Add validity_check support to vulnerabilities GraphQL
What does this MR do and why?
Add token_status support to vulnerabilities GraphQL
References
- Issue Add GraphQL API argument for filtering vulnerab... (#570478 - closed)
- Migration MR: Add migration to backfill token_status for vuln... (!207065 - merged)
- Docs: https://docs.gitlab.com/user/application_security/vulnerabilities/validity_check/#secret-status
Screenshots or screen recordings
| Type | Project | Group | Not allowed |
|---|---|---|---|
| Vulnerabilities | (screenshot) | (screenshot) | (screenshot) |
| Vulnerability Severity Counts | (screenshot) | (screenshot) | (screenshot) |

Refresh

| Before | After |
|---|---|
| (screenshot) | (screenshot) |
How to set up and validate locally

Set up Elasticsearch and enable SaaS mode

1. Import the demo project. Import the project used for testing validity refresh checks: https://gitlab.com/gitlab-org/govern/threat-insights-demos/verify-validity-refresh-check
2. Enable the required feature flags. You can enable these flags through http://gdk.test:3000/rails/features:
   - `validity_checks_security_finding_status`
   - `validity_checks`
   - `advanced_vulnerability_management`
3. Run a new pipeline on the imported project until it succeeds.
4. Enable and set up Elasticsearch. Follow the official GDK Elasticsearch setup guide: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/elasticsearch.md
5. Simulate GitLab SaaS mode. Reference: https://gitlab.com/-/snippets/4834607. To test vulnerability management features locally, configure GDK to simulate GitLab SaaS. You can either start the Rails console with the environment variable set:

   ```shell
   GITLAB_SIMULATE_SAAS=1 bundle exec rails console
   ```

   or add the following section to your `gdk.yml` (see https://docs.gitlab.com/development/ee_features/#simulate-a-saas-instance):

   ```yaml
   env:
     GITLAB_SIMULATE_SAAS: "1"
   ```

   Then restart GDK:

   ```shell
   gdk restart
   ```
6. Run the migration and bookkeeping:

   ```ruby
   Elastic::DataMigrationService[20251001130713].migrate
   Elastic::ProcessInitialBookkeepingService.new.execute
   ```

   💡 Note: verify SaaS feature availability. In the Rails console (`gdk rails console`), check whether the SaaS flag is active:

   ```ruby
   Gitlab::Saas.feature_available?(:advanced_search)
   ```

   If it still returns `false`, edit `ee/lib/search/elastic/vulnerability_indexing_helper.rb` and update the method so that it returns `true`:

   ```ruby
   def sass_with_es?
     return true
   end
   ```

Run GraphQL queries to verify vulnerability data

Once your environment is configured, run the following GraphQL queries to verify vulnerability data filtered by validity check status.
Vulnerabilities (nodes) GraphQL query

```graphql
query {
  # Project level
  project(fullPath: "gitlab-org/verify-validity-refresh-check") {
    id
    name
    fullPath
    active: vulnerabilities(validityCheck: [ACTIVE]) {
      nodes { id title severity }
    }
    inactive: vulnerabilities(validityCheck: [INACTIVE]) {
      nodes { id title severity }
    }
    unknown: vulnerabilities(validityCheck: [UNKNOWN]) {
      nodes { id title severity }
    }
  }
  # Group level
  group(fullPath: "gitlab-org") {
    id
    name
    fullPath
    active: vulnerabilities(validityCheck: [ACTIVE]) {
      nodes { id title severity }
    }
    inactive: vulnerabilities(validityCheck: [INACTIVE]) {
      nodes { id title severity }
    }
    unknown: vulnerabilities(validityCheck: [UNKNOWN]) {
      nodes { id title severity }
    }
  }
  # Instance level
  instanceSecurityDashboard {
    active: vulnerabilities(validityCheck: [ACTIVE]) {
      nodes { id title severity }
    }
    inactive: vulnerabilities(validityCheck: [INACTIVE]) {
      nodes { id title severity }
    }
    unknown: vulnerabilities(validityCheck: [UNKNOWN]) {
      nodes { id title severity }
    }
  }
}
```
Vulnerability Severity Counts

```graphql
query {
  # Project level
  project(fullPath: "gitlab-org/verify-validity-refresh-check") {
    id
    name
    fullPath
    activeCount: vulnerabilitySeveritiesCount(validityCheck: [ACTIVE]) {
      critical high medium low unknown info
    }
    inactiveCount: vulnerabilitySeveritiesCount(validityCheck: [INACTIVE]) {
      critical high medium low unknown info
    }
    unknownCount: vulnerabilitySeveritiesCount(validityCheck: [UNKNOWN]) {
      critical high medium low unknown info
    }
  }
  # Group level
  group(fullPath: "gitlab-org") {
    id
    name
    fullPath
    activeCount: vulnerabilitySeveritiesCount(validityCheck: [ACTIVE]) {
      critical high medium low unknown info
    }
    inactiveCount: vulnerabilitySeveritiesCount(validityCheck: [INACTIVE]) {
      critical high medium low unknown info
    }
    unknownCount: vulnerabilitySeveritiesCount(validityCheck: [UNKNOWN]) {
      critical high medium low unknown info
    }
  }
  # Instance level
  instanceSecurityDashboard {
    activeCount: vulnerabilitySeveritiesCount(validityCheck: [ACTIVE]) {
      critical high medium low unknown info
    }
    inactiveCount: vulnerabilitySeveritiesCount(validityCheck: [INACTIVE]) {
      critical high medium low unknown info
    }
    unknownCount: vulnerabilitySeveritiesCount(validityCheck: [UNKNOWN]) {
      critical high medium low unknown info
    }
  }
}
```
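As an added consistency check (not part of this MR or the GitLab code base), the Ruby script below runs over a constructed sample shaped like the project-level fields returned by the two queries above and verifies that the three `validityCheck` buckets are disjoint and that each `vulnerabilitySeveritiesCount` matches the nodes returned for the same filter. It assumes the severity enum names (`CRITICAL`, ...) correspond to the count field names (`critical`, ...) case-insensitively.

```ruby
require 'json'

# Constructed sample, shaped like the project-level fields of the two queries
# above (not real API output). Aliases: active/inactive/unknown hold nodes,
# activeCount/inactiveCount/unknownCount hold severity counts.
SAMPLE = JSON.parse(<<~JSON)
  {
    "active":   { "nodes": [ { "id": "gid://gitlab/Vulnerability/1", "severity": "CRITICAL" },
                             { "id": "gid://gitlab/Vulnerability/2", "severity": "HIGH" } ] },
    "inactive": { "nodes": [ { "id": "gid://gitlab/Vulnerability/3", "severity": "HIGH" } ] },
    "unknown":  { "nodes": [ { "id": "gid://gitlab/Vulnerability/4", "severity": "LOW" } ] },
    "activeCount":   { "critical": 1, "high": 1, "medium": 0, "low": 0, "unknown": 0, "info": 0 },
    "inactiveCount": { "critical": 0, "high": 1, "medium": 0, "low": 0, "unknown": 0, "info": 0 },
    "unknownCount":  { "critical": 0, "high": 0, "medium": 0, "low": 1, "unknown": 0, "info": 0 }
  }
JSON

# Maps each nodes alias to its severity-count alias (the aliases used in the queries).
BUCKETS = { 'active' => 'activeCount', 'inactive' => 'inactiveCount',
            'unknown' => 'unknownCount' }.freeze

# Returns an array of inconsistency messages; empty when the response is consistent.
# Assumes severity enum names (CRITICAL, ...) match count keys (critical, ...) case-insensitively.
def validity_check_problems(data, buckets = BUCKETS)
  problems = []
  seen = {}
  # 1. A vulnerability must not be ACTIVE and INACTIVE (or UNKNOWN) at the same time.
  buckets.each_key do |bucket|
    data.fetch(bucket).fetch('nodes').each do |node|
      id = node.fetch('id')
      problems << "#{id} appears in both #{seen[id]} and #{bucket}" if seen.key?(id)
      seen[id] = bucket
    end
  end
  # 2. The severity counts for a filter must equal the nodes returned for the same filter.
  buckets.each do |bucket, count_field|
    actual = Hash.new(0)
    data.fetch(bucket).fetch('nodes').each { |n| actual[n.fetch('severity').downcase] += 1 }
    data.fetch(count_field).each do |severity, count|
      next if actual[severity] == count.to_i
      problems << "#{bucket}: #{severity} count is #{count} but #{actual[severity]} node(s) returned"
    end
  end
  problems
end

problems = validity_check_problems(SAMPLE)
puts(problems.empty? ? 'consistent' : problems)
```

To check a real response, replace `SAMPLE` with the `project`, `group` or `instanceSecurityDashboard` object from the merged output of both queries.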
Refresh test

1. Enable the required feature flag `secret_detection_validity_checks_refresh_token`.
2. Follow the "Simulate GitLab SaaS mode" steps above.
3. Retrieve the last vulnerability and finding. Run a successful pipeline on the imported project, then retrieve the last finding:

   ```ruby
   finding = Vulnerability.last.finding
   ```

   This fetches the latest vulnerability and its associated finding record.
4. Manually set the token status to active:

   ```ruby
   finding_token_status = Vulnerabilities::FindingTokenStatus.find_or_initialize_by(
     vulnerability_occurrence_id: finding.id
   )
   # Run until finding_token_status.reload has status: "active"
   finding_token_status.update!(
     status: :active,
     project_id: finding.project_id
   )
   finding_token_status.reload
   ```

   This ensures a `Vulnerabilities::FindingTokenStatus` record exists and sets it as active.
5. Sync the finding into Elasticsearch (if needed):

   ```ruby
   ::Vulnerabilities::EsHelper.sync_elasticsearch(finding.vulnerability_id)
   Elastic::ProcessBookkeepingService.new.execute # repeat until it returns [0, 0]
   ```

   This updates the vulnerability record in Elasticsearch with the current database state.
6. Query the token status:

   ```graphql
   query {
     vulnerability(id: "gid://gitlab/Vulnerability/544") {
       id
       title
       findingTokenStatus {
         status
       }
     }
   }
   ```
7. GraphQL mutation: refresh the finding token status:

   ```graphql
   mutation {
     refreshFindingTokenStatus(input: { vulnerabilityId: "gid://gitlab/Vulnerability/544" }) {
       errors
       findingTokenStatus {
         status
       }
     }
   }
   ```
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.