Setup Guide for Vulnerability Explanation and Resolution

Several setup steps are necessary in order to test and develop Vulnerability Explanation (VE) and Vulnerability Resolution (VR) features locally. This guide contains instructions for setting up and configuring the necessary components.

Setup Runner

To generate vulnerability reports you will need to run a CI pipeline. Follow the instructions below to install and configure the GitLab Runner.

https://gitlab.com/gitlab-org/gitlab-development-kit/blob/main/doc/howto/runner.md

Optionally, you can install Docker with Colima. The docs can be found here, or you can follow the steps in this snippet.

Setup Vulnerability Report

The VE and VR features are designed to work on SAST vulnerabilities. Clone one or more of the following projects to use for local testing:

Run the pipeline on the main or master branch of any of the sample projects to generate the vulnerability report (Build > Pipelines > Run Pipeline).
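The vulnerability report is only produced when the pipeline actually runs a SAST job. The sample projects above are expected to ship with this already configured; the following `.gitlab-ci.yml` fragment is an added illustration (not taken from any of those projects or from this guide) of the minimal configuration a test project needs so that its main/master pipeline emits SAST findings. It assumes the project is a standard GitLab project where the managed SAST template is available.

```yaml
# Added example: minimal pipeline that runs GitLab SAST so that
# Secure > Vulnerability Report gets populated after the pipeline finishes.
# Assumption: the GitLab-managed SAST template is available to this project.
stages:
  - test

include:
  # Pulls in the managed SAST job definitions; analyzers are selected
  # automatically based on the languages detected in the repository.
  - template: Jobs/SAST.gitlab-ci.yml

# Optional: narrow the scan so local test runs stay fast.
# Leave these out to scan the whole repository.
variables:
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
```

After the pipeline on the default branch completes, the SAST job's report is what feeds the Vulnerability Report page referenced in the next step; if no findings appear, first confirm the SAST job actually ran and produced a report artifact.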

Once the pipeline is finished, the Vulnerability Report can be viewed by going to Secure > Vulnerability Report and opening any SAST finding.

Examples:

Setup AI

Follow the instructions here to configure your GDK access to AI features.

For GitLab Team members only:

  • An EE license is required; follow the steps here to request one.
  • Anthropic access is required. Create an access request if necessary (example).

Duo Access

Once you have AI set up locally, you will need to enable Duo features. Follow the steps below to ensure you have everything correctly configured.

Follow the instructions here to set up and run GDK.

Usage

With the configuration in place, you should expect to see the "Explain with AI" button for any SAST vulnerability. For example: https://gitlab.com/gitlab-org/security-products/tests/webgoat.net/-/security/vulnerabilities/105323245

You should expect to see the "Resolve with AI" button for any SAST vulnerability whose CWE is in the high-confidence CWE list. For example: https://gitlab.com/gitlab-org/security-products/tests/webgoat.net/-/security/vulnerabilities/114941072

If you need assistance, please reach out in #g_govern_threat_insights_eng_ai.

Last modified November 1, 2024: Remove trailing spaces (6f6d0996)