Skip to content

G
gitlab-ce
Commit 5c7767cd authored by Russell Dickenson's avatar Russell Dickenson Committed by Amy Qualls
Browse files
Options

Remove future tense from Secure docs

parent 06c0abe6
Hide whitespace changes
Inline Side-by-side
Showing with 46 additions and 45 deletions
doc/api/vulnerabilities.md
View file @ 5c7767cd
...@@ -23,7 +23,7 @@ Every API call to vulnerabilities must be [authenticated](README.md#authenticati ...@@ -23,7 +23,7 @@ Every API call to vulnerabilities must be [authenticated](README.md#authenticati
Vulnerability permissions inherit permissions from their project. If a project is Vulnerability permissions inherit permissions from their project. If a project is
private, and a user isn't a member of the project to which the vulnerability private, and a user isn't a member of the project to which the vulnerability
belongs, requests to that project will return a `404 Not Found` status code. belongs, requests to that project returns a `404 Not Found` status code.
## Single vulnerability ## Single vulnerability
...@@ -77,7 +77,7 @@ Confirms a given vulnerability. Returns status code `304` if the vulnerability i ...@@ -77,7 +77,7 @@ Confirms a given vulnerability. Returns status code `304` if the vulnerability i
If an authenticated user does not have permission to If an authenticated user does not have permission to
[confirm vulnerabilities](../user/permissions.md#project-members-permissions), [confirm vulnerabilities](../user/permissions.md#project-members-permissions),
this request will result in a `403` status code. this request results in a `403` status code.
```plaintext ```plaintext
POST /vulnerabilities/:id/confirm POST /vulnerabilities/:id/confirm
...@@ -127,7 +127,7 @@ Resolves a given vulnerability. Returns status code `304` if the vulnerability i ...@@ -127,7 +127,7 @@ Resolves a given vulnerability. Returns status code `304` if the vulnerability i
If an authenticated user does not have permission to If an authenticated user does not have permission to
[resolve vulnerabilities](../user/permissions.md#project-members-permissions), [resolve vulnerabilities](../user/permissions.md#project-members-permissions),
this request will result in a `403` status code. this request results in a `403` status code.
```plaintext ```plaintext
POST /vulnerabilities/:id/resolve POST /vulnerabilities/:id/resolve
...@@ -177,7 +177,7 @@ Dismisses a given vulnerability. Returns status code `304` if the vulnerability ...@@ -177,7 +177,7 @@ Dismisses a given vulnerability. Returns status code `304` if the vulnerability
If an authenticated user does not have permission to If an authenticated user does not have permission to
[dismiss vulnerabilities](../user/permissions.md#project-members-permissions), [dismiss vulnerabilities](../user/permissions.md#project-members-permissions),
this request will result in a `403` status code. this request results in a `403` status code.
```plaintext ```plaintext
POST /vulnerabilities/:id/dismiss POST /vulnerabilities/:id/dismiss
...@@ -227,7 +227,7 @@ Reverts a given vulnerability to detected state. Returns status code `304` if th ...@@ -227,7 +227,7 @@ Reverts a given vulnerability to detected state. Returns status code `304` if th
If an authenticated user does not have permission to If an authenticated user does not have permission to
[revert vulnerability to detected state](../user/permissions.md#project-members-permissions), [revert vulnerability to detected state](../user/permissions.md#project-members-permissions),
this request will result in a `403` status code. this request results in a `403` status code.
```plaintext ```plaintext
POST /vulnerabilities/:id/revert POST /vulnerabilities/:id/revert
......
doc/api/vulnerability_exports.md
View file @ 5c7767cd
...@@ -193,7 +193,7 @@ GET /security/vulnerability_exports/:id/download ...@@ -193,7 +193,7 @@ GET /security/vulnerability_exports/:id/download
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download" curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/security/vulnerability_exports/2/download"
``` ```
The response will be `404 Not Found` if the vulnerability export is not finished yet or was not found. The response is `404 Not Found` if the vulnerability export is not finished yet or was not found.
Example response: Example response:
......
doc/api/vulnerability_findings.md
View file @ 5c7767cd
...@@ -18,11 +18,11 @@ Every API call to vulnerability findings must be [authenticated](README.md#authe ...@@ -18,11 +18,11 @@ Every API call to vulnerability findings must be [authenticated](README.md#authe
Vulnerability findings are project-bound entities. If a user is not Vulnerability findings are project-bound entities. If a user is not
a member of a project and the project is private, a request on a member of a project and the project is private, a request on
that project will result in a `404` status code. that project results in a `404` status code.
If a user is able to access the project but does not have permission to If a user is able to access the project but does not have permission to
[use the Project Security Dashboard](../user/permissions.md#project-members-permissions), [use the Project Security Dashboard](../user/permissions.md#project-members-permissions),
any request for vulnerability findings of this project will result in a `403` status code. any request for vulnerability findings of this project results in a `403` status code.
CAUTION: **Caution:** CAUTION: **Caution:**
This API is in an alpha stage and considered unstable. This API is in an alpha stage and considered unstable.
......
doc/development/integrations/secure_partner_integration.md
View file @ 5c7767cd
...@@ -7,7 +7,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -7,7 +7,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Secure Partner Integration - Onboarding Process # Secure Partner Integration - Onboarding Process
If you want to integrate your product with the [Secure Stage](https://about.gitlab.com/direction/secure/), If you want to integrate your product with the [Secure Stage](https://about.gitlab.com/direction/secure/),
this page will help you understand the developer workflow GitLab intends for this page describes the developer workflow GitLab intends for
our users to follow with regards to security results. These should be used as our users to follow with regards to security results. These should be used as
guidelines so you can build an integration that fits with the workflow GitLab guidelines so you can build an integration that fits with the workflow GitLab
users are already familiar with. users are already familiar with.
...@@ -29,7 +29,7 @@ tiers so that we can provide the most value to our mutual customers. ...@@ -29,7 +29,7 @@ tiers so that we can provide the most value to our mutual customers.
## What is the GitLab Developer Workflow? ## What is the GitLab Developer Workflow?
This workflow is how GitLab users interact with our product and expect it to This workflow is how GitLab users interact with our product and expect it to
function. Understanding how users use GitLab today will help you choose the function. Understanding how users use GitLab today helps you choose the
best place to integrate your own product and its results into GitLab. best place to integrate your own product and its results into GitLab.
- Developers want to write code without using a new tool to consume results - Developers want to write code without using a new tool to consume results
...@@ -101,7 +101,7 @@ and complete an integration with the Secure stage. ...@@ -101,7 +101,7 @@ and complete an integration with the Secure stage.
- Users can interact with the findings from your artifact within their workflow. They can dismiss the findings or accept them and create a backlog issue. - Users can interact with the findings from your artifact within their workflow. They can dismiss the findings or accept them and create a backlog issue.
- To automatically create issues without user interaction, use the [issue API](../../api/issues.md). This will be replaced by [Standalone Vulnerabilities](https://gitlab.com/groups/gitlab-org/-/epics/634) in the future. - To automatically create issues without user interaction, use the [issue API](../../api/issues.md). This will be replaced by [Standalone Vulnerabilities](https://gitlab.com/groups/gitlab-org/-/epics/634) in the future.
1. Optional: Provide auto-remediation steps: 1. Optional: Provide auto-remediation steps:
- If you specified `remediations` in your artifact, it is proposed through our [auto-remediation](../../user/application_security/index.md#automatic-remediation-for-vulnerabilities) - If you specified `remediations` in your artifact, it is proposed through our [automatic remediation](../../user/application_security/index.md#automatic-remediation-for-vulnerabilities)
interface. interface.
1. Demo the integration to GitLab: 1. Demo the integration to GitLab:
- After you have tested and are ready to demo your integration please - After you have tested and are ready to demo your integration please
...@@ -112,7 +112,7 @@ and complete an integration with the Secure stage. ...@@ -112,7 +112,7 @@ and complete an integration with the Secure stage.
to support your go-to-market as appropriate. to support your go-to-market as appropriate.
- Examples of supported marketing could include being listed on our [Security Partner page](https://about.gitlab.com/partners/#security), - Examples of supported marketing could include being listed on our [Security Partner page](https://about.gitlab.com/partners/#security),
doing an [Unfiltered blog post](https://about.gitlab.com/handbook/marketing/blog/unfiltered/), doing an [Unfiltered blog post](https://about.gitlab.com/handbook/marketing/blog/unfiltered/),
doing a co-branded webinar, or producing a co-branded whitepaper. doing a co-branded webinar, or producing a co-branded white paper.
