| [Container Scanning](user/project/merge_requests/container_scanning.md)**[ULTIMATE]** | Use Clair to scan docker images for known vulnerabilities. |
| [Dependency Scanning](user/project/merge_requests/dependency_scanning.md)**[ULTIMATE]** | Analyze your dependencies for known vulnerabilities. |
| [Dynamic Application Security Testing (DAST)](user/project/merge_requests/dast.md)**[ULTIMATE]** | Analyze running web applications for known vulnerabilities. |
| [Group Security Dashboard](user/group/security_dashboard/index.md)**[ULTIMATE]** | View vulnerabilities in all the projects in a group and its subgroups. |
| [License Management](user/project/merge_requests/license_management.md)**[ULTIMATE]** | Search your project's dependencies for their licenses. |
| [Project Security Dashboard](user/project/security_dashboard.md)**[ULTIMATE]** | View the latest security reports for your project. |
| [Static Application Security Testing (SAST)](user/project/merge_requests/sast.md)**[ULTIMATE]** | Analyze source code for known vulnerabilities. |
| [Container Scanning](user/application_security/container_scanning/index.md)**[ULTIMATE]** | Use Clair to scan docker images for known vulnerabilities. |
| [Dependency Scanning](user/application_security/dependency_scanning/index.md)**[ULTIMATE]** | Analyze your dependencies for known vulnerabilities. |
| [Dynamic Application Security Testing (DAST)](user/application_security/dast/index.md)**[ULTIMATE]** | Analyze running web applications for known vulnerabilities. |
| [Group Security Dashboard](user/application_security/security_dashboard/index.md)**[ULTIMATE]** | View vulnerabilities in all the projects in a group and its subgroups. |
| [License Management](user/application_security/license_management/index.md)**[ULTIMATE]** | Search your project's dependencies for their licenses. |
| [Project Security Dashboard](user/application_security/security_dashboard/index.md)**[ULTIMATE]** | View the latest security reports for your project. |
| [Static Application Security Testing (SAST)](user/application_security/sast/index.md)**[ULTIMATE]** | Analyze source code for known vulnerabilities. |
- to [build and push](../../ci/docker/using_docker_build.md#container-registry-examples) your Docker image
using the [Container Registry](https://docs.gitlab.com/ee/user/project/container_registry.html) running within your GitLab installation.
## Configuring with templates
Since GitLab 11.9, a CI/CD template with the default Container Scanning job definition is provided as a part of your GitLab installation.
This section describes how to use it and customize its execution.
### Using job definition template
CAUTION: **Caution:**
The CI/CD template for job definition is supported on GitLab 11.9 and later versions.
For earlier versions, use the [manual job definition](#manual-job-definition).
Once you set up the Runner, add a new job to `.gitlab-ci.yml` using [the CI/CD template](../../ci/yaml/README.md#includetemplate) for Container Scanning:
```yaml
include:
  template: Container-Scanning.gitlab-ci.yml
```
If you want to whitelist specific vulnerabilities, define them in a
[YAML file](https://github.com/arminc/clair-scanner/blob/master/README.md#example-whitelist-yaml-file);
in our case it's named `clair-whitelist.yml`.
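The whitelist is a risk-acceptance record, so every entry should say why the finding is being silenced. The file below is an added example, not part of the original page or of the clair-scanner project; its layout (a `generalwhitelist` map plus per-image maps under `images`, each mapping a CVE id to a free-text justification) follows the clair-scanner README linked above, and the CVE ids are placeholders rather than real findings.

```yaml
# clair-whitelist.yml (added example; CVE ids are placeholders, not real findings)
generalwhitelist:
  # Applies to every image this project scans. Keep it short: one entry here
  # hides the finding in all images, so name the accepted risk and its owner.
  CVE-YYYY-NNNN1: "Not reachable: affected binary is never executed at runtime (accepted by <team>, ticket <id>)"
images:
  # Per-image entries are preferred: the exception stays scoped to the image
  # that actually carries the mitigating control.
  alpine:
    CVE-YYYY-NNNN2: "Mitigated: package rebuilt with the upstream fix in our base image (ticket <id>)"
```

Review the file in merge requests like any other security control: a whitelist entry without a justification, or one that names a package the image does not even ship, is a sign that a finding was silenced rather than assessed.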
### Scanning results
The above example will create a `container_scanning` job in your CI/CD pipeline, pull
the image from the [Container Registry](../../user/project/container_registry.md)
(whose name is defined from the two `CI_APPLICATION_` variables) and scan it
for possible vulnerabilities. The report will be saved as a
Since GitLab 11.9, a CI/CD template with the default Dependency Scanning job definition is provided as a part of your GitLab installation.
This section describes how to use it and customize its execution.
### Using job definition template
CAUTION: **Caution:**
The CI/CD template for job definition is supported on GitLab 11.9 and later versions.
For earlier versions, use the [manual job definition](#manual-job-definition).
Once you set up the Runner, add a new job to `.gitlab-ci.yml` using [the CI/CD template](../../ci/yaml/README.md#includetemplate) for Dependency Scanning:
```yaml
include:
  template: Dependency-Scanning.gitlab-ci.yml
```
### Scanning results
The above example will create a `dependency_scanning` job in your CI/CD pipeline
and scan your dependencies for possible vulnerabilities. The report will be saved as a
See [the full list of supported languages and package managers](../../user/project/merge_requests/dependency_scanning.md#supported-languages-and-dependency-managers).
[ee]: https://about.gitlab.com/pricing/
This document was moved to [another location](../../user/application_security/dependency_scanning/index.md).
Since GitLab 11.9, a CI/CD template with the default License Management scanning job definition is provided as a part of your GitLab installation.
This section describes how to use it and customize its execution.
### Using job definition template
CAUTION: **Caution:**
The CI/CD template for job definition is supported on GitLab 11.9 and later versions.
For earlier versions, use the [manual job definition](#manual-job-definition).
Once you set up the Runner, add a new job to `.gitlab-ci.yml` using [the CI/CD template](../../ci/yaml/README.md#includetemplate) for License Management:
```yaml
include:
  template: License-Management.gitlab-ci.yml
```
### Scanning results
The above example will create a `license_management` job in your CI/CD pipeline
and scan your dependencies to find their licenses. The report will be saved as a
The Group Security Dashboard gives an overview of the vulnerabilities of all the
projects in a group and its subgroups.
## Overview
To use the Group Security Dashboard, you need a group that has at least one
project with [Static Application Security Testing](../../project/merge_requests/sast.md) or [Dependency Scanning](../../project/merge_requests/dependency_scanning.md)
enabled.
The Dashboard is a good place to get an overview of the security vulnerabilities in your projects.
You can also drill down into a vulnerability and get extra information, see which
project it comes from, the file it's in, and various metadata to help you analyze
the risk. You can also action these vulnerabilities by creating an issue for them, or by dismissing them.
Having your vulnerabilities in GitLab allows you to keep track of them and action them, all in the same application.
![dashboard with action buttons and metrics](img/dashboard.png)
## Use cases
You want to measure how secure your projects are without having to look into
each one separately.
## Supported features
The group security dashboard supports [SAST](../../project/merge_requests/sast.md),
1. At least one project inside a group must be configured with
   [Static Application Security Testing](../../project/merge_requests/sast.md), [Dependency Scanning](../../project/merge_requests/dependency_scanning.md),
   [Container Scanning](../../project/merge_requests/container_scanning.md), or [Dynamic Application Security Testing](../../project/merge_requests/dast.md).
2. The configured jobs must use the [new `reports` syntax](../../../ci/yaml/README.md#artifactsreports) (see an [example job](../../../ci/examples/sast.md)).
3. [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 or above must be used to execute the jobs.
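Requirement 2 is the one most often missed when an existing scanning job is wired into the dashboard: a report that is only listed under `artifacts:paths` is downloadable but is never parsed. The pair of jobs below is an added example (not GitLab's own example job); the `./run-scanner.sh` wrapper is hypothetical and is assumed to write the scanner's JSON report into the project directory.

```yaml
# Before: the report is kept as a plain artifact. It can be downloaded from the
# job page, but GitLab does not know it is a SAST report, so neither the merge
# request widget nor the Security Dashboard will show its findings.
sast_plain_artifact:
  stage: test
  script: ./run-scanner.sh sast   # hypothetical wrapper, writes gl-sast-report.json
  artifacts:
    paths:
      - gl-sast-report.json

# After: artifacts:reports names the report type, which is what the dashboard
# (and the merge request widget) consumes. The same keys exist for the other
# report types: dependency_scanning, container_scanning, dast, license_management.
sast:
  stage: test
  script: ./run-scanner.sh sast
  allow_failure: true             # a scanner outage must not block the pipeline
  artifacts:
    reports:
      sast: gl-sast-report.json
```

Keeping `allow_failure: true` on scanner jobs is deliberate: if the scanner image cannot be pulled the pipeline still completes, and the dashboard simply keeps showing the last successful report rather than going blank.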
## Keeping the dashboard up to date
Vulnerabilities are spotted during CI/CD pipelines, so having up-to-date results
depends on how often security jobs are run.
In order to have the latest results displayed in the dashboard, you can
[schedule a daily pipeline](../../project/pipelines/schedules.md), so reports
are created even if no code change happens.
## Viewing the vulnerabilities
First, navigate to the Security Dashboard found under your group's
**Overview > Security Dashboard**.
Once you're on the dashboard, at the top you should see a series of filters for:
- Severity
- Report type
- Project
Selecting one or more filters will filter the results in this page.
The first section is an overview of all the vulnerabilities, grouped by severity.
Underneath this overview is a timeline chart that shows how many open
vulnerabilities your projects had at various points in time. You can filter among 30, 60, and
90 days, with the default being 90. Hover over the chart to get more details about
the open vulnerabilities at a specific time.
Finally, there is a list of all the vulnerabilities in the group, sorted by severity.
In that list, you can see the severity of the vulnerability, its name, its
confidence (the likelihood that the finding is a true positive), and the project
it's from.
If you hover over a row, some actions you can take appear:
- "More info"
- "Create issue"
- "Dismiss vulnerability"
### Getting more information for a vulnerability
Clicking the "More info" button opens a modal with more information about the
selected vulnerability where you can get a better description, as well as the
file it came from, and a possible solution. You get access to the
Some scanners need to send a list of project dependencies to GitLab's central servers to check for vulnerabilities. To learn more about this or to disable it, please
@@ -37,11 +37,11 @@ With **[GitLab Enterprise Edition][ee]**, you can also:
- View the deployment process across projects with [Multi-Project Pipelines](../../../ci/multi_project_pipelines.md)**[PREMIUM]**
- Request [approvals](merge_request_approvals.md) from your managers **[STARTER]**
- Analyze the impact of your changes with [Code Quality reports](code_quality.md)**[STARTER]**
- Manage the licenses of your dependencies with [License Management](#license-management-ultimate)**[ULTIMATE]**
- Analyze your source code for vulnerabilities with [Static Application Security Testing](sast.md)**[ULTIMATE]**
- Analyze your running web applications for vulnerabilities with [Dynamic Application Security Testing](dast.md)**[ULTIMATE]**
- Analyze your dependencies for vulnerabilities with [Dependency Scanning](dependency_scanning.md)**[ULTIMATE]**
- Analyze your Docker images for vulnerabilities with [Container Scanning](container_scanning.md)**[ULTIMATE]**
- Manage the licenses of your dependencies with [License Management](../../application_security/license_management/index.md)**[ULTIMATE]**
- Analyze your source code for vulnerabilities with [Static Application Security Testing](../../application_security/sast/index.md)**[ULTIMATE]**
- Analyze your running web applications for vulnerabilities with [Dynamic Application Security Testing](../../application_security/dast/index.md)**[ULTIMATE]**
- Analyze your dependencies for vulnerabilities with [Dependency Scanning](../../application_security/dependency_scanning/index.md)**[ULTIMATE]**
- Analyze your Docker images for vulnerabilities with [Container Scanning](../../application_security/container_scanning/index.md)**[ULTIMATE]**
- Determine the performance impact of changes with [Browser Performance Testing](#browser-performance-testing-premium)**[PREMIUM]**
## Use cases
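Review bot: the License Management entry now points at `../../application_security/license_management/index.md` instead of the in-page anchor `#license-management-ultimate`, which is consistent with the `## License Management` section being removed later in this change, but the Browser Performance Testing entry on the last context line still uses the in-page anchor `#browser-performance-testing-premium`, so confirm that section stays in this file. The five new relative paths resolve from `user/project/merge_requests/index.md` to `user/application_security/...`, matching the new locations in the table at the top of this change.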
@@ -369,83 +369,11 @@ GitLab runs the [Sitespeed.io container][sitespeed-container] and displays the d
[Read more about Browser Performance Testing.](browser_performance_testing.md)
## License Management **[ULTIMATE]**
> Introduced in [GitLab Ultimate][products] 11.0.
If you are using [GitLab CI/CD][ci], you can search your dependencies for their
licenses using License Management.
Going a step further, GitLab can show the licenses report right in the
merge request widget area.
[Read more about License Management reports.](license_management.md)
## Security reports **[ULTIMATE]**
GitLab can scan and report any vulnerabilities found in your project. The
following security reports are available:
-[Static Application Security Testing reports](sast.md) - Analyze your source
code for known vulnerabilities using Static Application Security Testing (SAST)
and see the security report right in your merge requests.
-[Dynamic Application Security Testing reports](dast.md) - Analyze your running
web application(s) for known vulnerabilities using Dynamic Application Security
Testing (DAST) and see the security report right in your merge requests.
-[Dependency Scanning reports](dependency_scanning.md) - Analyze your
dependencies for known vulnerabilities using Dependency Scanning and see the
security report right in your merge requests.
-[Container Scanning reports](container_scanning.md) - Analyze your Docker
images for known vulnerabilities and see the security report right in your
merge requests.
### Interacting with security reports **[ULTIMATE]**
> Introduced in [GitLab Ultimate][products] 10.8.
CAUTION: **Warning:**
This feature is currently [Alpha](https://about.gitlab.com/handbook/product/#alpha-beta-ga) and while you can start using it, it may receive important changes in the future.
Each security vulnerability in the report is actionable. Clicking on an entry,
a detailed information will pop up with two different possible options:
-**Dismiss vulnerability** - Dismissing a vulnerability will place a <s>strikethrough</s> styling on it.
-**Create issue** - The new issue will have the title and description
pre-populated with the information from the vulnerability report and is created as [confidential](../issues/confidential_issues.md) by default.
-**Solution** - For some vulnerabilities ([Dependency Scanning](dependency_scanning.md) and [Container Scanning](container_scanning.md))
a solution is provided for how to fix the vulnerability.
![Interacting with security reports](img/interactive_reports.png)
You can also revert your dismissal or see the linked issue after the action has
been taken.
### Solutions for Dependency Scanning **[ULTIMATE]**
> Introduced in [GitLab Ultimate][products] 11.7.
CAUTION: **Warning:** Automatic Patch creation is only available for a subset of [Dependency Scanning](dependency_scanning.md). At the moment only Node.JS projects managed with yarn are supported.
Some Vulnerabilities can be fixed by applying a patch that is automatically generated by GitLab. To apply the fix:
1. Download and review the patch file `remediation.patch`.
2. Ensure your local project has the same commit checked out that was used to generate the patch.
3. Run `git apply remediation.patch`.
4. Verify and commit the changes to your branch.
![Solutions for dependency scanning](img/vulnerability_solution.png)
### Create a merge request from a vulnerability **[ULTIMATE]**
> Introduced in [GitLab Ultimate][products] 11.9.
CAUTION: **Warning:** Automatic Patch creation is only available for a subset of [Dependency Scanning](dependency_scanning.md). At the moment only Node.JS projects managed with yarn are supported.
Any vulnerability that has a [solution](#solutions-for-dependency-scanning-ultimate) can have a merge request created to automatically solve the issue.
If this action is available there will be a "Create merge request" button in the vulnerability modal.
Clicking on this button will create a merge request to apply the solution onto the source branch.
GitLab can scan and report any vulnerabilities found in your project.
![Create merge request from vulnerability](img/create-issue-with-list-hover.png)
[Read more about security reports.](../../application_security/index.md)
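Review bot: removing the `## Security reports`, `### Interacting with security reports` and `### Solutions for Dependency Scanning` headings drops the anchors `#security-reports-ultimate` and `#interacting-with-security-reports-ultimate`, which the Project Security Dashboard page still links to (`merge_requests/index.md#security-reports-ultimate` and `merge_requests/index.md#interacting-with-security-reports-ultimate`); update those links to the new target of the "Read more about security reports" line (`../../application_security/index.md`) in the same change, or leave a "This document was moved" stub under the old headings as the moved pages do. Also, the kept screenshot `img/create-issue-with-list-hover.png` now sits under a single sentence with no text explaining the "Create issue" action it shows; either move it with the section or keep one sentence describing it.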
To benefit from the Security Dashboard you must first configure the [Security Reports](merge_requests/index.md#security-reports-ultimate).
The Security Dashboard will then list security vulnerabilities from the latest pipeline run on the default branch (e.g., `master`).
You will also be able to interact with the reports [the same way you can on a merge request](merge_requests/index.md#interacting-with-security-reports-ultimate).
## Keeping the Security Dashboard updated
The Security Dashboard displays information from the results of the most recent security scan on the default branch. Security scans are performed every time the branch is updated.
If the default branch is updated infrequently, scans are run infrequently and the information on the Security Dashboard can become outdated as new vulnerabilities are discovered.
To ensure the information on the Security Dashboard is regularly updated, configure a [scheduled pipeline](pipelines/schedules.md) to run a daily security scan. This will update the information displayed on the Security Dashboard regardless of how often the default branch is updated.
A daily security scan can be configured to execute only the jobs that relate to security. For more information on configuring security-related jobs, see:
- [Static Application Security Testing](merge_requests/sast.md) and [example](../../ci/examples/sast.md).
- [Dynamic Application Security Testing](merge_requests/dast.md) and [example](../../ci/examples/dast.md).
- [Dependency Scanning](merge_requests/dependency_scanning.md) and [example](../../ci/examples/dependency_scanning.md).
- [Container Scanning](merge_requests/container_scanning.md) and [example](../../ci/examples/container_scanning.md).
### Security scans using Auto DevOps
When using [Auto DevOps](../../topics/autodevops/index.md), use [special environment variables](../../topics/autodevops/index.md#environment-variables) to configure daily security scans.
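The "Keeping the dashboard up to date" section for groups and the "Keeping the Security Dashboard updated" section above both recommend a daily scheduled pipeline that runs only the security jobs. The `.gitlab-ci.yml` below is an added example of that setup, not a GitLab template: it includes the three templates documented on this page and uses `except: schedules` on the build, test and deploy jobs so that a scheduled run on the default branch executes only the scanners. It assumes the project builds one Docker image tagged with the commit SHA and pushes it to the GitLab Container Registry; the `make test` and `./deploy.sh` commands are placeholders for the project's own steps, and the `CI_APPLICATION_REPOSITORY`/`CI_APPLICATION_TAG` values are set explicitly so the scanning job looks for the image under the same name the build job pushes.

```yaml
# .gitlab-ci.yml (added example; the templates are GitLab's, the jobs below are not)
include:
  - template: Container-Scanning.gitlab-ci.yml
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: License-Management.gitlab-ci.yml

stages:
  - build
  - test      # the template jobs run in this stage
  - deploy

variables:
  # Name of the image the container_scanning job will pull. Must match what
  # the build job pushes, otherwise a scheduled scan finds nothing to scan.
  CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
  CI_APPLICATION_TAG: $CI_COMMIT_SHA

build:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  script:
    - docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
    - docker build -t "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" .
    - docker push "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
  except:
    - schedules   # a scheduled run has no new code; it rescans the image built by the last push

test:
  stage: test
  script: make test   # placeholder for the project's own test command
  except:
    - schedules

deploy:
  stage: deploy
  script: ./deploy.sh   # placeholder for the project's own deploy step
  only:
    - master
  except:
    - schedules   # a daily security scan must never trigger a deployment
```

Create the schedule under **CI/CD > Schedules** for the default branch (daily is enough to pick up newly published advisories). Two things to watch: the scheduled `container_scanning` job pulls the image tagged with the current default-branch SHA, so a registry cleanup policy that deletes older tags will make the scheduled scan fail even though nothing changed in the code; and because the template jobs are not restricted with `except`, they still run on every push as well, which is what keeps the merge request widget populated.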
This document was moved to [another location](../application_security/security_dashboard/index.md).