Merge branch 'add-sast-docs-on-pinning-to-minor' into 'master'

docs: Update SAST docs describing pinning to minor versions See merge request gitlab-org/gitlab!63921

Merge branch 'add-sast-docs-on-pinning-to-minor' into 'master'
docs: Update SAST docs describing pinning to minor versions See merge request gitlab-org/gitlab!63921
3679385e · Russell Dickenson · d97b8395 · c3982b52 · 3679385e
Commit 3679385e authored Jun 13, 2021 by Russell Dickenson
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 0 deletions

doc/user/application_security/sast/index.md doc/user/application_security/sast/index.md +18 -0

No files found.
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -239,6 +239,24 @@ spotbugs-sast:
    FAIL_NEVER: 1
 ```

+#### Pinning to minor image version
+
+While our templates use `MAJOR` version pinning to always ensure the latest analyzer
+versions are pulled, there are certain cases where it can be beneficial to pin
+an analyzer to a specific release. To do so, override the `SAST_ANALYZER_IMAGE_TAG` CI/CD variable
+in the job template directly.
+
+In the example below, we are pinning to a specific patch version of the `spotbugs` analyzer:
+
+```yaml
+include:
+  - template: Security/SAST.gitlab-ci.yml
+
+spotbugs-sast:
+  variables:
+    SAST_ANALYZER_IMAGE_TAG: "2.28.1"
+```
+
 ### Customize rulesets **(ULTIMATE)**

 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/235382) in GitLab 13.5.