We have a [video playlist](https://www.youtube.com/playlist?list=PL05JrBw4t0KpMqYxJiOLz-uBIr5w-yP4A) We have a [video playlist](https://www.youtube.com/playlist?list=PL05JrBw4t0KpMqYxJiOLz-uBIr5w-yP4A)
that may be helpful as part of this process. This covers various topics related to integrating your that may be helpful as part of this process. This covers various topics related to integrating your
......
doc/user/application_security/dast/index.md
View file @ 5c7767cd
...@@ -161,8 +161,9 @@ headers whose values you want masked. For details on how to mask headers, see ...@@ -161,8 +161,9 @@ headers whose values you want masked. For details on how to mask headers, see
It's also possible to authenticate the user before performing the DAST checks. It's also possible to authenticate the user before performing the DAST checks.
**Important:** It is highly recommended that you configure the scanner to authenticate to the application, NOTE: **Note:**
or it will not be able to check most of the application for security risks, as most We highly recommended that you configure the scanner to authenticate to the application,
otherwise it cannot check most of the application for security risks, as most
of your application is likely not accessible without authentication. It is also recommended of your application is likely not accessible without authentication. It is also recommended
that you periodically confirm the scanner's authentication is still working as this tends to break over that you periodically confirm the scanner's authentication is still working as this tends to break over
time due to authentication changes to the application. time due to authentication changes to the application.
...@@ -486,8 +487,8 @@ variables: ...@@ -486,8 +487,8 @@ variables:
When using `DAST_PATHS` and `DAST_PATHS_FILE`, note the following: When using `DAST_PATHS` and `DAST_PATHS_FILE`, note the following:
- `DAST_WEBSITE` must be defined when using either `DAST_PATHS_FILE` or `DAST_PATHS`. The paths listed in either will use `DAST_WEBSITE` to build the URLs to scan - `DAST_WEBSITE` must be defined when using either `DAST_PATHS_FILE` or `DAST_PATHS`. The paths listed in either use `DAST_WEBSITE` to build the URLs to scan
- Spidering is disabed when `DAST_PATHS` or `DAST_PATHS_FILE` are defined - Spidering is disabled when `DAST_PATHS` or `DAST_PATHS_FILE` are defined
- `DAST_PATHS_FILE` and `DAST_PATHS` can not be used together - `DAST_PATHS_FILE` and `DAST_PATHS` can not be used together
- The `DAST_PATHS` environment variable has a limit of about 130kb. If you have a list or paths - The `DAST_PATHS` environment variable has a limit of about 130kb. If you have a list or paths
greater than this, use `DAST_PATHS_FILE`. greater than this, use `DAST_PATHS_FILE`.
...@@ -529,7 +530,7 @@ DAST can be [configured](#customizing-the-dast-settings) using environment varia ...@@ -529,7 +530,7 @@ DAST can be [configured](#customizing-the-dast-settings) using environment varia
| `SECURE_ANALYZERS_PREFIX` | URL | Set the Docker registry base address from which to download the analyzer. | | `SECURE_ANALYZERS_PREFIX` | URL | Set the Docker registry base address from which to download the analyzer. |
| `DAST_WEBSITE` | URL | The URL of the website to scan. `DAST_API_SPECIFICATION` must be specified if this is omitted. | | `DAST_WEBSITE` | URL | The URL of the website to scan. `DAST_API_SPECIFICATION` must be specified if this is omitted. |
| `DAST_API_SPECIFICATION` | URL or string | The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. `DAST_WEBSITE` must be specified if this is omitted. | | `DAST_API_SPECIFICATION` | URL or string | The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. `DAST_WEBSITE` must be specified if this is omitted. |
| `DAST_SPIDER_START_AT_HOST` | boolean | Set to `false` to prevent DAST from resetting the target to its host before scanning. When `true`, non-host targets `http://test.site/some_path` will be reset to `http://test.site` before scan. Default: `true`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/258805) in GitLab 13.6. | | `DAST_SPIDER_START_AT_HOST` | boolean | Set to `false` to prevent DAST from resetting the target to its host before scanning. When `true`, non-host targets `http://test.site/some_path` is reset to `http://test.site` before scan. Default: `true`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/258805) in GitLab 13.6. |
| `DAST_AUTH_URL` | URL | The URL of the page containing the sign-in HTML form on the target website. `DAST_USERNAME` and `DAST_PASSWORD` are submitted with the login form to create an authenticated scan. Not supported for API scans. | | `DAST_AUTH_URL` | URL | The URL of the page containing the sign-in HTML form on the target website. `DAST_USERNAME` and `DAST_PASSWORD` are submitted with the login form to create an authenticated scan. Not supported for API scans. |
| `DAST_USERNAME` | string | The username to authenticate to in the website. | | `DAST_USERNAME` | string | The username to authenticate to in the website. |
| `DAST_PASSWORD` | string | The password to authenticate to in the website. | | `DAST_PASSWORD` | string | The password to authenticate to in the website. |
...@@ -821,8 +822,8 @@ sample reports can be found in the ...@@ -821,8 +822,8 @@ sample reports can be found in the
There are two formats of data in the JSON report that are used side by side: There are two formats of data in the JSON report that are used side by side:
- The proprietary ZAP format that will be eventually deprecated. - The proprietary ZAP format, which is planned to be deprecated.
