
Backend graphql changes for security finding token status

What does this MR do and why?

Issue: #556766 (closed)

Exposes MR finding token status data via the GraphQL API, with the corresponding resolver changes, and updates the refresh finding token status API so that it handles both default-branch vulnerabilities and MR findings.

Branched off !198831 (merged), will rebase when merged.

How to set up and validate locally

  1. In gdk, ensure you have an Ultimate license

  2. In rails c, Feature.enable(:validity_checks) and Feature.enable(:secret_detection_validity_checks_refresh_token) and Feature.enable(:validity_checks_security_finding_status)

  3. In Project > Secure > Security configuration, enable Pipeline Secret Detection. Ensure that the secret_detection job passes. You may have to set up your runner to use docker, instructions here: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/runner.md#executing-a-runner-from-within-docker

  4. In Project > Secure > Security configuration > Validity Checks, toggle the Validity Checks feature to true (or, in rails c, run project.security_setting.update!(validity_checks_enabled: true)).

  5. User > Edit profile > Access tokens > Add new token > Create a personal access token and copy the value to your clipboard. Ensure that it's a gitlab_personal_access_token or gitlab_personal_access_token_routable, and not gitlab_personal_access_token_routable_versioned which isn't in the config list. You can also create any type of token in the config list here instead of a PAT if that's easier.

  6. In your project, create an MR, create a file secrets.txt and paste your personal access token into it. Commit the file, skipping secret push protection if needed. Use a throw-away token created only for this test: it is committed to the repository in plaintext, and it gets revoked again later in these steps anyway.

  7. Wait for the secret detection job to finish

  8. In rails c, Security::Finding.last to get the security finding you just committed. Copy the uuid value, looks something like this: "9403e97a-b8e1-5138-a397-51d06716b7e5"

  9. In gdk.test:3000/-/graphql-explorer, run the following mutation:

mutation {
  refreshFindingTokenStatus(
    input: { securityFindingUuid: "<your-uuid-value>" }
  ) {
    errors
    findingTokenStatus {
      id
      status
      createdAt
      updatedAt
    }
  }
}

You should see something like:

{
  "data": {
    "refreshFindingTokenStatus": {
      "errors": [],
      "findingTokenStatus": {
        "id": "gid://gitlab/Security::FindingTokenStatus/6",
        "status": "ACTIVE",
        "createdAt": "2025-08-12T03:22:14Z",
        "updatedAt": "2025-08-12T05:34:07Z"
      }
    }
  },
  "correlationId": "01K2ECB1DVWBNN9X0M1ZWVWHV4"
}
  10. Note that it says "status": "ACTIVE".
  11. In the personal access token section again, revoke the token.
  12. In graphql explorer, run the above mutation again. Note that it now says "status": "INACTIVE", and the updatedAt value should be some time after the createdAt value.
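The two refresh calls in steps 9 to 12 can be scripted instead of pasted into the explorer. The Ruby below is an added example, not code from this MR or from GitLab: it builds the refreshFindingTokenStatus mutation for a UUID (validating the UUID first, so nothing but a well-formed UUID is ever spliced into the query), parses the response shape shown above, and checks the ACTIVE to INACTIVE transition. The /api/graphql path, the PRIVATE-TOKEN header and the gdk.test:3000 base URL are assumptions; the two sample responses at the bottom are constructed, not captured from a real instance.

```ruby
require 'json'
require 'net/http'
require 'time'
require 'uri'

UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Build the mutation from the validation steps. The uuid is checked against
# UUID_RE before it is interpolated, so a caller cannot smuggle extra GraphQL
# into the document through this argument.
def build_query(uuid)
  raise ArgumentError, "not a UUID: #{uuid.inspect}" unless uuid.match?(UUID_RE)

  <<~GQL
    mutation {
      refreshFindingTokenStatus(input: { securityFindingUuid: #{uuid.to_json} }) {
        errors
        findingTokenStatus { id status createdAt updatedAt }
      }
    }
  GQL
end

# POST the mutation to /api/graphql (assumed path) authenticating with a PAT in
# the PRIVATE-TOKEN header (assumed). Nothing else in this file needs the network.
def refresh_token_status(uuid, pat:, base_url: 'http://gdk.test:3000')
  uri = URI.join(base_url, '/api/graphql')
  req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json', 'PRIVATE-TOKEN' => pat)
  req.body = { query: build_query(uuid) }.to_json
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
  parse_token_status(res.body)
end

TokenStatus = Struct.new(:id, :status, :created_at, :updated_at)

# Extract findingTokenStatus from a response body. Failures can show up in the
# top-level "errors" array or in the mutation's own "errors" field, so both are
# checked before the payload is trusted.
def parse_token_status(body)
  doc = JSON.parse(body)
  top = doc['errors']
  raise "GraphQL errors: #{top.inspect}" if top && !top.empty?

  payload = doc.dig('data', 'refreshFindingTokenStatus') or raise 'missing refreshFindingTokenStatus'
  errs = payload['errors'] || []
  raise "mutation errors: #{errs.inspect}" unless errs.empty?

  ts = payload['findingTokenStatus'] or raise 'missing findingTokenStatus'
  TokenStatus.new(ts['id'], ts['status'], Time.iso8601(ts['createdAt']), Time.iso8601(ts['updatedAt']))
end

# The check behind steps 10 to 12: the same status record goes from ACTIVE to
# INACTIVE after the token is revoked, and updatedAt moves past createdAt and
# past the earlier refresh.
def transition_ok?(before, after)
  before.id == after.id &&
    before.status == 'ACTIVE' && after.status == 'INACTIVE' &&
    after.updated_at > after.created_at &&
    after.updated_at >= before.updated_at
end

# Constructed sample responses shaped like the one shown above (not captured
# from a real gdk instance).
SAMPLE_BEFORE = <<~JSON
  {"data":{"refreshFindingTokenStatus":{"errors":[],"findingTokenStatus":
   {"id":"gid://gitlab/Security::FindingTokenStatus/6","status":"ACTIVE",
    "createdAt":"2025-08-12T03:22:14Z","updatedAt":"2025-08-12T05:34:07Z"}}}}
JSON
SAMPLE_AFTER = <<~JSON
  {"data":{"refreshFindingTokenStatus":{"errors":[],"findingTokenStatus":
   {"id":"gid://gitlab/Security::FindingTokenStatus/6","status":"INACTIVE",
    "createdAt":"2025-08-12T03:22:14Z","updatedAt":"2025-08-12T05:41:52Z"}}}}
JSON

if $PROGRAM_NAME == __FILE__
  before = parse_token_status(SAMPLE_BEFORE)
  after  = parse_token_status(SAMPLE_AFTER)
  puts "transition ok: #{transition_ok?(before, after)}"
  # Against a running gdk (assumes the PAT in GITLAB_PAT and the uuid from step 8):
  # p refresh_token_status(ARGV[0], pat: ENV.fetch('GITLAB_PAT'))
end
```

To use it against gdk, run refresh_token_status once with the uuid from step 8, revoke the token as in step 11, run it again and feed the two results to transition_ok?. The UUID check matters because the page's mutation splices the value straight into the query text; in a script that takes the uuid from user input, that is the spot where unchecked input could alter the document.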

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Serena Fang
