Commit 06c1ef45 authored by Russell Dickenson

Merge branch 'autodevops-secrets' into 'master'

Initial AutoDevops doc changes for Auto Secret

See merge request gitlab-org/gitlab!34467
parents d7916c0e 8b085009
---
title: Add secret detection template to Auto DevOps
merge_request: 34467
author:
type: changed
...@@ -85,6 +85,7 @@ project in a simple and automatic way: ...@@ -85,6 +85,7 @@ project in a simple and automatic way:
1. [Auto Test](stages.md#auto-test) 1. [Auto Test](stages.md#auto-test)
1. [Auto Code Quality](stages.md#auto-code-quality-starter) **(STARTER)** 1. [Auto Code Quality](stages.md#auto-code-quality-starter) **(STARTER)**
1. [Auto SAST (Static Application Security Testing)](stages.md#auto-sast-ultimate) **(ULTIMATE)** 1. [Auto SAST (Static Application Security Testing)](stages.md#auto-sast-ultimate) **(ULTIMATE)**
1. [Auto Secret Detection](stages.md#auto-secret-detection-ultimate) **(ULTIMATE)**
1. [Auto Dependency Scanning](stages.md#auto-dependency-scanning-ultimate) **(ULTIMATE)** 1. [Auto Dependency Scanning](stages.md#auto-dependency-scanning-ultimate) **(ULTIMATE)**
1. [Auto License Compliance](stages.md#auto-license-compliance-ultimate) **(ULTIMATE)** 1. [Auto License Compliance](stages.md#auto-license-compliance-ultimate) **(ULTIMATE)**
1. [Auto Container Scanning](stages.md#auto-container-scanning-ultimate) **(ULTIMATE)** 1. [Auto Container Scanning](stages.md#auto-container-scanning-ultimate) **(ULTIMATE)**
...@@ -182,6 +182,7 @@ The jobs are separated into stages: ...@@ -182,6 +182,7 @@ The jobs are separated into stages:
([Auto Dependency Scanning](stages.md#auto-dependency-scanning-ultimate)) **(ULTIMATE)** ([Auto Dependency Scanning](stages.md#auto-dependency-scanning-ultimate)) **(ULTIMATE)**
- Jobs suffixed with `-sast` run static analysis on the current code to check for potential - Jobs suffixed with `-sast` run static analysis on the current code to check for potential
security issues, and are allowed to fail ([Auto SAST](stages.md#auto-sast-ultimate)) **(ULTIMATE)** security issues, and are allowed to fail ([Auto SAST](stages.md#auto-sast-ultimate)) **(ULTIMATE)**
- The `secret-detection` job checks for leaked secrets and is allowed to fail ([Auto Secret Detection](stages.md#auto-secret-detection-ultimate)) **(ULTIMATE)**
- The `license_management` job searches the application's dependencies to determine each of their - The `license_management` job searches the application's dependencies to determine each of their
licenses and is allowed to fail licenses and is allowed to fail
([Auto License Compliance](stages.md#auto-license-compliance-ultimate)) **(ULTIMATE)** ([Auto License Compliance](stages.md#auto-license-compliance-ultimate)) **(ULTIMATE)**
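Review bot: the job name `secret-detection` in the new bullet disagrees with the Auto DevOps template comment added in this same change, which lists the job as `secret_detection` (`# * secret_detection: SECRET_DETECTION_DISABLED`). The neighbouring bullets use the literal job names (`license_management`, jobs suffixed `-sast`), so readers will search their pipeline for this exact string; use whichever name the included `Security/Secret-Detection.gitlab-ci.yml` template actually defines, and use it in both places.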
...@@ -144,6 +144,22 @@ warnings. ...@@ -144,6 +144,22 @@ warnings.
To learn more about [how SAST works](../../user/application_security/sast/index.md), To learn more about [how SAST works](../../user/application_security/sast/index.md),
see the documentation. see the documentation.
## Auto Secret Detection **(ULTIMATE)**
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
Secret Detection uses the
[Secret Detection Docker image](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) to run Secret Detection on the current code, and checks for leaked secrets. The
Auto Secret Detection stage runs only on the
[Ultimate](https://about.gitlab.com/pricing/) tier, and requires
[GitLab Runner](https://docs.gitlab.com/runner/) 11.5 or above.
After creating the report, it's uploaded as an artifact which you can later
download and evaluate. The merge request widget also displays any security
warnings.
To learn more, see [Secret Detection](../../user/application_security/secret_detection/index.md).
## Auto Dependency Scanning **(ULTIMATE)** ## Auto Dependency Scanning **(ULTIMATE)**
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.7. > Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.7.
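Review bot: the new Auto Secret Detection section does not say how to turn the stage off, although the Auto DevOps template in this change adds `SECRET_DETECTION_DISABLED` for exactly that; the stage sections in this file are where readers look for the opt-out, so add a sentence such as "To disable Auto Secret Detection, set the `SECRET_DETECTION_DISABLED` variable." The opening sentence also repeats "Secret Detection" three times; tighten it to "Auto Secret Detection runs the [Secret Detection Docker image](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) against the current code and reports leaked secrets." Finally, please confirm that the "GitLab Runner 11.5 or above" requirement was checked for this analyzer rather than carried over from the preceding SAST section.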
...@@ -17,14 +17,15 @@ For an overview of application security with GitLab, see ...@@ -17,14 +17,15 @@ For an overview of application security with GitLab, see
## Quick start ## Quick start
Get started quickly with Dependency Scanning, License Scanning, and Static Application Security Get started quickly with Dependency Scanning, License Scanning, Static Application Security
Testing (SAST) by adding the following to your `.gitlab-ci.yml`: Testing (SAST), and Secret Detection by adding the following to your `.gitlab-ci.yml`:
```yaml ```yaml
include: include:
- template: Dependency-Scanning.gitlab-ci.yml - template: Dependency-Scanning.gitlab-ci.yml
- template: License-Scanning.gitlab-ci.yml - template: License-Scanning.gitlab-ci.yml
- template: SAST.gitlab-ci.yml - template: SAST.gitlab-ci.yml
- template: Secret-Detection.gitlab-ci.yml
``` ```
To add Dynamic Application Security Testing (DAST) scanning, add the following to your To add Dynamic Application Security Testing (DAST) scanning, add the following to your
...@@ -64,6 +65,19 @@ GitLab uses the following tools to scan and report known vulnerabilities found i ...@@ -64,6 +65,19 @@ GitLab uses the following tools to scan and report known vulnerabilities found i
| [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all your projects and groups. | | [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all your projects and groups. |
| [Static Application Security Testing (SAST)](sast/index.md) **(ULTIMATE)** | Analyze source code for known vulnerabilities. | | [Static Application Security Testing (SAST)](sast/index.md) **(ULTIMATE)** | Analyze source code for known vulnerabilities. |
## Security Scanning with Auto DevOps
When [Auto DevOps](../../topics/autodevops/) is enabled, all GitLab Security scanning tools will be configured using default settings.
- [Auto SAST](../../topics/autodevops/stages.md#auto-sast-ultimate)
- [Auto Secret Detection](../../topics/autodevops/stages.md#auto-secret-detection-ultimate)
- [Auto DAST](../../topics/autodevops/stages.md#auto-dast-ultimate)
- [Auto Dependency Scanning](../../topics/autodevops/stages.md#auto-dependency-scanning-ultimate)
- [Auto License Compliance](../../topics/autodevops/stages.md#auto-license-compliance-ultimate)
- [Auto Container Scanning](../../topics/autodevops/stages.md#auto-container-scanning-ultimate)
While you cannot directly customize Auto DevOps, you can [include the Auto DevOps template in your project's `.gitlab-ci.yml` file](../../topics/autodevops/customize.md#customizing-gitlab-ciyml).
## Maintenance and update of the vulnerabilities database ## Maintenance and update of the vulnerabilities database
The scanning tools and vulnerabilities database are updated regularly. The scanning tools and vulnerabilities database are updated regularly.
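Review bot: "all GitLab Security scanning tools will be configured using default settings" is future tense, which the docs style guide avoids, and is overstated, since every stage in the list can be switched off with its `*_DISABLED` variable (this change adds `SECRET_DETECTION_DISABLED` itself); suggest "When Auto DevOps is enabled, the following security scanning stages run with their default settings unless disabled:". The closing sentence "While you cannot directly customize Auto DevOps, you can include the Auto DevOps template in your project's `.gitlab-ci.yml` file" reads as a contradiction; state what is meant, for example that settings are changed by including the template and overriding jobs or variables in the project's own `.gitlab-ci.yml`.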
...@@ -50,6 +50,10 @@ with a dollar sign (`$`) as this likely indicates the password being used is an ...@@ -50,6 +50,10 @@ with a dollar sign (`$`) as this likely indicates the password being used is an
variable. For example, `https://username:$password@example.com/path/to/repo` won't be variable. For example, `https://username:$password@example.com/path/to/repo` won't be
detected, whereas `https://username:password@example.com/path/to/repo` would be detected. detected, whereas `https://username:password@example.com/path/to/repo` would be detected.
NOTE: **Note:**
You don't have to configure Secret Detection manually as shown in this section if you're using [Auto Secret Detection](../../../topics/autodevops/stages.md#auto-secret-detection-ultimate)
provided by [Auto DevOps](../../../topics/autodevops/index.md).
## Full History Secret Scan ## Full History Secret Scan
GitLab 12.11 introduced support for scanning the full history of a repository. This new functionality GitLab 12.11 introduced support for scanning the full history of a repository. This new functionality
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
# * license_management: LICENSE_MANAGEMENT_DISABLED # * license_management: LICENSE_MANAGEMENT_DISABLED
# * performance: PERFORMANCE_DISABLED # * performance: PERFORMANCE_DISABLED
# * sast: SAST_DISABLED # * sast: SAST_DISABLED
# * secret_detection: SECRET_DETECTION_DISABLED
# * dependency_scanning: DEPENDENCY_SCANNING_DISABLED # * dependency_scanning: DEPENDENCY_SCANNING_DISABLED
# * container_scanning: CONTAINER_SCANNING_DISABLED # * container_scanning: CONTAINER_SCANNING_DISABLED
# * dast: DAST_DISABLED # * dast: DAST_DISABLED
...@@ -160,3 +161,4 @@ include: ...@@ -160,3 +161,4 @@ include:
- template: Security/Dependency-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml - template: Security/Dependency-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/License-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml - template: Security/License-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml - template: Security/SAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml
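Review bot: the new include adds `Security/Secret-Detection.gitlab-ci.yml` unconditionally, while the header comment added earlier in this file advertises `SECRET_DETECTION_DISABLED` as the opt-out. Nothing in this file enforces that variable, so the disabling logic can only live in the included template; please confirm its job carries the same `except`/`rules` check on `$SECRET_DETECTION_DISABLED` that the other security templates apply for their `*_DISABLED` variables, otherwise the comment promises a switch that does nothing.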