- A common format that will be the default in the future. - A common format that is planned to the default in the future.
### Other formats ### Other formats
......
doc/user/application_security/dependency_list/index.md
View file @ 5c7767cd
...@@ -62,7 +62,7 @@ Dependency Paths are supported for the following package managers: ...@@ -62,7 +62,7 @@ Dependency Paths are supported for the following package managers:
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10536) in GitLab Ultimate 12.3. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10536) in GitLab Ultimate 12.3.
If the [License Compliance](../../compliance/license_compliance/index.md) CI job is configured, If the [License Compliance](../../compliance/license_compliance/index.md) CI job is configured,
the [discovered licenses](../../compliance/license_compliance/index.md#supported-languages-and-package-managers) will be displayed on this page. the [discovered licenses](../../compliance/license_compliance/index.md#supported-languages-and-package-managers) are displayed on this page.
## Downloading the Dependency List ## Downloading the Dependency List
......
doc/user/application_security/dependency_scanning/index.md
View file @ 5c7767cd
...@@ -356,10 +356,10 @@ Here are the requirements for using dependency scanning in an offline environmen ...@@ -356,10 +356,10 @@ Here are the requirements for using dependency scanning in an offline environmen
- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements). - GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
- Docker Container Registry with locally available copies of dependency scanning [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images. - Docker Container Registry with locally available copies of dependency scanning [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images.
- If you have a limited access environment you will need to allow access, such as using a proxy, to the advisory database: `https://gitlab.com/gitlab-org/security-products/gemnasium-db.git`. - If you have a limited access environment you need to allow access, such as using a proxy, to the advisory database: `https://gitlab.com/gitlab-org/security-products/gemnasium-db.git`.
If you are unable to permit access to `https://gitlab.com/gitlab-org/security-products/gemnasium-db.git` you must host an offline copy of this `git` repository and set the `GEMNASIUM_DB_REMOTE_URL` variable to the URL of this repository. For more information on configuration variables, see [Dependency Scanning](#configuring-dependency-scanning). If you are unable to permit access to `https://gitlab.com/gitlab-org/security-products/gemnasium-db.git` you must host an offline copy of this `git` repository and set the `GEMNASIUM_DB_REMOTE_URL` variable to the URL of this repository. For more information on configuration variables, see [Dependency Scanning](#configuring-dependency-scanning).
This advisory database is constantly being updated, so you will need to periodically sync your local copy with GitLab's. This advisory database is constantly being updated, so you must periodically sync your local copy with GitLab's.
- _Only if scanning Ruby projects_: Host an offline Git copy of the [advisory database](https://github.com/rubysec/ruby-advisory-db). - _Only if scanning Ruby projects_: Host an offline Git copy of the [advisory database](https://github.com/rubysec/ruby-advisory-db).
- _Only if scanning npm/yarn projects_: Host an offline copy of the [retire.js](https://github.com/RetireJS/retire.js/) [node](https://github.com/RetireJS/retire.js/blob/master/repository/npmrepository.json) and [js](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json) advisory databases. - _Only if scanning npm/yarn projects_: Host an offline copy of the [retire.js](https://github.com/RetireJS/retire.js/) [node](https://github.com/RetireJS/retire.js/blob/master/repository/npmrepository.json) and [js](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json) advisory databases.
......
doc/user/application_security/offline_deployments/index.md
View file @ 5c7767cd
...@@ -34,7 +34,7 @@ must come in through physical media (USB drive, hard drive, writeable DVD, etc.) ...@@ -34,7 +34,7 @@ must come in through physical media (USB drive, hard drive, writeable DVD, etc.)
