| [Compliance Dashboard](user/application_security/compliance_dashboard/index.md)**(ULTIMATE)** | View the most recent Merge Request activity in a group. |
| [Container Scanning](user/application_security/container_scanning/index.md)**(ULTIMATE)** | Use Clair to scan docker images for known vulnerabilities. |
| [Container Scanning](user/application_security/container_scanning/index.md)**(ULTIMATE)** | Use Clair to scan docker images for known vulnerabilities. |
| [Dependency List](user/application_security/dependency_list/index.md)**(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. |
| [Dependency List](user/application_security/dependency_list/index.md)**(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. |
| [Dependency Scanning](user/application_security/dependency_scanning/index.md)**(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. |
| [Dependency Scanning](user/application_security/dependency_scanning/index.md)**(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. |
› kubectl get cm --sort-by='{.metadata.creationTimestamp}' | grep 'review-' | grep -v 'dns-gitlab-review-app' | grep '[5-9]d$' | cut -d' ' -f1 | xargs kubectl delete cm
kubectl get cm --sort-by='{.metadata.creationTimestamp}' | grep'review-' | grep-v'dns-gitlab-review-app' | grep'[5-9]d$' | cut-d' '-f1 | xargs kubectl delete cm
# Delete all config maps that are 10 to 99 days old
# Delete all config maps that are 10 to 99 days old
› kubectl get cm --sort-by='{.metadata.creationTimestamp}' | grep 'review-' | grep -v 'dns-gitlab-review-app' | grep '[1-9][0-9]d$' | cut -d' ' -f1 | xargs kubectl delete cm
kubectl get cm --sort-by='{.metadata.creationTimestamp}' | grep'review-' | grep-v'dns-gitlab-review-app' | grep'[1-9][0-9]d$' | cut-d' '-f1 | xargs kubectl delete cm
```
```
### Using K9s
### Using K9s
...
@@ -294,7 +294,7 @@ This in turn prevented other components of the Review App to properly start
...
@@ -294,7 +294,7 @@ This in turn prevented other components of the Review App to properly start
After some digging, we found that new mounts were failing, when being performed
After some digging, we found that new mounts were failing, when being performed
with transient scopes (e.g. pods) of `systemd-mount`:
with transient scopes (e.g. pods) of `systemd-mount`:
```
```plaintext
MountVolume.SetUp failed for volume "dns-gitlab-review-app-external-dns-token-sj5jm" : mount failed: exit status 1
MountVolume.SetUp failed for volume "dns-gitlab-review-app-external-dns-token-sj5jm" : mount failed: exit status 1
Mounting command: systemd-run
Mounting command: systemd-run
Mounting arguments: --description=Kubernetes transient mount for /var/lib/kubelet/pods/06add1c3-87b4-11e9-80a9-42010a800107/volumes/kubernetes.io~secret/dns-gitlab-review-app-external-dns-token-sj5jm --scope -- mount -t tmpfs tmpfs /var/lib/kubelet/pods/06add1c3-87b4-11e9-80a9-42010a800107/volumes/kubernetes.io~secret/dns-gitlab-review-app-external-dns-token-sj5jm
Mounting arguments: --description=Kubernetes transient mount for /var/lib/kubelet/pods/06add1c3-87b4-11e9-80a9-42010a800107/volumes/kubernetes.io~secret/dns-gitlab-review-app-external-dns-token-sj5jm --scope -- mount -t tmpfs tmpfs /var/lib/kubelet/pods/06add1c3-87b4-11e9-80a9-42010a800107/volumes/kubernetes.io~secret/dns-gitlab-review-app-external-dns-token-sj5jm
...
@@ -342,7 +342,7 @@ clean up the list of non-`Running` pods.
...
@@ -342,7 +342,7 @@ clean up the list of non-`Running` pods.
