Draft: Adds policy_auto_dismissed to vulnerability reference
## What does this MR do and why?

This MR adds population of `policy_auto_dismissed` to the Vulnerabilities Elasticsearch reference class.
Vulnerability records are now enhanced with preloaded `policy_auto_dismissed` information.
## References

Related to: #581391

## Screenshots or screen recordings

## How to set up and validate locally

### Elasticsearch Setup
- Enable Elasticsearch in GDK:

  ```shell
  gdk config set elasticsearch.enabled true
  gdk reconfigure
  gdk start elasticsearch
  ```
### Create a policy to auto dismiss a vulnerability

- Enable the feature flag `auto_dismiss_vulnerability_policies` using the rails console:

  ```ruby
  Feature.enable(:auto_dismiss_vulnerability_policies)
  ```
- Create a new project
- Go to Secure > Policies
- Click on New policy
- Select Vulnerability management policy
- Switch to the `.yaml` mode and paste the content below:

  ```yaml
  vulnerability_management_policy:
    - name: Auto-dismiss acceptable secrets
      description: Auto-dismiss secrets
      enabled: true
      actions:
        - type: auto_dismiss
          dismissal_reason: not_applicable
      rules:
        - type: detected
          criteria:
            - type: file_path
              value: ".env"
  ```
- Click on `Create new project with the new policy`
- Merge the new MR
- Go back to the project created in step 2
- Add `.gitlab-ci.yml` with secret detection:

  ```yaml
  include:
    - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
  ```

- Add a new file `.env` with a secret in the `main` branch:

  ```
  AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ
  ```

- Wait until the pipeline on `main` finishes
### Update the ES index

- Using the rails console, load the `vulnerability_read` associated with the auto-dismissed vulnerability:

  ```ruby
  vulnerability_read = Vulnerability.last.vulnerability_read
  ::Elastic::ProcessBookkeepingService.track!(Search::Elastic::References::Vulnerability.new(vulnerability_read.vulnerability.id, "group_#{vulnerability_read.project.namespace.root_ancestor.id}"))
  ```

- Process the Redis refs into ES. Run the command below multiple times until the results show `[0, 0]`:

  ```ruby
  Elastic::ProcessBookkeepingService.new.execute
  ```

- Find the `vulnerability_id`:

  ```ruby
  vulnerability_read.vulnerability_id
  ```
- Using the `vulnerability_id` from the previous step, verify that ES indexing has the `policy_auto_dismissed` field populated using the query below in your terminal:

  ```shell
  curl -s "http://localhost:9200/gitlab-development-vulnerabilities/_search?pretty" \
    -H "Content-Type: application/json" \
    -d '{
      "query": {
        "term": {
          "vulnerability_id": {
            "value": 834
          }
        }
      }
    }'
  ```
  The result would be like:

  ```json
  {
    "took" : 6,
    "timed_out" : false,
    "_shards" : {
      "total" : 5,
      "successful" : 5,
      "skipped" : 0,
      "failed" : 0
    },
    "hits" : {
      "total" : {
        "value" : 1,
        "relation" : "eq"
      },
      "max_score" : 1.0,
      "hits" : [
        {
          "_index" : "gitlab-development-vulnerabilities-20251212-1803",
          "_id" : "543",
          "_score" : 1.0,
          "_routing" : "group_1",
          "_source" : {
            "schema_version" : 2550,
            "type" : "vulnerability",
            "vulnerability_id" : 543,
            "project_id" : 21,
            "scanner_id" : 20,
            "uuid" : "9a1cc2c1-5bba-55da-9e74-b92e97833f68",
            "location_image" : null,
            "cluster_agent_id" : null,
            "casted_cluster_agent_id" : null,
            "has_issues" : false,
            "resolved_on_default_branch" : false,
            "has_merge_request" : false,
            "has_remediations" : false,
            "archived" : false,
            "has_vulnerability_resolution" : false,
            "auto_resolved" : false,
            "identifier_names" : [
              "Gitleaks rule ID AWS"
            ],
            "report_type" : 4,
            "severity" : 7,
            "state" : 2,
            "dismissal_reason" : 4,
            "scanner_external_id" : "gitleaks",
            "created_at" : "2025-12-16T21:19:28.114Z",
            "updated_at" : "2025-12-16T21:19:28.256Z",
            "traversal_ids" : "1-",
            "epss_scores" : [ ],
            "security_project_tracked_context_id" : null,
            "detected_at" : "2025-12-16T21:14:32.381Z",
            "risk_score" : 0.6,
            "reachability" : 0,
            "token_status" : 0,
            "policy_violations" : 0,
            "resolved_at" : null,
            "dismissed_at" : "2025-12-16T21:19:28.256Z",
            "false_positive" : false,
            "policy_auto_dismissed" : true
          }
        }
      ]
    }
  }
  ```
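An added Ruby check, not part of this MR, that runs offline against a constructed sample of the search response above and verifies that the indexed document for a given `vulnerability_id` carries a boolean `policy_auto_dismissed` and, when it is `true`, that the document is consistent with a dismissal (state, `dismissed_at` and `dismissal_reason` set). The dismissed state value `2` is assumed from the sample output; the sample values are constructed.

```ruby
require 'json'

# Constructed sample of an Elasticsearch search response for the
# gitlab-development-vulnerabilities index, trimmed to the fields the
# check below looks at (values are illustrative, not from a real instance).
SAMPLE_RESPONSE = <<~JSON
  {
    "hits": {
      "total": { "value": 1, "relation": "eq" },
      "hits": [
        {
          "_index": "gitlab-development-vulnerabilities-20251212-1803",
          "_id": "543",
          "_source": {
            "vulnerability_id": 543,
            "state": 2,
            "dismissal_reason": 4,
            "dismissed_at": "2025-12-16T21:19:28.256Z",
            "policy_auto_dismissed": true
          }
        }
      ]
    }
  }
JSON

# Assumed from the sample output: state 2 is the dismissed state.
DISMISSED_STATE = 2

# Returns a list of problems found in the indexed document for +vulnerability_id+.
# An empty list means policy_auto_dismissed is populated and consistent.
def check_policy_auto_dismissed(response_json, vulnerability_id)
  hits = JSON.parse(response_json).dig('hits', 'hits') || []
  hit = hits.find { |h| h.dig('_source', 'vulnerability_id') == vulnerability_id }
  return ["vulnerability #{vulnerability_id} not found in index"] unless hit

  source = hit['_source']
  return ['policy_auto_dismissed missing from _source'] unless source.key?('policy_auto_dismissed')

  flag = source['policy_auto_dismissed']
  problems = []
  problems << "policy_auto_dismissed is #{flag.inspect}, expected true/false" unless [true, false].include?(flag)
  if flag == true
    problems << "auto-dismissed but state is #{source['state']}" unless source['state'] == DISMISSED_STATE
    problems << 'auto-dismissed but dismissed_at is null' if source['dismissed_at'].nil?
    problems << 'auto-dismissed but dismissal_reason is null' if source['dismissal_reason'].nil?
  end
  problems
end

if $PROGRAM_NAME == __FILE__
  problems = check_policy_auto_dismissed(SAMPLE_RESPONSE, 543)
  puts(problems.empty? ? 'OK: policy_auto_dismissed populated and consistent' : problems.join("\n"))
end
```

To run it against a live GDK, pipe the `curl` output from the step above into a file and pass its contents to `check_policy_auto_dismissed` with the `vulnerability_id` you queried.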
## MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Marcos Rocha
