Adds policy_violations to vulnerability reference
What does this MR do and why?
This MR adds policy_violations population to the Vulnerabilities Elasticsearch reference class.
Vulnerability records are now enhanced with preloaded policy violations information.
References
Related to: #561739 (closed), #549786 (closed)
Screenshots or screen recordings
How to set up and validate locally
Elasticsearch Setup
- Enable Elasticsearch in GDK:
gdk config set elasticsearch.enabled true
gdk reconfigure
gdk start elasticsearch
Simulate a security policy dismissal
- Import the security-reports project.
- Run a new pipeline on the default branch to create vulnerabilities
- Go to Secure > Policies and create a Merge Request Approval policy
- Create an MR editing the README file
- Create a Security::PolicyDismissal record to simulate a bypassed/dismissed policy, using the security policy, the merge request and one of the vulnerability UUIDs detected in the pipeline:
Security::PolicyDismissal.create(project: Project.second_to_last, merge_request: MergeRequest.last, security_policy: Security::Policy.last, user: User.first, dismissal_types: [0], security_findings_uuids: ["vulnerability-uuid"])
Update the ES index
- In Rails console load the vulnerability read using the same dismissed UUID from the previous step
vulnerability_read = Vulnerabilities::Read.where(uuid:'vulnerability-uuid').first
::Elastic::ProcessBookkeepingService.track!(Search::Elastic::References::Vulnerability.new(vulnerability_read.vulnerability_id, "group_#{vulnerability_read.project.namespace.root_ancestor.id}"))
- Process the Redis refs into ES; run the command below repeatedly until the result shows [0, 0].
Elastic::ProcessBookkeepingService.new.execute
- Find the vulnerability_id
vulnerability_read.vulnerability_id
- For the vulnerability_id found in the above step, verify that the indexed ES document has the reachability field populated.
- On your terminal the query would be like:
curl -s "http://localhost:9200/gitlab-development-vulnerabilities/_search?pretty" \
-H "Content-Type: application/json" \
-d '{
"query": {
"term": {
"vulnerability_id": {
"value": 834
}
}
}
}'
And the result would be like:
{
"took" : 21,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 1,
"relation" : "eq"
},
"max_score" : 1.0,
"hits" : [
{
"_index" : "gitlab-development-vulnerabilities-20251003-2328",
"_id" : "834",
"_score" : 1.0,
"_routing" : "group_1",
"_source" : {
"schema_version" : 2538,
"type" : "vulnerability",
"vulnerability_id" : 834,
"project_id" : 157,
"scanner_id" : 596,
"uuid" : "84c1832e-294d-59f0-b3ff-b4414cc86c70",
"location_image" : null,
"cluster_agent_id" : null,
"casted_cluster_agent_id" : null,
"has_issues" : false,
"resolved_on_default_branch" : false,
"has_merge_request" : false,
"has_remediations" : false,
"archived" : false,
"has_vulnerability_resolution" : false,
"auto_resolved" : false,
"identifier_names" : [
"Gitleaks rule ID twitch-api-token"
],
"report_type" : 4,
"severity" : 7,
"state" : 1,
"dismissal_reason" : null,
"scanner_external_id" : "gitleaks",
"created_at" : "2025-07-17T18:28:02.848Z",
"updated_at" : "2025-07-17T18:28:02.848Z",
"traversal_ids" : "1-",
"epss_scores" : [ ],
"reachability" : 0,
"token_status" : 0,
"policy_violations" : 0,
"resolved_at" : null,
"dismissed_at" : null
}
}
]
}
}
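As an added helper for the last validation step (example code, not part of this MR or of GitLab): it builds the same term query the curl command sends and checks the returned document, i.e. that exactly one hit comes back, that its `_id` and `_routing` match the vulnerability and the `group_<root ancestor id>` routing used when tracking the reference, and that `policy_violations` (or any other requested field) is present and an integer. The sample response below is constructed to mirror the shape of the output above; the field names are taken from it, the failure messages are assumptions about the likely cause.

```python
# Constructed sample, shaped like the curl output in the MR description (not a real capture).
SAMPLE_RESPONSE = {
    "hits": {
        "total": {"value": 1, "relation": "eq"},
        "hits": [{
            "_index": "gitlab-development-vulnerabilities-20251003-2328",
            "_id": "834",
            "_routing": "group_1",
            "_source": {"type": "vulnerability", "vulnerability_id": 834,
                        "uuid": "84c1832e-294d-59f0-b3ff-b4414cc86c70",
                        "reachability": 0, "token_status": 0, "policy_violations": 0},
        }],
    }
}


def search_body(vulnerability_id):
    """Body of the term query the MR description runs with curl."""
    return {"query": {"term": {"vulnerability_id": {"value": vulnerability_id}}}}


def check_indexed_fields(response, vulnerability_id, root_ancestor_id, fields=("policy_violations",)):
    """Validate the indexed document for one vulnerability and return the requested fields.

    Each failure raises ValueError naming the likely cause (assumed, not from the MR),
    so a wrong result after Elastic::ProcessBookkeepingService.new.execute is quick to diagnose.
    """
    hits = response["hits"]["hits"]
    if not hits:
        raise ValueError("no document yet: bookkeeping queue not drained, rerun until [0, 0]")
    if len(hits) > 1:
        raise ValueError(f"expected one document for vulnerability_id {vulnerability_id}, got {len(hits)}")
    hit = hits[0]
    src = hit["_source"]
    # _id and _source.vulnerability_id must both be the queried id
    if hit["_id"] != str(vulnerability_id) or src.get("vulnerability_id") != vulnerability_id:
        raise ValueError("document id does not match the queried vulnerability_id")
    # routing must be the root ancestor group the reference was tracked with
    expected_routing = f"group_{root_ancestor_id}"
    if hit.get("_routing") != expected_routing:
        raise ValueError(f"routing {hit.get('_routing')!r} != {expected_routing!r}")
    result = {}
    for field in fields:
        if field not in src:
            raise ValueError(f"{field!r} missing: document may predate the field, re-track and reindex it")
        if not isinstance(src[field], int):
            raise ValueError(f"{field!r} should be an integer, got {type(src[field]).__name__}")
        result[field] = src[field]
    return result
```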
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Marcos Rocha
