Vulnerability Management Skill

Security vulnerability management for GitLab using raw `glab api` endpoint calls.
| Operation | Command Pattern | Risk |
|---|---|---|
| List vulnerabilities | `glab api projects/:id/vulnerabilities` | - |
| Get vulnerability | `glab api projects/:id/vulnerabilities/:vuln_id` | - |
| Confirm vulnerability | `glab api projects/:id/vulnerabilities/:vuln_id/confirm -X POST` | ⚠️ |
| Dismiss vulnerability | `glab api projects/:id/vulnerabilities/:vuln_id/dismiss -X POST -f ...` | ⚠️ |
| Resolve vulnerability | `glab api projects/:id/vulnerabilities/:vuln_id/resolve -X POST` | ⚠️ |
| Revert to detected | `glab api projects/:id/vulnerabilities/:vuln_id/revert -X POST` | ⚠️ |
| List findings | `glab api projects/:id/vulnerability_findings` | - |
Risk Legend: - Safe | ⚠️ Caution | ⚠️⚠️ Warning | ⚠️⚠️⚠️ Danger
When to Use This Skill
ALWAYS use when:
- User mentions "vulnerability", "security issue", "CVE"
- User wants to view security scan results
- User mentions "SAST", "DAST", "dependency scanning", "container scanning"
- User wants to dismiss or resolve security findings
- User asks about security dashboard
NEVER use when:
- User wants to run security scans (use gitlab-ci)
- User wants to configure security settings (use project settings)
- User wants general issue tracking (use gitlab-issue)
API Prerequisites
Required Token Scopes: `api` (or `read_api` for read-only operations)
Permissions:
- Read vulnerabilities: Developer+
- Manage vulnerabilities: Developer+
GitLab Tier: Ultimate required for full vulnerability management features
| State | Description |
|---|---|
| `detected` | New, unreviewed vulnerability |
| `confirmed` | Verified as real vulnerability |
| `dismissed` | Marked as false positive or won't fix |
| `resolved` | Fixed and no longer present |
| Severity | Description |
|---|---|
| `critical` | Highest severity, immediate action needed |
| `high` | Significant risk |
| `medium` | Moderate risk |
| `low` | Minor risk |
| `info` | Informational finding |
| `unknown` | Severity not determined |
List Project Vulnerabilities

```bash
# List all vulnerabilities
glab api projects/123/vulnerabilities --method GET

# Filter by state
glab api "projects/123/vulnerabilities?state=detected" --method GET

# Filter by severity
glab api "projects/123/vulnerabilities?severity=critical,high" --method GET

# Filter by multiple criteria
glab api "projects/123/vulnerabilities?state=detected&severity=critical,high" --method GET

# With pagination
glab api projects/123/vulnerabilities --paginate

# Using project path (the namespace/project path must be URL-encoded)
glab api "projects/$(echo 'mygroup/myproject' | jq -Rr @uri)/vulnerabilities"
```
Get Vulnerability Details

```bash
# Get specific vulnerability
glab api projects/123/vulnerabilities/456 --method GET
```
Confirm Vulnerability

Marks a detected vulnerability as confirmed (real security issue).

```bash
# Confirm vulnerability
glab api projects/123/vulnerabilities/456/confirm --method POST
```
Dismiss Vulnerability

Marks a vulnerability as dismissed (false positive or accepted risk). Always pass a comment that records why; a dismissal can be undone with the revert endpoint.

```bash
# Dismiss as false positive
glab api projects/123/vulnerabilities/456/dismiss --method POST \
  -f comment="False positive - this code path is not reachable"

# Dismiss as acceptable risk
glab api projects/123/vulnerabilities/456/dismiss --method POST \
  -f comment="Accepted risk - mitigated by network controls"

# Dismiss with dismissal reason (if available)
glab api projects/123/vulnerabilities/456/dismiss --method POST \
  -f comment="Not applicable to our use case" \
  -f dismissal_reason="used_in_tests"
```
Resolve Vulnerability

Marks a vulnerability as resolved (fixed).

```bash
# Resolve vulnerability
glab api projects/123/vulnerabilities/456/resolve --method POST
```
Revert to Detected State

Reverts a vulnerability back to the detected state.

```bash
# Revert to detected
glab api projects/123/vulnerabilities/456/revert --method POST
```
List Vulnerability Findings

Findings are the raw results from security scanners.

```bash
# List all findings
glab api projects/123/vulnerability_findings --method GET

# Filter by severity
glab api "projects/123/vulnerability_findings?severity=critical,high" --method GET

# Filter by scanner
glab api "projects/123/vulnerability_findings?scanner=sast" --method GET

# Filter by pipeline
glab api "projects/123/vulnerability_findings?pipeline_id=789" --method GET

# With pagination
glab api projects/123/vulnerability_findings --paginate
```
Security Dashboard (Group Level)

```bash
# Request a CSV export of the group's vulnerabilities
# (the export is produced asynchronously; poll it before downloading)
glab api groups/456/vulnerability_exports --method POST \
  -f export_format="csv"

# Get group vulnerability statistics
glab api "groups/456/vulnerability_statistics" --method GET
```
Workflow 1: Triage New Vulnerabilities

```bash
project_id=123

# Get all detected (new) vulnerabilities
glab api "projects/$project_id/vulnerabilities?state=detected" --paginate |
  jq -r '.[] | "[\(.severity)] \(.title) - \(.id)"'

# Review critical/high first
glab api "projects/$project_id/vulnerabilities?state=detected&severity=critical,high" |
  jq -r '.[] | "ID: \(.id)\nTitle: \(.title)\nSeverity: \(.severity)\nScanner: \(.scanner.name)\nLocation: \(.location | @json)\n---"'
```
Workflow 2: Generate Security Report

```bash
# jq -s merges the per-page arrays that --paginate emits into one list,
# so the counts cover every page rather than only the last one.

# Summary by severity
echo "=== Vulnerability Summary ==="
glab api "projects/$project_id/vulnerabilities" --paginate |
  jq -rs 'add // [] | group_by(.severity) | map({severity: .[0].severity, count: length}) | .[] | "\(.severity): \(.count)"'

# Summary by state
echo ""
echo "=== By State ==="
glab api "projects/$project_id/vulnerabilities" --paginate |
  jq -rs 'add // [] | group_by(.state) | map({state: .[0].state, count: length}) | .[] | "\(.state): \(.count)"'

# Summary by scanner
echo ""
echo "=== By Scanner ==="
glab api "projects/$project_id/vulnerabilities" --paginate |
  jq -rs 'add // [] | group_by(.scanner.name) | map({scanner: .[0].scanner.name, count: length}) | .[] | "\(.scanner): \(.count)"'
```
Workflow 3: Bulk Dismiss False Positives

```bash
# Dismiss all info-level findings that are still in the detected state.
# The query below filters by severity and state only; print the list first
# and inspect it, because a dismissal hides the finding from the dashboard
# (it can be undone per vulnerability with the /revert endpoint).
glab api "projects/$project_id/vulnerabilities?severity=info&state=detected" --paginate |
  jq -r '.[].id' | while read -r vuln_id; do
    echo "Dismissing $vuln_id"
    glab api "projects/$project_id/vulnerabilities/$vuln_id/dismiss" --method POST \
      -f comment="Bulk dismissed - info level findings"
  done
```
Workflow 4: Track Critical Vulnerabilities

```bash
# List critical vulnerabilities with details
glab api "projects/$project_id/vulnerabilities?severity=critical" --paginate |
  jq -r '.[] | {
    id: .id,
    title: .title,
    state: .state,
    detected_at: .detected_at,
    scanner: .scanner.name,
    identifiers: [.identifiers[]?.name] | join(", ")
  }'
```
Workflow 5: Check for CVEs

```bash
project_id=123
cve="CVE-2021-44228"

# Search for a specific CVE: a vulnerability matches when any of its
# identifiers carries that CVE name. --arg passes the value safely into jq.
glab api "projects/$project_id/vulnerabilities" --paginate |
  jq -r --arg cve "$cve" '.[] | select(any(.identifiers[]?; .name == $cve)) | "ID: \(.id), State: \(.state), Title: \(.title)"'
```
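The summary of Workflow 2 and the CVE lookup of Workflow 5 as one offline example, written for this page rather than taken from the project: it assumes the vulnerability objects carry `severity`, `state`, `scanner.name` and `identifiers[].name` as the jq filters above do, and it handles output of `glab api --paginate` whether that arrives as one JSON array or as one array per page. The sample data is constructed.

```python
import json

# Constructed sample: two "pages" as --paginate may emit them (one JSON
# array per page, concatenated). Shaped like the API, not real GitLab output.
SAMPLE_PAGES = """
[{"id": 1, "title": "Remote code execution in log4j-core", "state": "detected",
  "severity": "critical", "scanner": {"name": "Gemnasium"},
  "identifiers": [{"type": "cve", "name": "CVE-2021-44228"},
                  {"type": "cwe", "name": "CWE-502"}]},
 {"id": 2, "title": "SQL injection", "state": "confirmed", "severity": "high",
  "scanner": {"name": "Semgrep"}, "identifiers": [{"type": "cwe", "name": "CWE-89"}]}]
[{"id": 3, "title": "Hardcoded password", "state": "dismissed", "severity": "info",
  "scanner": {"name": "Gitleaks"}, "identifiers": []}]
"""


def parse_pages(text):
    """Decode one or more concatenated JSON arrays into a single list."""
    decoder = json.JSONDecoder()
    vulns, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1                      # raw_decode does not skip whitespace
        if pos >= len(text):
            return vulns
        page, pos = decoder.raw_decode(text, pos)
        vulns.extend(page)


def summarize(vulns, key):
    """Count vulnerabilities by a top-level field ('severity', 'state') or by scanner name."""
    counts = {}
    for v in vulns:
        k = v["scanner"]["name"] if key == "scanner" else v.get(key, "unknown")
        counts[k] = counts.get(k, 0) + 1
    return dict(sorted(counts.items()))


def find_cve(vulns, cve):
    """Return vulnerabilities where any identifier name equals the CVE id."""
    return [v for v in vulns
            if any(i.get("name") == cve for i in v.get("identifiers") or [])]


if __name__ == "__main__":
    data = parse_pages(SAMPLE_PAGES)
    for field in ("severity", "state", "scanner"):
        print(f"=== By {field} ===", summarize(data, field))
    for v in find_cve(data, "CVE-2021-44228"):
        print(f"ID: {v['id']}, State: {v['state']}, Title: {v['title']}")
```

To run it against real data, replace `SAMPLE_PAGES` with the captured stdout of `glab api "projects/$project_id/vulnerabilities" --paginate`.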
Workflow 6: Export Vulnerabilities

```bash
# Export to JSON (--paginate emits one array per page; merge into one document)
glab api "projects/$project_id/vulnerabilities" --paginate |
  jq -s 'add // []' > vulnerabilities.json

# Export to CSV format
glab api "projects/$project_id/vulnerabilities" --paginate |
  jq -rs '["id","title","severity","state","scanner","detected_at"],
    (add // [] | .[] | [.id, .title, .severity, .state, .scanner.name, .detected_at]) | @csv' > vulnerabilities.csv
```
Workflow 7: Compare Pipeline Results

```bash
# Get findings from specific pipeline
pipeline_id=789
glab api "projects/$project_id/vulnerability_findings?pipeline_id=$pipeline_id" |
  jq -r '.[] | "\(.severity): \(.name)"'
```
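The comparison step itself, added here as an example that is not part of the original skill: given the findings lists fetched for two pipeline ids with the command above, it reports which findings are new and which are gone, keyed on report type, identifier names and file so that a finding that merely moved to another line is not counted as new plus fixed. The two finding lists are constructed samples shaped like the findings endpoint output.

```python
# Constructed sample findings for two pipelines (not real scanner output).
BASELINE = [
    {"name": "Use of weak hash MD5", "severity": "medium", "report_type": "sast",
     "identifiers": [{"type": "cwe", "name": "CWE-328"}],
     "location": {"file": "auth/hash.py", "start_line": 12}},
    {"name": "log4j-core RCE", "severity": "critical", "report_type": "dependency_scanning",
     "identifiers": [{"type": "cve", "name": "CVE-2021-44228"}],
     "location": {"file": "pom.xml"}},
]
CURRENT = [
    {"name": "Use of weak hash MD5", "severity": "medium", "report_type": "sast",
     "identifiers": [{"type": "cwe", "name": "CWE-328"}],
     "location": {"file": "auth/hash.py", "start_line": 15}},  # moved, not new
    {"name": "Hardcoded credential", "severity": "high", "report_type": "secret_detection",
     "identifiers": [{"type": "cwe", "name": "CWE-798"}],
     "location": {"file": "config/settings.py", "start_line": 3}},
]


def finding_key(f):
    """Stable identity: report type, sorted identifier names, file. Line numbers
    are ignored on purpose so a finding that shifted lines stays 'the same'."""
    ids = tuple(sorted(i["name"] for i in f.get("identifiers") or []))
    loc = f.get("location") or {}
    return (f.get("report_type"), ids, loc.get("file"))


def diff_findings(baseline, current):
    """Return (new, fixed): findings only in current, and only in baseline."""
    base = {finding_key(f): f for f in baseline}
    cur = {finding_key(f): f for f in current}
    new = [cur[k] for k in cur if k not in base]
    fixed = [base[k] for k in base if k not in cur]
    return new, fixed


if __name__ == "__main__":
    new, fixed = diff_findings(BASELINE, CURRENT)
    for f in new:
        print(f"NEW   [{f['severity']}] {f['name']} ({f['location'].get('file')})")
    for f in fixed:
        print(f"FIXED [{f['severity']}] {f['name']} ({f['location'].get('file')})")
```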
| Scanner | Report Type | Description |
|---|---|---|
| SAST | `sast` | Static Application Security Testing |
| DAST | `dast` | Dynamic Application Security Testing |
| Dependency Scanning | `dependency_scanning` | Third-party dependency vulnerabilities |
| Container Scanning | `container_scanning` | Container image vulnerabilities |
| Secret Detection | `secret_detection` | Hardcoded secrets in code |
| Coverage Fuzzing | `coverage_fuzzing` | Fuzzing test results |
| API Fuzzing | `api_fuzzing` | API fuzzing results |
| Issue | Cause | Solution |
|---|---|---|
| 403 Forbidden | Ultimate required or no access | Check GitLab tier and permissions |
| Empty results | No scans run | Configure and run security scanners in CI |
| Old vulnerabilities | No recent pipeline | Run new pipeline with security jobs |
| Can't dismiss | Already dismissed or resolved | Check current state |
| Missing scanner type | Scanner not configured | Add scanner to CI configuration |
- Triage regularly: Review new vulnerabilities frequently
- Document dismissals: Always add comments explaining why
- Track critical issues: Monitor critical/high severity closely
- Integrate with issues: Create issues for confirmed vulnerabilities
- Automate where possible: Use CI to fail on new critical findings
Related Documentation