Trigger webhook for auto-resolved vulnerabilities
What does this MR do and why?
This MR fixes a bug where webhook events were not being triggered when vulnerabilities were auto-resolved by GitLab Bot through vulnerability management policies. Previously, webhooks were only triggered for manual vulnerability status changes, breaking automation workflows that rely on webhook notifications.
Changes made:
- Added `trigger_webhook_events` method to `Vulnerabilities::AutoResolveService` that triggers webhook events for auto-resolved vulnerabilities
- Enhanced the vulnerability webhook payload to include `resolved_at`, `resolved_by_id`, and `auto_resolved` fields
- Added comprehensive test coverage for both webhook triggering scenarios and payload data
Why this change is needed: When vulnerabilities are auto-resolved by policies (e.g., "auto-resolve vulnerabilities that are no longer detected"), the webhook events were not being triggered, causing inconsistent behavior compared to manual resolution. This broke automation workflows that depend on webhook notifications for vulnerability state changes.
Changelog: fixed
EE: true
References
Closes #561731 (closed)
Screenshots or screen recordings
N/A - This is a backend service change with no UI impact.
How to set up and validate locally
- Set up a project with vulnerability management policies enabled
- Configure a webhook endpoint to receive vulnerability events
- Create a vulnerability in your project (e.g., add a secret to a file)
- Set up an auto-resolve policy for vulnerabilities no longer detected
- Remove the secret and push to trigger auto-resolution
- Verify that the webhook is now triggered with the vulnerability event payload including the new fields:
  - `resolved_at`: timestamp when resolved
  - `resolved_by_id`: ID of the user/bot that resolved it
  - `auto_resolved`: boolean indicating if it was auto-resolved
You can also test this by running the specs:
bundle exec rspec ee/spec/services/vulnerabilities/auto_resolve_service_spec.rb
bundle exec rspec ee/spec/lib/gitlab/data_builder/vulnerability_spec.rb
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
- Added comprehensive test coverage for new functionality
- Follows existing code patterns and conventions
- Performance impact is minimal (only triggers webhooks when active hooks exist)
- Maintains backward compatibility in webhook payload structure
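
A receiver-side sketch of consuming the new fields, added here as an example and not code from this MR or from GitLab. It assumes the event envelope uses `object_kind` and `object_attributes` with a `state` key; only `resolved_at`, `resolved_by_id` and `auto_resolved` come from the description above, and `classify_vulnerability_event` is a hypothetical name.

```ruby
require 'json'
require 'openssl'

# Constructed sample, not a captured payload. The envelope keys
# (object_kind, object_attributes, state) are assumptions; the three
# resolution fields are the ones named in the MR description.
SAMPLE_BODY = JSON.generate(
  'object_kind' => 'vulnerability',
  'object_attributes' => {
    'state' => 'resolved',
    'resolved_at' => '2025-01-01T12:00:00Z',
    'resolved_by_id' => 42,
    'auto_resolved' => true
  }
)

# Returns :rejected, :ignored, :unknown, :auto_resolved or :manually_resolved.
def classify_vulnerability_event(body, presented_token, expected_token)
  # GitLab sends the hook's secret token in the X-Gitlab-Token header;
  # compare it in constant time before parsing anything.
  return :rejected unless presented_token.is_a?(String) &&
                          OpenSSL.secure_compare(presented_token, expected_token)

  event = JSON.parse(body)
  return :ignored unless event.is_a?(Hash) && event['object_kind'] == 'vulnerability'

  attrs = event['object_attributes']
  return :ignored unless attrs.is_a?(Hash) && attrs['state'] == 'resolved'

  # Payloads produced before this change lack the key: report that the
  # origin is unknown instead of defaulting to "manual".
  flag = attrs['auto_resolved']
  # Strict boolean check so "true", 1 or nil never count as auto-resolved.
  return :unknown unless [true, false].include?(flag)

  flag ? :auto_resolved : :manually_resolved
rescue JSON::ParserError
  :rejected
end
```

Treating a missing or non-boolean `auto_resolved` as `:unknown` keeps downstream automation from closing tickets on events whose origin it cannot establish.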