Vulnerabilities API
DETAILS: Tier: Ultimate Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
last_edited_atdeprecated in GitLab 16.7.start_datedeprecated in GitLab 16.7.updated_by_iddeprecated in GitLab 16.7.last_edited_by_iddeprecated in GitLab 16.7.due_datedeprecated in GitLab 16.7.
NOTE: The former Vulnerabilities API was renamed to Vulnerability Findings API and its documentation was moved to a different location. This document now describes the new Vulnerabilities API that provides access to Vulnerabilities.
WARNING: This API is in the process of being deprecated and considered unstable. The response payload may be subject to change or breakage across GitLab releases. Use the GraphQL API instead. For more information, see GraphQL examples.
Every API call to vulnerabilities must be authenticated.
If an authenticated user does not have permission to
view vulnerability report,
this request returns a 403 Forbidden status code.
Single vulnerability
Gets a single vulnerability
GET /vulnerabilities/:id| Attribute | Type | Required | Description |
|---|---|---|---|
id |
integer or string | yes | The ID of a Vulnerability to get |
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"Example response:
{
"id": 1,
"title": "Predictable pseudorandom number generator",
"description": null,
"state": "opened",
"severity": "medium",
"confidence": "medium",
"report_type": "sast",
"project": {
"id": 32,
"name": "security-reports",
"full_path": "/gitlab-examples/security/security-reports",
"full_name": "gitlab-examples / security / security-reports"
},
"author_id": 1,
"closed_by_id": null,
"created_at": "2019-10-13T15:08:40.219Z",
"updated_at": "2019-10-13T15:09:40.382Z",
"closed_at": null
}Confirm vulnerability
Confirms a given vulnerability. Returns status code 304 if the vulnerability is already confirmed.
If an authenticated user does not have permission to
change vulnerability status,
this request results in a 403 status code.
POST /vulnerabilities/:id/confirm| Attribute | Type | Required | Description |
|---|---|---|---|
id |
integer or string | yes | The ID of a vulnerability to confirm |
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/confirm"Example response:
{
"id": 2,
"title": "Predictable pseudorandom number generator",
"description": null,
"state": "confirmed",
"severity": "medium",
"confidence": "medium",
"report_type": "sast",
"project": {
"id": 32,
"name": "security-reports",
"full_path": "/gitlab-examples/security/security-reports",
"full_name": "gitlab-examples / security / security-reports"
},
"author_id": 1,
"closed_by_id": null,
"created_at": "2019-10-13T15:08:40.219Z",
"updated_at": "2019-10-13T15:09:40.382Z",
"closed_at": null
}Resolve vulnerability
Resolves a given vulnerability. Returns status code 304 if the vulnerability is already resolved.
If an authenticated user does not have permission to
change vulnerability status,
this request results in a 403 status code.
POST /vulnerabilities/:id/resolve| Attribute | Type | Required | Description |
|---|---|---|---|
id |
integer or string | yes | The ID of a Vulnerability to resolve |
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/resolve"Example response:
{
"id": 2,
"title": "Predictable pseudorandom number generator",
"description": null,
"state": "resolved",
"severity": "medium",
"confidence": "medium",
"report_type": "sast",
"project": {
"id": 32,
"name": "security-reports",
"full_path": "/gitlab-examples/security/security-reports",
"full_name": "gitlab-examples / security / security-reports"
},
"author_id": 1,
"closed_by_id": null,
"created_at": "2019-10-13T15:08:40.219Z",
"updated_at": "2019-10-13T15:09:40.382Z",
"closed_at": null
}Dismiss vulnerability
Dismisses a given vulnerability. Returns status code 304 if the vulnerability is already dismissed.
If an authenticated user does not have permission to
change vulnerability status,
this request results in a 403 status code.
POST /vulnerabilities/:id/dismiss| Attribute | Type | Required | Description |
|---|---|---|---|
id |
integer or string | yes | The ID of a vulnerability to dismiss |
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```0
Example response:
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```1
## Revert vulnerability to detected state
Reverts a given vulnerability to detected state. Returns status code `304` if the vulnerability is already in detected state.
If an authenticated user does not have permission to
[change vulnerability status](../user/permissions.md#application-security),
this request results in a `403` status code.
