Edits to SAST intro

f9e6644f · Nick Gaskill · Achilleas Pipinellis · 492a658b · f9e6644f
Commit f9e6644f authored Mar 19, 2020 by Nick Gaskill Committed by Achilleas Pipinellis Mar 19, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 12 deletions

doc/user/application_security/sast/index.md doc/user/application_security/sast/index.md +16 -12

No files found.
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -17,10 +17,11 @@ to learn how to protect your organization.
 If you are using [GitLab CI/CD](../../../ci/README.md), you can analyze your source code for known
 vulnerabilities using Static Application Security Testing (SAST).

-You can take advantage of SAST by either [including the CI job](#configuration) in
-your existing `.gitlab-ci.yml` file or by implicitly using
-[Auto SAST](../../../topics/autodevops/index.md#auto-sast-ultimate)
-that is provided by [Auto DevOps](../../../topics/autodevops/index.md).
+You can take advantage of SAST by doing one of the following:
+
+- [Including the CI job](#configuration) in your existing `.gitlab-ci.yml` file.
+- Implicitly using [Auto SAST](../../../topics/autodevops/index.md#auto-sast-ultimate) provided by
+  [Auto DevOps](../../../topics/autodevops/index.md).

 GitLab checks the SAST report, compares the found vulnerabilities between the
 source and target branches, and shows the information right on the merge request.
@@ -91,12 +92,14 @@ The Java analyzers can also be used for variants like the

 ## Configuration

-For GitLab 11.9 and later, to enable SAST, you must
-[include](../../../ci/yaml/README.md#includetemplate) the
-[`SAST.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml)
-that's provided as a part of your GitLab installation.
-For GitLab versions earlier than 11.9, you can copy and use the job as defined
-that template.
+NOTE: **Note:**
+You don't have to configure SAST manually as shown in this section if you're using [Auto SAST](../../../topics/autodevops/index.md#auto-sast-ultimate)
+provided by [Auto DevOps](../../../topics/autodevops/index.md).
+
+For GitLab 11.9 and later, to enable SAST you must [include](../../../ci/yaml/README.md#includetemplate)
+the [`SAST.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml)
+that is provided as a part of your GitLab installation. For GitLab versions earlier than 11.9, you
+can copy and use the job as defined that template.

 Add the following to your `.gitlab-ci.yml` file:

@@ -448,8 +451,9 @@ the report JSON unless stated otherwise. Presence of optional fields depends on

 ## Secret detection

-GitLab is also able to detect secrets and credentials that have been unintentionally pushed to the repository.
-For example, an API key that allows write access to third-party deployment environments.
+GitLab is also able to detect secrets and credentials that have been unintentionally pushed to the
+repository (for example, an API key that allows write access to third-party deployment
+environments).

 This check is performed by a specific analyzer during the `sast` job. It runs regardless of the programming
 language of your app, and you don't need to change anything to your