Add user docs for sast:image feature

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

doc/user/project/merge_requests/index.md

@@ -189,7 +189,6 @@ list of approvers that will need to approve every merge request in a project.
 
 [Read more about merge request approvals.](merge_request_approvals.md)
 
-
 ## Code Quality reports
 
 > Introduced in [GitLab Enterprise Edition Starter][products] 9.3.
@@ -221,6 +220,17 @@ GitLab runs the [Sitespeed.io container][sitespeed-container] and displays the d
 
 [Read more about Browser Performance Testing.](browser_performance_testing.md)
 
+## Static Application Security Testing for Docker images
+
+> Introduced in [GitLab Enterprise Edition Ultimate][products] 10.4.
+
+If you are using [GitLab CI/CD][ci], you can analyze your Docker images for known
+vulnerabilities.
+Going a step further, GitLab can show the vulnerability report right in the
+merge request widget area.
+
+[Read more about SAST Docker image reports.](sast_docker.md)
+
 ## Live preview with Review Apps
 
 If you configured [Review Apps](https://about.gitlab.com/features/review-apps/) for your project,
@@ -346,9 +356,8 @@ And to check out a particular merge request:
 git checkout origin/merge-requests/1
 ```
 
-[protected branches]: ../protected_branches.md
-
 [products]: https://about.gitlab.com/products/ "GitLab products page"
+[protected branches]: ../protected_branches.md
 [ci]: ../../../ci/README.md
 [cc]: https://codeclimate.com/
 [cd]: https://hub.docker.com/r/codeclimate/codeclimate/

doc/user/project/merge_requests/sast-image.md

+# Static Application Security Testing (SAST)
+
+> [Introduced][ee-3781] in [GitLab Enterprise Edition Ultimate][ee] 10.4.
+
+## Overview
+
+If you are using [GitLab CI/CD][ci], you can analyze your docker for known
+vulnerabilities using [Clair](https://github.com/coreos/clair), 
+a Vulnerability Static Analysis for Containers.
+
+Going a step further, GitLab can show the vulnerability list right in the merge
+request widget area:
+
+![SAST Widget](img/sast-image.png)
+
+## Use cases
+
+TODO: write
+
+## How it works
+
+In order for the report to show in the merge request, you need to specify a
+`sast:image` job (exact name) that will analyze the code and upload the resulting
+`gl-sast-image-report.json` file as an artifact. GitLab will then check this file and
+show the information inside the merge request.
+
+This JSON file needs to be the only artifact file for the job. If you try
+to also include other files, it will break the vulnerability display in the
+merge request.
+
+For more information on how the `sast:image` job should look like, check the
+example on [analyzing a project's code for vulnerabilities][cc-docs].
+
+[ee-3781]: https://gitlab.com/gitlab-org/gitlab-ee/issues/3781
+[ee]: https://about.gitlab.com/gitlab-ee/
+[ci]: ../../../ci/README.md
+[cc-docs]: ../../../ci/examples/sast.md