author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-08 18:09:16 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-04-08 18:09:16 +0000 |
commit | 80e9fdc9682cfbcfb9202a2733605a6a6bd23f05 (patch) | |
tree | 168375ea13d1a1f01d4cbcf6f0513fc9883e9477 /doc/user/application_security | |
parent | 5372e109c0660e4670aa987568a51082beca1b3c (diff) | |
download | gitlab-ce-80e9fdc9682cfbcfb9202a2733605a6a6bd23f05.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/user/application_security')
-rw-r--r-- | doc/user/application_security/dependency_scanning/index.md | 25 | ||||
-rw-r--r-- | doc/user/application_security/sast/index.md | 26 | ||||
-rw-r--r-- | doc/user/application_security/security_dashboard/index.md | 5 |
3 files changed, 38 insertions, 18 deletions
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index a178751da7d..7032ec8c75e 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md @@ -16,7 +16,7 @@ If you are using [GitLab CI/CD](../../../ci/README.md), you can analyze your dep vulnerabilities using Dependency Scanning. All dependencies are scanned, including the transitive dependencies (also known as nested dependencies). -You can take advantage of Dependency Scanning by either [including the CI job](#configuration) +You can take advantage of Dependency Scanning by either [including the Dependency Scanning template](#configuration) in your existing `.gitlab-ci.yml` file or by implicitly using [Auto Dependency Scanning](../../../topics/autodevops/stages.md#auto-dependency-scanning-ultimate) that is provided by [Auto DevOps](../../../topics/autodevops/index.md). 
@@ -137,19 +137,26 @@ using environment variables. The following variables allow configuration of global dependency scanning settings. +| Environment variable | Description | +| --------------------------------------- |------------ | +| `DS_ANALYZER_IMAGE_PREFIX` | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). | +| `DS_DEFAULT_ANALYZERS` | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). | +| `DS_DISABLE_DIND` | Disable Docker-in-Docker and run analyzers [individually](#disabling-docker-in-docker-for-dependency-scanning).| +| `ADDITIONAL_CA_CERT_BUNDLE` | Bundle of CA certs to trust. | +| `DS_EXCLUDED_PATHS` | Exclude vulnerabilities from output based on the paths. A comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. | + +#### Configuring Docker-in-Docker orchestrator + +The following variables configure the Docker-in-Docker orchestrator. + | Environment variable | Default | Description | | --------------------------------------- | ----------- | ----------- | | `DS_ANALYZER_IMAGES` | | Comma separated list of custom images. The official default images are still enabled. Read more about [customizing analyzers](analyzers.md). | -| `DS_ANALYZER_IMAGE_PREFIX` | | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). | | `DS_ANALYZER_IMAGE_TAG` | | Override the Docker tag of the official default images. Read more about [customizing analyzers](analyzers.md). | -| `DS_DEFAULT_ANALYZERS` | | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). 
| -| `DS_DISABLE_DIND` | | Disable Docker in Docker and run analyzers [individually](#disabling-docker-in-docker-for-dependency-scanning).| | `DS_PULL_ANALYZER_IMAGES` | | Pull the images from the Docker registry (set to `0` to disable). | -| `DS_EXCLUDED_PATHS` | | Exclude vulnerabilities from output based on the paths. A comma-separated list of patterns. Patterns can be globs, file or folder paths (for example, `doc,spec`). Parent directories will also match patterns. | | `DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT` | 2m | Time limit for Docker client negotiation. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, or `h`. For example, `300ms`, `1.5h`, or `2h45m`. | | `DS_PULL_ANALYZER_IMAGE_TIMEOUT` | 5m | Time limit when pulling an analyzer's image. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, or `h`. For example, `300ms`, `1.5h`, or `2h45m`. | | `DS_RUN_ANALYZER_TIMEOUT` | 20m | Time limit when running an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, or `h`. For example, `300ms`, `1.5h`, or `2h45m`. | -| `ADDITIONAL_CA_CERT_BUNDLE` | | Bundle of CA certs that you want to trust. | #### Configuring specific analyzers used by Dependency Scanning 
@@ -204,7 +211,11 @@ to start relevant analyzers depending on the detected repository language(s) ins are some differences in the way repository languages are detected between DIND and non-DIND. You can observe these differences by checking both Linguist and the common library. For instance, Linguist looks for `*.java` files to spin up the [gemnasium-maven](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven) -image, while orchestrator only looks for the existence of `pom.xml` or `build.gradle`. +image, while orchestrator only looks for the existence of `pom.xml` or `build.gradle`. GitLab uses +Linguist to detect new file types in the default branch. This means that when introducing files or +dependencies for a new language or package manager, the corresponding scans won't be triggered in +the MR and will only run on the default branch once the MR is merged. This will be addressed by +[#211702](https://gitlab.com/gitlab-org/gitlab/-/issues/211702). ## Interacting with the vulnerabilities diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 9cd2e9d4e62..3f172285014 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md @@ -18,7 +18,7 @@ vulnerabilities using Static Application Security Testing (SAST). You can take advantage of SAST by doing one of the following: -- [Including the CI job](#configuration) in your existing `.gitlab-ci.yml` file. +- [Including the SAST template](#configuration) in your existing `.gitlab-ci.yml` file. - Implicitly using [Auto SAST](../../../topics/autodevops/stages.md#auto-sast-ultimate) provided by [Auto DevOps](../../../topics/autodevops/index.md). 
@@ -193,7 +193,15 @@ are some differences in the way repository languages are detected between DIND a observe these differences by checking both Linguist and the common library. For instance, Linguist looks for `*.java` files to spin up the [spotbugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) image, while orchestrator only looks for the existence of `pom.xml`, `build.xml`, `gradlew`, -`grailsw`, or `mvnw`. +`grailsw`, or `mvnw`. GitLab uses Linguist to detect new file types in the default branch. This +means that when introducing files or dependencies for a new language or package manager, the +corresponding scans won't be triggered in the MR and will only run on the default branch once the +MR is merged. This will be addressed by [#211702](https://gitlab.com/gitlab-org/gitlab/-/issues/211702). + +NOTE: **Note:** +With the current language detection logic, any new languages or frameworks introduced within the +context of a merge request don't trigger a corresponding scan. These scans only occur once the code +is committed to the default branch. #### Enabling kubesec analyzer 
@@ -279,12 +287,10 @@ The following are Docker image-related variables. | Environment variable | Description | |------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `SAST_ANALYZER_IMAGES` | Comma separated list of custom images. Default images are still enabled. Read more about [customizing analyzers](analyzers.md). Not available when [Docker in Docker is disabled](#disabling-docker-in-docker-for-sast). | | `SAST_ANALYZER_IMAGE_PREFIX` | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md). | -| `SAST_ANALYZER_IMAGE_TAG` | Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md). | +| `SAST_ANALYZER_IMAGE_TAG` | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md). | | `SAST_DEFAULT_ANALYZERS` | Override the names of default images. Read more about [customizing analyzers](analyzers.md). | | `SAST_DISABLE_DIND` | Disable Docker in Docker and run analyzers [individually](#disabling-docker-in-docker-for-sast). | -| `SAST_PULL_ANALYZER_IMAGES` | Pull the images from the Docker registry (set to 0 to disable). Read more about [customizing analyzers](analyzers.md). Not available when [Docker in Docker is disabled](#disabling-docker-in-docker-for-sast). | #### Vulnerability filters 
@@ -302,12 +308,14 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre | `SAST_GITLEAKS_COMMIT_TO` | - | The commit a gitleaks scan ends at. | | `SAST_GITLEAKS_HISTORIC_SCAN` | false | Flag to enable a historic gitleaks scan. | -#### Timeouts +#### Docker-in-Docker orchestrator -The following variables configure timeouts. +The following variables configure the Docker-in-Docker orchestrator. -| Environment variable | Default value | Description | -|----------------------|---------------|-------------| +| Environment variable | Default value | Description | +|------------------------------------------|---------------|-------------| +| `SAST_ANALYZER_IMAGES` | | Comma-separated list of custom images. Default images are still enabled. Read more about [customizing analyzers](analyzers.md). Not available when [Docker-in-Docker is disabled](#disabling-docker-in-docker-for-sast). | +| `SAST_PULL_ANALYZER_IMAGES` | 1 | Pull the images from the Docker registry (set to 0 to disable). Read more about [customizing analyzers](analyzers.md). Not available when [Docker-in-Docker is disabled](#disabling-docker-in-docker-for-sast). | | `SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT` | 2m | Time limit for Docker client negotiation. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". For example, "300ms", "1.5h" or "2h45m". | | `SAST_PULL_ANALYZER_IMAGE_TIMEOUT` | 5m | Time limit when pulling the image of an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". For example, "300ms", "1.5h" or "2h45m". | | `SAST_RUN_ANALYZER_TIMEOUT` | 20m | Time limit when running an analyzer. Timeouts are parsed using Go's [`ParseDuration`](https://golang.org/pkg/time/#ParseDuration). Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
For example, "300ms", "1.5h" or "2h45m".| diff --git a/doc/user/application_security/security_dashboard/index.md b/doc/user/application_security/security_dashboard/index.md index 93a325e6777..1eef6b9b696 100644 --- a/doc/user/application_security/security_dashboard/index.md +++ b/doc/user/application_security/security_dashboard/index.md @@ -49,7 +49,7 @@ Visit the page for any pipeline which has run any of the [supported reports](#su > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/6165) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 11.1. At the project level, the Security Dashboard displays the latest security reports -for your project. Use it to find and fix vulnerabilities affecting the +for your project from the last successful pipeline. Use it to find and fix vulnerabilities affecting the [default branch](../../project/repository/branches/index.md#default-branch). ![Project Security Dashboard](img/project_security_dashboard_v12_3.png) @@ -74,7 +74,8 @@ Once you're on the dashboard, at the top you should see a series of filters for: To the right of the filters, you should see a **Hide dismissed** toggle button. NOTE: **Note:** -The dashboard only shows projects with [security reports](#supported-reports) enabled in a group. +The dashboard only shows projects with [security reports](#supported-reports) enabled in a group +according to the last successful projects' pipelines. ![dashboard with action buttons and metrics](img/group_security_dashboard_v12_6.png) |
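Review bot: In doc/user/application_security/dependency_scanning/index.md, hunk @@ -137,19 +137,26, the orchestrator table is out of step with the SAST table changed in this same commit. `DS_ANALYZER_IMAGE_TAG` carries no deprecation marker while `SAST_ANALYZER_IMAGE_TAG` gains **DEPRECATED:**, and `DS_PULL_ANALYZER_IMAGES` keeps an empty Default cell while `SAST_PULL_ANALYZER_IMAGES` is given 1. If the variables behave the same, align the rows; if they differ, say so in the description. The `DS_ANALYZER_IMAGES` row also still reads "Comma separated" and lacks the "Not available when Docker-in-Docker is disabled" qualifier that the SAST row has, so a reader who sets `DS_DISABLE_DIND` cannot tell from this table whether custom images still apply.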
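Review bot: In doc/user/application_security/dependency_scanning/index.md, hunk @@ -204,7 +211,11, the added sentences describe a scan coverage gap (files for a new language or package manager are not scanned in the MR, only on the default branch after merge) but are appended to the end of a paragraph about DIND versus non-DIND detection, where they are easy to miss. sast/index.md gets a separate NOTE block for the same behaviour in this commit; suggest adding the same NOTE here, or moving these sentences into their own paragraph, so that someone relying on MR scan results sees the limitation.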
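Review bot: In doc/user/application_security/sast/index.md, hunk @@ -193,7 +193,15, the sentences appended after "`grailsw`, or `mvnw`." and the new NOTE block say the same thing twice in adjacent paragraphs. Suggest keeping only the NOTE and moving the link to #211702 into it, since the NOTE as written drops the issue reference and the word "current" gives no way to check whether the limitation still applies.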
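Review bot: In doc/user/application_security/sast/index.md, hunk @@ -279,12 +287,10, the `SAST_ANALYZER_IMAGE_TAG` row is marked **DEPRECATED:** without naming a replacement or the release in which it was deprecated, so a reader pinning analyzer versions has no documented alternative. Please add both. The unchanged `SAST_DISABLE_DIND` row in the same table still says "Docker in Docker" while the rest of this commit moves to "Docker-in-Docker"; worth updating in the same pass.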
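Review bot: In doc/user/application_security/sast/index.md, hunk @@ -302,12 +308,14, renaming the heading from "Timeouts" to "Docker-in-Docker orchestrator" changes the generated anchor, so any existing link to `#timeouts` on this page will break; please check for inbound links. The heading also differs from the one added in dependency_scanning/index.md ("Configuring Docker-in-Docker orchestrator"), and the timeout rows here quote units as "ns", "us" while the dependency scanning table uses backticks. Suggest using one heading and one style in both files.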
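Review bot: In doc/user/application_security/security_dashboard/index.md, hunk @@ -49,7 +49,7, "from the last successful pipeline" does not say which branch that pipeline ran on, while the next sentence speaks of vulnerabilities affecting the default branch. If the dashboard reads the last successful pipeline on the default branch, say so explicitly. It would also help to state what a reader should expect when the most recent pipeline failed, since the page then shows results from an older run.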
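Review bot: In doc/user/application_security/security_dashboard/index.md, hunk @@ -74,7 +74,8, the added line "according to the last successful projects' pipelines." is ambiguous: the possessive and word order make it unclear whether "last successful" applies to the projects or to the pipelines. Suggest "based on each project's last successful pipeline."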