Add a badge for vulnerabilities auto-dismissed by a policy
What does this MR do and why?
When a vulnerability gets auto-dismissed by a vulnerability management policy, display a badge in the activity column of the Vulnerability Report.
References
- GraphQL field added in "Add policyAutoDismissed GraphQL field for vulne..." (!214704 - merged)
- Worker that triggers `AutoDismissService` based on SBOM vulnerability creation: "Add `AutoDismissWorker` to trigger based on Vul..." (!214531 - merged)
- Integration of `AutoDismissService` into `IngestReportsService`: "Integrate AutoDismissService into IngestReports..." (!214673 - merged)
Screenshots or screen recordings
| Before (or without FF) | After |
|---|---|
| (screenshot not captured in this extract) | (screenshot not captured in this extract) |
How to set up and validate locally
- In the Rails console, enable the feature flag:

  ```ruby
  Feature.enable(:auto_dismiss_vulnerability_policies)
  ```

- Create a project.
- Create an auto-dismiss policy:

  ```yaml
  vulnerability_management_policy:
    - name: Auto-dismiss acceptable secrets
      description: Auto-dismiss secrets
      enabled: true
      actions:
        - type: auto_dismiss
          dismissal_reason: not_applicable
      rules:
        - type: detected
          criteria:
            - type: file_path
              value: ".env"
  ```

- Add a `.gitlab-ci.yml` with secret detection:

  ```yaml
  include:
    - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
  ```

- Add two secrets in the `main` branch:
  - `.env`: `AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ`
  - `.env2`: `AWS_TOKEN=AKIAZYONPI3G4JNCCWGA`
- Wait until the pipeline on `main` finishes.
- In the Rails console, run the service manually, passing the latest pipeline ID and the two vulnerability IDs:

  ```ruby
  Vulnerabilities::AutoDismissService.new(Ci::Pipeline.find(<pipeline_id>), [vuln_1_id, vuln_2_id]).execute
  ```

- Open the Vulnerability Report, remove the default state filter, and verify that the secret from `.env` got dismissed and that there is an activity comment stating the details.
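To make the expected outcome of the steps above concrete (the `.env` finding is dismissed, the `.env2` finding is not), here is an added, stand-alone evaluator that applies the policy from the steps to two constructed findings. It is example code written for this page, not GitLab's `AutoDismissService` or its policy engine; it assumes the `criteria` list is nested under the rule as shown above, that a `file_path` criterion is an exact match, and that the first matching policy wins. The function names (`auto_dismiss_decisions`, `rule_matches?`, `criterion_matches?`) and the finding hashes are hypothetical.

```ruby
require "yaml"

# Constructed input: the policy from the validation steps above, as YAML text.
POLICY_YAML = <<~YAML
  vulnerability_management_policy:
    - name: Auto-dismiss acceptable secrets
      description: Auto-dismiss secrets
      enabled: true
      actions:
        - type: auto_dismiss
          dismissal_reason: not_applicable
      rules:
        - type: detected
          criteria:
            - type: file_path
              value: ".env"
YAML

# Constructed findings shaped like the two secrets committed in the steps above
# (ids are arbitrary; a real finding carries far more data than this).
FINDINGS = [
  { id: 1, file_path: ".env",  scanner: "secret_detection" },
  { id: 2, file_path: ".env2", scanner: "secret_detection" }
].freeze

# Assumed matching semantics for one criterion. Unknown criterion types never
# match, so a policy using a criterion this evaluator does not understand fails
# closed (nothing is dismissed) instead of dismissing everything.
def criterion_matches?(criterion, finding)
  case criterion["type"]
  when "file_path" then finding[:file_path] == criterion["value"] # exact match assumed
  else false
  end
end

# A rule matches only if it is a "detected" rule with at least one criterion and
# every criterion matches; an empty criteria list must not match anything.
def rule_matches?(rule, finding)
  return false unless rule["type"] == "detected"

  criteria = Array(rule["criteria"])
  !criteria.empty? && criteria.all? { |c| criterion_matches?(c, finding) }
end

# Returns { finding_id => { policy:, dismissal_reason: } } for every finding that
# an enabled policy with an auto_dismiss action would dismiss. Findings no policy
# matches are simply absent from the result.
def auto_dismiss_decisions(policy_yaml, findings)
  policies = YAML.safe_load(policy_yaml).fetch("vulnerability_management_policy", [])
  findings.each_with_object({}) do |finding, decisions|
    policies.each do |policy|
      next unless policy["enabled"]

      action = Array(policy["actions"]).find { |a| a["type"] == "auto_dismiss" }
      next unless action
      next unless Array(policy["rules"]).any? { |rule| rule_matches?(rule, finding) }

      decisions[finding[:id]] = { policy: policy["name"], dismissal_reason: action["dismissal_reason"] }
      break # first matching policy wins (assumption)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  auto_dismiss_decisions(POLICY_YAML, FINDINGS).each do |id, d|
    puts "finding #{id}: auto-dismissed by #{d[:policy].inspect} (reason: #{d[:dismissal_reason]})"
  end
end
```

Running it reports only finding 1 (`.env`) as dismissed with reason `not_applicable`, which is exactly what the Vulnerability Report should show after the manual `AutoDismissService` run. The fail-closed handling of empty or unknown criteria is deliberate: an auto-dismiss action that silently matched every finding would hide real secrets, so the evaluator only dismisses when a rule positively matches.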
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #581388
Edited by Martin Cavoj

