GitLab's Vulnerability Report makes it easy to triage security scan results without ever having to leave the platform. You can manage your code, run security scans against it, and fix vulnerabilities all in one place. That being said, some teams prefer to manage their vulnerabilities in a separate tool like Jira. They may also need to present the vulnerability report to leadership in a digestible format.
Out of the box, GitLab's Vulnerability Report can be exported to CSV with a single click, for easy analysis in other tools. In some cases though, a simple PDF of the report is all that's needed.
With GitLab's API, it's easy to query vulnerability info and send the report details elsewhere, such as a PDF file or a Jira project. In this post, we'll show you how to export to HTML/PDF and to Jira. Note that the scripts used in this tutorial are provided for educational purposes and are not supported by GitLab.
Exporting to HTML/PDF
To export your vulnerability reports to HTML or PDF, head to the Custom Vulnerability Reporting project.
This project contains a script that queries a project's vulnerability report, and then generates an HTML file from that data. The pipeline configured in the project runs this script and converts the HTML file to PDF as well.
To use the exporter, first fork the project or import it into a new project (select “Repository by URL” and paste the git URL of the original project).
Set the CI/CD variables as described in the readme. You'll need the following from GitLab:
- GitLab project/personal access token with the read_api scope, created by a user (or project bot) that can view the project's Vulnerability Report. Store it as a masked CI/CD variable rather than anywhere in the repository.
- GitLab GraphQL API URL (for SaaS this is https://gitlab.com/api/graphql)
- GitLab project path (e.g. smathur/custom-vulnerability-reporting)
After you've set the required CI/CD variables, manually run a pipeline from your project's Pipelines page. Once the pipeline is complete, open the “build_report” job (for HTML) or the “pdf_conversion” job (for PDF) and select “Download” or “Browse” on the sidebar under "Job artifacts." And there you have it! A shareable, easy-to-read export of your project's vulnerabilities. Keep in mind that the artifact contains the full vulnerability details and is available to anyone who can view the job, so keep the exporter project's visibility and artifact access at least as restrictive as the Vulnerability Report itself.
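To make the procedure concrete, here is an added example (written for this post, not the script from the Custom Vulnerability Reporting project) of the two steps that project's pipeline performs: paging through a project's vulnerabilities with GitLab's GraphQL API, then rendering them as an HTML table. `gitlab_transport` talks to the real endpoint with the URL and token from the CI/CD variables above; `sample_transport` and `SAMPLE_PAGES` are a constructed two-page response so the logic runs offline. The GraphQL field names follow GitLab's published schema; the sample project path, URLs and findings are assumptions. One detail worth copying into any exporter: every value that reaches the HTML is escaped, because titles and file paths are scanner output, and a finding named `<script>...` would otherwise execute in whoever opens the report.

```python
import html
import json
import urllib.request
from typing import Callable, Dict, Iterable, List

# Paginated query against GitLab's Project.vulnerabilities GraphQL connection;
# a page returns at most 100 nodes, so fetch_all_vulnerabilities follows endCursor.
VULN_QUERY = """
query($path: ID!, $after: String) {
  project(fullPath: $path) {
    vulnerabilities(first: 100, after: $after) {
      nodes {
        id title severity state reportType webUrl
        location {
          ... on VulnerabilityLocationSast { file startLine }
          ... on VulnerabilityLocationDependencyScanning { file }
          ... on VulnerabilityLocationContainerScanning { image }
        }
      }
      pageInfo { hasNextPage endCursor }
    }
  }
}
"""
SEVERITY_RANK = {s: i for i, s in enumerate(["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "UNKNOWN"])}
# A transport maps (query, variables) to the decoded JSON response; injecting it
# lets the fetch and render logic run offline against constructed sample data.
Transport = Callable[[str, Dict], Dict]

def gitlab_transport(api_url: str, token: str) -> Transport:
    """Real transport: POST to the GraphQL endpoint, authenticating with the access token."""
    def send(query: str, variables: Dict) -> Dict:
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(api_url, data=body, headers={
            "Content-Type": "application/json", "Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send

def fetch_all_vulnerabilities(transport: Transport, project_path: str) -> List[Dict]:
    """Walk every page of the connection and return the flat list of nodes."""
    vulns, after = [], None
    while True:
        data = transport(VULN_QUERY, {"path": project_path, "after": after})
        if data.get("errors"):
            raise RuntimeError(f"GraphQL errors: {data['errors']}")
        project = data["data"]["project"]
        if project is None:  # wrong path, or the token cannot see this project
            raise RuntimeError(f"project {project_path!r} not found or not accessible")
        page = project["vulnerabilities"]
        vulns.extend(page["nodes"])
        if not page["pageInfo"]["hasNextPage"]:
            return vulns
        after = page["pageInfo"]["endCursor"]

def location_text(v: Dict) -> str:
    loc = v.get("location") or {}
    if loc.get("file"):
        return f"{loc['file']}:{loc['startLine']}" if loc.get("startLine") else loc["file"]
    return loc.get("image") or ""

def render_html(project_path: str, vulns: Iterable[Dict]) -> str:
    """Severity-sorted table; every cell is escaped because the values are scanner output."""
    rows = sorted(vulns, key=lambda v: SEVERITY_RANK.get(v.get("severity"), len(SEVERITY_RANK)))
    out = [f"<h1>Vulnerability report: {html.escape(project_path)}</h1>", "<table>",
           "<tr><th>Severity</th><th>State</th><th>Scanner</th><th>Title</th><th>Location</th></tr>"]
    for v in rows:
        title = f'<a href="{html.escape(v["webUrl"], quote=True)}">{html.escape(v["title"])}</a>'
        sev, state, kind, loc = (html.escape(str(c)) for c in
                                 (v["severity"], v["state"], v["reportType"], location_text(v)))
        out.append(f"<tr><td>{sev}</td><td>{state}</td><td>{kind}</td><td>{title}</td><td>{loc}</td></tr>")
    out.append("</table>")
    return "\n".join(out)

# Constructed sample response in GitLab's shape (two pages, not real scan output);
# finding 2 carries a hostile title to exercise the escaping in render_html.
def _page(nodes: List[Dict], has_next: bool) -> Dict:
    return {"data": {"project": {"vulnerabilities": {"nodes": nodes, "pageInfo": {
        "hasNextPage": has_next, "endCursor": "cursor-1" if has_next else None}}}}}

SAMPLE_PAGES = [
    _page([{"id": "gid://gitlab/Vulnerability/1", "title": "SQL injection in search()",
            "severity": "HIGH", "state": "DETECTED", "reportType": "SAST",
            "webUrl": "https://gitlab.example.com/g/p/-/security/vulnerabilities/1",
            "location": {"file": "app/search.py", "startLine": 42}},
           {"id": "gid://gitlab/Vulnerability/2",
            "title": "Prototype pollution in lodash <script>alert(1)</script>",
            "severity": "CRITICAL", "state": "CONFIRMED", "reportType": "DEPENDENCY_SCANNING",
            "webUrl": "https://gitlab.example.com/g/p/-/security/vulnerabilities/2",
            "location": {"file": "package-lock.json"}}], has_next=True),
    _page([{"id": "gid://gitlab/Vulnerability/3", "title": "Outdated libssl in base image",
            "severity": "LOW", "state": "DETECTED", "reportType": "CONTAINER_SCANNING",
            "webUrl": "https://gitlab.example.com/g/p/-/security/vulnerabilities/3",
            "location": {"image": "registry.example.com/app:1.0"}}], has_next=False),
]

def sample_transport(query: str, variables: Dict) -> Dict:
    """Offline stand-in for gitlab_transport: page 1 on the first call, page 2 after."""
    return SAMPLE_PAGES[0] if variables["after"] is None else SAMPLE_PAGES[1]

if __name__ == "__main__":
    path = "smathur/custom-vulnerability-reporting"
    print(render_html(path, fetch_all_vulnerabilities(sample_transport, path)))
```

To run it against a real project, swap `sample_transport` for `gitlab_transport(os.environ["GRAPHQL_URL"], os.environ["GITLAB_TOKEN"])` (variable names are whatever you configured in CI/CD) and pipe the output into the PDF converter the pipeline already uses. The `project is None` branch is the one you will hit most often in practice: it is GitLab's answer both to a mistyped path and to a token whose scope or role cannot see the Vulnerability Report.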
Exporting vulnerability info to Jira
GitLab lets you create Jira tickets from vulnerabilities through the UI using our Jira integration. While you can do this individually for vulnerabilities that need actioning, sometimes teams need to bulk-create Jira tickets for all their vulnerabilities. We can leverage GitLab and Jira's APIs to achieve this.
To get started, head to the External Vulnerability Tracking project. This script fetches vulnerabilities in the same way as the script above, but it uses the Jira API to create a ticket for each vulnerability. Each ticket's description is also populated with details from GitLab's vulnerability report.
To use the exporter, simply fork the project or import it into a new project (select “Repository by URL” and paste the git URL of the original project), and set the CI/CD variables as described in the readme. You'll need the following from GitLab:
- GitLab project/personal access token with permissions to access vulnerability info (read_api scope)
- GitLab GraphQL API URL (for SaaS this is https://gitlab.com/api/graphql)
- GitLab project path (e.g. smathur/external-vulnerability-tracking)
You will also need the following from Jira:
- Jira API token (for Jira Cloud, generated from your Atlassian account and sent together with your account email as HTTP Basic credentials; store it as a masked CI/CD variable)
- Jira API issue endpoint URL (for SaaS this is https://ORG_NAME.atlassian.net/rest/api/latest/issue/)
- Jira user email ID
- Jira project key where you want to create vulnerability tickets (e.g. ABC)
Once you have set your CI/CD variables as described in the project readme, simply run a pipeline from your project's Pipelines page, and watch as your tickets get created in Jira!
If you run the pipeline again in the future, the script first runs a search query against your Jira project so that vulnerabilities that already have a ticket are skipped, and creates tickets only for findings that are new since the last run. For that check to hold across runs, whatever the search matches on must be stable for a given finding, such as the GitLab vulnerability ID recorded in the ticket, rather than free text that a scanner update might reword.
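As an added illustration of the Jira half (example code written for this post, not the External Vulnerability Tracking script), the following creates one Jira issue per finding and skips findings that already have a ticket. `JiraClient` uses the issue endpoint, email and API token from the variables above; the `/search` URL derived from the issue endpoint and the `Bug` issue type are assumptions. `FakeJira` and `SAMPLE_VULNS` are constructed stand-ins so it runs offline. The deduplication key is the GitLab vulnerability GID written into each ticket's description under a fixed marker (an assumption of this example, not something the project's script is documented to do); because Jira's text search is tokenised and fuzzy, the JQL query is treated only as a pre-filter and the exact marker is confirmed client-side before a finding is skipped.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

# Assumption: each ticket's description begins with this marker plus the GitLab
# vulnerability GID; that line is the stable key the dedup check looks for.
MARKER = "gitlab-vulnerability-id:"

class JiraClient:
    """Jira Cloud over HTTP Basic auth (account email + API token)."""
    def __init__(self, issue_url: str, email: str, api_token: str):
        self.issue_url = issue_url.rstrip("/")                              # .../rest/api/latest/issue
        self.search_url = self.issue_url.rsplit("/", 1)[0] + "/search"      # assumption
        cred = base64.b64encode(f"{email}:{api_token}".encode()).decode()
        self.headers = {"Authorization": f"Basic {cred}", "Accept": "application/json",
                        "Content-Type": "application/json"}

    def _call(self, url: str, body: Optional[bytes] = None) -> Dict:
        req = urllib.request.Request(url, data=body, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def search(self, jql: str) -> List[Dict]:
        q = urllib.parse.urlencode({"jql": jql, "fields": "description", "maxResults": 50})
        return self._call(f"{self.search_url}?{q}").get("issues", [])

    def create(self, payload: Dict) -> str:
        return self._call(self.issue_url, json.dumps(payload).encode())["key"]

def jql_string(value: str) -> str:
    """Quote a value for JQL; scanner-controlled text must not be able to alter the query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def issue_payload(project_key: str, v: Dict) -> Dict:
    desc = (f"{MARKER} {v['id']}\n\n*Severity:* {v['severity']}\n*Scanner:* {v['reportType']}\n"
            f"*Location:* {v.get('location', '')}\n*GitLab:* {v['webUrl']}\n\n{v.get('description', '')}")
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},                        # assumption: project has a Bug type
        "labels": ["gitlab-vulnerability", v["severity"].lower()],
        "summary": f"[{v['severity']}] {v['title']}"[:255],  # Jira caps summaries at 255 chars
        "description": desc}}

def find_existing(api, project_key: str, vuln_id: str) -> Optional[str]:
    # JQL text search is tokenised and fuzzy, so it is only a pre-filter:
    # confirm the exact marker line client-side before calling it a duplicate.
    jql = (f'project = {jql_string(project_key)} AND labels = "gitlab-vulnerability" '
           f'AND description ~ {jql_string(vuln_id)}')
    for issue in api.search(jql):
        if f"{MARKER} {vuln_id}" in (issue.get("fields", {}).get("description") or ""):
            return issue["key"]
    return None

def sync(api, project_key: str, vulns: List[Dict]) -> Dict[str, str]:
    """Create a ticket for each finding not yet tracked; return {vulnerability id: issue key}."""
    return {v["id"]: find_existing(api, project_key, v["id"])
            or api.create(issue_payload(project_key, v)) for v in vulns}

class FakeJira:
    """Offline stand-in for JiraClient. Its search returns every tracked issue, which
    mimics the worst case of a fuzzy text search and forces the exact check to do its job."""
    def __init__(self):
        self.issues: Dict[str, Dict] = {}

    def search(self, jql: str) -> List[Dict]:
        return [{"key": k, "fields": f} for k, f in self.issues.items()]

    def create(self, payload: Dict) -> str:
        key = f"{payload['fields']['project']['key']}-{len(self.issues) + 1}"
        self.issues[key] = payload["fields"]
        return key

# Constructed sample findings (not real scan output). The GIDs contain ':' and '/',
# which is exactly why jql_string quotes the search value.
SAMPLE_VULNS = [
    {"id": "gid://gitlab/Vulnerability/1", "title": "SQL injection in search()",
     "severity": "HIGH", "reportType": "SAST", "location": "app/search.py:42",
     "webUrl": "https://gitlab.example.com/g/p/-/security/vulnerabilities/1"},
    {"id": "gid://gitlab/Vulnerability/2", "title": "Hardcoded database credential",
     "severity": "CRITICAL", "reportType": "SECRET_DETECTION", "location": "config/prod.yml:7",
     "webUrl": "https://gitlab.example.com/g/p/-/security/vulnerabilities/2"},
]

if __name__ == "__main__":
    api = FakeJira()
    print(sync(api, "ABC", SAMPLE_VULNS))   # first run creates ABC-1 and ABC-2
    print(sync(api, "ABC", SAMPLE_VULNS))   # second run returns the same keys, creates nothing
```

Two things to check before pointing this at a real instance: Jira Data Center personal access tokens are sent as `Authorization: Bearer`, not Basic, so `JiraClient` would need that header instead; and Jira Cloud has been moving issue search from the older `/search` endpoint to `/search/jql`, so confirm the search URL against the REST reference for your Jira version.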