Commit 082a61c2 authored by Evan Read's avatar Evan Read

Merge branch 'russell/improve-application-security-overview' into 'master'

Improve Application Security overview

See merge request gitlab-org/gitlab!60688
parents 04be8d17 7af0f762
...@@ -7,9 +7,16 @@ type: reference, howto ...@@ -7,9 +7,16 @@ type: reference, howto
# Application security **(ULTIMATE)** # Application security **(ULTIMATE)**
GitLab can check your application for security vulnerabilities that may lead to unauthorized access, GitLab can check your application for security vulnerabilities including:
data leaks, denial of services, and more. GitLab reports vulnerabilities in the merge request so you
can fix them before you merge. - Unauthorized access.
- Data leaks.
- Denial of service attacks.
Statistics and details on vulnerabilities are included in the merge request. Providing
actionable information _before_ changes are merged enables you to be proactive.
GitLab also provides high-level statistics of vulnerabilities across projects and groups:
- The [Security Dashboard](security_dashboard/index.md) provides a - The [Security Dashboard](security_dashboard/index.md) provides a
high-level view of vulnerabilities detected in your projects, pipeline, and groups. high-level view of vulnerabilities detected in your projects, pipeline, and groups.
...@@ -18,13 +25,45 @@ can fix them before you merge. ...@@ -18,13 +25,45 @@ can fix them before you merge.
you can immediately begin risk analysis and remediation. you can immediately begin risk analysis and remediation.
<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
For an overview of GitLab application security, see For an overview of GitLab application security, see [Shifting Security Left](https://www.youtube.com/watch?v=XnYstHObqlA&t).
[Security Deep Dive](https://www.youtube.com/watch?v=k4vEJnGYy84).
## Security scanning tools
GitLab uses the following tools to scan and report known vulnerabilities found in your project.
| Secure scanning tool | Description |
|:-----------------------------------------------------------------------------|:-----------------------------------------------------------------------|
| [Container Scanning](container_scanning/index.md) **(ULTIMATE)** | Scan Docker containers for known vulnerabilities. |
| [Dependency List](dependency_list/index.md) **(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. |
| [Dependency Scanning](dependency_scanning/index.md) **(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. |
| [Dynamic Application Security Testing (DAST)](dast/index.md) **(ULTIMATE)** | Analyze running web applications for known vulnerabilities. |
| [API fuzzing](api_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities in web APIs with fuzzing. |
| [Secret Detection](secret_detection/index.md) | Analyze Git history for leaked secrets. |
| [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all your projects and groups. |
| [Static Application Security Testing (SAST)](sast/index.md) | Analyze source code for known vulnerabilities. |
| [Coverage fuzzing](coverage_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities with coverage-guided fuzzing. |
## Security scanning with Auto DevOps
To enable all GitLab Security scanning tools, with default settings, enable
[Auto DevOps](../../topics/autodevops/):
- [Auto SAST](../../topics/autodevops/stages.md#auto-sast)
- [Auto Secret Detection](../../topics/autodevops/stages.md#auto-secret-detection)
- [Auto DAST](../../topics/autodevops/stages.md#auto-dast)
- [Auto Dependency Scanning](../../topics/autodevops/stages.md#auto-dependency-scanning)
- [Auto License Compliance](../../topics/autodevops/stages.md#auto-license-compliance)
- [Auto Container Scanning](../../topics/autodevops/stages.md#auto-container-scanning)
While you cannot directly customize Auto DevOps, you can [include the Auto DevOps template in your project's `.gitlab-ci.yml` file](../../topics/autodevops/customize.md#customizing-gitlab-ciyml).
## Quick start ## Security scanning without Auto DevOps
Get started quickly with Dependency Scanning, License Scanning, Static Application Security To enable all GitLab security scanning tools, with the option of customizing settings, add the
Testing (SAST), and Secret Detection by adding the following to your [`.gitlab-ci.yml`](../../ci/yaml/README.md): GitLab CI/CD templates to your `.gitlab-ci.yml` file.
