Skip to content

G
gitlab-ce
Commit e788a809 authored by Fabien Catteau's avatar Fabien Catteau
Browse files
Options

Doc no-DinD new default for SAST 

Update the documentation of SAST
and tell it now runs without the Docker-in-Docker
orchestrator by default.
parent f3a96939
Hide whitespace changes
Inline Side-by-side
Showing with 36 additions and 62 deletions
doc/user/application_security/index.md
View file @ e788a809
...@@ -319,7 +319,8 @@ You can do it quickly by following the hyperlink given to run a new pipeline. ...@@ -319,7 +319,8 @@ You can do it quickly by following the hyperlink given to run a new pipeline.
### Getting error message `sast job: stage parameter should be [some stage name here]` ### Getting error message `sast job: stage parameter should be [some stage name here]`
When including a security job template like [`SAST`](sast/index.md#configuration), When [including](../../ci/yaml/README.md#includetemplate) a `.gitlab-ci.yml` template
like [`SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml),
the following error may occur, depending on your GitLab CI/CD configuration: the following error may occur, depending on your GitLab CI/CD configuration:
```plaintext ```plaintext
...@@ -332,22 +333,23 @@ This error appears when the included job's stage (named `test`) isn't declared i ...@@ -332,22 +333,23 @@ This error appears when the included job's stage (named `test`) isn't declared i
To fix this issue, you can either: To fix this issue, you can either:
- Add a `test` stage in your `.gitlab-ci.yml`. - Add a `test` stage in your `.gitlab-ci.yml`.
- Change the default stage of the included security jobs. For example, with `SAST`: - Change the default stage of the included security jobs. For example, with SpotBugs (SAST):
```yaml ```yaml
include: include:
template: SAST.gitlab-ci.yml template: SAST.gitlab-ci.yml
sast: spotbugs-sast:
stage: unit-tests stage: unit-tests
``` ```
[Learn more on overriding the SAST template](sast/index.md#overriding-the-sast-template). [Learn more on overriding SAST jobs](sast/index.md#overriding-sast-jobs).
All the security scanning tools define their stage, so this error can occur with all of them. All the security scanning tools define their stage, so this error can occur with all of them.
### Getting error message `sast job: config key may not be used with 'rules': only/except` ### Getting error message `sast job: config key may not be used with 'rules': only/except`
When including a security job template like [`SAST`](sast/index.md#overriding-the-sast-template), When [including](../../ci/yaml/README.md#includetemplate) a `.gitlab-ci.yml` template
like [`SAST.gitlab-ci.yml`](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml),
the following error may occur, depending on your GitLab CI/CD configuration: the following error may occur, depending on your GitLab CI/CD configuration:
```plaintext ```plaintext
...@@ -356,14 +358,14 @@ Found errors in your .gitlab-ci.yml: ...@@ -356,14 +358,14 @@ Found errors in your .gitlab-ci.yml:
jobs:sast config key may not be used with `rules`: only/except jobs:sast config key may not be used with `rules`: only/except
``` ```
This error appears when the included job's `rules` configuration has been [overridden](sast/index.md#overriding-the-sast-template) This error appears when the included job's `rules` configuration has been [overridden](sast/index.md#overriding-sast-jobs)
with [the deprecated `only` or `except` syntax.](../../ci/yaml/README.md#onlyexcept-basic) with [the deprecated `only` or `except` syntax.](../../ci/yaml/README.md#onlyexcept-basic)
To fix this issue, you must either: To fix this issue, you must either:
- [Transition your `only/except` syntax to `rules`](#transitioning-your-onlyexcept-syntax-to-rules). - [Transition your `only/except` syntax to `rules`](#transitioning-your-onlyexcept-syntax-to-rules).
- (Temporarily) [Pin your templates to the deprecated versions](#pin-your-templates-to-the-deprecated-versions) - (Temporarily) [Pin your templates to the deprecated versions](#pin-your-templates-to-the-deprecated-versions)
[Learn more on overriding the SAST template](sast/index.md#overriding-the-sast-template). [Learn more on overriding SAST jobs](sast/index.md#overriding-sast-jobs).
