summaryrefslogtreecommitdiff
path: root/doc/development/integrations/secure.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/development/integrations/secure.md')
-rw-r--r--doc/development/integrations/secure.md34
1 files changed, 17 insertions, 17 deletions
diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md
index 1d5aced5869..fda75dad119 100644
--- a/doc/development/integrations/secure.md
+++ b/doc/development/integrations/secure.md
@@ -89,7 +89,7 @@ it's declared under the `reports:sast` key in the job definition, not because of
### Policies
Certain GitLab workflows, such as [AutoDevOps](../../topics/autodevops/customize.md#disable-jobs),
-define variables to indicate that given scans should be disabled. You can check for this by looking
+define CI/CD variables to indicate that given scans should be disabled. You can check for this by looking
for variables such as `DEPENDENCY_SCANNING_DISABLED`, `CONTAINER_SCANNING_DISABLED`,
`SAST_DISABLED`, and `DAST_DISABLED`. If appropriate based on the scanner type, you should then
disable running the custom scanner.
@@ -97,7 +97,7 @@ disable running the custom scanner.
GitLab also defines a `CI_PROJECT_REPOSITORY_LANGUAGES` variable, which provides the list of
languages in the repository. Depending on this value, your scanner may or may not do something different.
Language detection currently relies on the [`linguist`](https://github.com/github/linguist) Ruby gem.
-See [GitLab CI/CD predefined variables](../../ci/variables/predefined_variables.md).
+See the [predefined CI/CD variables](../../ci/variables/predefined_variables.md).
#### Policy checking example
@@ -170,23 +170,23 @@ It also generates text output on the standard output and standard error streams,
### Variables
-All CI variables are passed to the scanner as environment variables.
-The scanned project is described by the [predefined CI variables](../../ci/variables/README.md).
+All CI/CD variables are passed to the scanner as environment variables.
+The scanned project is described by the [predefined CI/CD variables](../../ci/variables/README.md).
#### SAST and Dependency Scanning
-SAST and Dependency Scanning scanners must scan the files in the project directory, given by the `CI_PROJECT_DIR` variable.
+SAST and Dependency Scanning scanners must scan the files in the project directory, given by the `CI_PROJECT_DIR` CI/CD variable.
#### Container Scanning
In order to be consistent with the official Container Scanning for GitLab,
scanners must scan the Docker image whose name and tag are given by
`CI_APPLICATION_REPOSITORY` and `CI_APPLICATION_TAG`, respectively. If the `DOCKER_IMAGE`
-variable is provided, then the `CI_APPLICATION_REPOSITORY` and `CI_APPLICATION_TAG` variables
+CI/CD variable is provided, then the `CI_APPLICATION_REPOSITORY` and `CI_APPLICATION_TAG` variables
are ignored, and the image specified in the `DOCKER_IMAGE` variable is scanned instead.
If not provided, `CI_APPLICATION_REPOSITORY` should default to
-`$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG`, which is a combination of predefined CI variables.
+`$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG`, which is a combination of predefined CI/CD variables.
`CI_APPLICATION_TAG` should default to `CI_COMMIT_SHA`.
The scanner should sign in the Docker registry
@@ -197,13 +197,13 @@ If these are not defined, then the scanner should use
#### Configuration files
While scanners may use `CI_PROJECT_DIR` to load specific configuration files,
-it is recommended to expose configuration as environment variables, not files.
+it is recommended to expose configuration as CI/CD variables, not files.
### Output file
-Like any artifact uploaded to the GitLab CI/CD,
+Like any artifact uploaded to GitLab CI/CD,
the Secure report generated by the scanner must be written in the project directory,
-given by the `CI_PROJECT_DIR` environment variable.
+given by the `CI_PROJECT_DIR` CI/CD variable.
It is recommended to name the output file after the type of scanning, and to use `gl-` as a prefix.
Since all Secure reports are JSON files, it is recommended to use `.json` as a file extension.
@@ -242,7 +242,7 @@ Also, we recommend prefixing error messages with `[ERRO]`, warnings with `[WARN]
#### Logging level
The scanner should filter out a log message if its log level is lower than the
-one set in the `SECURE_LOG_LEVEL` variable. For instance, `info` and `warn`
+one set in the `SECURE_LOG_LEVEL` CI/CD variable. For instance, `info` and `warn`
messages should be skipped when `SECURE_LOG_LEVEL` is set to `error`. Accepted
values are as follows, listed from highest to lowest:
@@ -263,14 +263,14 @@ and what `bundle audit` writes to the standard output.
If the command line fails, then it should be logged with the `error` log level;
this makes it possible to debug the problem without having to change the log level to `debug` and rerun the scanning job.
-#### common logutil package
+#### common `logutil` package
If you are using [go](https://golang.org/) and
[common](https://gitlab.com/gitlab-org/security-products/analyzers/common),
-then it is suggested that you use [logrus](https://github.com/Sirupsen/logrus)
-and [common's logutil package](https://gitlab.com/gitlab-org/security-products/analyzers/common/-/tree/master/logutil)
-to configure the formatter for [logrus](https://github.com/Sirupsen/logrus).
-See the [logutil README.md](https://gitlab.com/gitlab-org/security-products/analyzers/common/-/tree/master/logutil/README.md)
+then it is suggested that you use [Logrus](https://github.com/Sirupsen/logrus)
+and [common's `logutil` package](https://gitlab.com/gitlab-org/security-products/analyzers/common/-/tree/master/logutil)
+to configure the formatter for [Logrus](https://github.com/Sirupsen/logrus).
+See the [`logutil` README](https://gitlab.com/gitlab-org/security-products/analyzers/common/-/tree/master/logutil/README.md)
## Report
@@ -548,7 +548,7 @@ of the available SAST Analyzers and what data is currently available.
The `remediations` field of the report is an array of remediation objects.
Each remediation describes a patch that can be applied to
-[automatically fix](../../user/application_security/#automatic-remediation-for-vulnerabilities)
+[automatically fix](../../user/application_security/#apply-an-automatic-remediation-for-a-vulnerability)
a set of vulnerabilities.
Here is an example of a report that contains remediations.