Add audit events for vulnerability false positive flag changes
What does this MR do and why?
This MR adds audit logging when users manually remove false positive flags from vulnerabilities. Since false positive flags are automatically added by AI agents in the background, we only need to audit when users explicitly remove them via the API.
The changes include:
- Creating a new audit event type (`remove_vulnerability_false_positive_flag`)
- Updating `Vulnerabilities::Flags::UpdateAiDetectionService` to generate an audit event when a user sets the confidence score to 0 (removing the flag)
- Adding tests to verify that an audit event is created only when a flag is removed
This ensures compliance and provides visibility into when users override AI-detected false positives.
Issue: #578903 (closed)
How to set up and validate locally
- Enable the `security_dashboard` licensed feature
- Create a project with a vulnerability that has a finding
- Create a false positive flag on the vulnerability (simulating AI detection):

```ruby
# In Rails console
vulnerability = Vulnerability.last
finding = vulnerability.findings.first
finding.vulnerability_flags.create!(
  flag_type: :false_positive,
  origin: 'ai_sast_fp_detection',
  description: 'AI detected as false positive',
  confidence_score: 0.85,
  project_id: vulnerability.project_id
)
```

- Remove the false positive flag via the GraphQL API:

```graphql
mutation {
  vulnerabilityDismissFalsePositiveFlag(input: {
    id: "gid://gitlab/Vulnerability/123"
  }) {
    vulnerability {
      id
      title
    }
    errors
  }
}
```
- Go to the project's audit events page: Secure → Audit events
- You should see an audit event: "Removed false positive flag"
- Verify that adding a flag (setting confidence > 0) does NOT create an audit event, since that's done automatically by AI
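As an added illustration (not code from this MR or from GitLab), the audit decision described above reduced to a stand-alone Ruby model: a confidence score of 0 on a previously flagged vulnerability is treated as a user removal and produces an audit event; raising or adding a score (the AI path) produces none. `FlagConfidenceUpdater`, `FakeAuditLog`, `VulnerabilityFlag` and the sample data are hypothetical stand-ins; the only name taken from the MR is the event type string. The "already removed, do not audit again" branch is an added assumption about idempotency, not something the MR states.

```ruby
# Hypothetical model of the audit rule in this MR; not GitLab's implementation.

# Stand-in for a vulnerability_flags row (hypothetical).
VulnerabilityFlag = Struct.new(
  :vulnerability_id, :flag_type, :origin, :confidence_score,
  keyword_init: true
)

# In-memory stand-in for the audit event sink; real GitLab persists/streams AuditEvents.
class FakeAuditLog
  attr_reader :events

  def initialize
    @events = []
  end

  def record(name:, author:, target_id:, message:)
    @events << { name: name, author: author, target_id: target_id, message: message }
  end
end

# Modelled on the MR's description of Vulnerabilities::Flags::UpdateAiDetectionService:
# setting the confidence score to 0 removes the false positive flag, and only that
# user-driven path is audited.
class FlagConfidenceUpdater
  REMOVE_EVENT = 'remove_vulnerability_false_positive_flag'

  def initialize(audit_log:, current_user:)
    @audit_log = audit_log
    @current_user = current_user
  end

  # Returns [flag, audited] so callers can see whether an event was written.
  def execute(flag, new_score)
    unless (0.0..1.0).cover?(new_score)
      raise ArgumentError, 'confidence score must be within 0.0..1.0'
    end

    previously_flagged = flag.confidence_score.to_f > 0
    flag.confidence_score = new_score

    # Audit only a transition from flagged (score > 0) to removed (score == 0).
    # AI adding or raising a score is background work and is not audited.
    # Assumption: setting 0 on an already-removed flag is a no-op (no duplicate event).
    if previously_flagged && new_score.zero?
      @audit_log.record(
        name: REMOVE_EVENT,
        author: @current_user,
        target_id: flag.vulnerability_id,
        message: 'Removed false positive flag'
      )
      return [flag, true]
    end

    [flag, false]
  end
end

# Walk through the three cases with constructed data and return the audit events.
def demo
  log = FakeAuditLog.new
  svc = FlagConfidenceUpdater.new(audit_log: log, current_user: 'alice')
  flag = VulnerabilityFlag.new(
    vulnerability_id: 123, flag_type: :false_positive,
    origin: 'ai_sast_fp_detection', confidence_score: 0.85
  )

  svc.execute(flag, 0.95) # AI raising the score: no audit event
  svc.execute(flag, 0.0)  # user removing the flag: one audit event
  svc.execute(flag, 0.0)  # already removed: no second event (assumption)

  log.events
end
```

The out-of-range guard is there because an API that accepts "0 means remove" is easy to misuse; rejecting anything outside 0.0..1.0 keeps a malformed score from silently being treated as either a removal or a confident flag.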
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Closes #578903 (closed)
Edited by Nate Rosandich
