Draft: Add rake task to lint AI workflows scope
What does this MR do and why?
This is a very rough prototype of a new command, `bundle exec rake gitlab:graphql:validate_ai_workflows_scope`.
It takes a GraphQL query and verifies that every type and field the query reaches has the required things:
- authorization_scopes on types
- scopes on fields
In theory this is a first step whose output could be fed into the chain to our Duo agent, so the required scopes can be added semi-automatically based on a single query.
How to set up and validate locally
- Create a new GraphQL file in the repository root (let's name it `./test.graphql`). Real-world example:

```graphql
fragment Url on VulnerabilityDetailUrl {
  name
  href
}
fragment Diff on VulnerabilityDetailDiff {
  name
  before
  after
}
fragment Code on VulnerabilityDetailCode {
  name
  value
}
fragment FileLocation on VulnerabilityDetailFileLocation {
  name
  fileName
  lineStart
  lineEnd
}
fragment ModuleLocation on VulnerabilityDetailModuleLocation {
  name
  moduleName
  offset
}
fragment Commit on VulnerabilityDetailCommit {
  type: __typename
  name
  value
}
fragment Text on VulnerabilityDetailText {
  name
  value
}
fragment Markdown on VulnerabilityDetailMarkdown {
  name
  value
}
fragment Boolean on VulnerabilityDetailBoolean {
  name
  value
}
fragment Int on VulnerabilityDetailInt {
  name
  value
}
fragment NonNestedReportTypes on VulnerabilityDetail {
  ...FileLocation
  ...Url
  ...Diff
  ...Code
  ...Commit
  ...Markdown
  ...Text
  ...Int
  ...Boolean
  ...ModuleLocation
}
{
  vulnerability(id: "gid://gitlab/Vulnerability/567") {
    id
    title
    description
    reachability
    cveEnrichment {
      cve
      epssScore
      isKnownExploit
    }
    detectedAt
    initialDetectedPipeline {
      id
      name
      createdAt
    }
    location {
      __typename
      ... on VulnerabilityLocationClusterImageScanning {
        image
        kubernetesResource {
          agent {
            id
            name
            webPath
          }
        }
      }
      ... on VulnerabilityLocationContainerScanning {
        image
        containerRepositoryUrl
      }
      ... on VulnerabilityLocationCoverageFuzzing {
        blobPath
        crashAddress
        crashType
        endLine
        file
        stacktraceSnippet
        startLine
        vulnerableClass
        vulnerableMethod
      }
      ... on VulnerabilityLocationDast {
        path
      }
      ... on VulnerabilityLocationDependencyScanning {
        blobPath
        file
      }
      ... on VulnerabilityLocationGeneric {
        description
      }
      ... on VulnerabilityLocationSast {
        blobPath
        file
        startLine
      }
      ... on VulnerabilityLocationSecretDetection {
        blobPath
        file
        startLine
      }
    }
    details {
      __typename
      ...NonNestedReportTypes
    }
  }
}
```
- Run `bundle exec rake gitlab:graphql:validate_ai_workflows_scope[./test.graphql]`
- Observe the output
Example output
```text
AI workflows scope validation failed for ./test.graphql:
* type Vulnerability
  * fields missing ai_workflows scope:
    * cveEnrichment
    * details
    * detectedAt
    * initialDetectedPipeline
    * reachability
* type CveEnrichmentType (missing authorization scope)
  * fields missing ai_workflows scope:
    * cve
    * epssScore
    * isKnownExploit
* type Pipeline (missing authorization scope)
  * fields missing ai_workflows scope:
    * createdAt
    * id
    * name
* type VulnerabilityLocationClusterImageScanning (missing authorization scope)
  * fields missing ai_workflows scope:
    * image
    * kubernetesResource
* type VulnerableKubernetesResource (missing authorization scope)
  * fields missing ai_workflows scope:
    * agent
* type ClusterAgent (missing authorization scope)
  * fields missing ai_workflows scope:
    * id
    * name
    * webPath
* type VulnerabilityLocationContainerScanning (missing authorization scope)
  * fields missing ai_workflows scope:
    * containerRepositoryUrl
    * image
* type VulnerabilityLocationCoverageFuzzing (missing authorization scope)
  * fields missing ai_workflows scope:
    * blobPath
    * crashAddress
    * crashType
    * endLine
    * file
    * stacktraceSnippet
    * startLine
    * vulnerableClass
    * vulnerableMethod
* type VulnerabilityLocationDast (missing authorization scope)
  * fields missing ai_workflows scope:
    * path
* type VulnerabilityLocationDependencyScanning (missing authorization scope)
  * fields missing ai_workflows scope:
    * blobPath
    * file
* type VulnerabilityLocationGeneric (missing authorization scope)
  * fields missing ai_workflows scope:
    * description
* type VulnerabilityLocationSast
  * fields missing ai_workflows scope:
    * blobPath
* type VulnerabilityLocationSecretDetection (missing authorization scope)
  * fields missing ai_workflows scope:
    * blobPath
    * file
    * startLine
* type VulnerabilityDetailFileLocation (missing authorization scope)
  * fields missing ai_workflows scope:
    * fileName
    * lineEnd
    * lineStart
    * name
* type VulnerabilityDetailUrl (missing authorization scope)
  * fields missing ai_workflows scope:
    * href
    * name
* type VulnerabilityDetailDiff (missing authorization scope)
  * fields missing ai_workflows scope:
    * after
    * before
    * name
* type VulnerabilityDetailCode (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value
* type VulnerabilityDetailCommit (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value
* type VulnerabilityDetailMarkdown (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value
* type VulnerabilityDetailText (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value
* type VulnerabilityDetailInt (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value
* type VulnerabilityDetailBoolean (missing authorization scope)
  * fields missing ai_workflows scope:
    * name
    * value
* type VulnerabilityDetailModuleLocation (missing authorization scope)
  * fields missing ai_workflows scope:
    * moduleName
    * name
    * offset
```
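To make the check concrete, here is an added Ruby model of what the task does (this is illustrative code, not the rake task from this MR): it walks the fields a query selects, records for every type reached whether it carries the ai_workflows authorization scope and which selected fields lack it, and prints a report in the layout shown above. The mini-schema and the pre-parsed selection tree are constructed stand-ins; real use would derive both from the GraphQL schema and query AST.

```ruby
SCOPE = :ai_workflows

# Constructed mini-schema standing in for GitLab's GraphQL types (hypothetical scope values).
# type name => { scopes: authorization_scopes on the type, fields: { name => { scopes:, type: } } }
SCHEMA = {
  'Query' => { scopes: [:api, SCOPE], fields: {
    'vulnerability' => { scopes: [:api, SCOPE], type: 'Vulnerability' } } },
  'Vulnerability' => { scopes: [:api, SCOPE], fields: {
    'id' => { scopes: [:api, SCOPE], type: 'ID' },
    'title' => { scopes: [:api, SCOPE], type: 'String' },
    'detectedAt' => { scopes: [:api], type: 'Time' },
    'cveEnrichment' => { scopes: [:api], type: 'CveEnrichmentType' } } },
  'CveEnrichmentType' => { scopes: [:api], fields: {
    'cve' => { scopes: [:api], type: 'String' },
    'epssScore' => { scopes: [:api], type: 'Float' } } }
}.freeze

# The query as an already-parsed selection tree (constructed; the task would build
# this from the GraphQL AST). field name => nested selections, {} for leaves.
QUERY = { 'vulnerability' => { 'id' => {}, 'title' => {}, 'detectedAt' => {},
                               'cveEnrichment' => { 'cve' => {}, 'epssScore' => {} } } }.freeze

# Returns { type_name => { type_scoped: bool, missing_fields: [...] } } for every type
# the query reaches. A type reached via several paths is recorded once, fields de-duplicated.
def validate_scope(selections, type_name = 'Query', report = {})
  type_def = SCHEMA.fetch(type_name)
  entry = report[type_name] ||= { type_scoped: type_def[:scopes].include?(SCOPE), missing_fields: [] }
  selections.each do |field_name, sub|
    field = type_def[:fields].fetch(field_name)
    entry[:missing_fields] |= [field_name] unless field[:scopes].include?(SCOPE)
    # Only object types present in SCHEMA are descended into; scalars are leaves.
    validate_scope(sub, field[:type], report) if SCHEMA.key?(field[:type])
  end
  report
end

# Renders only the types with a problem, in the same layout as the task's output.
def format_report(report)
  report.reject { |_, e| e[:type_scoped] && e[:missing_fields].empty? }.flat_map do |name, e|
    lines = ["* type #{name}#{' (missing authorization scope)' unless e[:type_scoped]}"]
    unless e[:missing_fields].empty?
      lines << '  * fields missing ai_workflows scope:'
      lines.concat(e[:missing_fields].sort.map { |f| "    * #{f}" })
    end
    lines
  end.join("\n")
end

puts format_report(validate_scope(QUERY))
```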