Commit 270c6c4a authored by Russell Dickenson's avatar Russell Dickenson

Merge branch 'fix/doc-user-application-security-static-analysis' into 'master'

Doc Consistency: user/application_security - static analysis

See merge request gitlab-org/gitlab!72644
parents 4d9c946d 9beeca4e
...@@ -7,9 +7,9 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -7,9 +7,9 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Security Configuration **(FREE)** # Security Configuration **(FREE)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6. **(ULTIMATE)** > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in GitLab 12.6.
> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. **(ULTIMATE)** > - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4.
> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. **(ULTIMATE)** > - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4.
> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.10. > - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.10.
> - [Redesigned](https://gitlab.com/gitlab-org/gitlab/-/issues/326926) in 14.2. > - [Redesigned](https://gitlab.com/gitlab-org/gitlab/-/issues/326926) in 14.2.
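Review bot: In the first version-history bullet, dropping the `[GitLab Ultimate](https://about.gitlab.com/pricing/)` link leaves only `in GitLab 12.6`, so the fourth bullet's "available in all tiers in GitLab 13.10" now refers to a restriction the list never states. If tier badges are reserved for headings, consider carrying the tier history in the 13.10 bullet instead (for example "moved from GitLab Ultimate to all tiers"), which is the wording this MR adopts on the SAST Analyzers and Secret Detection pages ("from GitLab Ultimate to GitLab Free").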
...@@ -38,31 +38,31 @@ Select **Configuration history** to see the `.gitlab-ci.yml` file's history. ...@@ -38,31 +38,31 @@ Select **Configuration history** to see the `.gitlab-ci.yml` file's history.
You can configure the following security controls: You can configure the following security controls:
- Static Application Security Testing (SAST) **(FREE)** - [Static Application Security Testing](../sast/index.md) (SAST)
- Select **Enable SAST** to configure SAST for the current project. - Select **Enable SAST** to configure SAST for the current project.
For more details, read [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui). For more details, read [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
- Dynamic Application Security Testing (DAST) **(ULTIMATE)** - [Dynamic Application Security Testing](../dast/index.md) (DAST)
- Select **Enable DAST** to configure DAST for the current project. - Select **Enable DAST** to configure DAST for the current project.
- Select **Manage scans** to manage the saved DAST scans, site profiles, and scanner profiles. - Select **Manage scans** to manage the saved DAST scans, site profiles, and scanner profiles.
For more details, read [DAST on-demand scans](../dast/index.md#on-demand-scans). For more details, read [DAST on-demand scans](../dast/index.md#on-demand-scans).
- Dependency Scanning **(ULTIMATE)** - [Dependency Scanning](../dependency_scanning/index.md)
- Select **Configure via Merge Request** to create a merge request with the changes required to - Select **Configure via Merge Request** to create a merge request with the changes required to
enable Dependency Scanning. For more details, see [Enable Dependency Scanning via an automatic merge request](../dependency_scanning/index.md#enable-dependency-scanning-via-an-automatic-merge-request). enable Dependency Scanning. For more details, see [Enable Dependency Scanning via an automatic merge request](../dependency_scanning/index.md#enable-dependency-scanning-via-an-automatic-merge-request).
- Container Scanning **(ULTIMATE)** - [Container Scanning](../container_scanning/index.md)
- Can be configured with `.gitlab-ci.yml`. For more details, read [Container Scanning](../../../user/application_security/container_scanning/index.md#configuration). - Can be configured with `.gitlab-ci.yml`. For more details, read [Container Scanning](../../../user/application_security/container_scanning/index.md#configuration).
- Cluster Image Scanning **(ULTIMATE)** - [Cluster Image Scanning](../cluster_image_scanning/index.md)
- Can be configured with `.gitlab-ci.yml`. For more details, read [Cluster Image Scanning](../../../user/application_security/cluster_image_scanning/#configuration). - Can be configured with `.gitlab-ci.yml`. For more details, read [Cluster Image Scanning](../../../user/application_security/cluster_image_scanning/#configuration).
- Secret Detection - [Secret Detection](../secret_detection/index.md)
- Select **Configure via Merge Request** to create a merge request with the changes required to - Select **Configure via Merge Request** to create a merge request with the changes required to
enable Secret Detection. For more details, read [Enable Secret Detection via an automatic merge request](../secret_detection/index.md#enable-secret-detection-via-an-automatic-merge-request). enable Secret Detection. For more details, read [Enable Secret Detection via an automatic merge request](../secret_detection/index.md#enable-secret-detection-via-an-automatic-merge-request).
- API Fuzzing **(ULTIMATE)** - [API Fuzzing](../api_fuzzing/index.md)
- Select **Enable API Fuzzing** to use API Fuzzing for the current project. For more details, read [API Fuzzing](../../../user/application_security/api_fuzzing/index.md#enable-web-api-fuzzing). - Select **Enable API Fuzzing** to use API Fuzzing for the current project. For more details, read [API Fuzzing](../../../user/application_security/api_fuzzing/index.md#enable-web-api-fuzzing).
- Coverage Fuzzing **(ULTIMATE)** - [Coverage Fuzzing](../coverage_fuzzing/index.md)
- Can be configured with `.gitlab-ci.yml`. For more details, read [Coverage Fuzzing](../../../user/application_security/coverage_fuzzing/index.md#configuration). - Can be configured with `.gitlab-ci.yml`. For more details, read [Coverage Fuzzing](../../../user/application_security/coverage_fuzzing/index.md#configuration).
## Compliance **(ULTIMATE)** ## Compliance **(ULTIMATE)**
You can configure the following security controls: You can configure the following security controls:
- License Compliance **(ULTIMATE)** - [License Compliance](../../../user/compliance/license_compliance/index.md)
- Can be configured with `.gitlab-ci.yml`. For more details, read [License Compliance](../../../user/compliance/license_compliance/index.md#configuration). - Can be configured with `.gitlab-ci.yml`. For more details, read [License Compliance](../../../user/compliance/license_compliance/index.md#configuration).
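Review bot: The new bullet links and the existing "For more details" links use different relative paths to the same pages: the Container Scanning bullet links `../container_scanning/index.md` while its sub-bullet still links `../../../user/application_security/container_scanning/index.md#configuration`, and the Cluster Image Scanning sub-bullet links `../../../user/application_security/cluster_image_scanning/#configuration` with no `index.md`, which a link checker may resolve differently from the other anchors. Suggest normalizing the sub-bullets to the short form while these lines are being touched, e.g. `../container_scanning/index.md#configuration` and `../cluster_image_scanning/index.md#configuration`. Also note that once the `**(ULTIMATE)**` badges are gone, the only tier indication left in this list is the `## Compliance **(ULTIMATE)**` heading; a reader now has to follow each link to learn which controls are Free.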
...@@ -33,17 +33,17 @@ GitLab uses the following tools to scan and report known vulnerabilities found i ...@@ -33,17 +33,17 @@ GitLab uses the following tools to scan and report known vulnerabilities found i
| Secure scanning tool | Description | | Secure scanning tool | Description |
|:-----------------------------------------------------------------------------|:-----------------------------------------------------------------------| |:-----------------------------------------------------------------------------|:-----------------------------------------------------------------------|
| [Container Scanning](container_scanning/index.md) **(ULTIMATE)** | Scan Docker containers for known vulnerabilities. | | [Container Scanning](container_scanning/index.md) | Scan Docker containers for known vulnerabilities. |
| [Dependency List](dependency_list/index.md) **(ULTIMATE)** | View your project's dependencies and their known vulnerabilities. | | [Dependency List](dependency_list/index.md) | View your project's dependencies and their known vulnerabilities. |
| [Dependency Scanning](dependency_scanning/index.md) **(ULTIMATE)** | Analyze your dependencies for known vulnerabilities. | | [Dependency Scanning](dependency_scanning/index.md) | Analyze your dependencies for known vulnerabilities. |
| [Dynamic Application Security Testing (DAST)](dast/index.md) **(ULTIMATE)** | Analyze running web applications for known vulnerabilities. | | [Dynamic Application Security Testing (DAST)](dast/index.md) | Analyze running web applications for known vulnerabilities. |
| [DAST API](dast_api/index.md) **(ULTIMATE)** | Analyze running web APIs for known vulnerabilities. | | [DAST API](dast_api/index.md) | Analyze running web APIs for known vulnerabilities. |
| [API fuzzing](api_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities in web APIs with fuzzing. | | [API fuzzing](api_fuzzing/index.md) | Find unknown bugs and vulnerabilities in web APIs with fuzzing. |
| [Secret Detection](secret_detection/index.md) | Analyze Git history for leaked secrets. | | [Secret Detection](secret_detection/index.md) | Analyze Git history for leaked secrets. |
| [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all your projects and groups. | | [Security Dashboard](security_dashboard/index.md) | View vulnerabilities in all your projects and groups. |
| [Static Application Security Testing (SAST)](sast/index.md) | Analyze source code for known vulnerabilities. | | [Static Application Security Testing (SAST)](sast/index.md) | Analyze source code for known vulnerabilities. |
| [Coverage fuzzing](coverage_fuzzing/index.md) **(ULTIMATE)** | Find unknown bugs and vulnerabilities with coverage-guided fuzzing. | | [Coverage fuzzing](coverage_fuzzing/index.md) | Find unknown bugs and vulnerabilities with coverage-guided fuzzing. |
| [Cluster Image Scanning](cluster_image_scanning/index.md) **(ULTIMATE)** | Scan Kubernetes clusters for known vulnerabilities. | | [Cluster Image Scanning](cluster_image_scanning/index.md) | Scan Kubernetes clusters for known vulnerabilities. |
## Security scanning with Auto DevOps ## Security scanning with Auto DevOps
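Review bot: With the `**(ULTIMATE)**` badges removed from the table, nothing in it distinguishes the two tools that had no badge (Secret Detection and SAST) from the nine that did, so the table no longer tells the reader which scanners are available in Free. If the intent is to show tier only on each tool's own page, that is consistent with the rest of this MR; otherwise a "Tier" column would keep the information without reintroducing inline badges.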
...@@ -185,7 +185,7 @@ By default, the vulnerability report does not show vulnerabilities of `dismissed ...@@ -185,7 +185,7 @@ By default, the vulnerability report does not show vulnerabilities of `dismissed
## Security approvals in merge requests ## Security approvals in merge requests
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9928) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.2. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9928) in GitLab 12.2.
You can implement merge request approvals to require approval by selected users or a group when a You can implement merge request approvals to require approval by selected users or a group when a
merge request would introduce one of the following security issues: merge request would introduce one of the following security issues:
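Review bot: Removing the GitLab Ultimate link from the "Introduced" note leaves no tier indication in this section, because the `## Security approvals in merge requests` heading above it carries no badge (unlike `## Compliance **(ULTIMATE)**` elsewhere in this MR). If the tier is meant to live on the heading, add `**(ULTIMATE)**` there in the same change.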
......
...@@ -6,8 +6,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -6,8 +6,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# SAST Analyzers **(FREE)** # SAST Analyzers **(FREE)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3775) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.3. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3775) in GitLab 10.3.
> - [Moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to GitLab Free in 13.3. > - [Moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) from GitLab Ultimate to GitLab Free in 13.3.
SAST relies on underlying third party tools that are wrapped into what we call SAST relies on underlying third party tools that are wrapped into what we call
"Analyzers". An analyzer is a "Analyzers". An analyzer is a
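Review bot: The version note now uses the same wording as the SAST index page in this MR ("from GitLab Ultimate to GitLab Free in 13.3"), which keeps the two pages consistent. While here, the unchanged context line "SAST relies on underlying third party tools" should read "third-party tools" (compound adjective).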
......
...@@ -7,8 +7,8 @@ type: reference, howto ...@@ -7,8 +7,8 @@ type: reference, howto
# Static Application Security Testing (SAST) **(FREE)** # Static Application Security Testing (SAST) **(FREE)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3775) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.3. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3775) in GitLab 10.3.
> - All open source (OSS) analyzers were moved to GitLab Free in GitLab 13.3. > - All open source (OSS) analyzers were moved from GitLab Ultimate to GitLab Free in GitLab 13.3.
NOTE: NOTE:
The whitepaper ["A Seismic Shift in Application Security"](https://about.gitlab.com/resources/whitepaper-seismic-shift-application-security/) The whitepaper ["A Seismic Shift in Application Security"](https://about.gitlab.com/resources/whitepaper-seismic-shift-application-security/)
...@@ -20,7 +20,7 @@ Testing (SAST) to check your source code for known vulnerabilities. When a pipel ...@@ -20,7 +20,7 @@ Testing (SAST) to check your source code for known vulnerabilities. When a pipel
the results of the SAST analysis are processed and shown in the pipeline's Security tab. If the the results of the SAST analysis are processed and shown in the pipeline's Security tab. If the
pipeline is associated with a merge request, the SAST analysis is compared with the results of pipeline is associated with a merge request, the SAST analysis is compared with the results of
the target branch's analysis (if available). The results of that comparison are shown in the merge the target branch's analysis (if available). The results of that comparison are shown in the merge
request. **(ULTIMATE)** If the pipeline is running from the default branch, the results of the SAST request. If the pipeline is running from the default branch, the results of the SAST
analysis are available in the [security dashboards](../security_dashboard/index.md). analysis are available in the [security dashboards](../security_dashboard/index.md).
![SAST results shown in the MR widget](img/sast_results_in_mr_v14_0.png) ![SAST results shown in the MR widget](img/sast_results_in_mr_v14_0.png)
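Review bot: The removed inline `**(ULTIMATE)**` after "request." was the only marker that the merge request comparison described in this paragraph differs in tier from the page's `**(FREE)**` heading; after this change the paragraph reads as though comparing against the target branch's analysis is available in every tier. If inline badges are disallowed by the style guide, replace the badge with a sentence stating which tier the comparison in the merge request widget requires, rather than dropping the information.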
...@@ -197,7 +197,7 @@ Use the method that best meets your needs. ...@@ -197,7 +197,7 @@ Use the method that best meets your needs.
- [Configure SAST in the UI with default settings](#configure-sast-in-the-ui-with-default-settings) - [Configure SAST in the UI with default settings](#configure-sast-in-the-ui-with-default-settings)
- [Configure SAST in the UI with customizations](#configure-sast-in-the-ui-with-customizations) - [Configure SAST in the UI with customizations](#configure-sast-in-the-ui-with-customizations)
### Configure SAST in the UI with default settings **(FREE)** ### Configure SAST in the UI with default settings
> [Introduced](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#security-configuration-page-for-all-users) in GitLab 13.9 > [Introduced](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#security-configuration-page-for-all-users) in GitLab 13.9
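Review bot: Removing `**(FREE)**` from this H3 is consistent with the page-level `**(FREE)**` badge on the H1, so no tier information is lost here. The unchanged version note "in GitLab 13.9" is missing its terminating period, unlike the other version notes touched in this MR.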
...@@ -217,9 +217,9 @@ successfully, and an error may occur. ...@@ -217,9 +217,9 @@ successfully, and an error may occur.
### Configure SAST in the UI with customizations **(ULTIMATE)** ### Configure SAST in the UI with customizations **(ULTIMATE)**
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3659) in GitLab Ultimate 13.3. > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3659) in GitLab 13.3.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in GitLab Ultimate 13.4. > - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in GitLab 13.4.
> - [Improved](https://gitlab.com/groups/gitlab-org/-/epics/3635) in GitLab Ultimate 13.5. > - [Improved](https://gitlab.com/groups/gitlab-org/-/epics/3635) in GitLab 13.5.
To enable and configure SAST with customizations: To enable and configure SAST with customizations:
...@@ -402,7 +402,7 @@ To create a custom ruleset: ...@@ -402,7 +402,7 @@ To create a custom ruleset:
### False Positive Detection **(ULTIMATE)** ### False Positive Detection **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/292686) in GitLab 14.2. > Introduced in GitLab 14.2.
Vulnerabilities that have been detected and are false positives will be flagged as false positives in the security dashboard. Vulnerabilities that have been detected and are false positives will be flagged as false positives in the security dashboard.
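Review bot: The right-hand side drops the `[Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/292686)` link and keeps only the plain text "Introduced in GitLab 14.2."; every other version note in this MR keeps its issue or epic link, and removing the reference is outside the tier-wording scope of the change. Suggest `> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/292686) in GitLab 14.2.` unless the link was removed deliberately.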
...@@ -423,7 +423,7 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m ...@@ -423,7 +423,7 @@ Read more on [how to use private Maven repositories](../index.md#using-private-m
### Enabling Kubesec analyzer ### Enabling Kubesec analyzer
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12752) in GitLab Ultimate 12.6. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12752) in GitLab 12.6.
You need to set `SCAN_KUBERNETES_MANIFESTS` to `"true"` to enable the You need to set `SCAN_KUBERNETES_MANIFESTS` to `"true"` to enable the
Kubesec analyzer. In `.gitlab-ci.yml`, define: Kubesec analyzer. In `.gitlab-ci.yml`, define:
...@@ -569,7 +569,7 @@ Some analyzers can be customized with CI/CD variables. ...@@ -569,7 +569,7 @@ Some analyzers can be customized with CI/CD variables.
#### Custom CI/CD variables #### Custom CI/CD variables
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/18193) in GitLab Ultimate 12.5. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/18193) in GitLab 12.5.
In addition to the aforementioned SAST configuration CI/CD variables, In addition to the aforementioned SAST configuration CI/CD variables,
all [custom variables](../../../ci/variables/index.md#custom-cicd-variables) are propagated all [custom variables](../../../ci/variables/index.md#custom-cicd-variables) are propagated
......
...@@ -7,8 +7,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -7,8 +7,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Secret Detection **(FREE)** # Secret Detection **(FREE)**
> - [Introduced](https://about.gitlab.com/releases/2019/03/22/gitlab-11-9-released/#detect-secrets-and-credentials-in-the-repository) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.9. > - [Introduced](https://about.gitlab.com/releases/2019/03/22/gitlab-11-9-released/#detect-secrets-and-credentials-in-the-repository) in GitLab 11.9.
> - Made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/222788) in 13.3. > - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/222788) from GitLab Ultimate to GitLab Free in 13.3.
A recurring problem when developing applications is that developers may unintentionally commit A recurring problem when developing applications is that developers may unintentionally commit
secrets and credentials to their remote repositories. If other people have access to the source, secrets and credentials to their remote repositories. If other people have access to the source,
...@@ -138,9 +138,9 @@ The results are saved as a ...@@ -138,9 +138,9 @@ The results are saved as a
that you can later download and analyze. Due to implementation limitations, we that you can later download and analyze. Due to implementation limitations, we
always take the latest Secret Detection artifact available. always take the latest Secret Detection artifact available.
### Enable Secret Detection via an automatic merge request **(FREE)** ### Enable Secret Detection via an automatic merge request
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, behind a feature flag, enabled by default. > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, deployed behind a feature flag, enabled by default.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/329886) in GitLab 14.1. > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/329886) in GitLab 14.1.
To enable Secret Detection in a project, you can create a merge request To enable Secret Detection in a project, you can create a merge request
......