Vulnerabilities API

  • Tier: Ultimate
  • Offering:, GitLab Self-Managed, GitLab Dedicated

The former Vulnerabilities API was renamed to Vulnerability Findings API and its documentation was moved to a different location. This document now describes the new Vulnerabilities API that provides access to Vulnerabilities.

This API is in the process of being deprecated and is considered unstable. The response payload may be subject to change or breakage across GitLab releases. Use the GraphQL API instead. For more information, see GraphQL examples.

Every API call to vulnerabilities must be authenticated.

If an authenticated user does not have permission to view the vulnerability report, this request returns a 403 Forbidden status code.

Single vulnerability

Gets a single vulnerability.

GET /vulnerabilities/:id

Attribute  Type               Required  Description
id         integer or string  yes       The ID of a Vulnerability to get

curl --header "PRIVATE-TOKEN: <your_access_token>" "https://<gitlab_host>/api/v4/vulnerabilities/<id>"

Example response:

{
  "id": 1,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "opened",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}

Confirm vulnerability

Confirms a given vulnerability. Returns status code 304 if the vulnerability is already confirmed.

If an authenticated user does not have permission to change vulnerability status, this request results in a 403 status code.

POST /vulnerabilities/:id/confirm

Attribute  Type               Required  Description
id         integer or string  yes       The ID of a vulnerability to confirm

curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://<gitlab_host>/api/v4/vulnerabilities/<id>/confirm"

Example response:

{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "confirmed",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}

Resolve vulnerability

Resolves a given vulnerability. Returns status code 304 if the vulnerability is already resolved.

If an authenticated user does not have permission to change vulnerability status, this request results in a 403 status code.

POST /vulnerabilities/:id/resolve

Attribute  Type               Required  Description
id         integer or string  yes       The ID of a Vulnerability to resolve

curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://<gitlab_host>/api/v4/vulnerabilities/<id>/resolve"

Example response:

{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "resolved",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}

Dismiss vulnerability

Dismisses a given vulnerability. Returns status code 304 if the vulnerability is already dismissed.

If an authenticated user does not have permission to change vulnerability status, this request results in a 403 status code.

POST /vulnerabilities/:id/dismiss

Attribute  Type               Required  Description
id         integer or string  yes       The ID of a vulnerability to dismiss

curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://<gitlab_host>/api/v4/vulnerabilities/<id>/dismiss"

Example response:

{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "closed",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}

Revert vulnerability to detected state

Reverts a given vulnerability to detected state. Returns status code 304 if the vulnerability is already in detected state.

If an authenticated user does not have permission to change vulnerability status, this request results in a 403 status code.

POST /vulnerabilities/:id/revert

Attribute  Type               Required  Description
id         integer or string  yes       The ID of a vulnerability to revert to detected state

curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://<gitlab_host>/api/v4/vulnerabilities/<id>/revert"

Example response:

{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "detected",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "closed_by_id": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "closed_at": null
}

Replace Vulnerability REST API with GraphQL

To prepare for the upcoming deprecation of the Vulnerability REST API endpoint, use the examples below to perform the equivalent operations with the GraphQL API.

GraphQL - Single vulnerability

Use Query.vulnerability.

query {
  vulnerability(id: "gid://gitlab/Vulnerability/20345379") {
    title description state severity reportType
    project { id name fullPath }
    detectedAt confirmedAt resolvedAt
    resolvedBy { id username }
  }
}

Example response:

{
  "data": {
    "vulnerability": {
      "title": "Improper Input Validation in railties",
      "description": "A remote code execution vulnerability in development mode Rails beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.",
      "state": "RESOLVED",
      "severity": "CRITICAL",
      "reportType": "DEPENDENCY_SCANNING",
      "project": {
        "id": "gid://gitlab/Project/6102100",
        "name": "security-reports",
        "fullPath": "gitlab-examples/security/security-reports"
      },
      "detectedAt": "2021-10-14T03:13:41Z",
      "confirmedAt": "2021-12-14T01:45:56Z",
      "resolvedAt": "2021-12-14T01:45:59Z",
      "resolvedBy": {
        "id": "gid://gitlab/User/480804",
        "username": "thiagocsf"
      }
    }
  }
}

GraphQL - Confirm vulnerability

Use Mutation.vulnerabilityConfirm.

mutation {
  vulnerabilityConfirm(input: { id: "gid://gitlab/Vulnerability/23577695"}) {
    vulnerability { state }
    errors
  }
}

Example response:

{
  "data": {
    "vulnerabilityConfirm": {
      "vulnerability": {
        "state": "CONFIRMED"
      },
      "errors": []
    }
  }
}

GraphQL - Resolve vulnerability

Use Mutation.vulnerabilityResolve.

mutation {
  vulnerabilityResolve(input: { id: "gid://gitlab/Vulnerability/23577695"}) {
    vulnerability { state }
    errors
  }
}

Example response:

{
  "data": {
    "vulnerabilityResolve": {
      "vulnerability": {
        "state": "RESOLVED"
      },
      "errors": []
    }
  }
}

GraphQL - Dismiss vulnerability

Use Mutation.vulnerabilityDismiss.

mutation {
  vulnerabilityDismiss(input: { id: "gid://gitlab/Vulnerability/23577695"}) {
    vulnerability { state }
    errors
  }
}

Example response:

{
  "data": {
    "vulnerabilityDismiss": {
      "vulnerability": {
        "state": "DISMISSED"
      },
      "errors": []
    }
  }
}

GraphQL - Revert vulnerability to detected state

Use Mutation.vulnerabilityRevertToDetected.

mutation {
  vulnerabilityRevertToDetected(input: { id: "gid://gitlab/Vulnerability/20345379"}) {
    vulnerability { state }
    errors
  }
}

Example response:

{
  "data": {
    "vulnerabilityRevertToDetected": {
      "vulnerability": {
        "state": "DETECTED"
      },
      "errors": []
    }
  }
}
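
Added example (not part of the GitLab documentation): a small Python client that maps each REST state-change call on this page to its GraphQL mutation and checks both error lists, since the mutations return failures in the response body rather than through the REST 304 and 403 status codes. The /api/graphql path, the Bearer token header, the function names and the sample bodies are assumptions of this example.

```python
import json
import urllib.request

# REST action (POST /vulnerabilities/:id/<action>) -> GraphQL mutation named on this page.
MUTATIONS = {
    "confirm": "vulnerabilityConfirm",
    "resolve": "vulnerabilityResolve",
    "dismiss": "vulnerabilityDismiss",
    "revert": "vulnerabilityRevertToDetected",
}

def build_mutation(action, vuln_id):
    """Request body replacing POST /vulnerabilities/:id/<action>."""
    if action not in MUTATIONS:
        raise ValueError(f"unsupported action: {action!r}")
    # int() rejects anything but a plain numeric ID before it reaches the query text.
    gid = f"gid://gitlab/Vulnerability/{int(vuln_id)}"
    query = "mutation { %s(input: { id: %s }) { vulnerability { state } errors } }" % (
        MUTATIONS[action], json.dumps(gid))
    return {"query": query}

def parse_result(action, body):
    """Return the new state; raise if either error list is non-empty."""
    if body.get("errors"):  # top-level GraphQL errors
        raise RuntimeError(f"request rejected: {body['errors']}")
    payload = (body.get("data") or {}).get(MUTATIONS[action])
    if not payload or payload.get("errors"):  # mutation-level "errors" field
        raise RuntimeError(f"{action} failed: {payload}")
    return payload["vulnerability"]["state"]

def send(host, token, action, vuln_id):
    """POST the mutation; host and token are caller-supplied (hypothetical values)."""
    req = urllib.request.Request(
        f"https://{host}/api/graphql",  # assumed GraphQL endpoint path
        data=json.dumps(build_mutation(action, vuln_id)).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_result(action, json.load(resp))

# Constructed sample bodies; the payload is keyed by the mutation's field name.
SAMPLE_OK = {"data": {"vulnerabilityResolve": {
    "vulnerability": {"state": "RESOLVED"}, "errors": []}}}
SAMPLE_DENIED = {"data": {"vulnerabilityResolve": None},
                 "errors": [{"message": "constructed: permission denied"}]}
```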