Document kubesec

2d7a3c04 · rossfuhrman · Achilleas Pipinellis · f6dc618e · 2d7a3c04 · 2d7a3c04
Commit 2d7a3c04 authored Nov 22, 2019 by rossfuhrman Committed by Achilleas Pipinellis Nov 22, 2019
Showing with 50 additions and 31 deletions

doc/user/application_security/sast/analyzers.md doc/user/application_security/sast/analyzers.md +19 -18

doc/user/application_security/sast/index.md doc/user/application_security/sast/index.md +31 -13

No files found.
--- a/doc/user/application_security/sast/analyzers.md
+++ b/doc/user/application_security/sast/analyzers.md
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -73,6 +73,7 @@ The following table shows which languages, package managers and frameworks are s
 | Groovy ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.3 (Gradle) & 11.9 (Ant, Maven, SBT) |
 | Java ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (Ant, SBT) |
 | JavaScript                                                                  | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security)       | 11.8                         |
+| Kubernetes manifests                                                        | [Kubesec](https://github.com/controlplaneio/kubesec)                                   | 12.6                         |
 | Node.js                                                                     | [NodeJsScan](https://github.com/ajinabraham/NodeJsScan)                                | 11.1                         |
 | PHP                                                                         | [phpcs-security-audit](https://github.com/FloeDesignTechnologies/phpcs-security-audit) | 10.8                         |
 | Python ([pip](https://pip.pypa.io/en/stable/))                              | [bandit](https://github.com/PyCQA/bandit)                                              | 10.3                         |
@@ -185,6 +186,22 @@ variables:
 This will create individual `<analyzer-name>-sast` jobs for each analyzer that runs in your CI/CD pipeline.
+#### Enabling kubesec analyzer
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12752) in GitLab Ultimate 12.6.
+When [Docker in Docker is disabled](#disabling-docker-in-docker-for-sast),
+you will need to set `SCAN_KUBERNETES_MANIFESTS` to `"true"` to enable the
+kubesec analyzer. In `.gitlab-ci.yml`, define:
+```yaml
+include:
+  template: SAST.gitlab-ci.yml
+variables:
+  SCAN_KUBERNETES_MANIFESTS: "true"
+```
 ### Available variables
 SAST can be [configured](#customizing-the-sast-settings) using environment variables.
@@ -232,19 +249,20 @@ Timeout variables are not applicable for setups with [disabled Docker In Docker]
 Some analyzers can be customized with environment variables.
-| Environment variable    | Analyzer | Description |
+| Environment variable        | Analyzer | Description |
-|-------------------------|----------|----------|
+|-----------------------------|----------|-------------|
-| `ANT_HOME`              | spotbugs | The `ANT_HOME` environment variable. |
+| `SCAN_KUBERNETES_MANIFESTS` | kubesec  | Set to `"true"` to scan Kubernetes manifests when [Docker in Docker](#disabling-docker-in-docker-for-sast) is disabled. |
-| `ANT_PATH`              | spotbugs | Path to the `ant` executable. |
+| `ANT_HOME`                  | spotbugs | The `ANT_HOME` environment variable. |
-| `GRADLE_PATH`           | spotbugs | Path to the `gradle` executable. |
+| `ANT_PATH`                  | spotbugs | Path to the `ant` executable. |
-| `JAVA_OPTS`             | spotbugs | Additional arguments for the `java` executable. |
+| `GRADLE_PATH`               | spotbugs | Path to the `gradle` executable. |
-| `JAVA_PATH`             | spotbugs | Path to the `java` executable. |
+| `JAVA_OPTS`                 | spotbugs | Additional arguments for the `java` executable. |
-| `SAST_JAVA_VERSION`     | spotbugs | Which Java version to use. Supported versions are `8` and `11`. Defaults to `8`. |
+| `JAVA_PATH`                 | spotbugs | Path to the `java` executable. |
-| `MAVEN_CLI_OPTS`        | spotbugs | Additional arguments for the `mvn` or `mvnw` executable. |
+| `SAST_JAVA_VERSION`         | spotbugs | Which Java version to use. Supported versions are `8` and `11`. Defaults to `8`. |
-| `MAVEN_PATH`            | spotbugs | Path to the `mvn` executable. |
+| `MAVEN_CLI_OPTS`            | spotbugs | Additional arguments for the `mvn` or `mvnw` executable. |
-| `MAVEN_REPO_PATH`       | spotbugs | Path to the Maven local repository (shortcut for the `maven.repo.local` property). |
+| `MAVEN_PATH`                | spotbugs | Path to the `mvn` executable. |
-| `SBT_PATH`              | spotbugs | Path to the `sbt` executable. |
+| `MAVEN_REPO_PATH`           | spotbugs | Path to the Maven local repository (shortcut for the `maven.repo.local` property). |
-| `FAIL_NEVER`            | spotbugs | Set to `1` to ignore compilation failure. |
+| `SBT_PATH`                  | spotbugs | Path to the `sbt` executable. |
+| `FAIL_NEVER`                | spotbugs | Set to `1` to ignore compilation failure. |
 #### Custom environment variables