author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-18 11:18:50 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-18 11:18:50 +0000 |
commit | 8c7f4e9d5f36cff46365a7f8c4b9c21578c1e781 (patch) | |
tree | a77e7fe7a93de11213032ed4ab1f33a3db51b738 /doc/development/integrations | |
parent | 00b35af3db1abfe813a778f643dad221aad51fca (diff) | |
download | gitlab-ce-8c7f4e9d5f36cff46365a7f8c4b9c21578c1e781.tar.gz |
Add latest changes from gitlab-org/gitlab@13-1-stable-ee
Diffstat (limited to 'doc/development/integrations')
-rw-r--r-- | doc/development/integrations/jenkins.md | 2 | ||||
-rw-r--r-- | doc/development/integrations/secure.md | 38 | ||||
-rw-r--r-- | doc/development/integrations/secure_partner_integration.md | 14 |
3 files changed, 39 insertions, 15 deletions
diff --git a/doc/development/integrations/jenkins.md b/doc/development/integrations/jenkins.md index 001d1c21fd3..f2bc6532dde 100644 --- a/doc/development/integrations/jenkins.md +++ b/doc/development/integrations/jenkins.md @@ -1,6 +1,6 @@ # How to run Jenkins in development environment (on macOS) **(STARTER)** -This is a step by step guide on how to set up [Jenkins](https://jenkins.io/) on your local machine and connect to it from your GitLab instance. GitLab triggers webhooks on Jenkins, and Jenkins connects to GitLab using the API. By running both applications on the same machine, we can make sure they are able to access each other. +This is a step by step guide on how to set up [Jenkins](https://www.jenkins.io/) on your local machine and connect to it from your GitLab instance. GitLab triggers webhooks on Jenkins, and Jenkins connects to GitLab using the API. By running both applications on the same machine, we can make sure they are able to access each other. ## Install Jenkins diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md index b0e1e28ba8b..1737daae0e0 100644 --- a/doc/development/integrations/secure.md +++ b/doc/development/integrations/secure.md @@ -15,7 +15,7 @@ scanner, as well as requirements and guidelines for the Docker image. ## Job definition -This section desribes several important fields to add to the security scanner's job +This section describes several important fields to add to the security scanner's job definition file. Full documentation on these and other available fields can be viewed in the [CI documentation](../../ci/yaml/README.md#image). @@ -69,7 +69,7 @@ For example, here is the definition of a SAST job that generates a file named `g and uploads it as a SAST report: ```yaml -mysec_sast_scanning: +mysec_sast: image: registry.gitlab.com/secure/mysec artifacts: reports: 
@@ -89,9 +89,9 @@ for variables such as `DEPENDENCY_SCANNING_DISABLED`, `CONTAINER_SCANNING_DISABL disable running the custom scanner. GitLab also defines a `CI_PROJECT_REPOSITORY_LANGUAGES` variable, which provides the list of -languages in the repo. Depending on this value, your scanner may or may not do something different. +languages in the repository. Depending on this value, your scanner may or may not do something different. Language detection currently relies on the [`linguist`](https://github.com/github/linguist) Ruby gem. -See [GitLab CI/CD prefined variables](../../ci/variables/predefined_variables.md#variables-reference). +See [GitLab CI/CD predefined variables](../../ci/variables/predefined_variables.md). #### Policy checking example @@ -124,9 +124,9 @@ regardless of the individual machine the scanner runs on. Depending on the CI infrastructure, the CI may have to fetch the Docker image every time the job runs. -To make the scanning job run fast, and to avoid wasting bandwidth, -it is important to make Docker images as small as possible, -ideally smaller than 50 MB. +For the scanning job to run fast and avoid wasting bandwidth, Docker images should be as small as +possible. You should aim for 50MB or smaller. If that isn't possible, try to keep it below 1.46 GB, +which is the size of a CD-ROM. If the scanner requires a fully functional Linux environment, it is recommended to use a [Debian](https://www.debian.org/intro/about) "slim" distribution or [Alpine Linux](https://www.alpinelinux.org/). 
@@ -135,11 +135,27 @@ and to compile the scanner with all the libraries it needs. [Multi-stage builds](https://docs.docker.com/develop/develop-images/multistage-build/) might also help with keeping the image small. +To keep an image size small, consider using [dive](https://github.com/wagoodman/dive#dive) to analyze layers in a Docker image to +identify where additional bloat might be originating from. + +In some cases, it might be difficult to remove files from an image. When this occurs, consider using +[Zstandard](https://github.com/facebook/zstd) +to compress files or large directories. Zstandard offers many different compression levels that can +decrease the size of your image with very little impact to decompression speed. It may be helpful to +automatically decompress any compressed directories as soon as an image launches. You can accomplish +this by adding a step to the Docker image's `/etc/bashrc` or to a specific user's `$HOME/.bashrc`. +Remember to change the entry point to launch a bash login shell if you chose the latter option. + +Here are some examples to get you started: + +- <https://gitlab.com/gitlab-org/security-products/license-management/-/blob/0b976fcffe0a9b8e80587adb076bcdf279c9331c/config/install.sh#L168-170> +- <https://gitlab.com/gitlab-org/security-products/license-management/-/blob/0b976fcffe0a9b8e80587adb076bcdf279c9331c/config/.bashrc#L49> + ### Image tag As documented in the [Docker Official Images](https://github.com/docker-library/official-images#tags-and-aliases) project, it is strongly encouraged that version number tags be given aliases which allows the user to easily refer to the "most recent" release of a particular series. -See also [Docker Tagging: Best practices for tagging and versioning docker images](https://docs.microsoft.com/en-us/archive/blogs/stevelasker/docker-tagging-best-practices-for-tagging-and-versioning-docker-images). 
+See also [Docker Tagging: Best practices for tagging and versioning Docker images](https://docs.microsoft.com/en-us/archive/blogs/stevelasker/docker-tagging-best-practices-for-tagging-and-versioning-docker-images). ## Command line @@ -448,7 +464,7 @@ Right now, GitLab cannot track a vulnerability if its location changes as new Git commits are pushed, and this results in user feedback being lost. For instance, user feedback on a SAST vulnerability is lost if the affected file is renamed or the affected line moves down. -This is addressed in [issue #7586](https://gitlab.com/gitlab-org/gitlab/issues/7586). +This is addressed in [issue #7586](https://gitlab.com/gitlab-org/gitlab/-/issues/7586). In some cases, the multiple scans executed in the same CI pipeline result in duplicates that are automatically merged using the vulnerability location and identifiers. @@ -470,6 +486,10 @@ The confidence ranges from `Low` to `Confirmed`, but it can also be `Unknown`, `Experimental` or even `Ignore` if the vulnerability is to be ignored. Valid values are: `Ignore`, `Unknown`, `Experimental`, `Low`, `Medium`, `High`, or `Confirmed` +`Unknown` values means that data is unavailable to determine it's actual value. Therefore, it may be `high`, `medium`, or `low`, +and needs to be investigated. We have [provided a chart](../../user/application_security/sast/analyzers.md#analyzers-data) +of the available SAST Analyzers and what data is currently available. + ### Remediations The `remediations` field of the report is an array of remediation objects. diff --git a/doc/development/integrations/secure_partner_integration.md b/doc/development/integrations/secure_partner_integration.md index 59336b0e6a1..22e1f8bf769 100644 --- a/doc/development/integrations/secure_partner_integration.md +++ b/doc/development/integrations/secure_partner_integration.md 
@@ -28,7 +28,7 @@ best place to integrate your own product and its results into GitLab. implications for app security, corporate policy, or compliance. When complete, the job reports back on its status and creates a [job artifact](../../user/project/pipelines/job_artifacts.md) as a result. -- The [Merge Request Security Widget](../../user/project/merge_requests/index.md#security-reports-ultimate) +- The [Merge Request Security Widget](../../user/project/merge_requests/testing_and_reports_in_merge_requests.md#security-reports-ultimate) displays the results of the pipeline's security checks and the developer can review them. The developer can review both a summary and a detailed version of the results. @@ -54,10 +54,10 @@ best place to integrate your own product and its results into GitLab. ## How to onboard This section describes the steps you need to complete to onboard as a partner -and complete an intgration with the Secure stage. +and complete an integration with the Secure stage. 1. Read about our [partnerships](https://about.gitlab.com/partners/integrate/). -1. [Create an issue](https://gitlab.com/gitlab-com/alliances/alliances/issues/new?issuable_template=new_partner) +1. [Create an issue](https://gitlab.com/gitlab-com/alliances/alliances/-/issues/new?issuable_template=new_partner) using our new partner issue template to begin the discussion. 1. Get a test account to begin developing your integration. You can request a [GitLab.com Gold Subscription Sandbox](https://about.gitlab.com/partners/integrate/#gitlabcom-gold-subscription-sandbox-request) 
@@ -76,10 +76,10 @@ and complete an intgration with the Secure stage. - Documentation for [Dependency Scanning reports](../../user/application_security/dependency_scanning/index.md#reports-json-format). - Documentation for [Container Scanning reports](../../user/application_security/container_scanning/index.md#reports-json-format). - See this [example secure job definition that also defines the artifact created](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml). - - If you need a new kind of scan or report, [create an issue](https://gitlab.com/gitlab-org/gitlab/issues/new#) + - If you need a new kind of scan or report, [create an issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new#) and add the label `devops::secure`. - Once the job is completed, the data can be seen: - - In the [Merge Request Security Report](../../user/project/merge_requests/index.md#security-reports-ultimate) ([MR Security Report data flow](https://gitlab.com/snippets/1910005#merge-request-view)). + - In the [Merge Request Security Report](../../user/project/merge_requests/testing_and_reports_in_merge_requests.md#security-reports-ultimate) ([MR Security Report data flow](https://gitlab.com/snippets/1910005#merge-request-view)). - While [browsing a Job Artifact](../../user/project/pipelines/job_artifacts.md). - In the [Security Dashboard](../../user/application_security/security_dashboard/index.md) ([Dashboard data flow](https://gitlab.com/snippets/1910005#project-and-group-dashboards)). 1. Optional: Provide a way to interact with results as Vulnerabilities: 
@@ -99,5 +99,9 @@ and complete an intgration with the Secure stage. doing an [Unfiltered blog post](https://about.gitlab.com/handbook/marketing/blog/unfiltered/), doing a co-branded webinar, or producing a co-branded whitepaper. +We have a [video playlist](https://www.youtube.com/playlist?list=PL05JrBw4t0KpMqYxJiOLz-uBIr5w-yP4A) +that may be helpful as part of this process. This covers various topics related to integrating your +tool. + If you have any issues while working through your integration or the steps above, please create an issue to discuss with us further. |
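Review bot: on the `secure.md` hunk at `@@ -69,7 +69,7 @@`, renaming the example job from `mysec_sast_scanning` to `mysec_sast` is fine, but the hunk shows only this one occurrence; check the rest of `secure.md` for any remaining references to the old job name so the worked example stays consistent end to end.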
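Review bot: on the `secure.md` hunk at `@@ -89,9 +89,9 @@`, dropping the `#variables-reference` anchor from the predefined-variables link sends readers to the top of a long page instead of the table they need; if that section was renamed rather than removed, link to its new anchor instead of removing the fragment.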
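Review bot: on the `secure.md` hunk at `@@ -124,9 +124,9 @@`, the CD-ROM comparison is wrong: a CD-ROM holds roughly 650 to 700 MB, not 1.46 GB, so "try to keep it below 1.46 GB, which is the size of a CD-ROM" misleads readers and gives no real justification for the ceiling. Either state the actual constraint the 1.46 GB figure comes from (a registry or runner limit, for example) or drop the comparison and keep the concrete target "You should aim for 50 MB or smaller." Also make the number/unit spacing consistent: the same sentence has "50MB" and "1.46 GB".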
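Review bot: on the `secure.md` hunk at `@@ -135,11 +135,27 @@`, the auto-decompression advice points readers at shell-init files that do not behave as described. `/etc/bashrc` is the Red Hat/Fedora path; Debian, which this same document recommends as the base image a few lines earlier, uses `/etc/bash.bashrc`, and Alpine's default shell is BusyBox ash, which reads neither. Bash reads `~/.bashrc` for interactive non-login shells, while a login shell (`bash -l`) reads `~/.bash_profile`, `~/.bash_login` or `~/.profile` and only reaches `~/.bashrc` if one of those sources it, so "change the entry point to launch a bash login shell" does not guarantee the step runs. A scanner job runs non-interactively through the image entrypoint, so the decompression belongs in an explicit `ENTRYPOINT` script, where it runs deterministically every time and is visible to anyone auditing the image, rather than in a shell rc file. Suggest recommending the entrypoint approach and, if the rc-file option is kept, naming the correct per-distribution paths; the pinned-commit example links at the end of the hunk are good and should stay.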
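Review bot: on the `secure.md` hunk at `@@ -470,6 +486,10 @@`, the added paragraph has grammar and case problems. "`Unknown` values means that data is unavailable to determine it's actual value" should read "`Unknown` means that data is unavailable to determine its actual value", and the lowercase `high`, `medium`, `low` should match the valid values listed immediately above (`High`, `Medium`, `Low`), since the report field is compared against those literal strings. "and needs to be investigated" is clearer as "so the finding needs manual investigation".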
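Review bot: on the `secure_partner_integration.md` hunk at `@@ -76,10 +76,10 @@`, the rewritten "create an issue" link keeps a dangling `#` with no fragment at the end of the URL (`/-/issues/new#`); drop the trailing `#` while the link is being touched.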