debian-mirror-gitlab/doc/api/vulnerabilities.md

---
stage: Secure
group: Threat Insights
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
---

# Vulnerabilities API **(ULTIMATE)**

> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10242) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.

NOTE: **Note:**
The former Vulnerabilities API was renamed to Vulnerability Findings API
and its documentation was moved to [a different location](vulnerability_findings.md).
This document now describes the new Vulnerabilities API that provides access to
[Vulnerabilities](https://gitlab.com/groups/gitlab-org/-/epics/634).

CAUTION: **Caution:**
This API is in an alpha stage and considered unstable.
The response payload may be subject to change or breakage
across GitLab releases.

Every API call to vulnerabilities must be [authenticated](README.md#authentication).

Vulnerability permissions inherit permissions from their project. If a project is
private, and a user isn't a member of the project to which the vulnerability
belongs, requests to that project will return a `404 Not Found` status code.

## Single vulnerability

Gets a single vulnerability

```plaintext
GET /vulnerabilities/:id
```

| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
| `id` | integer or string | yes | The ID of a Vulnerability to get |

```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"
```

Example response:

```json
{
  "id": 1,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "opened",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "updated_by_id": null,
  "last_edited_by_id": null,
  "closed_by_id": null,
  "start_date": null,
  "due_date": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "last_edited_at": null,
  "closed_at": null
}
```

## Confirm vulnerability

Confirms a given vulnerability. Returns status code `304` if the vulnerability is already confirmed.

If an authenticated user does not have permission to
[confirm vulnerabilities](../user/permissions.md#project-members-permissions),
this request will result in a `403` status code.

```plaintext
POST /vulnerabilities/:id/confirm
```

| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
| `id` | integer or string | yes | The ID of a vulnerability to confirm |

```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/confirm"
```

Example response:

```json
{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "confirmed",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "updated_by_id": null,
  "last_edited_by_id": null,
  "closed_by_id": null,
  "start_date": null,
  "due_date": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "last_edited_at": null,
  "closed_at": null
}
```

## Resolve vulnerability

Resolves a given vulnerability. Returns status code `304` if the vulnerability is already resolved.

If an authenticated user does not have permission to
[resolve vulnerabilities](../user/permissions.md#project-members-permissions),
this request will result in a `403` status code.

```plaintext
POST /vulnerabilities/:id/resolve
```

| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
| `id` | integer or string | yes | The ID of a Vulnerability to resolve |

```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/resolve"
```

Example response:

```json
{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "resolved",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "updated_by_id": null,
  "last_edited_by_id": null,
  "closed_by_id": null,
  "start_date": null,
  "due_date": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "last_edited_at": null,
  "closed_at": null
}
```

## Dismiss vulnerability

Dismisses a given vulnerability. Returns status code `304` if the vulnerability is already dismissed.

If an authenticated user does not have permission to
[dismiss vulnerabilities](../user/permissions.md#project-members-permissions),
this request will result in a `403` status code.

```plaintext
POST /vulnerabilities/:id/dismiss
```

| Attribute | Type | Required | Description |
| --------- | ---- | -------- | ----------- |
| `id` | integer or string | yes | The ID of a vulnerability to dismiss |

```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/dismiss"
```

Example response:

```json
{
  "id": 2,
  "title": "Predictable pseudorandom number generator",
  "description": null,
  "state": "closed",
  "severity": "medium",
  "confidence": "medium",
  "report_type": "sast",
  "project": {
    "id": 32,
    "name": "security-reports",
    "full_path": "/gitlab-examples/security/security-reports",
    "full_name": "gitlab-examples / security / security-reports"
  },
  "author_id": 1,
  "updated_by_id": null,
  "last_edited_by_id": null,
  "closed_by_id": null,
  "start_date": null,
  "due_date": null,
  "created_at": "2019-10-13T15:08:40.219Z",
  "updated_at": "2019-10-13T15:09:40.382Z",
  "last_edited_at": null,
  "closed_at": null
}
```
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`---`
			`stage: Secure`
			`group: Threat Insights`
			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers`
			`---`

New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`# Vulnerabilities API (ULTIMATE)`
New upstream version 12.0.8 2019-09-04 21:01:54 +05:30
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10242) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30
			`NOTE: Note:`
			`The former Vulnerabilities API was renamed to Vulnerability Findings API`
			`and its documentation was moved to [a different location](vulnerability_findings.md).`
			`This document now describes the new Vulnerabilities API that provides access to`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`[Vulnerabilities](https://gitlab.com/groups/gitlab-org/-/epics/634).`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30
			`CAUTION: Caution:`
			`This API is in an alpha stage and considered unstable.`
			`The response payload may be subject to change or breakage`
			`across GitLab releases.`

			`Every API call to vulnerabilities must be [authenticated](README.md#authentication).`

			`Vulnerability permissions inherit permissions from their project. If a project is`
			`private, and a user isn't a member of the project to which the vulnerability`
			belongs, requests to that project will return a `404 Not Found` status code.

