Skip to content

feat: add missing prompt files for link_vulnerability and use create_merge_request tool

Andrew Jungrequested to merge
andrew-jung/add-models-resolve-sast-vr into main

What does this merge request do and why?

Adds claude, gpt, and vertex prompt base files for link_vulnerability_to_mr It also adds using the create_merge_request tool for making the merge request (separated the prompts as well) Updated the prompt to better parse the git commands/URLs

How to set up and validate locally

Steps outlined in the original MR: !3664 (merged)

  1. Enable GitLab Duo / Agentic flow, enable the import_vulnerabilities feature flag if importing a project.
  2. Import a project / or create a SAST vulnerability in a project (export projects can be found here: https://staging.gitlab.com/groups/ai-evaluation/etv with a vulnerability, eg., https://staging.gitlab.com/ai-evaluation/etv/gitlab-runner)
  • Check the Secure tab > Vulnerability Report > Filter by report_type SAST
  1. Afterwards, navigate to the Project, find the Vulnerability Report, example URL: http://gdk.test:3000/gitlab-duo/myproject/-/security/vulnerability_report/?reportType=SAST
  2. Click on a Vulnerability, and grab its ID (at the URL like http://gdk.test:3000/gitlab-duo/myproject/-/security/vulnerabilities/772 so 772
  3. Use the ID as part of the request:

export GDK_API_TOKEN=<>

#!/bin/bash

curl -X POST \
-H "Authorization: Bearer $GDK_API_TOKEN" \
-H "Content-Type: application/json" \
-d "{
\"project_id\": \"<PROJECT_ID>\",
\"agent_privileges\": [1, 2, 3, 4, 5],
\"pre_approved_agent_privileges\": [1, 2, 3, 4, 5],
\"goal\": \"Fix vulnerability ID: <VULN_ID>\",
\"start_workflow\": true,
\"workflow_definition\": \"resolve_sast_vulnerability/v1\",
\"environment\": \"web\",
\"allow_agent_to_request_user\": false
}" \
http://gdk.test:3000/api/v4/ai/duo_workflows/workflows
  1. Ensure it completes, following gdk tail duo-workflow-service
  2. Verify the merge request is linked to the vulnerability (API):
curl -H "Authorization: Bearer $GDK_API_TOKEN" \
  "http://gdk.test:3000/api/graphql" \
  -d '{
    "query": "query { vulnerability(id: \"gid://gitlab/Vulnerability/<VULN_ID>\") { id mergeRequests { nodes { id title } } } }"
  }'

Merge request checklist

  • Tests added for new functionality. If not, please raise an issue to follow up.
  • Documentation added/updated, if needed.
  • If this change requires executor implementation: verified that issues/MRs exist for both Go executor and Node executor or confirmed that changes are backward-compatible and don't break existing executor functionality.
Edited by Andrew Jung

Merge request reports