Enable Vulnerability Resolution in the Merge Request
### Problem to solve
We need to enable vulnerability resolution in the merge request so that developers can use it to fix vulnerabilities before they merge to main. Today it only works after a developer has merged to main, which means that it isn't part of the main DevSecOps use case.
### Desired workflow
A developer can view their security pipeline findings in the merge request and use vulnerability resolution to automatically create a commit with a suggested fix.
### Resources
1. Designs https://gitlab.com/gitlab-org/gitlab/-/issues/480255+
# Scope
MR Security widget
| Area | Function | Details | BE/FE | Issue | Complete |
|------|----------|---------|-------|-------|----------|
| **MR page** | | | | | |
| | Feature Flag | Add `resolve_vulnerability_in_mr` feature flag | ~backend | https://gitlab.com/gitlab-org/gitlab/-/issues/481532+ https://gitlab.com/gitlab-org/gitlab/-/issues/482753+ | :white_check_mark: |
| **MR Security Widget** | | | | | |
| | Permission check | Add `canResolveVulnerabilityWithAi` field to list [API (REST)](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb#L59). Based on unit primitives and CWE allowlist | ~backend | https://gitlab.com/gitlab-org/gitlab/-/issues/481540 | :white_check_mark: |
| | Display AI badge | For findings with `canResolveVulnerabilityWithAi=true` | ~frontend | https://gitlab.com/gitlab-org/gitlab/-/issues/482900 | :white_check_mark: |
| **Finding modal** | | | | | |
| | Permission check | Add `canResolveVulnerabilityWithAi` field to finding API (GraphQL). Based on unit primitives and CWE allowlist | ~backend | https://gitlab.com/gitlab-org/gitlab/-/issues/481533 | :white_check_mark: |
| | Resolve with AI button | Loading state, error handling | ~frontend | https://gitlab.com/gitlab-org/gitlab/-/issues/481782 | :white_check_mark: |
| | Trigger GraphQL mutation | With finding and MR details | ~frontend | https://gitlab.com/gitlab-org/gitlab/-/issues/481789 | :white_check_mark: |
| | GraphQL mutation | Schema, subscription. | ~backend | https://gitlab.com/gitlab-org/gitlab/-/issues/481535 | :white_check_mark: |
| | LLM Completion | LLM request. Addition of new `resolve_vulnerability` llm_method. | ~backend | https://gitlab.com/gitlab-org/gitlab/-/issues/481537 | :white_check_mark: |
| | Create suggestion | Convert LLM response into a suggestion. Return full URL of MR with #comment | ~backend | https://gitlab.com/gitlab-org/gitlab/-/issues/480773 | :white_check_mark: |
| | GraphQL mutation | Enable AI-resolve for findings without vulnerabilities | ~backend ~frontend | https://gitlab.com/gitlab-org/gitlab/-/issues/497804 | :white_check_mark: |
| **MR Page** | | | | | |
| | Redirect user and scroll to suggestion | Though we aren't including the pipeline page in scope, the finding modal will be accessed from there. Therefore we should use a standard location redirect for the first iteration. | ~frontend | https://gitlab.com/gitlab-org/gitlab/-/issues/481792 https://gitlab.com/gitlab-org/gitlab/-/issues/481791 | :white_check_mark: |
| **Documentation** | | | | | |
| | Docs | | ~documentation | https://gitlab.com/gitlab-org/gitlab/-/issues/480233 | :white_check_mark: |
## Out of scope
1. Pipeline security tab