Skip to content

feat: add flow and tool for resolving security finding

Andrew Jungrequested to merge
569868/implement_security_findings_tools into main

What does this merge request do and why?

Adds tools for security findings by GET and LIST, for ephemeral vulnerabilities that are found in the pipeline. If a pipeline detects a finding, it may or may not be promoted to a vulnerability yet, hence no vulnerability ID. Once it is, we should be able to use this tool and resolve the vulnerability through an agentic flow.

It also adds specific wording to the security / vulnerability tools to check against int/uuid and pick one over the other.

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/569868

Relies on this being merged first: !3592 (merged)

How to set up and validate locally

  1. Set-up AIGW/duo workflow service locally (EE License, feature flags , etc.)
  2. Have a GitLab runner running (e.g., Docker/Colima)
  3. Check out this branch and set it with gdk config set gitlab_ai_gateway.version 569868/implement_security_findings_tools
  4. Edit the curl command with a local pipeline security finding (uuid, ex: http://gdk.test:3000///-/pipelines//security
  5. Run the script -> workflow completes -> view merge request created.

curl command:

export GDK_API_TOKEN=<>

#!/bin/bash

curl -X POST \
-H "Authorization: Bearer $GDK_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
  "project_id": "28",
  "agent_privileges": [1, 2, 3, 4, 5],
  "goal": "Analyze and fix the security finding",
  "start_workflow": true,
  "workflow_definition": "resolve_pipeline_security_finding/experimental",
  "environment": "web",
  "source_branch": "569868/implement_security_findings_tools",
  "additional_context": [
    {
      "Category": "pipeline_finding_info",
      "Content": "{\"pipeline_id\": 3626, \"finding_uuid\": \"1e9a2bf7-0450-5894-8db5-895c98e39deb\"}"
    }
  ]
}' \
http://gdk.test:3000/api/v4/ai/duo_workflows/workflows

Merge request checklist

  • Tests added for new functionality. If not, please raise an issue to follow up.
  • Documentation added/updated, if needed.
  • If this change requires executor implementation: verified that issues/MRs exist for both Go executor and Node executor or confirmed that changes are backward-compatible and don't break existing executor functionality.
Edited by Andrew Jung

Merge request reports