## Overview ## Overview
GitLab scanners generally will connect to the internet to download the GitLab scanners usually connect to the internet to download the
latest sets of signatures, rules, and patches. A few extra steps are necessary latest sets of signatures, rules, and patches. A few extra steps are necessary
to configure the tools to function properly by using resources available on your local network. to configure the tools to function properly by using resources available on your local network.
...@@ -73,7 +73,7 @@ hosting the latest versions of that dependency or image. ...@@ -73,7 +73,7 @@ hosting the latest versions of that dependency or image.
### Scanner signature and rule updates ### Scanner signature and rule updates
When connected to the internet, some scanners will reference public databases When connected to the internet, some scanners reference public databases
for the latest sets of signatures and rules to check against. Without connectivity, for the latest sets of signatures and rules to check against. Without connectivity,
this is not possible. Depending on the scanner, you must therefore disable this is not possible. Depending on the scanner, you must therefore disable
these automatic update checks and either use the databases that they came these automatic update checks and either use the databases that they came
...@@ -131,7 +131,7 @@ a bastion, and used only for this specific project. ...@@ -131,7 +131,7 @@ a bastion, and used only for this specific project.
#### Scheduling the updates #### Scheduling the updates
By default, this project's pipeline will run only once, when the `.gitlab-ci.yml` is added to the By default, this project's pipeline runs only once, when the `.gitlab-ci.yml` is added to the
repo. To update the GitLab security scanners and signatures, it's necessary to run this pipeline repo. To update the GitLab security scanners and signatures, it's necessary to run this pipeline
regularly. GitLab provides a way to [schedule pipelines](../../../ci/pipelines/schedules.md). For regularly. GitLab provides a way to [schedule pipelines](../../../ci/pipelines/schedules.md). For
example, you can set this up to download and store the Docker images every week. example, you can set this up to download and store the Docker images every week.
...@@ -139,7 +139,7 @@ example, you can set this up to download and store the Docker images every week. ...@@ -139,7 +139,7 @@ example, you can set this up to download and store the Docker images every week.
Some images can be updated more frequently than others. For example, the [vulnerability database](https://hub.docker.com/r/arminc/clair-db/tags) Some images can be updated more frequently than others. For example, the [vulnerability database](https://hub.docker.com/r/arminc/clair-db/tags)
for Container Scanning is updated daily. To update this single image, create a new Scheduled for Container Scanning is updated daily. To update this single image, create a new Scheduled
Pipeline that runs daily and set `SECURE_BINARIES_ANALYZERS` to `clair-vulnerabilities-db`. Only Pipeline that runs daily and set `SECURE_BINARIES_ANALYZERS` to `clair-vulnerabilities-db`. Only
this job will be triggered, and the image will be updated daily and made available in the project this job is triggered, and the image is updated daily and made available in the project
registry. registry.
#### Using the secure bundle created #### Using the secure bundle created
......
doc/user/application_security/sast/index.md
View file @ 5c7767cd
...@@ -59,7 +59,7 @@ is **not** `19.03.0`. See [troubleshooting information](#error-response-from-dae ...@@ -59,7 +59,7 @@ is **not** `19.03.0`. See [troubleshooting information](#error-response-from-dae
## Supported languages and frameworks ## Supported languages and frameworks
GitLab SAST supports a variety of languages, package managers, and frameworks. Our SAST security scanners also feature automatic language detection which works even for mixed-language projects. If any supported language is detected in project source code we will automatically run the appropriate SAST analyzers. GitLab SAST supports a variety of languages, package managers, and frameworks. Our SAST security scanners also feature automatic language detection which works even for mixed-language projects. If any supported language is detected in project source code we automatically run the appropriate SAST analyzers.
You can also [view our language roadmap](https://about.gitlab.com/direction/secure/static-analysis/sast/#language-support) and [request other language support by opening an issue](https://gitlab.com/groups/gitlab-org/-/epics/297). You can also [view our language roadmap](https://about.gitlab.com/direction/secure/static-analysis/sast/#language-support) and [request other language support by opening an issue](https://gitlab.com/groups/gitlab-org/-/epics/297).
...@@ -336,7 +336,7 @@ a `before_script` execution to prepare your scan job. ...@@ -336,7 +336,7 @@ a `before_script` execution to prepare your scan job.
