Add validity_check support to vulnerabilities GraphQL
What does this MR do and why?
Add token_status support to vulnerabilities GraphQL
References
- Issue Add GraphQL API argument for filtering vulnerab... (#570478 - closed)
- Migration MR: Add migration to backfill token_status for vuln... (!207065 - merged)
- Docs: https://docs.gitlab.com/user/application_security/vulnerabilities/validity_check/#secret-status
Screenshots or screen recordings
| Type | Project | Group | Not allowed |
|---|---|---|---|
| Vulnerabilities |  |
 |
 |
| Vulnerability Severity Counts |  |
 |
 |
Refresh
| Before | After |
|---|---|
 |
 |
How to set up and validate locally
-
Set up Elasticsearch and enable SaaS mode
-
Import the demo project
Import the project used for testing validity refresh checks:
https://gitlab.com/gitlab-org/govern/threat-insights-demos/verify-validity-refresh-check -
Enable the required feature flags
You can enable these flags through http://gdk.test:3000/rails/features:validity_checks_security_finding_status validity_checks advanced_vulnerability_management -
Run a new pipeline until successful on the imported project
-
Enable and setup Elasticsearch
Follow the official GDK Elasticsearch setup guide:
https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/elasticsearch.md -
Simulate GitLab SaaS mode
Reference: https://gitlab.com/-/snippets/4834607.To test vulnerability management features locally, configure GDK to simulate GitLab SaaS.
You can either run the commands using:
GITLAB_SIMULATE_SAAS=1 bundle exec rails consoleOr add the following section to your
gdk.yml(see https://docs.gitlab.com/development/ee_features/#simulate-a-saas-instance):env: GITLAB_SIMULATE_SAAS: "1"Then restart GDK:
gdk restart -
Run migration and bookkeeping:
Elastic::DataMigrationService[20251001130713].migrate Elastic::ProcessInitialBookkeepingService.new.execute -
💡 Note: Verify SaaS feature availability
In the Rails console, check if the SaaS flag is active:gdk rails consoleGitlab::Saas.feature_available?(:advanced_search)If it still returns
false, edit the following file:ee/lib/search/elastic/vulnerability_indexing_helper.rbUpdate the method:
def sass_with_es? return true
-
-
Run GraphQL queries to verify vulnerability data
Once your environment is configured, you can run the following GraphQL queries to verify vulnerability data filtered by validity check status.
Vulnerabilities (nodes) GraphQL query
query {
# Project level
project(fullPath: "gitlab-org/verify-validity-refresh-check") {
id
name
fullPath
active: vulnerabilities(validityCheck: [ACTIVE]) {
nodes { id title severity }
}
inactive: vulnerabilities(validityCheck: [INACTIVE]) {
nodes { id title severity }
}
unknown: vulnerabilities(validityCheck: [UNKNOWN]) {
nodes { id title severity }
}
}
# Group level
group(fullPath: "gitlab-org") {
id
name
fullPath
active: vulnerabilities(validityCheck: [ACTIVE]) {
nodes { id title severity }
}
inactive: vulnerabilities(validityCheck: [INACTIVE]) {
nodes { id title severity }
}
unknown: vulnerabilities(validityCheck: [UNKNOWN]) {
nodes { id title severity }
}
}
# Instance level
instanceSecurityDashboard {
active: vulnerabilities(validityCheck: [ACTIVE]) {
nodes { id title severity }
}
inactive: vulnerabilities(validityCheck: [INACTIVE]) {
nodes { id title severity }
}
unknown: vulnerabilities(validityCheck: [UNKNOWN]) {
nodes { id title severity }
}
}
}Vulnerability Severity Counts
query {
# Project level
project(fullPath: "gitlab-org/verify-validity-refresh-check") {
id
name
fullPath
activeCount: vulnerabilitySeveritiesCount(validityCheck: [ACTIVE]) {
critical high medium low unknown info
}
inactiveCount: vulnerabilitySeveritiesCount(validityCheck: [INACTIVE]) {
critical high medium low unknown info
}
unknownCount: vulnerabilitySeveritiesCount(validityCheck: [UNKNOWN]) {
critical high medium low unknown info
}
}
# Group level
group(fullPath: "gitlab-org") {
id
name
fullPath
activeCount: vulnerabilitySeveritiesCount(validityCheck: [ACTIVE]) {
critical high medium low unknown info
}
inactiveCount: vulnerabilitySeveritiesCount(validityCheck: [INACTIVE]) {
critical high medium low unknown info
}
unknownCount: vulnerabilitySeveritiesCount(validityCheck: [UNKNOWN]) {
critical high medium low unknown info
}
}
# Instance level
instanceSecurityDashboard {
activeCount: vulnerabilitySeveritiesCount(validityCheck: [ACTIVE]) {
critical high medium low unknown info
}
inactiveCount: vulnerabilitySeveritiesCount(validityCheck: [INACTIVE]) {
critical high medium low unknown info
}
unknownCount: vulnerabilitySeveritiesCount(validityCheck: [UNKNOWN]) {
critical high medium low unknown info
}
}
}- Refresh test
-
Enable the required feature flag
secret_detection_validity_checks_refresh_token -
Follow Simulate GitLab SaaS mode steps
-
Retrieve the last vulnerability and finding
Run a successful pipeline on the imported project, then retrieve the last finding
finding = Vulnerability.last.findingThis fetches the latest vulnerability and its associated finding record.
-
Manually set the token status to active
finding_token_status = Vulnerabilities::FindingTokenStatus.find_or_initialize_by( vulnerability_occurrence_id: finding.id ) # Run until fts.reload has status: "active" finding_token_status.update!( status: :active, project_id: finding.project_id ) finding_token_status.reloadThis ensures a
Vulnerabilities::FindingTokenStatusrecord exists and sets it as active. -
Sync the finding into Elasticsearch (if needed)
::Vulnerabilities::EsHelper.sync_elasticsearch(finding.vulnerability_id) Elastic::ProcessBookkeepingService.new.execute # until => [0, 0]This updates the vulnerability record in Elasticsearch with the current database state.
Query the token status
query {
vulnerability(id: "gid://gitlab/Vulnerability/544") {
id
title
findingTokenStatus {
status
}
}
}GraphQL mutation: Refresh the finding token status
mutation {
refreshFindingTokenStatus(input: { vulnerabilityId: "gid://gitlab/Vulnerability/544" }) {
errors
findingTokenStatus {
status
}
}
}MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.