Adds policy_violations to vulnerability reference
What does this MR do and why?
This MR adds policy_violations population to the Vulnerabilities Elasticsearch reference class.
Vulnerability records are now enhanced with preloaded policy violations information.
References
Screenshots or screen recordings
How to set up and validate locally
Elasticsearch Setup
- Enable Elasticsearch in GDK:
gdk config set elasticsearch.enabled true
gdk reconfigure
gdk start elasticsearch
Simulate a security policy dismissal
- Import the security-reports project.
- Run a new pipeline on the default branch to create vulnerabilities
- Go to Secure > Policies and create a Merge Request Approval policy
- Create an MR editing the README file
- Create a Security::PolicyDismissal record to simulate a bypassed/dismissed policy, using the security policy, the merge request and one of the vulnerability UUIDs detected in the pipeline:
Security::PolicyDismissal.create(project: Project.second_to_last, merge_request: MergeRequest.last, security_policy: Security::Policy.last, user: User.first, dismissal_types: [0], security_findings_uuids: ["vulnerability-uuid"])
Update the ES index
- In the Rails console, load the vulnerability read using the same dismissed UUID from the previous step, then track its Elasticsearch reference:
vulnerability_read = Vulnerabilities::Read.where(uuid:'vulnerability-uuid').first
::Elastic::ProcessBookkeepingService.track!(Search::Elastic::References::Vulnerability.new(vulnerability_read.vulnerability_id, "group_#{vulnerability_read.project.namespace.root_ancestor.id}"))
- Process the Redis refs into ES; run the command below repeatedly until the result shows [0, 0]:
Elastic::ProcessBookkeepingService.new.execute
- Find the vulnerability_id:
vulnerability_read.vulnerability_id
- For the vulnerability_id found in the step above, verify that the ES document has the reachability field populated.
- On your terminal the query would be like:
curl -s "http://localhost:9200/gitlab-development-vulnerabilities/_search?pretty" \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "term": {
        "vulnerability_id": {
          "value": 834
        }
      }
    }
  }'
And the result would be like:
{
  "took" : 21,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "gitlab-development-vulnerabilities-20251003-2328",
        "_id" : "834",
        "_score" : 1.0,
        "_routing" : "group_1",
        "_source" : {
          "schema_version" : 2538,
          "type" : "vulnerability",
          "vulnerability_id" : 834,
          "project_id" : 157,
          "scanner_id" : 596,
          "uuid" : "84c1832e-294d-59f0-b3ff-b4414cc86c70",
          "location_image" : null,
          "cluster_agent_id" : null,
          "casted_cluster_agent_id" : null,
          "has_issues" : false,
          "resolved_on_default_branch" : false,
          "has_merge_request" : false,
          "has_remediations" : false,
          "archived" : false,
          "has_vulnerability_resolution" : false,
          "auto_resolved" : false,
          "identifier_names" : [
            "Gitleaks rule ID twitch-api-token"
          ],
          "report_type" : 4,
          "severity" : 7,
          "state" : 1,
          "dismissal_reason" : null,
          "scanner_external_id" : "gitleaks",
          "created_at" : "2025-07-17T18:28:02.848Z",
          "updated_at" : "2025-07-17T18:28:02.848Z",
          "traversal_ids" : "1-",
          "epss_scores" : [ ],
          "reachability" : 0,
          "token_status" : 0,
          "policy_violations" : 0,
          "resolved_at" : null,
          "dismissed_at" : null
        }
      }
    ]
  }
}
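As an added illustration of the verification step (not code from this MR or from GitLab), the Ruby script below builds the same term query used in the curl request above and inspects a /_search response body for the indexed document, reporting its policy_violations value and any expected fields that are missing. It returns nil when no document matched, which is what you see before the bookkeeping service has drained the Redis refs. The sample response is constructed to mirror the output above, and the list of checked fields is an assumption made for the check:

```ruby
require 'json'

# Build the Elasticsearch term query used in the verification step
# (same shape as the curl request body above).
def vulnerability_term_query(vulnerability_id)
  { query: { term: { vulnerability_id: { value: vulnerability_id } } } }
end

# Fields we expect the indexed vulnerability document to carry. This list
# is an assumption for the check, not taken from the reference class itself.
CHECKED_FIELDS = %w[vulnerability_id project_id uuid policy_violations reachability].freeze

# Inspect a /_search response body for the document of the given
# vulnerability_id. Returns nil when no hit matches (not indexed yet),
# otherwise a summary hash including the policy_violations value and
# any checked fields absent from _source.
def inspect_vulnerability_doc(response_json, vulnerability_id)
  body = JSON.parse(response_json)
  hits = body.dig('hits', 'hits') || []
  hit = hits.find { |h| h.dig('_source', 'vulnerability_id') == vulnerability_id }
  return nil unless hit

  source = hit['_source']
  {
    index: hit['_index'],
    routing: hit['_routing'],
    uuid: source['uuid'],
    schema_version: source['schema_version'],
    policy_violations: source['policy_violations'],
    missing_fields: CHECKED_FIELDS.reject { |f| source.key?(f) }
  }
end

# Constructed sample response shaped like the search output above; only the
# fields relevant to the check are kept.
SAMPLE_RESPONSE = <<~JSON
  {
    "hits": {
      "total": { "value": 1, "relation": "eq" },
      "hits": [
        {
          "_index": "gitlab-development-vulnerabilities-20251003-2328",
          "_id": "834",
          "_routing": "group_1",
          "_source": {
            "schema_version": 2538,
            "type": "vulnerability",
            "vulnerability_id": 834,
            "project_id": 157,
            "uuid": "84c1832e-294d-59f0-b3ff-b4414cc86c70",
            "reachability": 0,
            "policy_violations": 0
          }
        }
      ]
    }
  }
JSON

if $PROGRAM_NAME == __FILE__
  puts JSON.generate(vulnerability_term_query(834))
  p inspect_vulnerability_doc(SAMPLE_RESPONSE, 834)
  p inspect_vulnerability_doc(SAMPLE_RESPONSE, 999) # nil: nothing indexed for that id
end
```

To use it against a local GDK instance, pipe the curl output above into inspect_vulnerability_doc in place of SAMPLE_RESPONSE; a nil result means the bookkeeping service still has refs to process, and a non-empty missing_fields list means the reference class did not populate a field you expected.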
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Marcos Rocha