To pass your project's dependencies as artifacts, the dependencies must be included To pass your project's dependencies as artifacts, the dependencies must be included
in the project's working directory and specified using the `artifacts:path` configuration. in the project's working directory and specified using the `artifacts:path` configuration.
If all dependencies are present, the `COMPILE=false` variable can be provided to the If all dependencies are present, the `COMPILE=false` variable can be provided to the
analyzer and compilation will be skipped: analyzer and compilation is skipped:
```yaml ```yaml
image: maven:3.6-jdk-8-alpine image: maven:3.6-jdk-8-alpine
...@@ -410,7 +410,7 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre ...@@ -410,7 +410,7 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre
| Environment variable | Default value | Description | | Environment variable | Default value | Description |
|-------------------------------|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------------------|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `SAST_EXCLUDED_PATHS` | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories will also match patterns. | | `SAST_EXCLUDED_PATHS` | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories also match patterns. |
| `SEARCH_MAX_DEPTH` | 4 | Maximum number of directories traversed when searching for source code files. | | `SEARCH_MAX_DEPTH` | 4 | Maximum number of directories traversed when searching for source code files. |
| `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'` | | `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'` |
| `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. | | `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. |
...@@ -424,7 +424,7 @@ Some analyzers can be customized with environment variables. ...@@ -424,7 +424,7 @@ Some analyzers can be customized with environment variables.
| Environment variable | Analyzer | Description | | Environment variable | Analyzer | Description |
|---------------------------------------|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |---------------------------------------|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `SCAN_KUBERNETES_MANIFESTS` | Kubesec | Set to `"true"` to scan Kubernetes manifests. | | `SCAN_KUBERNETES_MANIFESTS` | Kubesec | Set to `"true"` to scan Kubernetes manifests. |
| `KUBESEC_HELM_CHARTS_PATH` | Kubesec | Optional path to Helm charts that `helm` uses to generate a Kubernetes manifest that `kubesec` will scan. If dependencies are defined, `helm dependency build` should be ran in a `before_script` to fetch the necessary dependencies. | | `KUBESEC_HELM_CHARTS_PATH` | Kubesec | Optional path to Helm charts that `helm` uses to generate a Kubernetes manifest that `kubesec` scans. If dependencies are defined, `helm dependency build` should be ran in a `before_script` to fetch the necessary dependencies. |
| `KUBESEC_HELM_OPTIONS` | Kubesec | Additional arguments for the `helm` executable. | | `KUBESEC_HELM_OPTIONS` | Kubesec | Additional arguments for the `helm` executable. |
| `COMPILE` | SpotBugs | Set to `false` to disable project compilation and dependency fetching. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/195252) in GitLab 13.1. | | `COMPILE` | SpotBugs | Set to `false` to disable project compilation and dependency fetching. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/195252) in GitLab 13.1. |
| `ANT_HOME` | SpotBugs | The `ANT_HOME` environment variable. | | `ANT_HOME` | SpotBugs | The `ANT_HOME` environment variable. |
...@@ -459,7 +459,7 @@ analyzer containers: `DOCKER_`, `CI`, `GITLAB_`, `FF_`, `HOME`, `PWD`, `OLDPWD`, ...@@ -459,7 +459,7 @@ analyzer containers: `DOCKER_`, `CI`, `GITLAB_`, `FF_`, `HOME`, `PWD`, `OLDPWD`,
Receive early access to experimental features. Receive early access to experimental features.
Currently, this will enable scanning of iOS and Android apps via the [MobSF analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/). Currently, this enables scanning of iOS and Android apps via the [MobSF analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/).
To enable experimental features, add the following to your `.gitlab-ci.yml` file: To enable experimental features, add the following to your `.gitlab-ci.yml` file:
......
doc/user/application_security/security_dashboard/index.md
View file @ 5c7767cd
...@@ -87,7 +87,7 @@ display all detected and confirmed vulnerabilities. ...@@ -87,7 +87,7 @@ display all detected and confirmed vulnerabilities.
The Vulnerability Report first displays the time at which the last pipeline completed on the project's The Vulnerability Report first displays the time at which the last pipeline completed on the project's
default branch. There's also a link to view this in more detail. In the case of any pipeline failures, default branch. There's also a link to view this in more detail. In the case of any pipeline failures,
you will see the number of failures clearly indicated. The failure notification takes you directly to the number of failures is indicated. The failure notification takes you directly to
the **Failed jobs** tab of the pipeline page. the **Failed jobs** tab of the pipeline page.
