feat: add link vulnerability to mr
What does this merge request do and why?
Updates the SAST VR workflow to use the tool implemented in feat: add LinkVulnerabilityToMergeRequest tool (!3392 - merged)
How to set up and validate locally
- Create a valid vulnerability under your project (can be imported from staging projects, or create your own)
- Run the resolve_sast_vulnerability flow
curl -X POST \
-H "Authorization: Bearer $GDK_API_TOKEN" \
-H "Content-Type: application/json" \
-d "{
\"project_id\": \"<PROJECT_ID>\",
\"agent_privileges\": [1, 2, 3, 4, 5],
\"goal\": \"Fix vulnerability ID: <VULNERABILITY_ID> \",
\"start_workflow\": true,
\"workflow_definition\": \"resolve_sast_vulnerability/v1\",
\"environment\": \"web\",
\"source_branch\": \"security/sast/resolve-vulnerability-<VULNERABILITY_ID>\"
}" \
http://gdk.test:3000/api/v4/ai/duo_workflows/workflows- After completion, you can double-check using the GitLab graphql endpoint that the vulnerability is linked to the merge request:
curl -H "Authorization: Bearer $GDK_API_TOKEN" \
"http://gdk.test:3000/api/graphql" \
-d '{
"query": "query { vulnerability(id: \"gid://gitlab/Vulnerability/<VULN_ID>\") { id mergeRequests { nodes { id title } } } }"
}'Merge request checklist
-
Tests added for new functionality. If not, please raise an issue to follow up. -
Documentation added/updated, if needed. -
If this change requires executor implementation: verified that issues/MRs exist for both Go executor and Node executor or confirmed that changes are backward-compatible and don't break existing executor functionality.
Edited by Nate Rosandich