Backend graphql changes for security finding token status
What does this MR do and why?
Issue: #556766 (closed)
Expose MR finding token status data via GraphQL API, corresponding changes to resolver, updates to refresh finding token status API to handle both default branch vulnerabilities and MR findings.
Branched off !198831 (merged), will rebase when merged.
References
Screenshots or screen recordings
How to set up and validate locally
- In gdk, ensure you have an Ultimate license
- In rails c, `Feature.enable(:validity_checks)` and `Feature.enable(:secret_detection_validity_checks_refresh_token)` and `Feature.enable(:validity_checks_security_finding_status)`
- In Project > Secure > Security configuration, enable Pipeline Secret Detection. Ensure that the `secret_detection` job passes. You may have to set up your runner to use docker, instructions here: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/runner.md#executing-a-runner-from-within-docker
- In Project > Secure > Security configuration > Validity Checks, toggle the Validity Checks feature to true (or in rails c, `project.security_setting.update!(validity_checks_enabled: true)`)
- User > Edit profile > Access tokens > Add new token > Create a personal access token and copy the value to your clipboard. Ensure that it's a gitlab_personal_access_token or gitlab_personal_access_token_routable, and not `gitlab_personal_access_token_routable_versioned`, which isn't in the config list. You can also create any type of token in the config list here instead of a PAT if that's easier.
- In your project, create an MR, create a file `secrets.txt` and paste your personal access token into it. Commit the file, skipping secret push protection if needed.
- Wait for the secret detection job to finish
- In rails c, `Security::Finding.last` to get the security finding you just committed. Copy the `uuid` value, looks something like this: `"9403e97a-b8e1-5138-a397-51d06716b7e5"`
- In gdk.test:3000/-/graphql-explorer, run the following mutation:

  ```graphql
  mutation {
    refreshFindingTokenStatus(
      input: { securityFindingUuid: <your-uuid-value> }
    ) {
      errors
      findingTokenStatus {
        id
        status
        createdAt
        updatedAt
      }
    }
  }
  ```

  You should see something like:

  ```json
  {
    "data": {
      "refreshFindingTokenStatus": {
        "errors": [],
        "findingTokenStatus": {
          "id": "gid://gitlab/Security::FindingTokenStatus/6",
          "status": "ACTIVE",
          "createdAt": "2025-08-12T03:22:14Z",
          "updatedAt": "2025-08-12T05:34:07Z"
        }
      }
    },
    "correlationId": "01K2ECB1DVWBNN9X0M1ZWVWHV4"
  }
  ```

- Note that it says `"status": "ACTIVE"`
- In the personal access token section again, revoke the token
- In graphql explorer, run the above mutation again. Note that it now says `"status": "INACTIVE"`, and the `updatedAt` value should be some time after the `createdAt` value
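The validation steps above can be scripted instead of eyeballed in the explorer. The example below is added here and is not code from this MR or from GitLab; it builds the same `refreshFindingTokenStatus` request (passing the UUID as a GraphQL variable, whose `String!` type is an assumption about the schema) and checks the before/after-revocation responses for the ACTIVE to INACTIVE transition and the advancing `updatedAt`, using constructed sample responses shaped like the one shown above.

```python
import json
from datetime import datetime

GRAPHQL_URL = "http://gdk.test:3000/api/graphql"  # GDK GraphQL endpoint (assumed path)

# Same mutation as in the validation steps, with the UUID passed as a GraphQL
# variable rather than spliced into the query text. String! is an assumed type.
REFRESH_MUTATION = """
mutation RefreshTokenStatus($uuid: String!) {
  refreshFindingTokenStatus(input: { securityFindingUuid: $uuid }) {
    errors
    findingTokenStatus { id status createdAt updatedAt }
  }
}
"""

def build_request(finding_uuid: str) -> dict:
    """JSON body to POST to GRAPHQL_URL (authenticate with a PRIVATE-TOKEN header)."""
    return {"query": REFRESH_MUTATION, "variables": {"uuid": finding_uuid}}

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_refresh_response(body: str) -> dict:
    """Return the findingTokenStatus record, or raise if the mutation reported errors."""
    result = json.loads(body)["data"]["refreshFindingTokenStatus"]
    if result["errors"]:
        raise ValueError(f"mutation errors: {result['errors']}")
    return result["findingTokenStatus"]

def verify_revocation(before_body: str, after_body: str) -> bool:
    """Expect ACTIVE before revoking the token, INACTIVE after, same record, updatedAt advanced."""
    before, after = parse_refresh_response(before_body), parse_refresh_response(after_body)
    return (
        before["status"] == "ACTIVE"
        and after["status"] == "INACTIVE"
        and before["id"] == after["id"]
        and _ts(before["updatedAt"]) >= _ts(before["createdAt"])
        and _ts(after["updatedAt"]) > _ts(before["updatedAt"])
    )

def _response(status: str, updated_at: str) -> str:
    # Constructed sample responses, shaped like the explorer output shown in the MR.
    return json.dumps({"data": {"refreshFindingTokenStatus": {"errors": [], "findingTokenStatus": {
        "id": "gid://gitlab/Security::FindingTokenStatus/6", "status": status,
        "createdAt": "2025-08-12T03:22:14Z", "updatedAt": updated_at}}}})

BEFORE_REVOKE = _response("ACTIVE", "2025-08-12T05:34:07Z")
AFTER_REVOKE = _response("INACTIVE", "2025-08-12T05:40:51Z")
```

`verify_revocation(BEFORE_REVOKE, AFTER_REVOKE)` returns `True` for the constructed pair; feed it the two real explorer responses to automate the last three steps.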
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.