#### Transitioning your `only/except` syntax to `rules` #### Transitioning your `only/except` syntax to `rules`
......
doc/user/application_security/sast/index.md
View file @ e788a809
...@@ -48,14 +48,12 @@ A pipeline consists of multiple jobs, including SAST and DAST scanning. If any j ...@@ -48,14 +48,12 @@ A pipeline consists of multiple jobs, including SAST and DAST scanning. If any j
## Requirements ## Requirements
To run a SAST job, by default, you need GitLab Runner with the To run SAST jobs, by default, you need GitLab Runner with the
[`docker`](https://docs.gitlab.com/runner/executors/docker.html#use-docker-in-docker-with-privileged-mode) or [`docker`](https://docs.gitlab.com/runner/executors/docker.html) or
[`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html#running-privileged-containers-for-the-runners) [`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html) executor.
executor running in privileged mode. If you're using the shared Runners on GitLab.com, If you're using the shared Runners on GitLab.com, this is enabled by default.
this is enabled by default.
Privileged mode is not necessary if you've [disabled Docker in Docker Beginning with GitLab 13.0, Docker privileged mode is necessary only if you've [enabled Docker-in-Docker for SAST](#enabling-docker-in-docker).
for SAST](#disabling-docker-in-docker-for-sast).
CAUTION: **Caution:** Our SAST jobs currently expect a Linux container type. Windows containers are not yet supported. CAUTION: **Caution:** Our SAST jobs currently expect a Linux container type. Windows containers are not yet supported.
...@@ -114,15 +112,13 @@ include: ...@@ -114,15 +112,13 @@ include:
- template: SAST.gitlab-ci.yml - template: SAST.gitlab-ci.yml
``` ```
The included template will create a `sast` job in your CI/CD pipeline and scan The included template will create SAST jobs in your CI/CD pipeline and scan
your project's source code for possible vulnerabilities. your project's source code for possible vulnerabilities.
The results will be saved as a The results will be saved as a
[SAST report artifact](../../../ci/pipelines/job_artifacts.md#artifactsreportssast-ultimate) [SAST report artifact](../../../ci/pipelines/job_artifacts.md#artifactsreportssast-ultimate)
that you can later download and analyze. Due to implementation limitations, we that you can later download and analyze. Due to implementation limitations, we
always take the latest SAST artifact available. Behind the scenes, the always take the latest SAST artifact available.
[GitLab SAST Docker image](https://gitlab.com/gitlab-org/security-products/sast)
is used to detect the languages or frameworks used, and in turn runs the matching scan tools.
### Customizing the SAST settings ### Customizing the SAST settings
...@@ -143,23 +139,24 @@ variables: ...@@ -143,23 +139,24 @@ variables:
Because the template is [evaluated before](../../../ci/yaml/README.md#include) Because the template is [evaluated before](../../../ci/yaml/README.md#include)
the pipeline configuration, the last mention of the variable takes precedence. the pipeline configuration, the last mention of the variable takes precedence.
### Overriding the SAST template ### Overriding SAST jobs
CAUTION: **Deprecation:** CAUTION: **Deprecation:**
Beginning in GitLab 13.0, the use of [`only` and `except`](../../../ci/yaml/README.md#onlyexcept-basic) Beginning in GitLab 13.0, the use of [`only` and `except`](../../../ci/yaml/README.md#onlyexcept-basic)
is no longer supported. When overriding the template, you must use [`rules`](../../../ci/yaml/README.md#rules) instead. is no longer supported. When overriding the template, you must use [`rules`](../../../ci/yaml/README.md#rules) instead.
If you want to override the job definition (for example, change properties like If you want to override a job definition (for example, change properties like
`variables` or `dependencies`), you need to declare a `sast` job after the `variables` or `dependencies`), you need to declare a job with the same name as the SAST job to override, after the
template inclusion and specify any additional keys under it. For example: template inclusion and specify any additional keys under it.
For example, this enables `FAIL_NEVER` for the `spotbugs` analyzer:
```yaml ```yaml
include: include:
- template: SAST.gitlab-ci.yml - template: SAST.gitlab-ci.yml
sast: spotbugs-sast:
variables: variables:
CI_DEBUG_TRACE: "true" FAIL_NEVER: 1
``` ```
### Using environment variables to pass credentials for private repositories ### Using environment variables to pass credentials for private repositories
...@@ -177,44 +174,27 @@ you can use the `MAVEN_CLI_OPTS` environment variable. ...@@ -177,44 +174,27 @@ you can use the `MAVEN_CLI_OPTS` environment variable.
Read more on [how to use private Maven repositories](../index.md#using-private-maven-repos). Read more on [how to use private Maven repositories](../index.md#using-private-maven-repos).
### Disabling Docker in Docker for SAST ### Enabling Docker-in-Docker
You can avoid the need for Docker in Docker by running the individual analyzers. If needed, you can restore the behavior of SAST prior to %13.0 by enabling back Docker-in-Docker.
