Commit 7830ac04 authored by Russell Dickenson's avatar Russell Dickenson Committed by Nick Gaskill

Improve SAST configuration content

parent bb7b2a0b
......@@ -9,35 +9,21 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
## Overview
The Security Configuration page displays the configuration state of each security feature in the
current project. The page uses the project's latest default branch [CI pipeline](../../../ci/pipelines/index.md)
to determine each feature's configuration state. If a job with the expected security report artifact
exists in the pipeline, the feature is considered enabled.
The security configuration page displays the configuration state of each of the security
features and can be accessed through a project's sidebar nav.
![Screenshot of security configuration page](../img/security_configuration_page_v13_2.png)
The page uses the project's latest default branch [CI pipeline](../../../ci/pipelines/index.md) to determine the configuration
state of each feature. If a job with the expected security report artifact exists in the pipeline,
the feature is considered configured.
You can only enable SAST from the Security Configuration page. Documentation links are included for
the other features. For details about configuring SAST, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
NOTE: **Note:**
If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md),
all security features will be configured by default.
## SAST Configuration
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3659) in GitLab Ultimate 13.3.
For projects that do not already have a `.gitlab-ci.yml` file,
[configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
all security features are configured by default.
## Limitations
## View Security Configuration
It is not yet possible to enable or disable most features using the
configuration page. However, instructions on how to enable or disable a feature
can be found through the links next to each feature on that page.
To view a project's security configuration:
If a project does not have an existing CI configuration, then the SAST feature
can be enabled by clicking on the "Enable with Merge Request" button under the
"Manage" column. Future work will expand this to editing _existing_ CI
configurations, and to other security features.
1. Go to the project's home page.
1. In the left sidebar, go to **Security & Configuration** > **Configuration**.
......@@ -14,21 +14,9 @@ The whitepaper ["A Seismic Shift in Application Security"](https://about.gitlab.
explains how **4 of the top 6 attacks were application based**. Download it
to learn how to protect your organization.
## Overview
If you're using [GitLab CI/CD](../../../ci/README.md), you can analyze your source code for known
vulnerabilities using Static Application Security Testing (SAST).
You can take advantage of SAST by doing one of the following:
- [Including the SAST template](#configuration) in your existing `.gitlab-ci.yml` file.
- Implicitly using [Auto SAST](../../../topics/autodevops/stages.md#auto-sast-ultimate) provided by
[Auto DevOps](../../../topics/autodevops/index.md).
- Using the [SAST Configuration tool](#configure-sast-in-the-ui) to create the necessary
`.gitlab-ci.yml` file for you.
GitLab checks the SAST report, compares the found vulnerabilities between the
source and target branches.
vulnerabilities using Static Application Security Testing (SAST). GitLab checks the SAST report and
compares the found vulnerabilities between the source and target branches.
Details of the vulnerabilities found are included in the merge request. **(ULTIMATE)**
......@@ -44,7 +32,7 @@ The results are sorted by the priority of the vulnerability:
1. Everything else
NOTE: **Note:**
A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish for any reason, the security dashboard won't show SAST scanner output. For example, if the SAST job finishes but the DAST job fails, the security dashboard won't show SAST results. The analyzer will output an [exit code](../../../development/integrations/secure.md#exit-code) on failure.
A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish for any reason, the security dashboard doesn't show SAST scanner output. For example, if the SAST job finishes but the DAST job fails, the security dashboard doesn't show SAST results. The analyzer outputs an [exit code](../../../development/integrations/secure.md#exit-code) on failure.
## Use cases
......@@ -63,7 +51,7 @@ If you're using the shared Runners on GitLab.com, this is enabled by default.
Beginning with GitLab 13.0, Docker privileged mode is necessary only if you've [enabled Docker-in-Docker for SAST](#enabling-docker-in-docker-ultimate).
CAUTION: **Caution:**
Our SAST jobs currently expect a Linux container type. Windows containers are not yet supported.
Our SAST jobs require a Linux container type. Windows containers are not yet supported.
CAUTION: **Caution:**
If you use your own Runners, make sure the Docker version installed
......@@ -129,9 +117,14 @@ The [Security Scanner Integration](../../../development/integrations/secure.md)
## Configuration
NOTE: **Note:**
You don't have to configure SAST manually as shown in this section if you're using [Auto SAST](../../../topics/autodevops/stages.md#auto-sast-ultimate)
provided by [Auto DevOps](../../../topics/autodevops/index.md).
To configure SAST for a project you can:
- Use [Auto SAST](../../../topics/autodevops/stages.md#auto-sast-ultimate) provided by
[Auto DevOps](../../../topics/autodevops/index.md).
- [Configure SAST manually](#configure-sast-manually).
- [Configure SAST using the UI](#configure-sast-in-the-ui) (introduced in GitLab 13.3).
### Configure SAST manually
For GitLab 11.9 and later, to enable SAST you must [include](../../../ci/yaml/README.md#includetemplate)
the [`SAST.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml)
......@@ -145,10 +138,10 @@ include:
- template: SAST.gitlab-ci.yml
```
The included template will create SAST jobs in your CI/CD pipeline and scan
The included template creates SAST jobs in your CI/CD pipeline and scans
your project's source code for possible vulnerabilities.
The results will be saved as a
The results are saved as a
[SAST report artifact](../../../ci/pipelines/job_artifacts.md#artifactsreportssast-ultimate)
that you can later download and analyze. Due to implementation limitations, we
always take the latest SAST artifact available.
......@@ -157,14 +150,16 @@ always take the latest SAST artifact available.
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3659) in GitLab Ultimate 13.3.
For projects that do not already have a `.gitlab-ci.yml` file, the above
configuration can also be achieved by using the **SAST Configuration** tool.
1. Navigate to **Security & Compliance > Configuration**.
1. Click **Enable** on the Static Application Security Testing (SAST)
row.
For a project that does not have a `.gitlab-ci.yml` file, you can enable SAST with a basic
configuration using the **SAST Configuration** page:
A merge request is created, containing the necessary changes for you to review and merge.
1. From the project's home page, go to **Security & Configuration** > **Configuration** in the
left sidebar.
1. Click **Enable via Merge Request** on the Static Application Security Testing (SAST) row.
1. Enter the appropriate SAST details into the fields on the page. See [Available variables](#available-variables)
for a description of these variables.
1. Click **Create Merge Request**.
1. Review and merge the merge request.
### Customizing the SAST settings
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment