# gitlab-vulnerability
## Vulnerability Skill

Security vulnerability management for GitLab using raw `glab api` endpoint calls.

## Quick Reference

| Operation | Command Pattern | Risk |
|---|---|---|
| List vulnerabilities | `glab api projects/<id>/vulnerabilities` | - |
| Get vulnerability | `glab api projects/<id>/vulnerabilities/<vid>` | - |
| Confirm vulnerability | `glab api projects/<id>/vulnerabilities/<vid>/confirm --method POST` | ⚠️ |
| Dismiss vulnerability | `glab api projects/<id>/vulnerabilities/<vid>/dismiss --method POST` | ⚠️ |
| Resolve vulnerability | `glab api projects/<id>/vulnerabilities/<vid>/resolve --method POST` | ⚠️ |
| Revert to detected | `glab api projects/<id>/vulnerabilities/<vid>/revert --method POST` | ⚠️ |
| List findings | `glab api projects/<id>/vulnerability_findings` | - |

Risk Legend: - Safe | ⚠️ Caution | ⚠️⚠️ Warning | ⚠️⚠️⚠️ Danger
## When to Use This Skill

ALWAYS use when:
- User mentions "vulnerability", "security issue", "CVE"
- User wants to view security scan results
- User mentions "SAST", "DAST", "dependency scanning", "container scanning"
- User wants to dismiss or resolve security findings
- User asks about security dashboard

NEVER use when:
- User wants to run security scans (use gitlab-ci)
- User wants to configure security settings (use project settings)
- User wants general issue tracking (use gitlab-issue)
## API Prerequisites

Required Token Scopes: `read_api` or `api`

Permissions:
- Read vulnerabilities: Developer+
- Manage vulnerabilities: Developer+

GitLab Tier: Ultimate required for full vulnerability management features
## Vulnerability States

| State | Description |
|---|---|
| `detected` | New, unreviewed vulnerability |
| `confirmed` | Verified as real vulnerability |
| `dismissed` | Marked as false positive or won't fix |
| `resolved` | Fixed and no longer present |

## Severity Levels

| Severity | Description |
|---|---|
| `critical` | Highest severity, immediate action needed |
| `high` | Significant risk |
| `medium` | Moderate risk |
| `low` | Minor risk |
| `info` | Informational finding |
| `unknown` | Severity not determined |

## Available Commands

### List Project Vulnerabilities

```bash
# List all vulnerabilities
glab api projects/123/vulnerabilities --method GET

# Filter by state
glab api "projects/123/vulnerabilities?state=detected" --method GET

# Filter by severity
glab api "projects/123/vulnerabilities?severity=critical,high" --method GET

# Filter by multiple criteria
glab api "projects/123/vulnerabilities?state=detected&severity=critical,high" --method GET

# With pagination
glab api projects/123/vulnerabilities --paginate

# Using project path (URL-encode the slash in the namespace/project path)
glab api "projects/$(echo 'mygroup/myproject' | jq -Rr @uri)/vulnerabilities"
```

### Get Vulnerability Details

```bash
# Get specific vulnerability
glab api projects/123/vulnerabilities/456 --method GET
```

### Confirm Vulnerability

Marks a detected vulnerability as confirmed (real security issue).

```bash
# Confirm vulnerability
glab api projects/123/vulnerabilities/456/confirm --method POST
```

### Dismiss Vulnerability

Marks a vulnerability as dismissed (false positive or accepted risk). Always record why in the `comment` field so the dismissal can be audited later.

```bash
# Dismiss as false positive
glab api projects/123/vulnerabilities/456/dismiss --method POST \
  -f comment="False positive - this code path is not reachable"

# Dismiss as acceptable risk
glab api projects/123/vulnerabilities/456/dismiss --method POST \
  -f comment="Accepted risk - mitigated by network controls"

# Dismiss with dismissal reason (if available)
glab api projects/123/vulnerabilities/456/dismiss --method POST \
  -f comment="Not applicable to our use case" \
  -f dismissal_reason="used_in_tests"
```

### Resolve Vulnerability

Marks a vulnerability as resolved (fixed).

```bash
# Resolve vulnerability
glab api projects/123/vulnerabilities/456/resolve --method POST
```

### Revert to Detected State

Reverts a vulnerability back to the detected state.

```bash
# Revert to detected
glab api projects/123/vulnerabilities/456/revert --method POST
```

### List Vulnerability Findings

Findings are the raw results from security scanners.

```bash
# List all findings
glab api projects/123/vulnerability_findings --method GET

# Filter by severity
glab api "projects/123/vulnerability_findings?severity=critical,high" --method GET

# Filter by scanner
glab api "projects/123/vulnerability_findings?scanner=sast" --method GET

# Filter by pipeline
glab api "projects/123/vulnerability_findings?pipeline_id=789" --method GET

# With pagination
glab api projects/123/vulnerability_findings --paginate
```

### Security Dashboard (Group Level)

```bash
# Create a CSV vulnerability export for a group
glab api groups/456/vulnerability_exports --method POST \
  -f export_format="csv"

# Get group vulnerability statistics
glab api "groups/456/vulnerability_statistics" --method GET
```

## Common Workflows

### Workflow 1: Triage New Vulnerabilities

```bash
project_id=123

# Get all detected (new) vulnerabilities
glab api "projects/$project_id/vulnerabilities?state=detected" --paginate |
  jq -r '.[] | "[\(.severity)] \(.title) - \(.id)"'

# Review critical/high first
glab api "projects/$project_id/vulnerabilities?state=detected&severity=critical,high" |
  jq -r '.[] | "ID: \(.id)\nTitle: \(.title)\nSeverity: \(.severity)\nScanner: \(.scanner.name)\nLocation: \(.location | @json)\n---"'
```

### Workflow 2: Generate Security Report

```bash
project_id=123

# Summary by severity
echo "=== Vulnerability Summary ==="
glab api "projects/$project_id/vulnerabilities" --paginate |
  jq -r 'group_by(.severity) | map({severity: .[0].severity, count: length}) | .[] | "\(.severity): \(.count)"'

# Summary by state
echo ""
echo "=== By State ==="
glab api "projects/$project_id/vulnerabilities" --paginate |
  jq -r 'group_by(.state) | map({state: .[0].state, count: length}) | .[] | "\(.state): \(.count)"'

# Summary by scanner
echo ""
echo "=== By Scanner ==="
glab api "projects/$project_id/vulnerabilities" --paginate |
  jq -r 'group_by(.scanner.name) | map({scanner: .[0].scanner.name, count: length}) | .[] | "\(.scanner): \(.count)"'
```

### Workflow 3: Bulk Dismiss False Positives

```bash
project_id=123

# Dismiss all detected info-level vulnerabilities (the comment documents why)
glab api "projects/$project_id/vulnerabilities?severity=info&state=detected" --paginate |
  jq -r '.[].id' | while read -r vuln_id; do
    echo "Dismissing $vuln_id"
    glab api "projects/$project_id/vulnerabilities/$vuln_id/dismiss" --method POST \
      -f comment="Bulk dismissed - info level findings"
  done
```

### Workflow 4: Track Critical Vulnerabilities

```bash
project_id=123

# List critical vulnerabilities with details
glab api "projects/$project_id/vulnerabilities?severity=critical" --paginate |
  jq -r '.[] | {
    id: .id,
    title: .title,
    state: .state,
    detected_at: .detected_at,
    scanner: .scanner.name,
    identifiers: ([.identifiers[]?.name] | join(", "))
  }'
```

### Workflow 5: Check for CVEs

```bash
project_id=123
cve="CVE-2021-44228"

# Search for specific CVE (pass the value with --arg so it is not interpolated into the filter)
glab api "projects/$project_id/vulnerabilities" --paginate |
  jq -r --arg cve "$cve" '.[] | select(any(.identifiers[]?; .name == $cve)) | "ID: \(.id), State: \(.state), Title: \(.title)"'
```

### Workflow 6: Export Vulnerabilities

```bash
project_id=123

# Export to JSON
glab api "projects/$project_id/vulnerabilities" --paginate > vulnerabilities.json

# Export to CSV format
glab api "projects/$project_id/vulnerabilities" --paginate |
  jq -r '["id","title","severity","state","scanner","detected_at"], (.[] | [.id, .title, .severity, .state, .scanner.name, .detected_at]) | @csv' > vulnerabilities.csv
```

### Workflow 7: Compare Pipeline Results

```bash
project_id=123

# Get findings from specific pipeline
pipeline_id=789
glab api "projects/$project_id/vulnerability_findings?pipeline_id=$pipeline_id" |
  jq -r '.[] | "\(.severity): \(.name)"'
```

## Scanner Types

| Scanner | Report Type | Description |
|---|---|---|
| SAST | `sast` | Static Application Security Testing |
| DAST | `dast` | Dynamic Application Security Testing |
| Dependency Scanning | `dependency_scanning` | Third-party dependency vulnerabilities |
| Container Scanning | `container_scanning` | Container image vulnerabilities |
| Secret Detection | `secret_detection` | Hardcoded secrets in code |
| Coverage Fuzzing | `coverage_fuzzing` | Fuzzing test results |
| API Fuzzing | `api_fuzzing` | API fuzzing results |

## Troubleshooting

| Issue | Cause | Solution |
|---|---|---|
| 403 Forbidden | Ultimate required or no access | Check GitLab tier and permissions |
| Empty results | No scans run | Configure and run security scanners in CI |
| Old vulnerabilities | No recent pipeline | Run new pipeline with security jobs |
| Can't dismiss | Already dismissed or resolved | Check current state |
| Missing scanner type | Scanner not configured | Add scanner to CI configuration |
## Best Practices

- Triage regularly: Review new vulnerabilities frequently
- Document dismissals: Always add comments explaining why
- Track critical issues: Monitor critical/high severity closely
- Integrate with issues: Create issues for confirmed vulnerabilities
- Automate where possible: Use CI to fail on new critical findings
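The following is an added example, not part of the skill file: a small Python script that applies the Workflow 2 summary, the Workflow 5 CVE lookup and the "fail on new critical findings" CI gate to the JSON that `glab api ... --paginate` produces. It assumes the field names the jq filters above rely on (`id`, `severity`, `state`, `scanner.name`, `identifiers[].name`) and that `--paginate` writes one JSON array per page back to back; the sample data is constructed, not real scan output.

```python
import json
import sys
from collections import Counter

# Constructed sample (not real scan output) in the shape the jq filters above
# expect from GET /projects/:id/vulnerabilities. Two pages back to back, which
# is what `glab api --paginate` is assumed to write.
SAMPLE = """
[{"id": 1, "title": "Log4Shell in log4j-core", "severity": "critical", "state": "detected",
  "scanner": {"name": "Gemnasium"}, "identifiers": [{"name": "CVE-2021-44228"}]},
 {"id": 2, "title": "SQL injection in search", "severity": "high", "state": "confirmed",
  "scanner": {"name": "Semgrep"}, "identifiers": [{"name": "CWE-89"}]}]
[{"id": 3, "title": "Debug flag left enabled", "severity": "info", "state": "dismissed",
  "scanner": {"name": "Semgrep"}, "identifiers": []}]
"""


def parse_pages(text):
    """Decode one or more concatenated JSON arrays into a single flat list."""
    decoder = json.JSONDecoder()
    pos, items = 0, []
    while True:
        while pos < len(text) and text[pos].isspace():  # skip gaps between pages
            pos += 1
        if pos >= len(text):
            return items
        page, pos = decoder.raw_decode(text, pos)
        items.extend(page)


def summarize(vulns, key):
    """Count by 'severity', 'state' or 'scanner' (the Workflow 2 report)."""
    if key == "scanner":
        return dict(Counter(v["scanner"]["name"] for v in vulns))
    return dict(Counter(v[key] for v in vulns))


def find_cve(vulns, cve):
    """Vulnerabilities whose identifiers include the given CVE (Workflow 5)."""
    return [v for v in vulns
            if any(i.get("name") == cve for i in v.get("identifiers", []))]


def gate(vulns, severities=("critical", "high"), states=("detected",)):
    """CI gate: ids of findings still open at a blocking severity.
    Default is 'detected' only, i.e. new, untriaged findings."""
    return [v["id"] for v in vulns
            if v["state"] in states and v["severity"] in severities]


if __name__ == "__main__":
    # Pipe `glab api ... --paginate` output in; falls back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    vulns = parse_pages(text)
    print("by severity:", summarize(vulns, "severity"))
    print("CVE-2021-44228:", [v["id"] for v in find_cve(vulns, "CVE-2021-44228")])
    blocking = gate(vulns)
    print("blocking:", blocking)
    sys.exit(1 if blocking else 0)
```

Run it as the last step of a pipeline job (`glab api "projects/$CI_PROJECT_ID/vulnerabilities" --paginate | python3 gate.py`) and the non-zero exit fails the job whenever a new critical or high finding is present.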
## Related Documentation

- API Helpers
- Safeguards
- Quick Reference
- GitLab Vulnerabilities API
- GitLab Vulnerability Findings API