The Vulnerability Report next displays the total number of vulnerabilities by severity (for example, The Vulnerability Report next displays the total number of vulnerabilities by severity (for example,
...@@ -142,7 +142,7 @@ Next to the timeline chart is a list of projects, grouped and sorted by the seve ...@@ -142,7 +142,7 @@ Next to the timeline chart is a list of projects, grouped and sorted by the seve
| B | One or more "low" | | B | One or more "low" |
| A | Zero vulnerabilities | | A | Zero vulnerabilities |
Projects with no vulnerability tests configured will not appear in the list. Additionally, dismissed Projects with no vulnerability tests configured don't appear in the list. Additionally, dismissed
vulnerabilities are excluded. vulnerabilities are excluded.
Navigate to the group's [vulnerability report](#vulnerability-report-1) to view the vulnerabilities found. Navigate to the group's [vulnerability report](#vulnerability-report-1) to view the vulnerabilities found.
...@@ -225,7 +225,7 @@ are discovered. ...@@ -225,7 +225,7 @@ are discovered.
To ensure the information on the Security Dashboard is regularly updated, To ensure the information on the Security Dashboard is regularly updated,
[configure a scheduled pipeline](../../../ci/pipelines/schedules.md) to run a [configure a scheduled pipeline](../../../ci/pipelines/schedules.md) to run a
daily security scan. This will update the information displayed on the Security daily security scan. This updates the information displayed on the Security
Dashboard regardless of how often the default branch is updated. Dashboard regardless of how often the default branch is updated.
That way, reports are created even if no code change happens. That way, reports are created even if no code change happens.
......
doc/user/application_security/vulnerabilities/index.md
View file @ 5c7767cd
...@@ -37,7 +37,7 @@ the following values: ...@@ -37,7 +37,7 @@ the following values:
|-----------|------------------------------------------------------------------------------------------------------------------| |-----------|------------------------------------------------------------------------------------------------------------------|
| Detected | The default state for a newly discovered vulnerability | | Detected | The default state for a newly discovered vulnerability |
| Confirmed | A user has seen this vulnerability and confirmed it to be accurate | | Confirmed | A user has seen this vulnerability and confirmed it to be accurate |
| Dismissed | A user has seen this vulnerability and dismissed it because it is not accurate or otherwise will not be resolved | | Dismissed | A user has seen this vulnerability and dismissed it because it is not accurate or otherwise not to be resolved |
| Resolved | The vulnerability has been fixed and is no longer valid | | Resolved | The vulnerability has been fixed and is no longer valid |
A timeline shows you when the vulnerability status has changed A timeline shows you when the vulnerability status has changed
......
doc/user/compliance/license_compliance/index.md
View file @ 5c7767cd
...@@ -21,7 +21,7 @@ that is provided by [Auto DevOps](../../../topics/autodevops/index.md). ...@@ -21,7 +21,7 @@ that is provided by [Auto DevOps](../../../topics/autodevops/index.md).
GitLab checks the License Compliance report, compares the licenses between the GitLab checks the License Compliance report, compares the licenses between the
source and target branches, and shows the information right on the merge request. source and target branches, and shows the information right on the merge request.
Denied licenses will be clearly visible with an `x` red icon next to them Denied licenses are notated with an `x` red icon next to them
as well as new licenses which need a decision from you. In addition, you can as well as new licenses which need a decision from you. In addition, you can
[manually allow or deny](#policies) [manually allow or deny](#policies)
licenses in your project's license compliance policy section. If GitLab detects a denied license licenses in your project's license compliance policy section. If GitLab detects a denied license
...@@ -30,10 +30,10 @@ to remove the license. ...@@ -30,10 +30,10 @@ to remove the license.
NOTE: **Note:** NOTE: **Note:**
If the license compliance report doesn't have anything to compare to, no information If the license compliance report doesn't have anything to compare to, no information
will be displayed in the merge request area. That is the case when you add the is displayed in the merge request area. That is the case when you add the
`license_scanning` job in your `.gitlab-ci.yml` for the first time. `license_scanning` job in your `.gitlab-ci.yml` for the first time.
Consecutive merge requests will have something to compare to and the license Consecutive merge requests have something to compare to and the license
compliance report will be shown properly. compliance report is shown properly.
