@@ -219,8 +218,7 @@ To use container scanning in an offline environment, you need:
...
@@ -219,8 +218,7 @@ To use container scanning in an offline environment, you need:
- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
- GitLab Runner with the [`docker` or `kubernetes` executor](#requirements).
- To configure a local Docker container registry with copies of the container scanning [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/klar) images, found in the [container scanning container registry](https://gitlab.com/gitlab-org/security-products/analyzers/klar/container_registry).
- To configure a local Docker container registry with copies of the container scanning [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/klar) images, found in the [container scanning container registry](https://gitlab.com/gitlab-org/security-products/analyzers/klar/container_registry).
NOTE: **Note:**
Note that GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner tries to pull Docker images from the GitLab container registry even if a local
meaning the runner tries to pull Docker images from the GitLab container registry even if a local
copy is available. The GitLab Runner [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
copy is available. The GitLab Runner [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
in an offline environment if you prefer using only locally available Docker images. However, we
in an offline environment if you prefer using only locally available Docker images. However, we
[exit code](../../../development/integrations/secure.md#exit-code) on failure.
## Use cases
## Use cases
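Review bot: the rewrite drops the leading "Note that" from "GitLab Runner has a default `pull policy` of `always`", but the visible hunk ends mid-sentence at "However, we", and the next line ("[exit code](...) on failure.") does not continue it; confirm the remainder of that sentence (the recommendation that follows "However, we") is intact in the new text. The two bullets above the note are unchanged context.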
...
@@ -206,8 +204,8 @@ variables:
...
@@ -206,8 +204,8 @@ variables:
DAST_FULL_SCAN_ENABLED:"true"
DAST_FULL_SCAN_ENABLED:"true"
```
```
NOTE: **Note:**
If your DAST job exceeds the job timeout and you need to reduce the scan duration, we shared some
If your DAST job exceeds the job timeout and you need to reduce the scan duration, we shared some tips for optimizing DAST scans in a [blog post](https://about.gitlab.com/blog/2020/08/31/how-to-configure-dast-full-scans-for-complex-web-applications/).
tips for optimizing DAST scans in a [blog post](https://about.gitlab.com/blog/2020/08/31/how-to-configure-dast-full-scans-for-complex-web-applications/).
#### Domain validation
#### Domain validation
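Review bot: the note is collapsed onto a single line of roughly 250 characters while the rest of this file wraps at about 100 columns; keep the wrap so later diffs stay readable. In the context above, `DAST_FULL_SCAN_ENABLED:"true"` as shown has no space after the colon; verify the file reads `DAST_FULL_SCAN_ENABLED: "true"`, since a YAML mapping needs the space.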
...
@@ -398,11 +396,9 @@ variables:
...
@@ -398,11 +396,9 @@ variables:
DAST_API_HOST_OVERRIDE:api-test.host.com
DAST_API_HOST_OVERRIDE:api-test.host.com
```
```
NOTE: **Note:**
Note that using a host override is ONLY supported when importing the API specification from a URL.
Using a host override is ONLY supported when importing the API
It doesn't work and is ignored when importing the specification from a file. This is due to a
specification from a URL. It does not work and will be ignored when importing
limitation in the ZAP OpenAPI extension.
the specification from a file. This is due to a limitation in the ZAP OpenAPI
extension.
#### Authentication using headers
#### Authentication using headers
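Review bot: the new wording goes from "It doesn't work and is ignored" to "It does not work and will be ignored", which runs against the contraction and present-tense direction taken elsewhere in this change (the pipeline note later goes from "will not show" to "doesn't show"); keep "doesn't" and "is ignored". The all-caps "ONLY" survives both versions; plain "only" is enough, and the sentence would be more useful if it told the reader what to do, e.g. "import the specification from a URL if you need a host override".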
...
@@ -427,7 +423,8 @@ A URL scan allows you to specify which parts of a website are scanned by DAST.
...
@@ -427,7 +423,8 @@ A URL scan allows you to specify which parts of a website are scanned by DAST.
#### Define the URLs to scan
#### Define the URLs to scan
To specify the paths to be scanned, add a comma-separated list of the paths to the `DAST_PATHS` environment variable. Note that you can only scan paths of a single host.
To specify the paths to scan, add a comma-separated list of the paths to the `DAST_PATHS`
environment variable. Note that you can only scan paths of a single host.
- The `DAST_PATHS` environment variable has a limit of about 130kb. If you have a list or paths greater than this it is recommended creating multiple DAST jobs and split the paths over each.
- The `DAST_PATHS` environment variable has a limit of about 130kb. If you have a list or paths
greater than this, you should create multiple DAST jobs and split the paths over each job.
- The `DAST_AUTH_EXCLUDE_URLS` environment variable is ignored when `DAST_PATHS` is set.
- The `DAST_AUTH_EXCLUDE_URLS` environment variable is ignored when `DAST_PATHS` is set.
#### Full Scan
#### Full Scan
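Review bot: "If you have a list or paths greater than this" is a typo for "a list of paths" that survives the rewrite; fix it while touching the line. "130kb" should be "130 KB", since "kb" reads as kilobits. The first paragraph still opens a sentence with "Note that you can only scan paths of a single host", the phrasing this change removes everywhere else; "You can only scan paths of a single host." is enough.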
...
@@ -592,8 +590,7 @@ To use DAST in an offline environment, you need:
...
@@ -592,8 +590,7 @@ To use DAST in an offline environment, you need:
[container image](https://gitlab.com/gitlab-org/security-products/dast), found in the
[container image](https://gitlab.com/gitlab-org/security-products/dast), found in the
Note that GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner tries to pull Docker images from the GitLab container registry even if a local
meaning the runner tries to pull Docker images from the GitLab container registry even if a local
copy is available. The GitLab Runner [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
copy is available. The GitLab Runner [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
in an offline environment if you prefer using only locally available Docker images. However, we
in an offline environment if you prefer using only locally available Docker images. However, we
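Review bot: this paragraph is word for word the one in the container scanning hunk above and the dependency scanning and SAST hunks below, and all four receive the same "Note that" removal; diff the four copies against each other before merging so they stay identical. As in the first hunk, the visible text stops at "However, we"; check that the continuation was carried over.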
...
@@ -730,7 +727,8 @@ An on-demand DAST scan:
...
@@ -730,7 +727,8 @@ An on-demand DAST scan:
NOTE: **Note:**
NOTE: **Note:**
You must have permission to run an on-demand DAST scan against a protected branch.
You must have permission to run an on-demand DAST scan against a protected branch.
The default branch is automatically protected. For more details, see [Pipeline security on protected branches](../../../ci/pipelines/index.md#pipeline-security-on-protected-branches).
The default branch is automatically protected. For more information, see
[Pipeline security on protected branches](../../../ci/pipelines/index.md#pipeline-security-on-protected-branches).
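Review bot: "You must have permission to run an on-demand DAST scan against a protected branch" names no permission or role; the linked page covers pipeline rules on protected branches, but the note would be more useful if it stated the minimum role required or pointed at the exact rule. The "For more details" to "For more information" change and the rewrap are fine.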
@@ -361,8 +361,7 @@ Here are the requirements for using dependency scanning in an offline environmen
...
@@ -361,8 +361,7 @@ Here are the requirements for using dependency scanning in an offline environmen
- _Only if scanning Ruby projects_: Host an offline Git copy of the [advisory database](https://github.com/rubysec/ruby-advisory-db).
- _Only if scanning Ruby projects_: Host an offline Git copy of the [advisory database](https://github.com/rubysec/ruby-advisory-db).
- _Only if scanning npm/yarn projects_: Host an offline copy of the [retire.js](https://github.com/RetireJS/retire.js/)[node](https://github.com/RetireJS/retire.js/blob/master/repository/npmrepository.json) and [js](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json) advisory databases.
- _Only if scanning npm/yarn projects_: Host an offline copy of the [retire.js](https://github.com/RetireJS/retire.js/)[node](https://github.com/RetireJS/retire.js/blob/master/repository/npmrepository.json) and [js](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json) advisory databases.
NOTE: **Note:**
Note that GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner tries to pull Docker images from the GitLab container registry even if a local
meaning the runner tries to pull Docker images from the GitLab container registry even if a local
copy is available. The GitLab Runner [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
copy is available. The GitLab Runner [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
in an offline environment if you prefer using only locally available Docker images. However, we
in an offline environment if you prefer using only locally available Docker images. However, we
The whitepaper ["A Seismic Shift in Application Security"](https://about.gitlab.com/resources/whitepaper-seismic-shift-application-security/)
The whitepaper ["A Seismic Shift in Application Security"](https://about.gitlab.com/resources/whitepaper-seismic-shift-application-security/)
explains how **4 of the top 6 attacks were application based**. Download it
explains how 4 of the top 6 attacks were application based. Download it to learn how to protect your
to learn how to protect your organization.
organization.
If you're using [GitLab CI/CD](../../../ci/README.md), you can analyze your source code for known
If you're using [GitLab CI/CD](../../../ci/README.md), you can analyze your source code for known
vulnerabilities using Static Application Security Testing (SAST). GitLab checks the SAST report and
vulnerabilities using Static Application Security Testing (SAST). GitLab checks the SAST report and
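Review bot: "[retire.js](...)[node](...)" has no space between the two links and renders as "retire.jsnode"; the line is unchanged context here, but fix it in the same change ("the [retire.js](...) [node](...) and [js](...) advisory databases"). Dropping the bold from "4 of the top 6 attacks were application based" is reasonable; the two rewrapped lines match the 100-column wrap used in the rest of the file.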
...
@@ -31,8 +31,10 @@ The results are sorted by the priority of the vulnerability:
...
@@ -31,8 +31,10 @@ The results are sorted by the priority of the vulnerability:
1. Unknown
1. Unknown
1. Everything else
1. Everything else
NOTE: **Note:**
A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish
A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish for any reason, the security dashboard doesn't show SAST scanner output. For example, if the SAST job finishes but the DAST job fails, the security dashboard doesn't show SAST results. The analyzer outputs an [exit code](../../../development/integrations/secure.md#exit-code) on failure.
for any reason, the security dashboard doesn't show SAST scanner output. For example, if the SAST
job finishes but the DAST job fails, the security dashboard doesn't show SAST results. On failure,
the analyzer outputs an [exit code](../../../development/integrations/secure.md#exit-code).
## Use cases
## Use cases
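Review bot: the closing sentence "On failure, the analyzer outputs an exit code" is not tied to the dashboard behaviour the note describes, so the reader has to infer that a non-zero analyzer exit code is what makes a job count as failed. State that link explicitly if it is the behaviour ("A job fails when its analyzer exits with a non-zero exit code"), otherwise move the sentence out of this note. The same note appears again in the pipeline security hunk at the end of this change; keep the two copies identical.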
...
@@ -82,10 +84,10 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu
...
@@ -82,10 +84,10 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu
| Scala ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.0 (SBT) & 11.9 (Ant, Gradle, Maven) |
| Scala ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.0 (SBT) & 11.9 (Ant, Gradle, Maven) |
| TypeScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 |
| TypeScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 |
NOTE: **Note:**
Note that the Java analyzers can also be used for variants like the
The Java analyzers can also be used for variants like the
[Grails](https://grails.org/) and the [Maven wrapper](https://github.com/takari/maven-wrapper).
[Grails](https://grails.org/),
and the [Maven wrapper](https://github.com/takari/maven-wrapper).
### Making SAST analyzers available to all GitLab tiers
### Making SAST analyzers available to all GitLab tiers
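Review bot: the rewrapped sentence "variants like the [Grails](...), and the [Maven wrapper](...)" adds a comma before "and" in a two-item list and keeps "the Grails", which reads oddly for a framework name; "variants like [Grails](https://grails.org/) and the [Maven wrapper](...)" is cleaner. The Scala and TypeScript table rows are unchanged context.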
...
@@ -268,11 +270,10 @@ spotbugs-sast:
...
@@ -268,11 +270,10 @@ spotbugs-sast:
sast:gl-sast-report.json
sast:gl-sast-report.json
```
```
NOTE: **Note:**
To allow the analyzer to recognize the compiled artifacts, you must explicitly specify the path to
The path to the vendored directory must be specified explicitly to allow
the vendored directory. This configuration can vary per analyzer but in the case of Java above, you
the analyzer to recognize the compiled artifacts. This configuration can vary per
can use `MAVEN_REPO_PATH`. See
analyzer but in the case of Java above, `MAVEN_REPO_PATH` can be used.
[Analyzer settings](#analyzer-settings) for the complete list of available options.
See [Analyzer settings](#analyzer-settings) for the complete list of available options.
### Available variables
### Available variables
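Review bot: the active-voice rewrite reads well, but "in the case of Java above" still refers to the example by position; name the job ("in the `spotbugs-sast` job above", the one this hunk's header shows) so the sentence survives if the example moves. Consider also saying that the path is what lets the analyzer find the compiled classes and dependency jars it scans, which is the reason the setting matters.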
...
@@ -478,7 +479,6 @@ To use SAST in an offline environment, you need:
...
@@ -478,7 +479,6 @@ To use SAST in an offline environment, you need:
- A Docker Container Registry with locally available copies of SAST [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images.
- A Docker Container Registry with locally available copies of SAST [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images.
- Configure certificate checking of packages (optional).
- Configure certificate checking of packages (optional).
NOTE: **Note:**
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner tries to pull Docker images from the GitLab container registry even if a local
meaning the runner tries to pull Docker images from the GitLab container registry even if a local
copy is available. The GitLab Runner [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
copy is available. The GitLab Runner [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
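Review bot: the two requirement bullets are not parallel: "A Docker Container Registry with locally available copies..." is a noun phrase while "Configure certificate checking of packages (optional)." is an imperative; reword the second as "Optionally, certificate checking of packages." or make both imperative. Unlike the other offline-environment hunks, this one keeps only the `NOTE: **Note:**` line as the change; make sure the pull-policy paragraph below it stays identical to the other three copies.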
@@ -67,26 +67,27 @@ as shown in the following table:
...
@@ -67,26 +67,27 @@ as shown in the following table:
## Configuration
## Configuration
NOTE: **Note:**
> GitLab 13.1 splits Secret Detection from the [SAST configuration](../sast#configuration) into its own CI/CD template. If you're using GitLab 13.0 or earlier and SAST is enabled, then Secret Detection is already enabled.
From GitLab 13.1, Secret Detection was split from the [SAST configuration](../sast#configuration) into its own CI/CD template. If using GitLab 13.1 or earlier, and SAST is enabled, Secret Detection is already enabled.
Secret Detection is performed by a [specific analyzer](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml)
Secret Detection is performed by a [specific analyzer](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml)
during the `secret-detection` job. It runs regardless of the programming
during the `secret-detection` job. It runs regardless of your app's programming language.
language of your app.
The Secret Detection analyzer includes [Gitleaks](https://github.com/zricethezav/gitleaks) and [TruffleHog](https://github.com/dxa4481/truffleHog) checks.
The Secret Detection analyzer includes [Gitleaks](https://github.com/zricethezav/gitleaks) and
Note that the Secret Detection analyzer ignores Password-in-URL vulnerabilities if the password
The Secret Detection analyzer will ignore "Password in URL" vulnerabilities if the password begins
begins with a dollar sign (`$`), as this likely indicates the password is an environment variable.
with a dollar sign (`$`) as this likely indicates the password being used is an environment
For example, `https://username:$password@example.com/path/to/repo` isn't detected, while
variable. For example, `https://username:$password@example.com/path/to/repo` won't be
`https://username:password@example.com/path/to/repo` is.
detected, whereas `https://username:password@example.com/path/to/repo` would be detected.
NOTE: **Note:**
NOTE: **Note:**
You don't have to configure Secret Detection manually as shown in this section if you're using [Auto Secret Detection](../../../topics/autodevops/stages.md#auto-secret-detection)
You don't have to configure Secret Detection manually as shown in this section if you're using
provided by [Auto DevOps](../../../topics/autodevops/index.md).
provided by [Auto DevOps](../../../topics/autodevops/index.md).
To enable Secret Detection for GitLab 13.1 and later, you must include the `Secret-Detection.gitlab-ci.yml` template that’s provided as a part of your GitLab installation. For GitLab versions earlier than 11.9, you can copy and use the job as defined in that template.
To enable Secret Detection for GitLab 13.1 and later, you must include the
`Secret-Detection.gitlab-ci.yml` template that's provided as a part of your GitLab installation. For
GitLab versions earlier than 11.9, you can copy and use the job as defined in that template.
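Review bot: the two versions of the split note disagree on the version boundary: "If using GitLab 13.1 or earlier, and SAST is enabled, Secret Detection is already enabled" contradicts "From GitLab 13.1, Secret Detection was split"; the retained text must say 13.0 or earlier, as the "> GitLab 13.1 splits Secret Detection ..." form does. Further down, "For GitLab versions earlier than 11.9, you can copy and use the job as defined in that template" looks carried over from the SAST page and sits oddly next to a template that exists only from 13.1; verify the version. The password-in-URL paragraph is worth keeping as written: skipping passwords that start with `$` is a heuristic ("likely indicates" an environment variable), so a literal password beginning with `$` is not reported, and the wording should not promise more than that.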
Visit the page for any pipeline that ran any of the [supported reports](#supported-reports). To view
Visit the page for any pipeline that ran any of the [supported reports](#supported-reports). To view
the pipeline's security findings, select the **Security** tab when viewing the pipeline.
the pipeline's security findings, select the **Security** tab when viewing the pipeline.
NOTE: **Note:**
A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish
A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish for any reason, the security dashboard will not show SAST scanner output. For example, if the SAST job finishes but the DAST job fails, the security dashboard will not show SAST results. The analyzer will output an [exit code](../../../development/integrations/secure.md#exit-code) on failure.
for any reason, the security dashboard doesn't show SAST scanner output. For example, if the SAST
job finishes but the DAST job fails, the security dashboard doesn't show SAST results. On failure,
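Review bot: this paragraph duplicates the note from the SAST overview hunk above, including the "will not show" to "doesn't show" fix; applying the same change in both places is right, but diff the two copies against each other before merge, and give this copy the same explicit link between the analyzer exit code and the job failing that was requested there.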