			`## Single vulnerability`

			`Gets a single vulnerability`

			```plaintext
			`GET /vulnerabilities/:id`
			```

			`\| Attribute \| Type \| Required \| Description \|`
			`\| --------- \| ---- \| -------- \| ----------- \|`
			\| `id` \| integer or string \| yes \| The ID of a Vulnerability to get \|

			```shell
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/1"`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			```

			`Example response:`

			```json
			`{`
			`"id": 1,`
			`"title": "Predictable pseudorandom number generator",`
			`"description": null,`
			`"state": "opened",`
			`"severity": "medium",`
			`"confidence": "medium",`
			`"report_type": "sast",`
			`"project": {`
			`"id": 32,`
			`"name": "security-reports",`
			`"full_path": "/gitlab-examples/security/security-reports",`
			`"full_name": "gitlab-examples / security / security-reports"`
			`},`
			`"author_id": 1,`
			`"updated_by_id": null,`
			`"last_edited_by_id": null,`
			`"closed_by_id": null,`
			`"start_date": null,`
			`"due_date": null,`
			`"created_at": "2019-10-13T15:08:40.219Z",`
			`"updated_at": "2019-10-13T15:09:40.382Z",`
			`"last_edited_at": null,`
			`"closed_at": null`
			`}`
			```

			`## Confirm vulnerability`

			Confirms a given vulnerability. Returns status code `304` if the vulnerability is already confirmed.

			`If an authenticated user does not have permission to`
			`[confirm vulnerabilities](../user/permissions.md#project-members-permissions),`
			this request will result in a `403` status code.

			```plaintext
			`POST /vulnerabilities/:id/confirm`
			```

			`\| Attribute \| Type \| Required \| Description \|`
			`\| --------- \| ---- \| -------- \| ----------- \|`
			\| `id` \| integer or string \| yes \| The ID of a vulnerability to confirm \|

			```shell
			`curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/confirm"`
			```

			`Example response:`

			```json
			`{`
			`"id": 2,`
			`"title": "Predictable pseudorandom number generator",`
			`"description": null,`
			`"state": "confirmed",`
			`"severity": "medium",`
			`"confidence": "medium",`
			`"report_type": "sast",`
			`"project": {`
			`"id": 32,`
			`"name": "security-reports",`
			`"full_path": "/gitlab-examples/security/security-reports",`
			`"full_name": "gitlab-examples / security / security-reports"`
			`},`
			`"author_id": 1,`
			`"updated_by_id": null,`
			`"last_edited_by_id": null,`
			`"closed_by_id": null,`
			`"start_date": null,`
			`"due_date": null,`
			`"created_at": "2019-10-13T15:08:40.219Z",`
			`"updated_at": "2019-10-13T15:09:40.382Z",`
			`"last_edited_at": null,`
			`"closed_at": null`
			`}`
			```

			`## Resolve vulnerability`

			Resolves a given vulnerability. Returns status code `304` if the vulnerability is already resolved.

			`If an authenticated user does not have permission to`
			`[resolve vulnerabilities](../user/permissions.md#project-members-permissions),`
			this request will result in a `403` status code.

			```plaintext
			`POST /vulnerabilities/:id/resolve`
			```

			`\| Attribute \| Type \| Required \| Description \|`
			`\| --------- \| ---- \| -------- \| ----------- \|`
			\| `id` \| integer or string \| yes \| The ID of a Vulnerability to resolve \|

			```shell
			`curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/resolve"`
			```

			`Example response:`

			```json
			`{`
			`"id": 2,`
			`"title": "Predictable pseudorandom number generator",`
			`"description": null,`
			`"state": "resolved",`
			`"severity": "medium",`
			`"confidence": "medium",`
			`"report_type": "sast",`
			`"project": {`
			`"id": 32,`
			`"name": "security-reports",`
			`"full_path": "/gitlab-examples/security/security-reports",`
			`"full_name": "gitlab-examples / security / security-reports"`
			`},`
			`"author_id": 1,`
			`"updated_by_id": null,`
			`"last_edited_by_id": null,`
			`"closed_by_id": null,`
			`"start_date": null,`
			`"due_date": null,`
			`"created_at": "2019-10-13T15:08:40.219Z",`
			`"updated_at": "2019-10-13T15:09:40.382Z",`
			`"last_edited_at": null,`
			`"closed_at": null`
			`}`
			```

			`## Dismiss vulnerability`

			Dismisses a given vulnerability. Returns status code `304` if the vulnerability is already dismissed.

			`If an authenticated user does not have permission to`
			`[dismiss vulnerabilities](../user/permissions.md#project-members-permissions),`
			this request will result in a `403` status code.

			```plaintext
			`POST /vulnerabilities/:id/dismiss`
			```

			`\| Attribute \| Type \| Required \| Description \|`
			`\| --------- \| ---- \| -------- \| ----------- \|`
			\| `id` \| integer or string \| yes \| The ID of a vulnerability to dismiss \|

			```shell
			`curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/vulnerabilities/5/dismiss"`
			```

			`Example response:`

			```json
			`{`
			`"id": 2,`
			`"title": "Predictable pseudorandom number generator",`
			`"description": null,`
			`"state": "closed",`
			`"severity": "medium",`
			`"confidence": "medium",`
			`"report_type": "sast",`
			`"project": {`
			`"id": 32,`
			`"name": "security-reports",`
			`"full_path": "/gitlab-examples/security/security-reports",`
			`"full_name": "gitlab-examples / security / security-reports"`
			`},`
			`"author_id": 1,`
			`"updated_by_id": null,`
			`"last_edited_by_id": null,`
			`"closed_by_id": null,`
			`"start_date": null,`
			`"due_date": null,`
			`"created_at": "2019-10-13T15:08:40.219Z",`
			`"updated_at": "2019-10-13T15:09:40.382Z",`
			`"last_edited_at": null,`
			`"closed_at": null`
			`}`
			```