This does not require running the executor in privileged mode. For example: You need GitLab Runner with the [`docker`](https://docs.gitlab.com/runner/executors/docker.html#use-docker-in-docker-with-privileged-mode), and the variable `SAST_DISABLE_DIND` set to `false`:
```yaml ```yaml
include: include:
- template: SAST.gitlab-ci.yml - template: SAST.gitlab-ci.yml
variables: variables:
SAST_DISABLE_DIND: "true" SAST_DISABLE_DIND: "false"
``` ```
This will create individual `<analyzer-name>-sast` jobs for each analyzer that runs in your CI/CD pipeline. This will create a single `sast` job in your CI/CD pipeline
instead of multiple `<analyzer-name>-sast` jobs.
By removing Docker-in-Docker (DIND), GitLab relies on [Linguist](https://github.com/github/linguist)
to start relevant analyzers depending on the detected repository language(s) instead of the
[orchestrator](https://gitlab.com/gitlab-org/security-products/dependency-scanning/). However, there
are some differences in the way repository languages are detected between DIND and non-DIND. You can
observe these differences by checking both Linguist and the common library. For instance, Linguist
looks for `*.java` files to spin up the [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs)
image, while orchestrator only looks for the existence of `pom.xml`, `build.xml`, `gradlew`,
`grailsw`, or `mvnw`. GitLab uses Linguist to detect new file types in the default branch.
When introducing files or dependencies for a new language or package manager, the
corresponding scans won't be triggered in the MR, and will only run on the default branch once the
MR is merged. This will be addressed by [#211702](https://gitlab.com/gitlab-org/gitlab/-/issues/211702).
NOTE: **Note:**
With the current language detection logic, any new languages or frameworks introduced within the
context of a merge request don't trigger a corresponding scan. These scans only occur once the code
is committed to the default branch.
#### Enabling Kubesec analyzer #### Enabling Kubesec analyzer
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12752) in GitLab Ultimate 12.6. > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12752) in GitLab Ultimate 12.6.
When [Docker in Docker is disabled](#disabling-docker-in-docker-for-sast), You need to set `SCAN_KUBERNETES_MANIFESTS` to `"true"` to enable the
you will need to set `SCAN_KUBERNETES_MANIFESTS` to `"true"` to enable the
Kubesec analyzer. In `.gitlab-ci.yml`, define: Kubesec analyzer. In `.gitlab-ci.yml`, define:
```yaml ```yaml
...@@ -222,7 +202,6 @@ include: ...@@ -222,7 +202,6 @@ include:
- template: SAST.gitlab-ci.yml - template: SAST.gitlab-ci.yml
variables: variables:
SAST_DISABLE_DIND: "true"
SCAN_KUBERNETES_MANIFESTS: "true" SCAN_KUBERNETES_MANIFESTS: "true"
``` ```
...@@ -248,9 +227,6 @@ stages: ...@@ -248,9 +227,6 @@ stages:
include: include:
- template: SAST.gitlab-ci.yml - template: SAST.gitlab-ci.yml
variables:
SAST_DISABLE_DIND: "true"
build: build:
stage: build stage: build
script: script:
...@@ -297,7 +273,7 @@ The following are Docker image-related variables. ...@@ -297,7 +273,7 @@ The following are Docker image-related variables.
| `SAST_ANALYZER_IMAGE_PREFIX` | **DEPRECATED**: Use `SECURE_ANALYZERS_PREFIX` instead. | | `SAST_ANALYZER_IMAGE_PREFIX` | **DEPRECATED**: Use `SECURE_ANALYZERS_PREFIX` instead. |
| `SAST_ANALYZER_IMAGE_TAG` | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md). | | `SAST_ANALYZER_IMAGE_TAG` | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md). |
| `SAST_DEFAULT_ANALYZERS` | Override the names of default images. Read more about [customizing analyzers](analyzers.md). | | `SAST_DEFAULT_ANALYZERS` | Override the names of default images. Read more about [customizing analyzers](analyzers.md). |
| `SAST_DISABLE_DIND` | Disable Docker in Docker and run analyzers [individually](#disabling-docker-in-docker-for-sast). | | `SAST_DISABLE_DIND` | Disable Docker-in-Docker and run analyzers [individually](#enabling-docker-in-docker). This variable is `true` by default. |
#### Vulnerability filters #### Vulnerability filters
...@@ -317,26 +293,23 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre ...@@ -317,26 +293,23 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre
#### Docker-in-Docker orchestrator #### Docker-in-Docker orchestrator
The following variables configure the Docker-in-Docker orchestrator. The following variables configure the Docker-in-Docker orchestrator, and therefore are only used when the Docker-in-Docker mode is [enabled](#enabling-docker-in-docker).
