
feat(vulnerabilities): expose Vulnerability Management (Ultimate) #438

@polaz

Description


πŸ‘ React to this issue if you need this feature β€” helps us prioritise.

Problem

GitLab's Vulnerability Management surface is a major Ultimate-tier capability — list project vulnerabilities, dismiss false positives, confirm findings, revert dismissals. Critical for security teams, exposed by competing MCP servers (jmrplens, yoda-digital). We have nothing.

Investigation done (current state)

Verified against src/entities/:

  • ❌ grep -ri 'vulnerabilit' src/ returns 20 hits — but all are in utils/error-handler.ts, cli/init/wizard.ts, graphql/workItems.ts referencing the word in OTHER contexts (e.g. dependency vulnerabilities). No actual vulnerability entity
  • ❌ No entity vulnerabilities/ exists
  • ✅ Our test instance is Ultimate (git-test.private.systems) — we can integration-test

Re-verify before coding:

grep -rIni 'vulnerabilit' src/entities/ src/graphql/
ls src/entities/ | grep -i vuln

Acceptance criteria

  • New entity src/entities/vulnerabilities/ with:
    • browse_vulnerabilities actions: list (project / group / instance), get
    • manage_vulnerability actions: dismiss, confirm, resolve, revert (un-dismiss)
  • Tier-gated: requires Ultimate (return clear error on Free/Premium)
  • Integration test gated via describeIfTier('ultimate', ...) (helper already exists per test(integration): skip tier-gated suites when GitLab license unavailable #428)
  • Consider both REST endpoints and GraphQL Vulnerability type β€” GraphQL likely richer for nested details

GitLab API

  • REST: /api/v4/projects/:id/vulnerabilities + /vulnerabilities/:id/dismiss/confirm/resolve/revert
  • GraphQL: Vulnerability type + vulnerabilityDismiss, vulnerabilityConfirm, etc. mutations
  • Tier: Ultimate
  • Docs: https://docs.gitlab.com/api/vulnerabilities/
  • New in 18.x: originalSeverity field on PipelineSecurityReportFinding GraphQL — additive, include in get response
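Sketch of the tier-gated entity described in the acceptance criteria and the REST endpoints listed above, added here as an illustration and not code from this project. It assumes the server already knows the instance tier from its config (the issue does not say how that is learnt), injects a synchronous transport so it runs offline, and ships with a constructed fake standing in for an Ultimate instance.

```typescript
export type Tier = "free" | "premium" | "ultimate"; // assumed: learnt from server config
export type ManageAction = "dismiss" | "confirm" | "resolve" | "revert";
export interface Req { url: string; method: "GET" | "POST"; headers: Record<string, string> }
export interface Res { status: number; body: unknown }
export type Transport = (req: Req) => Res; // injected; synchronous for the sake of the example
export class TierError extends Error {}

const ACTIONS: ReadonlySet<string> = new Set(["dismiss", "confirm", "resolve", "revert"]);

export function vulnerabilityClient(cfg: { baseUrl: string; token: string; tier: Tier; transport: Transport }) {
  const headers = { "PRIVATE-TOKEN": cfg.token };
  // Tier gate: refuse before any request leaves, with the clear error the acceptance criteria ask for.
  const gate = (tool: string): void => {
    if (cfg.tier !== "ultimate") throw new TierError(`${tool} requires GitLab Ultimate; this instance is ${cfg.tier}`);
  };
  const call = (req: Req): unknown => {
    const res = cfg.transport(req);
    if (res.status < 200 || res.status >= 300) throw new Error(`GitLab returned HTTP ${res.status} for ${req.method} ${req.url}`);
    return res.body;
  };
  return {
    // browse_vulnerabilities / list: GET /api/v4/projects/:id/vulnerabilities
    list(projectId: string | number): unknown {
      gate("browse_vulnerabilities");
      const id = encodeURIComponent(String(projectId)); // path-style ids like "group/app" must be URL-encoded
      return call({ url: `${cfg.baseUrl}/api/v4/projects/${id}/vulnerabilities`, method: "GET", headers });
    },
    // manage_vulnerability: POST /api/v4/vulnerabilities/:id/<dismiss|confirm|resolve|revert>
    manage(vulnId: number, action: ManageAction): unknown {
      gate("manage_vulnerability");
      // Tool arguments arrive from the MCP client, so validate them before they are interpolated into the URL.
      if (!ACTIONS.has(action)) throw new Error(`unsupported action: ${String(action)}`);
      if (!Number.isInteger(vulnId) || vulnId <= 0) throw new Error(`invalid vulnerability id: ${vulnId}`);
      return call({ url: `${cfg.baseUrl}/api/v4/vulnerabilities/${vulnId}/${action}`, method: "POST", headers });
    },
  };
}

// Constructed fake transport standing in for an Ultimate instance: one project, one finding (id 7).
const NEXT_STATE: Record<string, string> = { dismiss: "dismissed", confirm: "confirmed", resolve: "resolved", revert: "detected" };
export const fakeGitLab: Transport = (req) => {
  if (req.headers["PRIVATE-TOKEN"] !== "glpat-example") return { status: 401, body: null };
  if (req.method === "GET" && req.url.endsWith("/api/v4/projects/group%2Fapp/vulnerabilities"))
    return { status: 200, body: [{ id: 7, state: "detected", severity: "high" }] };
  const m = req.url.match(/\/api\/v4\/vulnerabilities\/(\d+)\/(\w+)$/);
  if (req.method === "POST" && m && m[1] === "7" && m[2] in NEXT_STATE)
    return { status: 201, body: { id: 7, state: NEXT_STATE[m[2]] } };
  return { status: 404, body: null };
};
```

Swapping `fakeGitLab` for a real HTTP transport is the only change needed to talk to an instance; the gate and argument validation stay in front of every call.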

Estimate

1.5d

Context

Found during GitLab 18→19 API landscape analysis. Real Ultimate-tier wedge — competitors mostly skip it.