![License Compliance Widget](img/license_compliance_v13_0.png) ![License Compliance Widget](img/license_compliance_v13_0.png)
...@@ -114,7 +114,7 @@ Before GitLab 12.8, the `license_scanning` job was named `license_management`. G ...@@ -114,7 +114,7 @@ Before GitLab 12.8, the `license_scanning` job was named `license_management`. G
the `license_management` job, so you must migrate to the `license_scanning` job and use the new the `license_management` job, so you must migrate to the `license_scanning` job and use the new
`License-Scanning.gitlab-ci.yml` template. `License-Scanning.gitlab-ci.yml` template.
The results will be saved as a The results are saved as a
[License Compliance report artifact](../../../ci/pipelines/job_artifacts.md#artifactsreportslicense_scanning) [License Compliance report artifact](../../../ci/pipelines/job_artifacts.md#artifactsreportslicense_scanning)
that you can later download and analyze. Due to implementation limitations, we that you can later download and analyze. Due to implementation limitations, we
always take the latest License Compliance artifact available. Behind the scenes, the always take the latest License Compliance artifact available. Behind the scenes, the
...@@ -160,7 +160,7 @@ in the project automated setup, like the download and installation of a certific ...@@ -160,7 +160,7 @@ in the project automated setup, like the download and installation of a certific
For that, a `LICENSE_MANAGEMENT_SETUP_CMD` environment variable can be passed to the container, For that, a `LICENSE_MANAGEMENT_SETUP_CMD` environment variable can be passed to the container,
with the required commands to run before the license detection. with the required commands to run before the license detection.
If present, this variable will override the setup step necessary to install all the packages If present, this variable overrides the setup step necessary to install all the packages
of your application (e.g.: for a project with a `Gemfile`, the setup step could be of your application (e.g.: for a project with a `Gemfile`, the setup step could be
`bundle install`). `bundle install`).
...@@ -695,7 +695,7 @@ requirements must be met: ...@@ -695,7 +695,7 @@ requirements must be met:
[supported languages and package managers](#supported-languages-and-package-managers). [supported languages and package managers](#supported-languages-and-package-managers).
Once everything is set, navigate to **Security & Compliance > License Compliance** Once everything is set, navigate to **Security & Compliance > License Compliance**
in your project's sidebar, and you'll see the licenses displayed, where: in your project's sidebar, and the licenses are displayed, where:
- **Name:** The name of the license. - **Name:** The name of the license.
- **Component:** The components which have this license. - **Component:** The components which have this license.
...@@ -708,8 +708,8 @@ in your project's sidebar, and you'll see the licenses displayed, where: ...@@ -708,8 +708,8 @@ in your project's sidebar, and you'll see the licenses displayed, where:
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/22465) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/22465) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
Policies allow you to specify licenses that are `allowed` or `denied` in a project. If a `denied` Policies allow you to specify licenses that are `allowed` or `denied` in a project. If a `denied`
license is newly committed it will disallow a merge request and instruct the developer to remove it. license is newly committed it blocks the merge request and instructs the developer to remove it.
Note, the merge request will not be able to be merged until the `denied` license is removed. Note, the merge request is not able to be merged until the `denied` license is removed.
You may add a [`License-Check` approval rule](#enabling-license-approvals-within-a-project), You may add a [`License-Check` approval rule](#enabling-license-approvals-within-a-project),
which enables a designated approver that can approve and then merge a merge request with `denied` license. which enables a designated approver that can approve and then merge a merge request with `denied` license.
...@@ -771,7 +771,7 @@ specify the desired version by adding a ...@@ -771,7 +771,7 @@ specify the desired version by adding a
or using the appropriate [`ASDF_<tool>_VERSION`](https://asdf-vm.com/#/core-configuration?id=environment-variables) environment variable to or using the appropriate [`ASDF_<tool>_VERSION`](https://asdf-vm.com/#/core-configuration?id=environment-variables) environment variable to
activate the appropriate version. activate the appropriate version.
For example, the following `.tool-versions` file will activate version `12.16.3` of [Node.js](https://nodejs.org/) For example, the following `.tool-versions` file activates version `12.16.3` of [Node.js](https://nodejs.org/)
and version `2.7.2` of [Ruby](https://www.ruby-lang.org/). and version `2.7.2` of [Ruby](https://www.ruby-lang.org/).
```plaintext ```plaintext
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7