Following is a command to delete Review Apps based on their last deployment date
Following is a command to delete Review Apps based on their last deployment date
| [Container Scanning](container_scanning/index.md) | Uses `clair` underneath and the latest `clair-db` version is used for each job run by running the [`latest` docker image tag](https://gitlab.com/gitlab-org/gitlab/blob/438a0a56dc0882f22bdd82e700554525f552d91b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L37). The `clair-db` database [is updated daily according to the author](https://github.com/arminc/clair-local-scan#clair-server-or-local). |
| [Container Scanning](container_scanning/index.md) | Uses `clair`. The latest `clair-db` version is used for each job by running the [`latest` docker image tag](https://gitlab.com/gitlab-org/gitlab/blob/438a0a56dc0882f22bdd82e700554525f552d91b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L37). The `clair-db` database [is updated daily according to the author](https://github.com/arminc/clair-local-scan#clair-server-or-local). |
| [Dependency Scanning](dependency_scanning/index.md) | Relies on `bundler-audit` (for Rubygems), `retire.js` (for NPM packages) and `gemnasium` (GitLab's own tool for all libraries). `bundler-audit` and `retire.js` both fetch their vulnerabilities data from GitHub repositories, so vulnerabilities added to `ruby-advisory-db` and `retire.js` are immediately available. The tools themselves are updated once per month if there's a new version. The [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) is updated at least once a week. |
| [Dependency Scanning](dependency_scanning/index.md) | Relies on `bundler-audit` (for Rubygems), `retire.js` (for NPM packages), and `gemnasium` (GitLab's own tool for all libraries). Both `bundler-audit` and `retire.js` fetch their vulnerabilities data from GitHub repositories, so vulnerabilities added to `ruby-advisory-db` and `retire.js` are immediately available. The tools themselves are updated once per month if there's a new version. The [Gemnasium DB](https://gitlab.com/gitlab-org/security-products/gemnasium-db) is updated at least once a week. |
| [Dynamic Application Security Testing (DAST)](dast/index.md) | The scanning engine is updated on a periodic basis. See the [version of the underlying tool `zaproxy`](https://gitlab.com/gitlab-org/security-products/dast/blob/master/Dockerfile#L1). The scanning rules are downloaded at the runtime of the scan. |
| [Dynamic Application Security Testing (DAST)](dast/index.md) | The scanning engine is updated on a periodic basis. See the [version of the underlying tool `zaproxy`](https://gitlab.com/gitlab-org/security-products/dast/blob/master/Dockerfile#L1). The scanning rules are downloaded at scan runtime. |
| [Static Application Security Testing (SAST)](sast/index.md) | Relies exclusively on [the tools GitLab is wrapping](sast/index.md#supported-languages-and-frameworks). The underlying analyzers are updated at least once per month if a relevant update is available. The vulnerabilities database is updated by the upstream tools. |
| [Static Application Security Testing (SAST)](sast/index.md) | Relies exclusively on [the tools GitLab wraps](sast/index.md#supported-languages-and-frameworks). The underlying analyzers are updated at least once per month if a relevant update is available. The vulnerabilities database is updated by the upstream tools. |
You don't have to update GitLab to benefit from the latest vulnerabilities definitions,
Currently, you do not have to update GitLab to benefit from the latest vulnerabilities definitions.
but you may have to in the future.
The security tools are released as Docker images. The vendored job definitions to enable them use
the `x-y-stable` image tags that get overridden each time a new release of the tools is pushed. The
The security tools are released as Docker images, and the vendored job definitions
Docker images are updated to match the previous GitLab releases, so users automatically get the
to enable them are using the `x-y-stable` image tags that get overridden each time a new
latest versions of the scanning tools without having to do anything. There are some known issues
release of the tools is pushed. The Docker images are updated to match the
with this approach, however, and there is a
previous GitLab releases, so they automatically get the latest versions of the
[plan to resolve them](https://gitlab.com/gitlab-org/gitlab/issues/9725).
scanning tools without the user having to do anything.
This workflow comes with some drawbacks and there's a
[plan to change this](https://gitlab.com/gitlab-org/gitlab/issues/9725).
## Interacting with the vulnerabilities
## Interacting with the vulnerabilities
...
@@ -63,14 +55,14 @@ CAUTION: **Warning:**
...
@@ -63,14 +55,14 @@ CAUTION: **Warning:**
This feature is currently [Alpha](https://about.gitlab.com/handbook/product/#alpha-beta-ga) and while you can start using it, it may receive important changes in the future.
This feature is currently [Alpha](https://about.gitlab.com/handbook/product/#alpha-beta-ga) and while you can start using it, it may receive important changes in the future.
