}

  • Run bundle exec rake gitlab:graphql:validate_ai_workflows_scope[./test.graphql] (in zsh, quote the task name, otherwise the brackets are treated as a glob)
  • Observe the output

Example output:
AI workflows scope validation failed for ./test.graphql:

* type Vulnerability
  * fields missing ai_workflows scope:
    * cveEnrichment
    * details
    * detectedAt
    * initialDetectedPipeline
    * reachability

* type CveEnrichmentType (missing authorization scope)
  * fields missing ai_workflows scope:
    * cve
    * epssScore
    * isKnownExploit

* type Pipeline (missing authorization scope)
  * fields missing ai_workflows scope:
    * createdAt
    * id
    * name

* type VulnerabilityLocationClusterImageScanning (missing authorization scope)
  * fields missing ai_workflows scope:
    * image
    * kubernetesResource

* type VulnerableKubernetesResource (missing authorization scope)
  * fields missing ai_workflows scope:
    * agent

* type ClusterAgent (missing authorization scope)
  * fields missing ai_workflows scope:
    * id
    * name
    * webPath

* type VulnerabilityLocationContainerScanning (missing authorization scope)
  * fields missing ai_workflows scope:
    * containerRepositoryUrl
    * image

* type VulnerabilityLocationCoverageFuzzing (missing authorization scope)
  * fields missing ai_workflows scope:
    * blobPath
    * crashAddress
    * crashType
    * endLine
    * file
    * stacktraceSnippet
    * startLine
    * vulnerableClass
    * vulnerableMethod

* type VulnerabilityLocationDast (missing authorization scope)
  * fields missing ai_workflows scope:
    * path

* type VulnerabilityLocationDependencyScanning (missing authorization scope)
  * fields missing ai_workflows scope:
    * blobPath
    * file

* type VulnerabilityLocationGeneric (missing authorization scope)
  * fields missing ai_workflows scope:
    * description

* type VulnerabilityLocationSast
  * fields missing ai_workflows scope:
    * blobPath

* type VulnerabilityLocationSecretDetection (missing authorization scope)
  * fields missing ai_workflows scope:
    * blobPath
    * file
    * startLine

* type VulnerabilityDetailFileLocation (missing authorization scope)
  * fields missing ai_workflows scope:
    * fileName
    * lineEnd
    * lineStart
    * name

* type VulnerabilityDetailUrl (missing authorization scope)
  * fields missing ai_workflows scope:
    * href
    * name

* type VulnerabilityDetailDiff (missing authorization scope)
  * fields missing ai_workflows scope:
    * after
    * before
    * name

* type VulnerabilityDetailCode (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value

* type VulnerabilityDetailCommit (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value

* type VulnerabilityDetailMarkdown (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value

* type VulnerabilityDetailText (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value

* type VulnerabilityDetailInt (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value

* type VulnerabilityDetailBoolean (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value

* type VulnerabilityDetailModuleLocation (missing authorization scope)
  * fields missing ai_workflows scope:
    * moduleName
    * name
    * offset
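
As an added example that is not part of this MR, the walk such a task has to perform, written in Ruby over a constructed schema subset (SCHEMA) and a hand-built selection tree (QUERY), both assumed shapes: the real task would read the application's Types::* classes and parse the file with the graphql gem. validate_scope checks each selected field for the ai_workflows scope and each reached type for authorization_scopes, re-roots the walk on the concrete type of an inline fragment, and format_report renders the findings in the same shape as the output above.

```ruby
# Added example (not the MR's code). SCHEMA is a constructed subset shaped after the
# MR's output; a real task would read the app's Types::* classes and the graphql gem.
SCOPE = :ai_workflows
BASE = [:api, :read_api].freeze            # constructed default scopes (no ai_workflows)
OK = (BASE + [SCOPE]).freeze
SCHEMA = {
  'Vulnerability' => { scopes: OK, fields: {
    'id' => { scopes: OK }, 'title' => { scopes: OK }, 'reachability' => { scopes: BASE },
    'cveEnrichment' => { scopes: BASE, type: 'CveEnrichmentType' },
    'location' => { scopes: OK, type: 'VulnerabilityLocation' } } },
  'CveEnrichmentType' => { scopes: BASE, fields: { 'cve' => { scopes: BASE }, 'epssScore' => { scopes: BASE } } },
  'VulnerabilityLocation' => { scopes: OK, fields: {} },   # union: members are reached via inline fragments
  'VulnerabilityLocationSast' => { scopes: OK, fields: { 'file' => { scopes: OK }, 'blobPath' => { scopes: BASE } } }
}.freeze

# selections is { field_name => nested selections or nil }; an inline fragment is keyed
# '... on TypeName' and re-roots the walk on that concrete type (union/interface members).
def validate_scope(type_name, selections, findings = {})
  type = SCHEMA.fetch(type_name)
  entry = findings[type_name] ||= { missing_authorization: !type[:scopes].include?(SCOPE), fields: [] }
  selections.each do |name, nested|
    next validate_scope(name.delete_prefix('... on '), nested, findings) if name.start_with?('... on ')
    next if name.start_with?('__')           # introspection fields (__typename) carry no scopes
    field = type[:fields].fetch(name)
    entry[:fields] << name unless field[:scopes].include?(SCOPE)
    validate_scope(field[:type], nested, findings) if nested && field[:type]
  end
  findings
end

# Renders findings in the same shape as the task's output; types with no problem are omitted.
def format_report(path, findings)
  failing = findings.select { |_, f| f[:missing_authorization] || f[:fields].any? }
  return "AI workflows scope validation passed for #{path}" if failing.empty?
  lines = ["AI workflows scope validation failed for #{path}:", '']
  failing.each do |name, f|
    lines << "* type #{name}#{' (missing authorization scope)' if f[:missing_authorization]}"
    lines << '  * fields missing ai_workflows scope:' if f[:fields].any?
    f[:fields].sort.each { |field| lines << "    * #{field}" }
    lines << ''
  end
  lines.join("\n")
end

# Constructed selection tree mirroring part of the MR's ./test.graphql
QUERY = { 'id' => nil, 'title' => nil, 'reachability' => nil,
          'cveEnrichment' => { 'cve' => nil, 'epssScore' => nil },
          'location' => { '__typename' => nil, '... on VulnerabilityLocationSast' => { 'blobPath' => nil, 'file' => nil } } }.freeze
puts format_report('./test.graphql', validate_scope('Vulnerability', QUERY))
```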

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
