Worker service populate token statuses for mr pipelines

What does this MR do and why?

Issue: #556765 (closed)

Currently we run the UpdateTokenStatusWorker from StoreSecurityReportsByProjectWorker, which only gets called when a security scan runs for a pipeline in the default branch. In order to perform validity checks for MR findings, also run UpdateTokenStatusWorker from Security::StoreScansService. Make corresponding changes to UpdateTokenStatusService to handle updating token status for MR security pipelines and for a single MR finding (will be used in #556766 (closed)).

More details: &16927 (comment 2626722649)

FF rollout issue: #560711

Queries:
relation = Security::Finding
  .joins(scan: :build)
  .where(security_scans: { scan_type: 'secret_detection' })
  .where(builds: { pipeline_id: pipeline_id })



  Security::Finding Load (1.5ms)  SELECT "security_findings".* FROM "security_findings" INNER JOIN "security_scans" ON "security_scans"."id" = "security_findings"."scan_id" WHERE "security_scans"."scan_type" = 5 AND "security_scans"."build_id" = 346 /*application:console,db_config_database:gitlabhq_development,db_config_name:main,console_hostname:sfang--20220612-V49GC,console_username:serena,line:(pry):25:in `__pry__'*/
=> EXPLAIN SELECT "security_findings".* FROM "security_findings" INNER JOIN "security_scans" ON "security_scans"."id" = "security_findings"."scan_id" WHERE "security_scans"."scan_type" = 5 AND "security_scans"."build_id" = 346 /*application:console,db_config_database:gitlabhq_development,db_config_name:main,console_hostname:sfang--20220612-V49GC,console_username:serena,line:(pry):25:in `__pry__'*/
                                                               QUERY PLAN
----------------------------------------------------------------------------------------------------------------------------------------
 Nested Loop  (cost=0.30..6.40 rows=1 width=103)
   ->  Index Scan using idx_security_scans_on_build_and_scan_type on security_scans  (cost=0.15..2.17 rows=1 width=8)
         Index Cond: ((build_id = 346) AND (scan_type = 5))
   ->  Index Scan using security_findings_1_scan_id_id_idx on security_findings_1 security_findings  (cost=0.15..4.20 rows=3 width=103)
         Index Cond: (scan_id = security_scans.id)
(5 rows)

Security::Finding.by_uuid(security_finding.uuid).explain



  Security::Finding Load (0.6ms)  SELECT "security_findings".* FROM "security_findings" WHERE "security_findings"."uuid" = '6effc1a4-8e6b-5288-ba22-32b634250279' /*application:console,db_config_database:gitlabhq_development,db_config_name:main,console_hostname:sfang--20220612-V49GC,console_username:serena,line:(pry):28:in `__pry__'*/
=> EXPLAIN SELECT "security_findings".* FROM "security_findings" WHERE "security_findings"."uuid" = '6effc1a4-8e6b-5288-ba22-32b634250279' /*application:console,db_config_database:gitlabhq_development,db_config_name:main,console_hostname:sfang--20220612-V49GC,console_username:serena,line:(pry):28:in `__pry__'*/
                                                                     QUERY PLAN
-----------------------------------------------------------------------------------------------------------------------------------------------------
 Index Scan using security_findings_1_uuid_scan_id_partition_number_idx on security_findings_1 security_findings  (cost=0.15..4.20 rows=3 width=103)
   Index Cond: (uuid = '6effc1a4-8e6b-5288-ba22-32b634250279'::uuid)
(2 rows)

Security::FindingTokenStatus.upsert_all(
  attributes,
  unique_by: :security_finding_id,
  update_only: [:status, :updated_at],
  record_timestamps: false
)
  Security::FindingTokenStatus Upsert (1.8ms)  INSERT INTO "security_finding_token_statuses" ("security_finding_id","project_id","status","created_at","updated_at") VALUES (1, 2, 0, '2025-08-11 22:57:57.415548', '2025-08-11 22:57:57.415742') ON CONFLICT ("security_finding_id") DO UPDATE SET "status"=excluded."status","updated_at"=excluded."updated_at" RETURNING "security_finding_id" 



Insert on security_finding_token_statuses  (cost=0.00..0.01 rows=0 width=0) (actual time=0.085..0.086 rows=0 loops=1)
  Conflict Resolution: UPDATE
  Conflict Arbiter Indexes: security_finding_token_statuses_pkey
  Tuples Inserted: 0
  Conflicting Tuples: 1
  ->  Result  (cost=0.00..0.01 rows=1 width=34) (actual time=0.001..0.001 rows=1 loops=1)
Planning Time: 0.039 ms
Execution Time: 0.099 ms
=> [["Insert on security_finding_token_statuses  (cost=0.00..0.01 rows=0 width=0) (actual time=0.085..0.086 rows=0 loops=1)"],
 ["  Conflict Resolution: UPDATE"],
 ["  Conflict Arbiter Indexes: security_finding_token_statuses_pkey"],
 ["  Tuples Inserted: 0"],
 ["  Conflicting Tuples: 1"],
 ["  ->  Result  (cost=0.00..0.01 rows=1 width=34) (actual time=0.001..0.001 rows=1 loops=1)"],
 ["Planning Time: 0.039 ms"],
 ["Execution Time: 0.099 ms"]]

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Serena Fang
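
The upsert from the Queries section, replayed against a constructed stand-in table to show what `update_only: [:status, :updated_at]` leaves untouched on a conflict. This is an added example, not part of the merge request: the table name, column types, and every value after the first insert are assumptions; only the column names and the primary-key conflict arbiter come from the output above.

```sql
-- Constructed stand-in for security_finding_token_statuses (types assumed).
-- security_finding_id is the primary key, matching the
-- "Conflict Arbiter Indexes: ..._pkey" line in the EXPLAIN output.
CREATE TEMP TABLE token_statuses_demo (
  security_finding_id bigint    PRIMARY KEY,
  project_id          bigint    NOT NULL,
  status              smallint  NOT NULL,
  created_at          timestamp NOT NULL,
  updated_at          timestamp NOT NULL
);

-- First worker run for finding 1: no row exists yet, so this inserts.
INSERT INTO token_statuses_demo
  (security_finding_id, project_id, status, created_at, updated_at)
VALUES
  (1, 2, 0, '2025-08-11 22:57:57', '2025-08-11 22:57:57')
ON CONFLICT (security_finding_id)
DO UPDATE SET status = excluded.status, updated_at = excluded.updated_at
RETURNING security_finding_id;

-- Second run for the same finding (constructed values): a different status,
-- a later timestamp, and a deliberately different project_id.
INSERT INTO token_statuses_demo
  (security_finding_id, project_id, status, created_at, updated_at)
VALUES
  (1, 99, 1, '2025-08-12 09:00:00', '2025-08-12 09:00:00')
ON CONFLICT (security_finding_id)
DO UPDATE SET status = excluded.status, updated_at = excluded.updated_at
RETURNING security_finding_id;

-- Inspect the result: still exactly one row per finding.
SELECT security_finding_id, project_id, status, created_at, updated_at
FROM token_statuses_demo;
```

The final `SELECT` returns a single row whose `status` and `updated_at` come from the second statement, while `project_id` and `created_at` keep the values written by the first: a repeated run refreshes the token status without duplicating the row or moving it to another project.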