Each security vulnerability in the merge request report or the
Each security vulnerability in the merge request report or the
[Security Dashboard](security_dashboard/index.md) is actionable. Clicking on an
[Security Dashboard](security_dashboard/index.md) is actionable. Click an entry to view detailed
entry, a detailed information will pop up with different possible options:
information with several options:
-[Dismiss vulnerability](#dismissing-a-vulnerability): Dismissing a vulnerability
-[Dismiss vulnerability](#dismissing-a-vulnerability): Dismissing a vulnerability styles it in
will place a ~~strikethrough~~ styling on it.
strikethrough.
-[Create issue](#creating-an-issue-for-a-vulnerability): The new issue will
-[Create issue](#creating-an-issue-for-a-vulnerability): Create a new issue with the title and
have the title and description pre-populated with the information from the
description prepopulated with information from the vulnerability report. By default, such issues
vulnerability report and will be created as [confidential](../project/issues/confidential_issues.md) by default.
are [confidential](../project/issues/confidential_issues.md).
-[Solution](#solutions-for-vulnerabilities-auto-remediation): For some vulnerabilities,
-[Solution](#solutions-for-vulnerabilities-auto-remediation): For some vulnerabilities,
a solution is provided for how to fix the vulnerability.
a solution is provided for how to fix the vulnerability.
...
@@ -88,8 +80,8 @@ If you wish to undo this dismissal, you can click the **Undo dismiss** button.
...
@@ -88,8 +80,8 @@ If you wish to undo this dismissal, you can click the **Undo dismiss** button.
When dismissing a vulnerability, it's often helpful to provide a reason for doing so.
When dismissing a vulnerability, it's often helpful to provide a reason for doing so.
If you press the comment button next to **Dismiss vulnerability** in the modal,
If you press the comment button next to **Dismiss vulnerability** in the modal,
a text box will appear, allowing you to add a comment with your dismissal.
a text box appears for you to add a comment with your dismissal.
Once added, you can edit it or delete it. This allows you to add and update
Once added, you can edit or delete it. This allows you to add and update
context for a vulnerability as you learn more over time.
context for a vulnerability as you learn more over time.
> [Introduced](https://gitlab.com/gitlab-org/cluster-integration/cluster-applications/-/merge_requests/40) in GitLab 12.8.
Enable JupyterHub in the `.gitlab/managed-apps/config.yaml` file to install it:
```yaml
jupyterhub:
installed:true
gitlabProjectIdWhitelist:[]
gitlabGroupWhitelist:[]
```
`gitlabProjectIdWhitelist` restricts GitLab authentication to only members of the specified projects. `gitlabGroupWhitelist` restricts GitLab authentication to only members of the specified groups. Specifying an empty array for both will allow any user on the GitLab instance to log in.
JupyterHub is installed into the `gitlab-managed-apps` namespace of your
cluster.
In order for JupyterHub to function, you must setup an [OAuth Application](../../integration/oauth_provider.md). Using the following values:
- "Redirect URI" to `http://<JupyterHub Host>/hub/oauth_callback`
- "Scope" to `api read_repository write_repository`
In addition the following variables must be specified using [CI variables](../../ci/variables/README.md):
-`JUPYTERHUB_PROXY_SECRET_TOKEN` will set [`proxy.secretToken`](https://zero-to-jupyterhub.readthedocs.io/en/stable/reference.html#proxy-secrettoken). Generate this using `openssl rand -hex 32`.
-`JUPYTERHUB_COOKIE_SECRET` will set [`hub.cookieSecret`](https://zero-to-jupyterhub.readthedocs.io/en/stable/reference.html#hub-cookiesecret). Generate this using `openssl rand -hex 32`.
-`JUPYTERHUB_HOST` is the hostname used for the installation (e.g., `jupyter.example.gitlab.com`).
-`JUPYTERHUB_GITLAB_HOST` is the hostname of the GitLab instance used for authentication (e.g., `example.gitlab.com`).
-`JUPYTERHUB_AUTH_CRYPTO_KEY` will set [`auth.state.cryptoKey`](https://zero-to-jupyterhub.readthedocs.io/en/stable/reference.html#auth-state-cryptokey). Generate this using `openssl rand -hex 32`.
-`JUPYTERHUB_AUTH_GITLAB_CLIENT_ID` the "Application ID" for the OAuth Application.
-`JUPYTERHUB_AUTH_GITLAB_CLIENT_SECRET` the "Secret" for the OAuth Application.
