Add Partner Token Verification Support for Security Pipeline Workflow

What does this MR do?

This MR extends partner token verification to support the security pipeline workflow (branch scans), completing the integration started in the related MR (!206905 (merged)), which handled the default branch scan workflow.

Key changes:

  • Extends Security::PartnerTokenService to process partner tokens (AWS, GCP, Postman) for security findings
  • Handles related security findings with the same UUID across different scans/partitions
  • Syncs token status to associated vulnerability findings when they exist
  • Integrates with execute_for_security_pipeline and execute_for_security_finding workflows

This is the second part of a two-part MR series for issue Integrate Partner Verification into UpdateToken... (#567734 - closed). The first part (!206905 (merged)) handled the default branch pipeline workflow, while this MR handles the merge request pipeline workflow.

The workflows and queries are nearly identical, with just one major difference: this implementation also updates related findings when a finding is updated, using the save_result_for_related_findings method.

What are "related findings"?

  • Findings with the same UUID in the same project
  • Findings associated with vulnerabilities

More details can be found in the diff: !207069 (diffs)

Note: This feature is behind a development FF, secret_detection_partner_token_verification

Why was this MR needed?

Context:

  • Related MR (!206905 (merged)) implemented partner token verification for the default branch workflow (execute_for_vulnerability_pipeline)
  • This MR completes the implementation by adding support for the pipeline branch workflow (execute_for_security_pipeline)

Problem: Without this change, partner tokens detected in branch scans (security findings) were not being verified; only tokens from default branch scans (vulnerability findings) were processed.

Solution: Follow the same pattern established for vulnerability findings, adapted for security findings, which have additional complexity:

  1. Security findings can have multiple related findings (same UUID, different scans/partitions)
  2. Security findings may be linked to vulnerability findings and need status synchronization

Related issues

  • Closes Integrate Partner Verification into UpdateToken... (#567734 - closed)
  • Follows pattern from !206905 (merged) (Vulnerability findings support)

Implementation Details

Architecture

Security Pipeline → Security::PartnerTokenService
                    ├─ Save result for current finding
                    ├─ Process related security findings (same UUID)
                    └─ Sync to associated vulnerability findings

Data Flow Example

Scenario: AWS token detected in branch scan

1. Security scan completes

2. execute_for_security_pipeline called

3. Security::PartnerTokenService.process_finding_async(batch)

4. PartnerTokenVerificationWorker queued

5. Worker calls partner API (AWS)

6. save_result called:
   ├─ Saves to Security::FindingTokenStatus (current finding)
   ├─ Finds related findings (same UUID, different scans)
   ├─ Saves to Security::FindingTokenStatus (related findings)
   └─ If vulnerability finding exists, syncs to Vulnerabilities::FindingTokenStatus
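The following is an added illustration, not code from this MR or from GitLab: a plain-Ruby model of the save_result fan-out above, covering both the "related findings" definition (same UUID, same project) and the sync to the vulnerability finding token status. The Struct, the in-memory status hashes, the status symbols and the sample findings are assumptions standing in for the real models.

```ruby
# Added illustration (not GitLab's code). Finding stands in for a security
# finding record; the two hashes stand in for Security::FindingTokenStatus
# and Vulnerabilities::FindingTokenStatus. All names are assumptions.
Finding = Struct.new(:id, :uuid, :project_id, :scan_id, :vulnerability_finding_id, keyword_init: true)

class PartnerTokenResultSaver
  VALID_STATUSES = %i[active inactive unknown].freeze # assumed status vocabulary

  attr_reader :security_statuses, :vulnerability_statuses

  def initialize(findings)
    @findings = findings           # all security findings, across scans/partitions
    @security_statuses = {}        # finding id => status (Security::FindingTokenStatus stand-in)
    @vulnerability_statuses = {}   # vulnerability finding id => status (Vulnerabilities::* stand-in)
  end

  # Persist a partner verification result for one finding, then propagate it
  # to every related finding and to any linked vulnerability finding.
  def save_result(finding, status)
    raise ArgumentError, "unknown status #{status}" unless VALID_STATUSES.include?(status)

    write_status(finding, status)
    related_findings(finding).each { |related| write_status(related, status) }
    self
  end

  # Related findings: same UUID in the same project, excluding the finding itself.
  # Findings with the same UUID in a different project are NOT related.
  def related_findings(finding)
    @findings.select do |f|
      f.id != finding.id && f.uuid == finding.uuid && f.project_id == finding.project_id
    end
  end

  private

  def write_status(finding, status)
    @security_statuses[finding.id] = status
    # Sync to the vulnerability finding only when this security finding is linked to one.
    vf_id = finding.vulnerability_finding_id
    @vulnerability_statuses[vf_id] = status if vf_id
  end
end

# Constructed sample: one token seen in three scans of project 10 (one of them
# already linked to a vulnerability finding) and once in project 11.
SAMPLE_FINDINGS = [
  Finding.new(id: 1, uuid: "u1", project_id: 10, scan_id: 100, vulnerability_finding_id: nil),
  Finding.new(id: 2, uuid: "u1", project_id: 10, scan_id: 101, vulnerability_finding_id: 500),
  Finding.new(id: 3, uuid: "u1", project_id: 11, scan_id: 102, vulnerability_finding_id: nil),
  Finding.new(id: 4, uuid: "u2", project_id: 10, scan_id: 100, vulnerability_finding_id: nil)
].freeze
```

Running `PartnerTokenResultSaver.new(SAMPLE_FINDINGS).save_result(SAMPLE_FINDINGS[0], :active)` writes the status for findings 1 and 2 and syncs it to vulnerability finding 500, leaving findings 3 and 4 untouched.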

Manual Testing

Prerequisites:

  • Enable FF: secret_detection_partner_token_verification
  • Configure partner token (AWS/GCP/Postman)

Test Steps:

  1. Create branch with AWS token
  2. Run security scan on branch
  3. Verify Security::FindingTokenStatus created with correct status
  4. Check related findings with same UUID also updated
  5. If merged to default branch, verify Vulnerabilities::FindingTokenStatus synced

Checklist

  • Code follows GitLab Ruby style guide
  • Tests added for all new functionality
  • Documentation updated (if applicable)
  • Feature flag exists and is referenced correctly
  • Database queries are optimized and indexed
  • No N+1 queries introduced
  • Error handling covers edge cases
  • Related to security? Label ~security
  • Follows established patterns from related MR !206905 (merged)

Related Merge Requests

  • !206905 (merged) - Add partner token verification for vulnerability findings (default branch workflow)
  • This MR - Add partner token verification for security findings (pipeline branch workflow)

/cc @atiwari71

Note: This MR completes the partner token verification feature by adding support for the security pipeline workflow. Combined with !206905 (merged), we now have full coverage of both default branch scans (vulnerability findings) and branch scans (security findings).

Edited by Aditya Tiwari
