Resolve vulnerabilities with AI

  • Tier: Ultimate
  • Add-on: GitLab Duo Enterprise, GitLab Duo with Amazon Q
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

GitLab Duo Vulnerability Resolution helps you automatically resolve security vulnerabilities.

Use AI assistance responsibly

As with all AI-based systems, the large language model is not guaranteed to produce a correct result every time. Always review the proposed change before merging it. When reviewing, check that:

  • Your application’s existing functionality is preserved.
  • The vulnerability is resolved in accordance with your organization’s standards.
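
Both checks are easiest to apply when the proposed fix is exercised by a test rather than only read. The harness below is an added example and is not code from GitLab or from this page: it constructs a small SQLite table and a lookup function in the "before" state that a SAST scanner would flag as CWE-89, places the proposed parameterized rewrite beside it, and verifies both that ordinary lookups return the same rows as before and that the injection input no longer returns every row. The table, the names `find_user_before` and `find_user_after`, and the inputs are constructed for illustration.

```python
"""Review harness for an AI-proposed fix to a CWE-89 (SQL injection) finding.

Added example, not GitLab's code. `find_user_before` stands in for the code the
SAST finding pointed at; `find_user_after` stands in for the change proposed in
the merge request. The table contents and inputs are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_before(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' state: attacker-controlled input concatenated into SQL."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_after(conn: sqlite3.Connection, username: str) -> list:
    """The proposed fix: the same query with the value bound as a parameter."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Inputs the old code handled correctly; the fix must return the same rows.
BENIGN_INPUTS = ["alice", "bob", "carol"]
# Classic tautology payload: turns the WHERE clause into "... = '' OR '1'='1'".
INJECTION = "' OR '1'='1"


def functionality_preserved(conn: sqlite3.Connection) -> bool:
    """Check 1 from the page: same rows as the old code for ordinary input."""
    return all(
        find_user_before(conn, u) == find_user_after(conn, u) for u in BENIGN_INPUTS
    )


def vulnerability_resolved(conn: sqlite3.Connection) -> bool:
    """Check 2: the old code leaks every row; the fix matches no user, because
    the payload is now compared as a literal string."""
    total = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    leaked = find_user_before(conn, INJECTION)
    fixed = find_user_after(conn, INJECTION)
    return len(leaked) == total and fixed == []


def quote_input_fixed(conn: sqlite3.Connection) -> bool:
    """A benign name containing a quote broke the old query outright (SQLite
    raises OperationalError on the unterminated string); the parameterized
    version treats it as data and simply finds no such user."""
    try:
        find_user_before(conn, "o'brien")
        old_broke = False
    except sqlite3.OperationalError:
        old_broke = True
    return old_broke and find_user_after(conn, "o'brien") == []


def review(conn: sqlite3.Connection) -> dict:
    """Run all checks a reviewer would want before merging the suggested fix."""
    return {
        "functionality_preserved": functionality_preserved(conn),
        "vulnerability_resolved": vulnerability_resolved(conn),
        "quote_input_fixed": quote_input_fixed(conn),
    }


if __name__ == "__main__":
    for check, ok in review(make_db()).items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

Comparing the fix against the old implementation's output for benign inputs is the concrete form of "existing functionality is preserved"; the injection and quote cases are the concrete form of "the vulnerability is resolved". The same shape of test applies to the other CWE categories the feature supports: keep the vulnerable function alongside the fix in the test until the merge request lands, so the test records what the finding was and why the change resolves it.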

Prerequisites

  • You must be a member of the project.
  • The vulnerability must be a SAST finding from a supported analyzer:
    • Any GitLab-supported analyzer.
    • A properly integrated third-party SAST scanner that reports the vulnerability location and a CWE identifier for each vulnerability.
  • The vulnerability must be of a supported type.

Learn more about how to enable all GitLab Duo features.

Supported vulnerabilities for Vulnerability Resolution

To ensure that suggested resolutions are high-quality, Vulnerability Resolution is available for a specific set of vulnerabilities. The system decides whether to offer Vulnerability Resolution based on the vulnerability’s Common Weakness Enumeration (CWE) identifier.

We selected the current set of vulnerabilities based on testing by automated systems and security experts. We are actively working to expand coverage to more types of vulnerabilities.

The complete list of supported CWEs for Vulnerability Resolution:
  • CWE-23: Relative Path Traversal
  • CWE-73: External Control of File Name or Path
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-116: Improper Encoding or Escaping of Output
  • CWE-118: Incorrect Access of Indexable Resource ('Range Error')
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-126: Buffer Over-read
  • CWE-190: Integer Overflow or Wraparound
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-208: Observable Timing Discrepancy
  • CWE-209: Generation of Error Message Containing Sensitive Information
  • CWE-272: Least Privilege Violation
  • CWE-287: Improper Authentication
  • CWE-295: Improper Certificate Validation
  • CWE-297: Improper Validation of Certificate with Host Mismatch
  • CWE-305: Authentication Bypass by Primary Weakness
  • CWE-310: Cryptographic Issues
  • CWE-311: Missing Encryption of Sensitive Data
  • CWE-323: Reusing a Nonce, Key Pair in Encryption
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-328: Use of Weak Hash
  • CWE-330: Use of Insufficiently Random Values
  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • CWE-345: Insufficient Verification of Data Authenticity
  • CWE-346: Origin Validation Error
  • CWE-352: Cross-Site Request Forgery
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-369: Divide By Zero
  • CWE-377: Insecure Temporary File
  • CWE-378: Creation of Temporary File With Insecure Permissions
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-489: Active Debug Code
  • CWE-521: Weak Password Requirements
  • CWE-539: Use of Persistent Cookies Containing Sensitive Information
  • CWE-599: Missing Validation of OpenSSL Certificate
  • CWE-611: Improper Restriction of XML External Entity Reference
  • CWE-676: Use of potentially dangerous function
  • CWE-704: Incorrect Type Conversion or Cast
  • CWE-754: Improper Check for Unusual or Exceptional Conditions
  • CWE-770: Allocation of Resources Without Limits or Throttling
  • CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
  • CWE-1275: Sensitive Cookie with Improper SameSite Attribute
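
To find out, before opening the Vulnerability Report, which findings in a SAST report can meet the prerequisites above (a vulnerability location plus a CWE identifier, with the CWE on the list), the report can be pre-checked locally. The script below is an added example, not GitLab's code, and it mirrors only the prerequisites this page documents; the eligibility decision itself is made by GitLab and may apply further criteria. The report embedded in it is constructed in the shape of a `gl-sast-report.json` (report schema v15) and shows the identifier layout a third-party scanner must produce (`"type": "cwe"` with the number in `value`). `SUPPORTED_CWES`, `classify_report` and the sample findings are names and data chosen here.

```python
"""Pre-check a GitLab SAST report for findings that meet the documented
Vulnerability Resolution prerequisites: a vulnerability location and a CWE
identifier whose number is on the page's supported list.

Added example, not GitLab's own code. GitLab decides eligibility server-side;
this only applies the documented prerequisites. SAMPLE_REPORT is constructed
in the shape of gl-sast-report.json (schema v15) for illustration.
"""
import json
import re

# The 45 CWE numbers this page lists as supported for Vulnerability Resolution.
SUPPORTED_CWES = frozenset({
    23, 73, 78, 80, 89, 116, 118, 119, 120, 126, 190, 200, 208, 209, 272,
    287, 295, 297, 305, 310, 311, 323, 327, 328, 330, 338, 345, 346, 352,
    362, 369, 377, 378, 400, 489, 521, 539, 599, 611, 676, 704, 754, 770,
    1004, 1275,
})

# Constructed sample report: four findings, one per outcome.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {   # location and CWE present, CWE on the list -> eligible
            "name": "SQL injection", "severity": "High",
            "location": {"file": "app/db.py", "start_line": 12, "end_line": 12},
            "identifiers": [
                {"type": "cwe", "name": "CWE-89", "value": "89",
                 "url": "https://cwe.mitre.org/data/definitions/89.html"},
                {"type": "semgrep_id", "name": "python.sqli", "value": "python.sqli"},
            ],
        },
        {   # CWE present but not on the list (CWE-79 is not; CWE-80 is)
            "name": "Reflected XSS", "severity": "Medium",
            "location": {"file": "app/views.py", "start_line": 40, "end_line": 41},
            "identifiers": [{"type": "cwe", "name": "CWE-79", "value": "79"}],
        },
        {   # third-party scanner that reports only its own rule id: no CWE
            "name": "Hard-coded password", "severity": "High",
            "location": {"file": "app/settings.py", "start_line": 3, "end_line": 3},
            "identifiers": [{"type": "vendor_rule", "name": "V-1042", "value": "V-1042"}],
        },
        {   # CWE present but the scanner did not report where the finding is
            "name": "Weak hash", "severity": "Low",
            "location": {},
            "identifiers": [{"type": "cwe", "name": "CWE-328", "value": "328"}],
        },
    ],
})

_CWE_NUMBER = re.compile(r"(\d+)")


def cwe_number(vuln: dict):
    """Return the CWE number from a finding's identifiers, or None if absent."""
    for ident in vuln.get("identifiers", []):
        if str(ident.get("type", "")).lower() != "cwe":
            continue
        match = _CWE_NUMBER.search(str(ident.get("value") or ident.get("name") or ""))
        if match:
            return int(match.group(1))
    return None


def has_location(vuln: dict) -> bool:
    """A usable location needs at least a file path and an integer start line."""
    loc = vuln.get("location") or {}
    return bool(loc.get("file")) and isinstance(loc.get("start_line"), int)


def classify(vuln: dict) -> str:
    """'eligible', or the first documented prerequisite the finding fails."""
    if not has_location(vuln):
        return "no location"
    cwe = cwe_number(vuln)
    if cwe is None:
        return "no CWE identifier"
    if cwe not in SUPPORTED_CWES:
        return f"CWE-{cwe} not supported"
    return "eligible"


def classify_report(report_json: str) -> list:
    """Return (finding name, verdict) pairs for every vulnerability in the report."""
    report = json.loads(report_json)
    return [(v.get("name", "?"), classify(v)) for v in report.get("vulnerabilities", [])]


if __name__ == "__main__":
    for name, verdict in classify_report(SAMPLE_REPORT):
        print(f"{verdict:24} {name}")
```

The "Reflected XSS" case is worth noting: the list above contains CWE-80 (basic XSS) but not CWE-79, so a scanner that maps its XSS rules to CWE-79 will not get an offer even though the finding is real and its location is known. When integrating a third-party scanner, check which CWE it emits per rule, not only that it emits one.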

Data shared with third-party AI APIs for Vulnerability Resolution

The following data is shared with third-party AI APIs:

  • Vulnerability name
  • Vulnerability description
  • Identifiers (CWE, OWASP)
  • Entire file that contains the vulnerable lines of code
  • Vulnerable lines of code (line numbers)

Because the entire file is sent, not only the flagged lines, anything else that file contains (for example configuration values or credentials) is shared with the AI provider as well.

Workflows

Vulnerability Resolution is available in different workflows. You can:

  • Resolve existing vulnerabilities from the Vulnerability Report.
  • Resolve vulnerabilities in the context of a merge request.

Resolve an existing vulnerability from the Vulnerability Report

Find vulnerabilities that support Vulnerability Resolution

To resolve a vulnerability:

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Secure > Vulnerability report.
  3. Optional. To remove the default filters, select Clear.
  4. Above the list of vulnerabilities, select the filter bar.
  5. In the dropdown list that appears, select Activity, then select Vulnerability Resolution available in the GitLab Duo (AI) category.
  6. Select outside the filter field. The vulnerability severity totals and list of matching vulnerabilities are updated.
  7. Select the SAST vulnerability you want resolved.
    • A blue icon is shown next to vulnerabilities that support Vulnerability Resolution.

Resolve the selected vulnerability

After you’ve selected a vulnerability that supports resolution:

  1. In the upper-right corner, select Resolve with AI. A merge request containing the AI remediation suggestions is opened. If the project is public, be aware that creating the MR publicly exposes both the vulnerability and the offered resolution. To create the MR privately, create a private fork and repeat this process there.
  2. Review the suggested changes in the merge request.
  3. Add an additional commit to the MR. This forces a new pipeline to run.
  4. After the pipeline is complete, on the pipeline security tab, confirm that the vulnerability no longer appears.
  5. On the vulnerability report, manually update the vulnerability.

Then process the merge request according to your standard workflow.

Provide feedback on this feature in issue 476553.

Resolve a vulnerability in a merge request

You can use GitLab Duo Vulnerability Resolution in a merge request to fix vulnerabilities before they’re merged. When you request a fix, Vulnerability Resolution creates a merge request suggestion comment that resolves the vulnerability finding.

To resolve a vulnerability finding:

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Merge requests.
  3. Select a merge request.
    • Vulnerability findings supported by Vulnerability Resolution are indicated by the tanuki AI icon.
  4. Select a supported finding to open the security finding dialog.
  5. In the lower-right corner, select Resolve with AI.

A comment containing the AI remediation suggestions is opened in the merge request. Review the suggested changes, then apply the merge request suggestion according to your standard workflow.

Provide feedback on this feature in issue 476553.

Troubleshooting

Vulnerability Resolution sometimes cannot generate a suggested fix. Common causes include:

  • False positive detected:
    • Before proposing a fix, the AI model assesses whether the vulnerability is valid. It may judge that the vulnerability is not a true vulnerability, or isn’t worth fixing.
    • This can happen if the vulnerability occurs in test code. Your organization might still choose to fix vulnerabilities even if they happen in test code, but models sometimes assess these to be false positives.
    • If you agree that the vulnerability is a false positive or is not worth fixing, dismiss the vulnerability and select a matching reason.
      • To customize your SAST configuration or report a problem with a GitLab SAST rule, see SAST rules.
  • Temporary or unexpected error:
    • The error message may state that an unexpected error has occurred, the upstream AI provider request timed out, something went wrong, or a similar cause.
    • These errors may be caused by temporary problems with the AI provider or with GitLab Duo.
    • A new request may succeed, so you can try to resolve the vulnerability again.
    • If you continue to see these errors, contact GitLab for assistance.
  • Resolution target could not be found in the merge request, unable to create suggestion error: