- Vulnerability findings pagination
- List project vulnerability findings
- Replace Vulnerability Findings REST API with GraphQL
Vulnerability Findings API
Tier: Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated
This API resource is renamed from Vulnerabilities to Vulnerability Findings because the Vulnerabilities are reserved for serving Vulnerability objects. To fix any broken integrations with the former Vulnerabilities API, change the
vulnerabilities URL part to be vulnerability_findings.Every API call to vulnerability findings must be authenticated.
If a user does not have permission to use the Project Security Dashboard, any request for vulnerability findings of this project returns a 403 Forbidden status code.
This API is in the process of being deprecated and considered unstable. The response payload may be subject to change or breakage across GitLab releases. Use the GraphQL API instead. For more information, see GraphQL examples
Vulnerability findings pagination
By default, GET requests return 20 results at a time because the API results are paginated.
Read more on pagination.
List project vulnerability findings
List all of a project’s vulnerability findings.
GET /projects/:id/vulnerability_findings GET /projects/:id/vulnerability_findings?report_type=sast GET /projects/:id/vulnerability_findings?report_type=container_scanning GET /projects/:id/vulnerability_findings?report_type=sast,dast GET /projects/:id/vulnerability_findings?scope=all GET /projects/:id/vulnerability_findings?scope=dismissed GET /projects/:id/vulnerability_findings?severity=high GET /projects/:id/vulnerability_findings?confidence=unknown,experimental GET /projects/:id/vulnerability_findings?pipeline_id=42 | Attribute | Type | Required | Description |
|---|---|---|---|
id | integer/string | yes | The ID or URL-encoded path of the project which the authenticated user is a member of. |
report_type | string array | no | Returns vulnerability findings belonging to specified report type. Valid values: sast, dast, dependency_scanning, or container_scanning. Defaults to all. |
scope | string | no | Returns vulnerability findings for the given scope: all or dismissed. Defaults to dismissed. |
severity | string array | no | Returns vulnerability findings belonging to specified severity level: info, unknown, low, medium, high, or critical. Defaults to all. |
confidence | string array | no | Returns vulnerability findings belonging to specified confidence level: ignore, unknown, experimental, low, medium, high, or confirmed. Defaults to all. |
pipeline_id | integer/string | no | Returns vulnerability findings belonging to specified pipeline. |
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/4/vulnerability_findings" Example response:
[ { "id": null, "report_type": "sast", "name": "Possible command injection", "severity": "high", "confidence": "high", "scanner": { "external_id": "brakeman", "name": "Brakeman", "vendor": "GitLab" }, "identifiers": [ { "external_type": "brakeman_warning_code", "external_id": "14", "name": "Brakeman Warning Code 14", "url": "https://brakemanscanner.org/docs/warning_types/command_injection/" } ], "project_fingerprint": "ac218b1770af030cfeef967752ab803c55afb36d", "uuid": "ad5e3be3-a193-55f5-a200-bc12865fb09c", "create_jira_issue_url": null, "false_positive": true, "create_vulnerability_feedback_issue_path": "/root/test-false-positive/-/vulnerability_feedback", "create_vulnerability_feedback_merge_request_path": "/root/test-false-positive/-/vulnerability_feedback", "create_vulnerability_feedback_dismissal_path": "/root/test-false-positive/-/vulnerability_feedback", "project": { "id": 2, "name": "Test False Positive", "full_path": "/root/test-false-positive", "full_name": "Administrator / Test False Positive" }, "dismissal_feedback": null, "issue_feedback": null, "merge_request_feedback": null, "description": null, "links": [], "location": { "file": "app/controllers/users_controller.rb", "start_line": 42, "class": "UsersController", "method": "list_users" }, "remediations": [ null ], "solution": null, "evidence": null, "request": null, "response": null, "evidence_source": null, "supporting_messages": [], "assets": [], "details": {}, "state": "detected", "scan": { "type": "sast", "status": "success", "start_time": "2021-09-02T20:55:48", "end_time": "2021-09-02T20:55:48" }, "blob_path": "/root/test-false-positive/-/blob/dfd75607752a839bbc9c7362d111effaa470fecd/app/controllers/users_controller.rb#L42" } ] Replace Vulnerability Findings REST API with GraphQL
To prepare for the upcoming deprecation of the Vulnerability Findings REST API endpoint, use the examples below to perform the equivalent operations with the GraphQL API.
GraphQL - Project vulnerability findings
Use Pipeline.securityReportFindings.
query VulnerabilityFindings { project(fullPath: "gitlab-examples/security/security-reports") { pipelines(first:1) { nodes { securityReportFindings(first:1) { nodes { title severity state scanner { externalId name vendor } identifiers { externalType externalId name url } uuid falsePositive description location { ... on VulnerabilityLocationSast { file startLine endLine vulnerableClass vulnerableMethod blobPath } ... on VulnerabilityLocationContainerScanning { dependency { package { name } version } image operatingSystem } ... on VulnerabilityLocationDependencyScanning { file blobPath dependency { version } } } remediations { diff summary } solution evidence { request { body headers { name value } method url } } } } } } } } Example response:
{ "data": { "project": { "pipelines": { "nodes": [ { "securityReportFindings": { "nodes": [ { "title": "Deserialization of Untrusted Data", "severity": "CRITICAL", "state": "CONFIRMED", "scanner": { "externalId": "gemnasium", "name": "Gemnasium", "vendor": "GitLab" }, "identifiers": [ { "externalType": "gemnasium", "externalId": "b60c2d6b-9083-4a97-a1b2-f7dc79bff74c", "name": "Gemnasium-b60c2d6b-9083-4a97-a1b2-f7dc79bff74c", "url": "https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/activerecord/CVE-2022-32224.yml" }, { "externalType": "cve", "externalId": "CVE-2022-32224", "name": "CVE-2022-32224", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32224" }, { "externalType": "ghsa", "externalId": "GHSA-3hhc-qp5v-9p2j", "name": "GHSA-3hhc-qp5v-9p2j", "url": "https://github.com/advisories/GHSA-3hhc-qp5v-9p2j" } ], "uuid": "c9e40395-72cd-54f5-962f-e1d52c0dffab", "falsePositive": false, "description": "A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.", "location": { "file": "dependency-scanning-files/Gemfile.lock", "blobPath": null, "dependency": { "version": "5.0.0" } }, "remediations": [], "solution": "Upgrade to versions 5.2.8.1, 6.0.5.1, 6.1.6.1, 7.0.3.1 or above.", "evidence": null } ] } } ] } } } }