Using the GitLab GraphQL API for vulnerability reporting

Feb 2, 2022 · 5 min read · Leave a comment
Fernando Diaz GitLab profile

As part of GitLab Ultimate, you have access to the Vulnerability Report, which provides information about vulnerabilities from scans of the default branch. It is available for projects, groups, and the Security Center. From the Vulnerability Report you can:

You also get to perform functions (create/read/update/delete) on vulnerabilities using the GitLab GraphQL API.

In this blog post, I'll go over some of the GitLab GraphQL API and show how vulnerabilities can be managed with the API. Then I'll go over how to create a custom page where a user can report a vulnerability.

GitLab GraphQL API

GraphQL is a query language for APIs that allows clients to request exactly the data they need, making it possible to get all required data in a limited number of requests.

With the GitLab GraphQL API, you can perform many different functions on vulnerabilities which can be seen in the Vulnerability Reports. You can perform queries for data retrieval or mutations for creating, updating, and deleting data.

There are many other functions that can be performed on vulnerabilities using the GraphQL API, such as querying for vulnerability data, changing a vulnerability's status, and much more. You can see the rest of the GraphQL API functions by viewing the graphql reference page.

Running a GraphQL query to create a vulnerability

You can run GraphQL queries in a curl request on the command line on your local computer. A GraphQL request can be made as a POST request to /api/graphql with the query as the payload. You can authorize your request by generating a personal access token to use as a bearer token.

We will be using Mutation.vulnerabilityCreate in order to create a vulnerability.

1. Create a new project or use an existing project.

2. Create a Personal Access Token.

Note: Make sure it is api scoped.

3. Set the Personal Access Token in the environment variables.

```
$ export ACCESS_TOKEN=<your-personal-access-token>
```

4. Get your Project ID to use in the curl request.

Note: Project ID can be found in your project page

5. Send a curl request to graphql api.

```
$ curl -g --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" --request POST --data '{"query": "mutation { vulnerabilityCreate(input: {clientMutationId: \"Ferns-Vuln-Reporter-Xtreme\", name: \"YEETTT\", project: \"gid://gitlab/Project/30857578\", description: \"ax\", scanner: {name: \"dude-scanner2\", id: \"123456\", url: \"localhost\", version: \"1.0\"}, identifiers: [{name: \"dont worry about its ok\", url: \"localhost\"}]}) { clientMutationId \n vulnerability {  id  } \n errors } }" }' https://gitlab.com/api/graphql

{"data":{"vulnerabilityCreate":{"clientMutationId":"Ferns-Vuln-Reporter-Xtreme","vulnerability":{"id":"gid://gitlab/Vulnerability/29086674"},"errors":[]}}}
```

You can see that the resonse will provide some data. Let's save the provided vulnerability id, 29086674.

Note: You can see where I used the Project ID in the query above, by searching for "30857578". Also feel free to customize the strings in the request.

6. Go to your project and click on the Security & Compliance > Vulnerability Report.

7. Replace vulnerability_report in the url with /vulnerabilities/29086674, and you should see detailed information on the vulnerability you submitted.

Creating a Vulnerability Report site

Now let's put what we learned about the Vulnerability API into creating an application we can use for others to report vulnerabilities.

I created a basic application that uses the GraphQL API to create vulnerabilities for a given project. It's a little GoLang web-application that deploys to Kubernetes and contains a basic web-form.

Note: To continue with this section, you need a Kubernetes Cluster, GitLab Account, and knowledge of the GitLab Kubernetes-Agent.

1. Create a Personal Access Token.

Note: Make sure it is api scoped.

2. Create a new project and select import.

3. Import the Vuln-Reporter.

4. Connect to a Kubernetes Cluster using the Kubernetes-Agent.

5. Add the Ingress Controller as a Cluster Management Application.

Note: Once the Kubernetes Agent is installed, this can be done by simply adding the applications folder, helmfile.yaml, and apply job present in this Infrastrucuture project.

6. Add the following variables under Settings > CICD > Variables:

- PROJECT_ID: The id of the project you want to report on.
- ACCESS_TOKEN: Your personal access token created earlier.

7. Run the pipeline.

8. Connect to Kubernetes Cluster and find the Load Balancer IP.

```
$ kubectl get svc -n gitlab-managed-apps | grep ingress

ingress-ingress-nginx-controller             LoadBalancer   10.28.13.2    104.198.204.142   80:31853/TCP,443:31835/TCP   19d
ingress-ingress-nginx-controller-admission   ClusterIP      10.28.6.20    <none>            443/TCP                      19d
```

Note: It's the 104.198.204.142 address, but it may be different for you. Just make sure it's an external address.

9. Go to http://<Load-Balancer-IP>/reporter in your browser.

10. Add info and submit a Vulnerability.

After submitting you should get a link. Copy that link into your browser.

11. View the Vulnerability Report.


This is just one of the many cool things that can be done using the GitLab GraphQL API. I encourage you to check it out and get started on building your own integrations!

Read more on security:

Photo by Jeremy Bishop on Unsplash.

“Leverage the @gitlab GraphQL API to manage vulnerabilities programatically” – Fernando Diaz

Click to tweet

Open in Web IDE View source