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```2
| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
| `id` | integer or string | yes | The ID of a vulnerability to revert to detected state |
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```3
Example response:
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```4
## Replace Vulnerability REST API with GraphQL
To prepare for the [upcoming deprecation](https://gitlab.com/groups/gitlab-org/-/epics/5118) of
the Vulnerability REST API endpoint, use the examples below to perform the equivalent operations
with the GraphQL API.
### GraphQL - Single vulnerability
Use [`Query.vulnerability`](graphql/reference/index.md#queryvulnerability).
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```5
Example response:
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```6
### GraphQL - Confirm vulnerability
Use [`Mutation.vulnerabilityConfirm`](graphql/reference/index.md#mutationvulnerabilityconfirm).
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```7
Example response:
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```8
### GraphQL - Resolve vulnerability
Use [`Mutation.vulnerabilityResolve`](graphql/reference/index.md#mutationvulnerabilityresolve).
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```9
Example response:
```json
{
"id": 1,
"title": "Predictable pseudorandom number generator",
"description": null,
"state": "opened",
"severity": "medium",
"confidence": "medium",
"report_type": "sast",
"project": {
"id": 32,
"name": "security-reports",
"full_path": "/gitlab-examples/security/security-reports",
"full_name": "gitlab-examples / security / security-reports"
},
"author_id": 1,
"closed_by_id": null,
"created_at": "2019-10-13T15:08:40.219Z",
"updated_at": "2019-10-13T15:09:40.382Z",
"closed_at": null
}
```0
### GraphQL - Dismiss vulnerability
Use [`Mutation.vulnerabilityDismiss`](graphql/reference/index.md#mutationvulnerabilitydismiss).
```json
{
"id": 1,
"title": "Predictable pseudorandom number generator",
"description": null,
"state": "opened",
"severity": "medium",
"confidence": "medium",
"report_type": "sast",
"project": {
"id": 32,
"name": "security-reports",
"full_path": "/gitlab-examples/security/security-reports",
"full_name": "gitlab-examples / security / security-reports"
},
"author_id": 1,
"closed_by_id": null,
"created_at": "2019-10-13T15:08:40.219Z",
"updated_at": "2019-10-13T15:09:40.382Z",
"closed_at": null
}
```1
Example response:
```json
{
"id": 1,
"title": "Predictable pseudorandom number generator",
"description": null,
"state": "opened",
"severity": "medium",
"confidence": "medium",
"report_type": "sast",
"project": {
"id": 32,
"name": "security-reports",
"full_path": "/gitlab-examples/security/security-reports",
"full_name": "gitlab-examples / security / security-reports"
},
"author_id": 1,
"closed_by_id": null,
"created_at": "2019-10-13T15:08:40.219Z",
"updated_at": "2019-10-13T15:09:40.382Z",
"closed_at": null
}
```2
### GraphQL - Revert vulnerability to detected state
Use [`Mutation.vulnerabilityRevertToDetected`](graphql/reference/index.md#mutationvulnerabilityreverttodetected).
```json
{
"id": 1,
"title": "Predictable pseudorandom number generator",
"description": null,
"state": "opened",
"severity": "medium",
"confidence": "medium",
"report_type": "sast",
"project": {
"id": 32,
"name": "security-reports",
"full_path": "/gitlab-examples/security/security-reports",
"full_name": "gitlab-examples / security / security-reports"
},
"author_id": 1,
"closed_by_id": null,
"created_at": "2019-10-13T15:08:40.219Z",
"updated_at": "2019-10-13T15:09:40.382Z",
"closed_at": null
}
```3
Example response:
```json
{
"id": 1,
"title": "Predictable pseudorandom number generator",
"description": null,
"state": "opened",
"severity": "medium",
"confidence": "medium",
"report_type": "sast",
"project": {
"id": 32,
"name": "security-reports",
"full_path": "/gitlab-examples/security/security-reports",
"full_name": "gitlab-examples / security / security-reports"
},
"author_id": 1,
"closed_by_id": null,
"created_at": "2019-10-13T15:08:40.219Z",
"updated_at": "2019-10-13T15:09:40.382Z",
"closed_at": null
}
```4