diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-03 00:09:04 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-03 00:09:04 +0000 |
commit | 94aee277313c742f9b54b329fd4043cde7a50915 (patch) | |
tree | bd681f193c1648cc02dfe08928041b81559eb9e8 /doc | |
parent | 6ddc820225c148a923a154ab6d6f0a8c791a089d (diff) | |
download | gitlab-ce-94aee277313c742f9b54b329fd4043cde7a50915.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
4 files changed, 41 insertions, 2 deletions
diff --git a/doc/user/application_security/dast/checks/319.1.md b/doc/user/application_security/dast/checks/319.1.md new file mode 100644 index 00000000000..7eed0104809 --- /dev/null +++ b/doc/user/application_security/dast/checks/319.1.md @@ -0,0 +1,37 @@ +--- +stage: Secure +group: Dynamic Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# Mixed Content + +## Description + +The target application was found to request resources over insecure transport protocols (HTTP). This is usually due to HTML +elements which load resources using the `http://` scheme instead of `https://`. It should be noted that most modern browsers +block these requests automatically so there is limited risk. + +Some parts of the application may not behave correctly since these files are not being properly loaded. + +## Remediation + +Ensure all HTML elements which load resources from a URL (JavaScript, stylesheets, images, video and other media) are set to +use the `https://` scheme instead of `http://`. Alternatively, developers may use the `//` scheme, which will only load resources +over the same protocol that the originating page was loaded. + +A browser visiting the website `https://example.com` with the HTML loading a file using +`<script src="//example.com/cdn/bundle.js"></script>`, would ensure the `example.com/cdn/bundle.js` file was loaded over +HTTPS. + +## Details + +| ID | Aggregated | CWE | Type | Risk | +|:---|:--------|:--------|:--------|:--------| +| 319.1 | true | 319 | Passive | Info | + +## Links + +- [OWASP](https://owasp.org/www-community/vulnerabilities/Insecure_Transport) +- [CWE](https://cwe.mitre.org/data/definitions/319.html) +- [MDN](https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content) diff --git a/doc/user/application_security/dast/checks/index.md b/doc/user/application_security/dast/checks/index.md index a710bffdcfe..a6ff3512f8e 100644 --- a/doc/user/application_security/dast/checks/index.md +++ b/doc/user/application_security/dast/checks/index.md @@ -19,6 +19,7 @@ The [DAST browser-based crawler](../browser_based.md) provides a number of vulne | [16.6](16.6.md) | AspNetMvc header exposes version information | Low | Passive | | [16.7](16.7.md) | Strict-Transport-Security header missing or invalid | Low | Passive | | [200.1](200.1.md) | Exposure of sensitive information to an unauthorized actor (private IP address) | Low | Passive | +| [319.1](319.1.md) | Mixed Content | Info | Passive | | [352.1](352.1.md) | Absence of anti-CSRF tokens | Medium | Passive | | [359.1](359.1.md) | Exposure of Private Personal Information (PII) to an unauthorized actor (credit card) | Medium | Passive | | [359.2](359.2.md) | Exposure of Private Personal Information (PII) to an unauthorized actor (United States social security number) | Medium | Passive | diff --git a/doc/user/application_security/secret_detection/index.md b/doc/user/application_security/secret_detection/index.md index 3937cbd77b6..034188c682a 100644 --- a/doc/user/application_security/secret_detection/index.md +++ b/doc/user/application_security/secret_detection/index.md @@ -197,7 +197,8 @@ Secret Detection can be customized by defining available CI/CD variables: |-----------------------------------|---------------|-------------| | `SECRET_DETECTION_EXCLUDED_PATHS` | "" | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories also match patterns. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225273) in GitLab 13.3. | | `SECRET_DETECTION_HISTORIC_SCAN` | false | Flag to enable a historic Gitleaks scan. | -| `SECRET_DETECTION_IMAGE_SUFFIX` | Suffix added to the image name. If set to `-fips`, `FIPS-enabled` images are used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/355519) in GitLab 14.10. | +| `SECRET_DETECTION_IMAGE_SUFFIX` | "" | Suffix added to the image name. If set to `-fips`, `FIPS-enabled` images are used for scan. See [FIPS-enabled images](#fips-enabled-images) for more details. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/355519) in GitLab 14.10. | +| `SECRET_DETECTION_LOG_OPTS` | "" | [`git log`](https://git-scm.com/docs/git-log) options used to define commit ranges. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350660) in GitLab 15.1.| In previous GitLab versions, the following variables were also available: diff --git a/doc/user/infrastructure/iac/terraform_state.md b/doc/user/infrastructure/iac/terraform_state.md index 0acb1acb66d..7abdbecf3d9 100644 --- a/doc/user/infrastructure/iac/terraform_state.md +++ b/doc/user/infrastructure/iac/terraform_state.md @@ -27,7 +27,7 @@ In GitLab, you can: For self-managed GitLab, before you can use GitLab for your Terraform state files: - An administrator must [set up Terraform state storage](../../../administration/terraform_state.md). -- You must enable [Operations](../../../operations/index.md) for your project. Go to **Settings > General**, +- You must enable the **Infrastructure** menu for your project. Go to **Settings > General**, expand **Visibility, project features, permissions**, and under **Operations**, turn on the toggle. ## Initialize a Terraform state as a backend by using GitLab CI/CD |