| Environment variable | Default value | Description | | Environment variable | Default value | Description |
|------------------------------------------|---------------|-------------| |------------------------------------------|---------------|-------------|
| `SAST_ANALYZER_IMAGES` | | Comma-separated list of custom images. Default images are still enabled. Read more about [customizing analyzers](analyzers.md). Not available when [Docker-in-Docker is disabled](#disabling-docker-in-docker-for-sast). | | `SAST_ANALYZER_IMAGES` | | Comma-separated list of custom images. Default images are still enabled. Read more about [customizing analyzers](analyzers.md). |
| `SAST_PULL_ANALYZER_IMAGES` | 1 | Pull the images from the Docker registry (set to 0 to disable). Read more about [customizing analyzers](analyzers.md). Not available when [Docker-in-Docker is disabled](#disabling-docker-in-docker-for-sast). | | `SAST_PULL_ANALYZER_IMAGES` | 1 | Pull the images from the Docker registry (set to 0 to disable). Read more about [customizing analyzers](analyzers.md). |
| `SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT` | 2m | Time limit for Docker client negotiation. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h` or `2h45m`. | | `SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT` | 2m | Time limit for Docker client negotiation. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h` or `2h45m`. |
| `SAST_PULL_ANALYZER_IMAGE_TIMEOUT` | 5m | Time limit when pulling the image of an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h` or `2h45m`. | | `SAST_PULL_ANALYZER_IMAGE_TIMEOUT` | 5m | Time limit when pulling the image of an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h` or `2h45m`. |
| `SAST_RUN_ANALYZER_TIMEOUT` | 20m | Time limit when running an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h` or `2h45m`.| | `SAST_RUN_ANALYZER_TIMEOUT` | 20m | Time limit when running an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. For example, `300ms`, `1.5h` or `2h45m`.|
NOTE: **Note:**
Timeout variables are not applicable for setups with [disabled Docker In Docker](index.md#disabling-docker-in-docker-for-sast).
#### Analyzer settings #### Analyzer settings
Some analyzers can be customized with environment variables. Some analyzers can be customized with environment variables.
| Environment variable | Analyzer | Description | | Environment variable | Analyzer | Description |
|-----------------------------|----------|-------------| |-----------------------------|----------|-------------|
| `SCAN_KUBERNETES_MANIFESTS` | Kubesec | Set to `"true"` to scan Kubernetes manifests when [Docker in Docker](#disabling-docker-in-docker-for-sast) is disabled. | | `SCAN_KUBERNETES_MANIFESTS` | Kubesec | Set to `"true"` to scan Kubernetes manifests. |
| `ANT_HOME` | SpotBugs | The `ANT_HOME` environment variable. | | `ANT_HOME` | SpotBugs | The `ANT_HOME` environment variable. |
| `ANT_PATH` | SpotBugs | Path to the `ant` executable. | | `ANT_PATH` | SpotBugs | Path to the `ant` executable. |
| `GRADLE_PATH` | SpotBugs | Path to the `gradle` executable. | | `GRADLE_PATH` | SpotBugs | Path to the `gradle` executable. |
...@@ -521,7 +494,7 @@ run successfully. For more information, see [Offline environments](../offline_de ...@@ -521,7 +494,7 @@ run successfully. For more information, see [Offline environments](../offline_de
To use SAST in an offline environment, you need: To use SAST in an offline environment, you need:
- To [disable Docker-In-Docker](#disabling-docker-in-docker-for-sast). - To keep Docker-In-Docker disabled (default).
- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements). - GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
- Docker Container Registry with locally available copies of SAST [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images. - Docker Container Registry with locally available copies of SAST [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images.
...@@ -577,7 +550,6 @@ include: ...@@ -577,7 +550,6 @@ include:
variables: variables:
SECURE_ANALYZERS_PREFIX: "localhost:5000/analyzers" SECURE_ANALYZERS_PREFIX: "localhost:5000/analyzers"
SAST_DISABLE_DIND: "true"
``` ```
The SAST job should now use local copies of the SAST analyzers to scan your code and generate The SAST job should now use local copies of the SAST analyzers to scan your code and generate
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7