Auto-resolve vulnerabilities that are already no longer detected

What does this MR do and why?

Auto-resolve vulnerabilities that are already no longer detected

The with_resolution(false) scope prevents us from auto-resolving vulnerabilities if they are already in the "no longer detected" state. This change removes the scope so that they can be transitioned. When updating resolved_on_default_branch, we filter out records that are already resolved_on_default_branch=true in order to prevent redundant database writes.

References

Screenshots or screen recordings


How to set up and validate locally

  1. Import https://gitlab.com/gitlab-examples/security/security-reports into your GDK.
  2. Run a new pipeline on the default branch to populate the vulnerability report.
  3. Remove some vulnerabilities from a report.
  4. Create a security policy that resolves all vulnerabilities.
  5. Run another pipeline on the default branch.
  6. Vulnerability should transition from "Needs Triage" to "Resolved".

Before: These vulnerabilities would remain in "Needs Triage" state

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
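The two filtering rules this MR describes (drop the with_resolution(false) scope so already "no longer detected" rows are eligible for auto-resolution, and skip rows already resolved_on_default_branch=true to avoid redundant writes), as an added plain-Ruby illustration that is not GitLab's code. The Vulnerability struct, the helper names and the sample rows are constructed for the example.

```ruby
# Illustrative stand-in for the logic this MR describes; not GitLab's code.
# Vulnerabilities are plain structs and the helpers below are hypothetical.
Vulnerability = Struct.new(:id, :state, :resolved_on_default_branch, keyword_init: true)

# Constructed sample: id 3 was already flagged "no longer detected" by an earlier pipeline.
def sample_vulns
  [
    Vulnerability.new(id: 1, state: "Needs Triage", resolved_on_default_branch: false), # still found
    Vulnerability.new(id: 2, state: "Needs Triage", resolved_on_default_branch: false), # gone this run
    Vulnerability.new(id: 3, state: "Needs Triage", resolved_on_default_branch: true),  # gone earlier
    Vulnerability.new(id: 4, state: "Resolved",     resolved_on_default_branch: true)
  ]
end

# Step 1: after a default-branch pipeline, flag findings the report no longer contains.
# Rows already flagged are skipped so the update does no redundant writes. Returns ids written.
def mark_no_longer_detected(vulns, still_detected_ids)
  vulns.reject { |v| still_detected_ids.include?(v.id) || v.resolved_on_default_branch }
       .each { |v| v.resolved_on_default_branch = true }
       .map(&:id)
end

# Step 2: a policy auto-resolves "no longer detected" vulnerabilities.
# with_resolution_scope: true mimics the old with_resolution(false) scope, where only rows
# flagged in this run are eligible; false (the MR's behaviour) considers every flagged row.
def auto_resolve(vulns, written_ids, with_resolution_scope:)
  vulns.select(&:resolved_on_default_branch)
       .select { |v| !with_resolution_scope || written_ids.include?(v.id) }
       .select { |v| v.state == "Needs Triage" }
       .each { |v| v.state = "Resolved" }
       .map(&:id)
end

# Runs both steps for one pipeline whose report still contains `still_detected_ids`.
def run_pipeline(vulns, still_detected_ids, with_resolution_scope:)
  written = mark_no_longer_detected(vulns, still_detected_ids)
  resolved = auto_resolve(vulns, written, with_resolution_scope: with_resolution_scope)
  { written: written, resolved: resolved }
end

if __FILE__ == $PROGRAM_NAME
  puts "before: #{run_pipeline(sample_vulns, [1], with_resolution_scope: true)}"
  puts "after:  #{run_pipeline(sample_vulns, [1], with_resolution_scope: false)}"
end
```

In the "before" run id 3 stays in "Needs Triage" because the scope excluded it; in the "after" run it is resolved while the write set is unchanged.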