To enable Static Application Security Testing, Dependency Scanning, License Scanning, and Secret
Detection, add:
```yaml ```yaml
include: include:
...@@ -34,8 +73,8 @@ include: ...@@ -34,8 +73,8 @@ include:
- template: Security/Secret-Detection.gitlab-ci.yml - template: Security/Secret-Detection.gitlab-ci.yml
``` ```
To add Dynamic Application Security Testing (DAST) scanning, add the following to your To enable Dynamic Application Security Testing (DAST) scanning, add the following to your
`.gitlab-ci.yml` and replace `https://staging.example.com` with a staging server's web address: `.gitlab-ci.yml`. Replace `https://staging.example.com` with a staging server's web address:
```yaml ```yaml
include: include:
...@@ -45,17 +84,8 @@ variables: ...@@ -45,17 +84,8 @@ variables:
DAST_WEBSITE: https://staging.example.com DAST_WEBSITE: https://staging.example.com
``` ```
To ensure the DAST scanner runs *after* deploying the application to the staging server, review the [DAST full documentation](dast/index.md). For more details about each of the security scanning tools, see their respective
[documentation sections](#security-scanning-tools).
To add Container Scanning, follow the steps listed in the [Container Scanning documentation](container_scanning/index.md#requirements).
To further configure any of the other scanners, refer to each scanner's documentation.
### SAST configuration
You can set up and configure Static Application Security Testing
(SAST) for your project, without opening a text editor. For more details,
see [configure SAST in the UI](sast/index.md#configure-sast-in-the-ui).
### Override the default registry base address ### Override the default registry base address
...@@ -63,27 +93,8 @@ By default, GitLab security scanners use `registry.gitlab.com/gitlab-org/securit ...@@ -63,27 +93,8 @@ By default, GitLab security scanners use `registry.gitlab.com/gitlab-org/securit
base address for Docker images. You can override this globally by setting the CI/CD variable base address for Docker images. You can override this globally by setting the CI/CD variable
`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once. `SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once.
## Security scanning tools
GitLab uses the following tools to scan and report known vulnerabilities found in your project.
| Secure scanning tool | Description |
|:-----------------------------------------------------------------------------|:-----------------------------------------------------------------------|
| [Container Scanning](container_scanning/index.md) **(ULTIMATE)** | Scan Docker containers for known vulnerabilities. |
| [Dependency List](dependency_list/index.md) **(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. |
| [Dependency Scanning](dependency_scanning/index.md) **(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. |
| [Dynamic Application Security Testing (DAST)](dast/index.md) **(ULTIMATE)** | Analyze running web applications for known vulnerabilities. |
| [API fuzzing](api_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities in web APIs with fuzzing. |
| [Secret Detection](secret_detection/index.md) | Analyze Git history for leaked secrets. |
| [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all your projects and groups. |
| [Static Application Security Testing (SAST)](sast/index.md) | Analyze source code for known vulnerabilities. |
| [Coverage fuzzing](coverage_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities with coverage-guided fuzzing. |
### Use security scanning tools with Pipelines for Merge Requests ### Use security scanning tools with Pipelines for Merge Requests
The security scanning tools can all be added to pipelines with [templates](https://gitlab.com/gitlab-org/gitlab/-/tree/master/lib/gitlab/ci/templates/Security).
See each tool for details on how to use include each template in your CI/CD configuration.
By default, the application security jobs are configured to run for branch pipelines only. By default, the application security jobs are configured to run for branch pipelines only.
To use them with [pipelines for merge requests](../../ci/merge_request_pipelines/index.md), To use them with [pipelines for merge requests](../../ci/merge_request_pipelines/index.md),
you may need to override the default `rules:` configuration to add: you may need to override the default `rules:` configuration to add:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment