Commit 8457cc91 authored by Amy Qualls, committed by Craig Norris

Fix spelling issues in documentation

Take care of more spelling issues: edit the words, put them in code
tags, or add them to the spelling exceptions list.
parent f914306b
...@@ -70,6 +70,7 @@ burstable ...@@ -70,6 +70,7 @@ burstable
cacheable cacheable
callstack callstack
callstacks callstacks
Camo
CentOS CentOS
Certbot Certbot
changeset changeset
...@@ -105,6 +106,7 @@ crosslinks ...@@ -105,6 +106,7 @@ crosslinks
Crossplane Crossplane
CrowdIn CrowdIn
CSV CSV
cybersecurity
Dangerfile Dangerfile
datetime datetime
Debian Debian
...@@ -129,6 +131,7 @@ dequarantined ...@@ -129,6 +131,7 @@ dequarantined
dequarantining dequarantining
DevOps DevOps
discoverability discoverability
dismissable
Disqus Disqus
Divio Divio
Dockerfile Dockerfile
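Review bot: the new `dismissable` entry whitelists a non-standard spelling rather than fixing it; the dictionary form is `dismissible`, so unless the word is quoted from a UI label or identifier, correct the occurrences in the docs and drop this entry instead of adding it to the exceptions list.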
...@@ -233,6 +236,7 @@ issuables ...@@ -233,6 +236,7 @@ issuables
Istio Istio
Jaeger Jaeger
jasmine-jquery jasmine-jquery
Javafuzz
JavaScript JavaScript
Jenkins Jenkins
Jenkinsfile Jenkinsfile
...@@ -251,6 +255,7 @@ keytab ...@@ -251,6 +255,7 @@ keytab
keytabs keytabs
Kibana Kibana
Kinesis Kinesis
Klar
Knative Knative
Kramdown Kramdown
Kroki Kroki
...@@ -263,6 +268,7 @@ Laravel ...@@ -263,6 +268,7 @@ Laravel
ldapsearch ldapsearch
Lefthook Lefthook
Leiningen Leiningen
libFuzzer
Libravatar Libravatar
liveness liveness
Lograge Lograge
...@@ -479,6 +485,7 @@ serverless ...@@ -479,6 +485,7 @@ serverless
sharding sharding
shfmt shfmt
Shibboleth Shibboleth
Shopify
Sidekiq Sidekiq
Silverlight Silverlight
Sisense Sisense
...@@ -553,7 +560,10 @@ transpile ...@@ -553,7 +560,10 @@ transpile
transpiles transpiles
transpiling transpiling
Trello Trello
triaged
triages
triaging triaging
Truststore
Twilio Twilio
Twitter Twitter
TypeScript TypeScript
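Review bot: `Truststore` is added capitalized, which then forces mid-sentence capitalization of a common noun in the Jira troubleshooting page later in this commit ("the Java Truststore on Jira's server", "Java's default Truststore"). Add it lowercase (`truststore`) so prose can keep the ordinary form, and reserve the camel-cased spelling for the actual property name `-Djavax.net.ssl.trustStore`, which is already code-formatted and needs no exception.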
...@@ -586,6 +596,8 @@ unindexed ...@@ -586,6 +596,8 @@ unindexed
unlink unlink
unlinking unlinking
unlinks unlinks
unmappable
unmapped
unmergeable unmergeable
unmerged unmerged
unmerges unmerges
...@@ -595,6 +607,7 @@ unoptimize ...@@ -595,6 +607,7 @@ unoptimize
unoptimized unoptimized
unoptimizes unoptimizes
unoptimizing unoptimizing
unpatched
unprioritized unprioritized
unprotect unprotect
unprotected unprotected
......
...@@ -173,26 +173,26 @@ If there was an issue with SSL/TLS, this error message is generated. ...@@ -173,26 +173,26 @@ If there was an issue with SSL/TLS, this error message is generated.
as GitLab is the TLS client. as GitLab is the TLS client.
- The Jira Development Panel integration requires Jira to connect to GitLab, which - The Jira Development Panel integration requires Jira to connect to GitLab, which
causes Jira to be the TLS client. If your GitLab server's certificate is not causes Jira to be the TLS client. If your GitLab server's certificate is not
issued by a public certificate authority, the Java truststore on Jira's server issued by a public certificate authority, the Java Truststore on Jira's server
needs to have the appropriate certificate added to it (such as your organization's needs to have the appropriate certificate added to it (such as your organization's
root certificate). root certificate).
Refer to Atlassian's documentation and Atlassian Support for assistance setting up Jira correctly: Refer to Atlassian's documentation and Atlassian Support for assistance setting up Jira correctly:
- [Adding a certificate to the trust store](https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html). - [Adding a certificate to the trust store](https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html).
- Simplest approach is to use [keytool](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html). - Simplest approach is to use [`keytool`](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html).
- Add additional roots to Java's default truststore (`cacerts`) to allow Jira to - Add additional roots to Java's default Truststore (`cacerts`) to allow Jira to
also trust public certificate authorities. also trust public certificate authorities.
- If the integration stops working after upgrading Jira's Java runtime, this - If the integration stops working after upgrading Jira's Java runtime, this
might be because the `cacerts` truststore got replaced. might be because the `cacerts` Truststore got replaced.
- [Troubleshooting connectivity up to and including TLS handshaking](https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html), - [Troubleshooting connectivity up to and including TLS handshaking](https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html),
using the a java class called `SSLPoke`. using the a java class called `SSLPoke`.
- Download the class from Atlassian's knowledgebase to Jira's server, for example to `/tmp`. - Download the class from Atlassian's knowledge base to Jira's server, for example to `/tmp`.
- Use the same Java runtime as Jira. - Use the same Java runtime as Jira.
- Pass all networking-related parameters that Jira is called with, such as proxy - Pass all networking-related parameters that Jira is called with, such as proxy
settings or an alternative root truststore (`-Djavax.net.ssl.trustStore`): settings or an alternative root Truststore (`-Djavax.net.ssl.trustStore`):
```shell ```shell
${JAVA_HOME}/bin/java -Djavax.net.ssl.trustStore=/var/atlassian/application-data/jira/cacerts -classpath /tmp SSLPoke gitlab.example.com 443 ${JAVA_HOME}/bin/java -Djavax.net.ssl.trustStore=/var/atlassian/application-data/jira/cacerts -classpath /tmp SSLPoke gitlab.example.com 443
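Review bot: capitalizing `truststore` to `Truststore` in running prose ("the Java Truststore", "Java's default Truststore (`cacerts`)", "the `cacerts` Truststore") reads as a product name where the text means the generic trust store; keep it lowercase, or write "trust store" as the linked Atlassian article title already does. Also the untouched line "using the a java class called `SSLPoke`" still has the doubled article and lowercase language name; suggest "using a Java class called `SSLPoke`".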
...@@ -211,7 +211,7 @@ The requested scope is invalid, unknown, or malformed. ...@@ -211,7 +211,7 @@ The requested scope is invalid, unknown, or malformed.
Potential resolutions: Potential resolutions:
- Verify the URL shown in the browser after being redirected from Jira in step 5 of [Jira DVCS Connector Setp](#jira-dvcs-connector-setup) includes `scope=api` within the query string. - Verify the URL shown in the browser after being redirected from Jira in step 5 of [Jira DVCS Connector Setup](#jira-dvcs-connector-setup) includes `scope=api` within the query string.
- If `scope=api` is missing from the URL, return to [GitLab account configuration](#gitlab-account-configuration-for-dvcs) and ensure the application you created in step 1 has the `api` box checked under scopes. - If `scope=api` is missing from the URL, return to [GitLab account configuration](#gitlab-account-configuration-for-dvcs) and ensure the application you created in step 1 has the `api` box checked under scopes.
##### Jira error adding account and no repositories listed ##### Jira error adding account and no repositories listed
...@@ -252,7 +252,7 @@ resynchronize the information. To do so: ...@@ -252,7 +252,7 @@ resynchronize the information. To do so:
You can integrate GitLab.com and Jira Cloud using the [GitLab for Jira](https://marketplace.atlassian.com/apps/1221011/gitlab-com-for-jira-cloud) app in the Atlassian Marketplace. You can integrate GitLab.com and Jira Cloud using the [GitLab for Jira](https://marketplace.atlassian.com/apps/1221011/gitlab-com-for-jira-cloud) app in the Atlassian Marketplace.
This method is recommended when using GitLab.com and Jira Cloud because data is synchronized in realtime, while the DVCS connector updates data only once per hour. If you are not using both of these environments, use the [Jira DVCS Connector](#jira-dvcs-configuration) method. This method is recommended when using GitLab.com and Jira Cloud because data is synchronized in real-time, while the DVCS connector updates data only once per hour. If you are not using both of these environments, use the [Jira DVCS Connector](#jira-dvcs-configuration) method.
<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
For a walkthrough of the integration with GitLab for Jira, watch [Configure GitLab Jira Integration using Marketplace App](https://youtu.be/SwR-g1s1zTo) on YouTube. For a walkthrough of the integration with GitLab for Jira, watch [Configure GitLab Jira Integration using Marketplace App](https://youtu.be/SwR-g1s1zTo) on YouTube.
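Review bot: "synchronized in real-time" introduces a hyphen in the wrong place; the hyphenated form is the adjective ("real-time synchronization"), while after "in" the noun phrase is unhyphenated: "data is synchronized in real time". Suggest reverting to "real time" rather than "real-time".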
......
...@@ -22,7 +22,7 @@ When applied to: ...@@ -22,7 +22,7 @@ When applied to:
- A **group**, the group, all subgroups, and all projects under the selected - A **group**, the group, all subgroups, and all projects under the selected
group on GitLab.com contains the features of the associated tier. GitLab recommends group on GitLab.com contains the features of the associated tier. GitLab recommends
choosing a group plan when managing an organization's projects and users. choosing a group plan when managing an organization's projects and users.
- A **personal userspace**, all projects contain features with the - A **personal user space**, all projects contain features with the
subscription applied, but as it's not a group, group features aren't available. subscription applied, but as it's not a group, group features aren't available.
You can read more about [common misconceptions](https://about.gitlab.com/handbook/marketing/strategic-marketing/enablement/dotcom-subscriptions/#common-misconceptions) regarding a GitLab.com subscription to help avoid issues. You can read more about [common misconceptions](https://about.gitlab.com/handbook/marketing/strategic-marketing/enablement/dotcom-subscriptions/#common-misconceptions) regarding a GitLab.com subscription to help avoid issues.
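Review bot: "personal user space" is not the term the rest of the docs use; the training pages in this same commit say "your user namespace" ("Create a project in your user namespace"). Consider "personal namespace" here so the subscription page matches the namespace terminology used elsewhere instead of coining a new phrase to satisfy the spell checker.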
......
...@@ -163,7 +163,7 @@ to override the default chart values by setting `HELM_UPGRADE_EXTRA_ARGS` to `-- ...@@ -163,7 +163,7 @@ to override the default chart values by setting `HELM_UPGRADE_EXTRA_ARGS` to `--
You can customize the `helm upgrade` command used in the [auto-deploy-image](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image) You can customize the `helm upgrade` command used in the [auto-deploy-image](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image)
by passing options to the command with the `HELM_UPGRADE_EXTRA_ARGS` variable. by passing options to the command with the `HELM_UPGRADE_EXTRA_ARGS` variable.
For example, set the value of `HELM_UPGRADE_EXTRA_ARGS` to `--no-hooks` to disable For example, set the value of `HELM_UPGRADE_EXTRA_ARGS` to `--no-hooks` to disable
pre and post upgrade hooks when the command is executed. pre-upgrade and post-upgrade hooks when the command is executed.
See [the official documentation](https://helm.sh/docs/helm/helm_upgrade/) for the full See [the official documentation](https://helm.sh/docs/helm/helm_upgrade/) for the full
list of options. list of options.
......
...@@ -153,7 +153,7 @@ steps to upgrade to v2: ...@@ -153,7 +153,7 @@ steps to upgrade to v2:
### Use a specific version of Auto Deploy dependencies ### Use a specific version of Auto Deploy dependencies
To use a specifc version of Auto Deploy dependencies, specify the previous Auto Deploy To use a specific version of Auto Deploy dependencies, specify the previous Auto Deploy
stable template that contains the [desired version of `auto-deploy-image` and `auto-deploy-app`](#verify-dependency-versions). stable template that contains the [desired version of `auto-deploy-image` and `auto-deploy-app`](#verify-dependency-versions).
For example, if the template is bundled in GitLab v13.3, change your `.gitlab-ci.yml` to: For example, if the template is bundled in GitLab v13.3, change your `.gitlab-ci.yml` to:
......
...@@ -160,7 +160,7 @@ a macOS's `ZSH` shell, and you want to **squash** all the three commits ...@@ -160,7 +160,7 @@ a macOS's `ZSH` shell, and you want to **squash** all the three commits
from `pick` to `squash` (or `s`). Do the same to the **third** commit. from `pick` to `squash` (or `s`). Do the same to the **third** commit.
The first commit should be left **unchanged** (`pick`) as we want to squash The first commit should be left **unchanged** (`pick`) as we want to squash
the second and third into the first. the second and third into the first.
1. Press <kbd>Esc</kbd> to leave the editing mode. 1. Press <kbd>Escape</kbd> to leave the editing mode.
1. Type `:wq` to "write" (save) and "quit". 1. Type `:wq` to "write" (save) and "quit".
1. Git outputs the commit message so you have a chance to edit it: 1. Git outputs the commit message so you have a chance to edit it:
- All lines starting with `#` will be ignored and not included in the commit - All lines starting with `#` will be ignored and not included in the commit
......
...@@ -38,8 +38,12 @@ For a video introduction of how this works in GitLab, see [GitLab Flow](https:// ...@@ -38,8 +38,12 @@ For a video introduction of how this works in GitLab, see [GitLab Flow](https://
## Git flow and its problems ## Git flow and its problems
<!-- vale gitlab.Spelling = NO -->
![Git Flow timeline by Vincent Driessen, used with permission](img/gitlab_flow_gitdashflow.png) ![Git Flow timeline by Vincent Driessen, used with permission](img/gitlab_flow_gitdashflow.png)
<!-- vale gitlab.Spelling = YES -->
Git flow was one of the first proposals to use Git branches, and it has received a lot of attention. Git flow was one of the first proposals to use Git branches, and it has received a lot of attention.
It suggests a `master` branch and a separate `develop` branch, as well as supporting branches for features, releases, and hotfixes. It suggests a `master` branch and a separate `develop` branch, as well as supporting branches for features, releases, and hotfixes.
The development happens on the `develop` branch, moves to a release branch, and is finally merged into the `master` branch. The development happens on the `develop` branch, moves to a release branch, and is finally merged into the `master` branch.
......
...@@ -21,7 +21,7 @@ comments: false ...@@ -21,7 +21,7 @@ comments: false
git clone <url> git clone <url>
``` ```
## Central Repos ## Central Repositories
- To instantiate a central repository a `--bare` flag is required. - To instantiate a central repository a `--bare` flag is required.
- Bare repositories don't allow file editing or committing changes. - Bare repositories don't allow file editing or committing changes.
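Review bot: renaming the heading "Central Repos" to "Central Repositories" changes its generated anchor from `#central-repos` to `#central-repositories`; check for in-page or cross-page links to the old anchor before merging, since a heading rename silently breaks them while the spell check passes.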
...@@ -34,7 +34,7 @@ comments: false ...@@ -34,7 +34,7 @@ comments: false
## Instantiate workflow with clone ## Instantiate workflow with clone
1. Create a project in your user namespace. 1. Create a project in your user namespace.
- Choose to import from 'Any Repo by URL' and use <https://gitlab.com/gitlab-org/training-examples.git>. - Choose to import from **Any Repository by URL** and use <https://gitlab.com/gitlab-org/training-examples.git>.
1. Create a '`Workspace`' directory in your home directory. 1. Create a '`Workspace`' directory in your home directory.
1. Clone the '`training-examples`' project. 1. Clone the '`training-examples`' project.
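Review bot: "Any Repo by URL" was quoted because it is a UI label, so expanding it to "Any Repository by URL" should only be done if the import option in the UI actually reads that way; if the button still says "Repo by URL", the doc must reproduce the label verbatim (bold, as the style guide asks) and the word should instead be exempted from spell checking. Please verify against the current import page before merging.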
......
...@@ -102,7 +102,7 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQEL17Ufacg8cDhlQMS5NhV8z3GHZdhCrZbl4gz you@example. ...@@ -102,7 +102,7 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQEL17Ufacg8cDhlQMS5NhV8z3GHZdhCrZbl4gz you@example.
## Create a project ## Create a project
- Create a project in your user namespace. - Create a project in your user namespace.
- Choose to import from 'Any Repo by URL' and use <https://gitlab.com/gitlab-org/training-examples.git>. - Choose to import from **Any Repository by URL** and use <https://gitlab.com/gitlab-org/training-examples.git>.
- Create a '`development`' or '`workspace`' directory in your home directory. - Create a '`development`' or '`workspace`' directory in your home directory.
- Clone the '`training-examples`' project. - Clone the '`training-examples`' project.
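Review bot: same concern as the earlier training page: "Any Repository by URL" is presented as a UI label, so it must match the actual button text; if the import page shows "Repo by URL", keep the label as-is and add the word to the spelling exceptions rather than rewording the label.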
...@@ -214,9 +214,13 @@ Create your first merge request: ...@@ -214,9 +214,13 @@ Create your first merge request:
## Feedback and Collaboration resources ## Feedback and Collaboration resources
<!-- vale gitlab.Spelling = NO -->
Review the Thoughtbot code-review guide for suggestions to follow when reviewing merge requests: Review the Thoughtbot code-review guide for suggestions to follow when reviewing merge requests:
<https://github.com/thoughtbot/guides/tree/master/code-review>. <https://github.com/thoughtbot/guides/tree/master/code-review>.
<!-- vale gitlab.Spelling = YES -->
See GitLab merge requests for examples: <https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests>. See GitLab merge requests for examples: <https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests>.
## Explore GitLab projects ## Explore GitLab projects
......
...@@ -94,7 +94,7 @@ Feature.enable(:admin_new_user_signups_cap) ...@@ -94,7 +94,7 @@ Feature.enable(:admin_new_user_signups_cap)
WARNING: WARNING:
This feature might not be available to you. Check the **version history** note above for details. This feature might not be available to you. Check the **version history** note above for details.
The soft email confirmation improves the signup experience for new users by allowing The soft email confirmation improves the sign-up experience for new users by allowing
them to sign in without an immediate confirmation when an email confirmation is required. them to sign in without an immediate confirmation when an email confirmation is required.
GitLab shows the user a reminder to confirm their email address, and the user can't GitLab shows the user a reminder to confirm their email address, and the user can't
create or update pipelines until their email address is confirmed. create or update pipelines until their email address is confirmed.
......
...@@ -27,7 +27,7 @@ View pipeline duration history: ...@@ -27,7 +27,7 @@ View pipeline duration history:
Customer experience is a key metric. Users want to measure platform stability and other Customer experience is a key metric. Users want to measure platform stability and other
post-deployment performance KPIs, and set targets for customer behavior, experience, and financial post-deployment performance KPIs, and set targets for customer behavior, experience, and financial
impact. Tracking and measuring these indicators solves an important pain point. Similarly, creating impact. Tracking and measuring these indicators solves an important pain point. Similarly, creating
views that manage products, not projects or repos, provides users with a more relevant data set. views that manage products, not projects or repositories, provides users with a more relevant data set.
Since GitLab is a tool for the entire DevOps life-cycle, information from different workflows is Since GitLab is a tool for the entire DevOps life-cycle, information from different workflows is
integrated and can be used to measure the success of the teams. integrated and can be used to measure the success of the teams.
......
...@@ -10,7 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -10,7 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/196561) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.9. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/196561) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.9.
Issue Analytics is a bar graph which illustrates the number of issues created each month. Issue Analytics is a bar graph which illustrates the number of issues created each month.
The default timespan is 13 months, which includes the current month, and the 12 months The default time span is 13 months, which includes the current month, and the 12 months
prior. prior.
To access the chart, navigate to your project sidebar and select **{chart}** **Analytics > Issue Analytics**. To access the chart, navigate to your project sidebar and select **{chart}** **Analytics > Issue Analytics**.
......
...@@ -182,7 +182,7 @@ scanning by using the following environment variables: ...@@ -182,7 +182,7 @@ scanning by using the following environment variables:
| `CLAIR_DB_IMAGE` | `arminc/clair-db:latest` | The Docker image name and tag for the [PostgreSQL server hosting the vulnerabilities definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version, for example, to provide a consistent set of vulnerabilities for integration testing purposes, or to refer to a locally hosted vulnerabilities database for an on-premise offline installation. | | `CLAIR_DB_IMAGE` | `arminc/clair-db:latest` | The Docker image name and tag for the [PostgreSQL server hosting the vulnerabilities definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version, for example, to provide a consistent set of vulnerabilities for integration testing purposes, or to refer to a locally hosted vulnerabilities database for an on-premise offline installation. |
| `CLAIR_DB_IMAGE_TAG` | `latest` | (**DEPRECATED - use `CLAIR_DB_IMAGE` instead**) The Docker image tag for the [PostgreSQL server hosting the vulnerabilities definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version, for example, to provide a consistent set of vulnerabilities for integration testing purposes. | | `CLAIR_DB_IMAGE_TAG` | `latest` | (**DEPRECATED - use `CLAIR_DB_IMAGE` instead**) The Docker image tag for the [PostgreSQL server hosting the vulnerabilities definitions](https://hub.docker.com/r/arminc/clair-db). It can be useful to override this value with a specific version, for example, to provide a consistent set of vulnerabilities for integration testing purposes. |
| `CLAIR_OUTPUT` | `Unknown` | Severity level threshold. Vulnerabilities with severity level higher than or equal to this threshold are outputted. Supported levels are `Unknown`, `Negligible`, `Low`, `Medium`, `High`, `Critical` and `Defcon1`. | | `CLAIR_OUTPUT` | `Unknown` | Severity level threshold. Vulnerabilities with severity level higher than or equal to this threshold are outputted. Supported levels are `Unknown`, `Negligible`, `Low`, `Medium`, `High`, `Critical` and `Defcon1`. |
| `CLAIR_TRACE` | `"false"` | Set to true to enable more verbose output from the clair server process. | | `CLAIR_TRACE` | `"false"` | Set to true to enable more verbose output from the Clair server process. |
| `CLAIR_VULNERABILITIES_DB_URL` | `clair-vulnerabilities-db` | (**DEPRECATED - use `CLAIR_DB_CONNECTION_STRING` instead**) This variable is explicitly set in the [services section](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23) of the `Container-Scanning.gitlab-ci.yml` file and defaults to `clair-vulnerabilities-db`. This value represents the address that the [PostgreSQL server hosting the vulnerabilities definitions](https://hub.docker.com/r/arminc/clair-db) is running on and **shouldn't be changed** unless you're running the image locally as described in the [Running the standalone container scanning tool](#running-the-standalone-container-scanning-tool) section. | | `CLAIR_VULNERABILITIES_DB_URL` | `clair-vulnerabilities-db` | (**DEPRECATED - use `CLAIR_DB_CONNECTION_STRING` instead**) This variable is explicitly set in the [services section](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23) of the `Container-Scanning.gitlab-ci.yml` file and defaults to `clair-vulnerabilities-db`. This value represents the address that the [PostgreSQL server hosting the vulnerabilities definitions](https://hub.docker.com/r/arminc/clair-db) is running on and **shouldn't be changed** unless you're running the image locally as described in the [Running the standalone container scanning tool](#running-the-standalone-container-scanning-tool) section. |
| `CI_APPLICATION_REPOSITORY` | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. | | `CI_APPLICATION_REPOSITORY` | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` | Docker repository URL for the image to be scanned. |
| `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. | | `CI_APPLICATION_TAG` | `$CI_COMMIT_SHA` | Docker repository tag for the image to be scanned. |
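Review bot: while capitalizing `clair` to `Clair` in the `CLAIR_TRACE` row, the `CLAIR_OUTPUT` row two lines above still says vulnerabilities "are outputted"; the standard past participle is "output", and the `CLAIR_DB_IMAGE` row's "on-premise" should be "on-premises". Both are the same class of spelling nit this commit is fixing, so worth folding in here.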
...@@ -192,7 +192,7 @@ scanning by using the following environment variables: ...@@ -192,7 +192,7 @@ scanning by using the following environment variables:
| `DOCKER_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. | | `DOCKER_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. |
| `DOCKER_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. | | `DOCKER_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. |
| `DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to be used for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project, so this variable should only be configured if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. | | `DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to be used for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project, so this variable should only be configured if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. |
| `KLAR_TRACE` | `"false"` | Set to true to enable more verbose output from klar. | | `KLAR_TRACE` | `"false"` | Set to true to enable more verbose output from Klar. |
| `REGISTRY_INSECURE` | `"false"` | Allow [Klar](https://github.com/optiopay/klar) to access insecure registries (HTTP only). Should only be set to `true` when testing the image locally. | | `REGISTRY_INSECURE` | `"false"` | Allow [Klar](https://github.com/optiopay/klar) to access insecure registries (HTTP only). Should only be set to `true` when testing the image locally. |
| `SECURE_ANALYZERS_PREFIX` | `"registry.gitlab.com/gitlab-org/security-products/analyzers"` | Set the Docker registry base address from which to download the analyzer. | | `SECURE_ANALYZERS_PREFIX` | `"registry.gitlab.com/gitlab-org/security-products/analyzers"` | Set the Docker registry base address from which to download the analyzer. |
| `SECURE_LOG_LEVEL` | `info` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. | | `SECURE_LOG_LEVEL` | `info` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. |
......
...@@ -27,12 +27,12 @@ Docker image with the fuzz engine to run your app. ...@@ -27,12 +27,12 @@ Docker image with the fuzz engine to run your app.
|----------|----------------|---------| |----------|----------------|---------|
| C/C++ | [libFuzzer](https://llvm.org/docs/LibFuzzer.html) | [c-cpp-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/c-cpp-fuzzing-example) | | C/C++ | [libFuzzer](https://llvm.org/docs/LibFuzzer.html) | [c-cpp-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/c-cpp-fuzzing-example) |
| GoLang | [go-fuzz (libFuzzer support)](https://github.com/dvyukov/go-fuzz) | [go-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/go-fuzzing-example) | | GoLang | [go-fuzz (libFuzzer support)](https://github.com/dvyukov/go-fuzz) | [go-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/go-fuzzing-example) |
| Swift | [libfuzzer](https://github.com/apple/swift/blob/master/docs/libFuzzerIntegration.md) | [swift-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/swift-fuzzing-example) | | Swift | [libFuzzer](https://github.com/apple/swift/blob/master/docs/libFuzzerIntegration.md) | [swift-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/swift-fuzzing-example) |
| Rust | [cargo-fuzz (libFuzzer support)](https://github.com/rust-fuzz/cargo-fuzz) | [rust-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/rust-fuzzing-example) | | Rust | [cargo-fuzz (libFuzzer support)](https://github.com/rust-fuzz/cargo-fuzz) | [rust-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/rust-fuzzing-example) |
| Java | [javafuzz](https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/javafuzz) (recommended) | [javafuzz-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/javafuzz-fuzzing-example) | | Java | [Javafuzz](https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/javafuzz) (recommended) | [javafuzz-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/javafuzz-fuzzing-example) |
| Java | [JQF](https://github.com/rohanpadhye/JQF) (not preferred) | [jqf-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/java-fuzzing-example) | | Java | [JQF](https://github.com/rohanpadhye/JQF) (not preferred) | [jqf-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/java-fuzzing-example) |
| JavaScript | [jsfuzz](https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/jsfuzz)| [jsfuzz-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/jsfuzz-fuzzing-example) | | JavaScript | [`jsfuzz`](https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/jsfuzz)| [jsfuzz-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/jsfuzz-fuzzing-example) |
| Python | [pythonfuzz](https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/pythonfuzz)| [pythonfuzz-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/pythonfuzz-fuzzing-example) | | Python | [`pythonfuzz`](https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/pythonfuzz)| [pythonfuzz-fuzzing-example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/pythonfuzz-fuzzing-example) |
## Configuration ## Configuration
...@@ -107,7 +107,7 @@ There are two types of jobs: ...@@ -107,7 +107,7 @@ There are two types of jobs:
Here's our current suggestion for configuring your fuzz target's timeout: Here's our current suggestion for configuring your fuzz target's timeout:
- Set `COVFUZZ_BRANCH` to the branch where you want to run long-running (async) fuzzing - Set `COVFUZZ_BRANCH` to the branch where you want to run long-running (asynchronous) fuzzing
jobs. This is `master` by default. jobs. This is `master` by default.
- Use regression or short-running fuzzing jobs for other branches or merge requests. - Use regression or short-running fuzzing jobs for other branches or merge requests.
...@@ -188,14 +188,14 @@ To use coverage fuzzing in an offline environment, follow these steps: ...@@ -188,14 +188,14 @@ To use coverage fuzzing in an offline environment, follow these steps:
`NEW_URL_GITLAB_COV_FUZ` is the URL of the private `gitlab-cov-fuzz` clone that you set up in the `NEW_URL_GITLAB_COV_FUZ` is the URL of the private `gitlab-cov-fuzz` clone that you set up in the
first step. first step.
### Continuous fuzzing (long-running async fuzzing jobs) ### Continuous fuzzing (long-running asynchronous fuzzing jobs)
It's also possible to run the fuzzing jobs longer and without blocking your main pipeline. This It's also possible to run the fuzzing jobs longer and without blocking your main pipeline. This
configuration uses the GitLab [parent-child pipelines](../../../ci/parent_child_pipelines.md). configuration uses the GitLab [parent-child pipelines](../../../ci/parent_child_pipelines.md).
The full example is available in the [repository](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/go-fuzzing-example/-/tree/continuous_fuzzing#running-go-fuzz-from-ci). The full example is available in the [repository](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/go-fuzzing-example/-/tree/continuous_fuzzing#running-go-fuzz-from-ci).
This example uses Go, but is applicable for any other supported languages. This example uses Go, but is applicable for any other supported languages.
The suggested workflow in this scenario is to have long-running, async fuzzing jobs on a The suggested workflow in this scenario is to have long-running, asynchronous fuzzing jobs on a
main/development branch, and short, blocking sync fuzzing jobs on all other branches and MRs. This main/development branch, and short, blocking sync fuzzing jobs on all other branches and MRs. This
is a good way to balance the needs of letting a developer's per-commit pipeline complete quickly, is a good way to balance the needs of letting a developer's per-commit pipeline complete quickly,
and also giving the fuzzer a large amount of time to fully explore and test the app. and also giving the fuzzer a large amount of time to fully explore and test the app.
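Review bot: "sync" is left unexpanded on the line "short, blocking sync fuzzing jobs on all other branches and MRs" while "async" was expanded to "asynchronous" in the heading and in the preceding sentence of this hunk; expand it to "synchronous" so the two terms stay parallel.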
...@@ -252,9 +252,9 @@ vulnerability: ...@@ -252,9 +252,9 @@ vulnerability:
vulnerability can be Detected, Confirmed, Dismissed, or Resolved. vulnerability can be Detected, Confirmed, Dismissed, or Resolved.
- Project: The project in which the vulnerability exists. - Project: The project in which the vulnerability exists.
- Crash type: The type of crash or weakness in the code. This typically maps to a [CWE](https://cwe.mitre.org/). - Crash type: The type of crash or weakness in the code. This typically maps to a [CWE](https://cwe.mitre.org/).
- Crash state: A normalized version of the stacktrace, containing the last three functions of the - Crash state: A normalized version of the stack trace, containing the last three functions of the
crash (without random addresses). crash (without random addresses).
- Stacktrace snippet: The last few lines of the stacktrace, which shows details about the crash. - Stack trace snippet: The last few lines of the stack trace, which shows details about the crash.
- Identifier: The vulnerability's identifier. This maps to either a [CVE](https://cve.mitre.org/) - Identifier: The vulnerability's identifier. This maps to either a [CVE](https://cve.mitre.org/)
or [CWE](https://cwe.mitre.org/). or [CWE](https://cwe.mitre.org/).
- Severity: The vulnerability's severity. This can be Critical, High, Medium, Low, Info, or Unknown. - Severity: The vulnerability's severity. This can be Critical, High, Medium, Low, Info, or Unknown.
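Review bot: subject-verb agreement in the "Stack trace snippet" bullet: "The last few lines of the stack trace, which shows details" should read "which show details", since the relative clause refers to "lines". Worth fixing while the line is already being touched.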
......
...@@ -67,7 +67,7 @@ The following languages and dependency managers are supported: ...@@ -67,7 +67,7 @@ The following languages and dependency managers are supported:
| [npm](https://www.npmjs.com/), [yarn](https://classic.yarnpkg.com/en/) 1.x | JavaScript | `package-lock.json`, `npm-shrinkwrap.json`, `yarn.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) | | [npm](https://www.npmjs.com/), [yarn](https://classic.yarnpkg.com/en/) 1.x | JavaScript | `package-lock.json`, `npm-shrinkwrap.json`, `yarn.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) |
| [npm](https://www.npmjs.com/), [yarn](https://classic.yarnpkg.com/en/) 1.x | JavaScript | `package.json` | [Retire.js](https://retirejs.github.io/retire.js/) | | [npm](https://www.npmjs.com/), [yarn](https://classic.yarnpkg.com/en/) 1.x | JavaScript | `package.json` | [Retire.js](https://retirejs.github.io/retire.js/) |
| [NuGet](https://www.nuget.org/) 4.9+ | .NET, C# | [`packages.lock.json`](https://docs.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-lock-file) | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) | | [NuGet](https://www.nuget.org/) 4.9+ | .NET, C# | [`packages.lock.json`](https://docs.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-lock-file) | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) |
| [setuptools](https://setuptools.readthedocs.io/en/latest/), [pip](https://pip.pypa.io/en/stable/), [Pipenv](https://pipenv.pypa.io/en/latest/) (*1*) | Python | `setup.py`, `requirements.txt`, `requirements.pip`, `requires.txt`, `Pipfile`, `Pipfile.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) | | [`setuptools`](https://setuptools.readthedocs.io/en/latest/), [pip](https://pip.pypa.io/en/stable/), [Pipenv](https://pipenv.pypa.io/en/latest/) (*1*) | Python | `setup.py`, `requirements.txt`, `requirements.pip`, `requires.txt`, `Pipfile`, `Pipfile.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) |
| [sbt](https://www.scala-sbt.org/) 1.2 and below ([Ivy](http://ant.apache.org/ivy/)) | Scala | `build.sbt` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) | | [sbt](https://www.scala-sbt.org/) 1.2 and below ([Ivy](http://ant.apache.org/ivy/)) | Scala | `build.sbt` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) |
1. [Pipenv](https://pipenv.pypa.io/en/latest/) projects are scanned when a `Pipfile` is present. 1. [Pipenv](https://pipenv.pypa.io/en/latest/) projects are scanned when a `Pipfile` is present.
...@@ -188,7 +188,7 @@ The following variables are used for configuring specific analyzers (used for a ...@@ -188,7 +188,7 @@ The following variables are used for configuring specific analyzers (used for a
| `DS_PIP_DEPENDENCY_PATH` | `gemnasium-python` | | Path to load Python pip dependencies from. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12412) in GitLab 12.2) | | `DS_PIP_DEPENDENCY_PATH` | `gemnasium-python` | | Path to load Python pip dependencies from. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12412) in GitLab 12.2) |
| `DS_PYTHON_VERSION` | `retire.js` | | Version of Python. If set to 2, dependencies are installed using Python 2.7 instead of Python 3.6. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12296) in GitLab 12.1, [removed](https://www.python.org/doc/sunset-python-2/) in GitLab 13.7)| | `DS_PYTHON_VERSION` | `retire.js` | | Version of Python. If set to 2, dependencies are installed using Python 2.7 instead of Python 3.6. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12296) in GitLab 12.1, [removed](https://www.python.org/doc/sunset-python-2/) in GitLab 13.7)|
| `DS_JAVA_VERSION` | `gemnasium-maven` | `11` | Version of Java. Available versions: `8`, `11`, `13`, `14`. Maven and Gradle use the Java version specified by this value. | | `DS_JAVA_VERSION` | `gemnasium-maven` | `11` | Version of Java. Available versions: `8`, `11`, `13`, `14`. Maven and Gradle use the Java version specified by this value. |
| `MAVEN_CLI_OPTS` | `gemnasium-maven` | `"-DskipTests --batch-mode"` | List of command line arguments that are passed to `maven` by the analyzer. See an example for [using private repositories](../index.md#using-private-maven-repos). | | `MAVEN_CLI_OPTS` | `gemnasium-maven` | `"-DskipTests --batch-mode"` | List of command line arguments that are passed to `maven` by the analyzer. See an example for [using private repositories](../index.md#using-private-maven-repositories). |
| `GRADLE_CLI_OPTS` | `gemnasium-maven` | | List of command line arguments that are passed to `gradle` by the analyzer. | | `GRADLE_CLI_OPTS` | `gemnasium-maven` | | List of command line arguments that are passed to `gradle` by the analyzer. |
| `SBT_CLI_OPTS` | `gemnasium-maven` | | List of command-line arguments that the analyzer passes to `sbt`. | | `SBT_CLI_OPTS` | `gemnasium-maven` | | List of command-line arguments that the analyzer passes to `sbt`. |
| `BUNDLER_AUDIT_UPDATE_DISABLED` | `bundler-audit` | `"false"` | Disable automatic updates for the `bundler-audit` analyzer. Useful if you're running dependency scanning in an offline, air-gapped environment.| | `BUNDLER_AUDIT_UPDATE_DISABLED` | `bundler-audit` | `"false"` | Disable automatic updates for the `bundler-audit` analyzer. Useful if you're running dependency scanning in an offline, air-gapped environment.|
...@@ -198,12 +198,12 @@ The following variables are used for configuring specific analyzers (used for a ...@@ -198,12 +198,12 @@ The following variables are used for configuring specific analyzers (used for a
| `RETIREJS_NODE_ADVISORY_DB` | `retire.js` | `https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json` | Path or URL to `retire.js` node vulnerability data file. Note that if the URL hosting the data file uses a custom SSL certificate, for example in an offline installation, you can pass the certificate in the `ADDITIONAL_CA_CERT_BUNDLE` environment variable. | | `RETIREJS_NODE_ADVISORY_DB` | `retire.js` | `https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json` | Path or URL to `retire.js` node vulnerability data file. Note that if the URL hosting the data file uses a custom SSL certificate, for example in an offline installation, you can pass the certificate in the `ADDITIONAL_CA_CERT_BUNDLE` environment variable. |
| `RETIREJS_ADVISORY_DB_INSECURE` | `retire.js` | `false` | Enable fetching remote JS and Node vulnerability data files (defined by the `RETIREJS_JS_ADVISORY_DB` and `RETIREJS_NODE_ADVISORY_DB` variables) from hosts using an insecure or self-signed SSL (TLS) certificate. | | `RETIREJS_ADVISORY_DB_INSECURE` | `retire.js` | `false` | Enable fetching remote JS and Node vulnerability data files (defined by the `RETIREJS_JS_ADVISORY_DB` and `RETIREJS_NODE_ADVISORY_DB` variables) from hosts using an insecure or self-signed SSL (TLS) certificate. |
### Using private Maven repos ### Using private Maven repositories
If your private Maven repository requires login credentials, If your private Maven repository requires login credentials,
you can use the `MAVEN_CLI_OPTS` environment variable. you can use the `MAVEN_CLI_OPTS` environment variable.
Read more on [how to use private Maven repositories](../index.md#using-private-maven-repos). Read more on [how to use private Maven repositories](../index.md#using-private-maven-repositories).
## Interacting with the vulnerabilities ## Interacting with the vulnerabilities
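Review bot: renaming the heading "### Using private Maven repos" to "### Using private Maven repositories" changes this page's own anchor from `#using-private-maven-repos` to `#using-private-maven-repositories`, not only the one in `../index.md` that the link two lines below now points to; grep for links to this page's old anchor as well, or they will break silently.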
...@@ -375,7 +375,7 @@ Here are the requirements for using dependency scanning in an offline environmen ...@@ -375,7 +375,7 @@ Here are the requirements for using dependency scanning in an offline environmen
This advisory database is constantly being updated, so you must periodically sync your local copy with GitLab. This advisory database is constantly being updated, so you must periodically sync your local copy with GitLab.
- _Only if scanning Ruby projects_: Host an offline Git copy of the [advisory database](https://github.com/rubysec/ruby-advisory-db). - _Only if scanning Ruby projects_: Host an offline Git copy of the [advisory database](https://github.com/rubysec/ruby-advisory-db).
- _Only if scanning npm/yarn projects_: Host an offline copy of the [retire.js](https://github.com/RetireJS/retire.js/) [node](https://github.com/RetireJS/retire.js/blob/master/repository/npmrepository.json) and [js](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json) advisory databases. - _Only if scanning npm/yarn projects_: Host an offline copy of the [`retire.js`](https://github.com/RetireJS/retire.js/) [node](https://github.com/RetireJS/retire.js/blob/master/repository/npmrepository.json) and [`js`](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json) advisory databases.
Note that GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy), Note that GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
meaning the runner tries to pull Docker images from the GitLab container registry even if a local meaning the runner tries to pull Docker images from the GitLab container registry even if a local
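Review bot: inconsistent code formatting in the retire.js bullet: `retire.js` and `js` are wrapped in backticks but `node` is left plain, although both link to the analogous `npmrepository.json` / `jsrepository.json` advisory files. Either put both `node` and `js` in backticks or neither.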
...@@ -460,7 +460,7 @@ BUNDLER_AUDIT_ADVISORY_DB_REF_NAME: "master" ...@@ -460,7 +460,7 @@ BUNDLER_AUDIT_ADVISORY_DB_REF_NAME: "master"
BUNDLER_AUDIT_ADVISORY_DB_URL: "gitlab.example.com/ruby-advisory-db.git" BUNDLER_AUDIT_ADVISORY_DB_URL: "gitlab.example.com/ruby-advisory-db.git"
``` ```
#### Python (setuptools) #### Python (setup tools)
When using self-signed certificates for your private PyPi repository, no extra job configuration (aside When using self-signed certificates for your private PyPi repository, no extra job configuration (aside
from the template `.gitlab-ci.yml` above) is needed. However, you must update your `setup.py` to from the template `.gitlab-ci.yml` above) is needed. However, you must update your `setup.py` to
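Review bot: "#### Python (setup tools)" is a regression, not a spelling fix. `setuptools` is the package name and must stay one word; the dependency managers table in this same commit already renders it as `` [`setuptools`](...) ``, so the heading should become "#### Python (`setuptools`)" for consistency (and so the existing `#python-setuptools` anchor is not changed by accident).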
...@@ -526,5 +526,5 @@ scanning job might be triggered even if the scanner doesn't support your project ...@@ -526,5 +526,5 @@ scanning job might be triggered even if the scanner doesn't support your project
### Issues building projects with npm or yarn packages relying on Python 2 ### Issues building projects with npm or yarn packages relying on Python 2
Python 2 was removed (see: [Python 2 sunsetting](https://www.python.org/doc/sunset-python-2/)) from the `retire.js` analyzer in GitLab 13.7 (analyzer version 2.10.1). Projects using packages [Python 2 was removed](https://www.python.org/doc/sunset-python-2/) from the `retire.js` analyzer in GitLab 13.7 (analyzer version 2.10.1). Projects using packages
with a dependency on this version of Python should use `retire.js` version 2.10.0 or lower (for example, `registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2.10.0`). with a dependency on this version of Python should use `retire.js` version 2.10.0 or lower (for example, `registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2.10.0`).
...@@ -395,11 +395,11 @@ must be created. A [security scanner job](#security-scanning-tools) must be enab ...@@ -395,11 +395,11 @@ must be created. A [security scanner job](#security-scanning-tools) must be enab
job must be enabled for `License-Check`. When the proper jobs aren't configured, the following job must be enabled for `License-Check`. When the proper jobs aren't configured, the following
appears: appears:
![Unconfigured Approval Rules](img/unconfigured_security_approval_rules_and_jobs_v13_4.png) ![Un-configured Approval Rules](img/unconfigured_security_approval_rules_and_jobs_v13_4.png)
If at least one security scanner is enabled, you can enable the `Vulnerability-Check` approval rule. If a license scanning job is enabled, you can enable the `License-Check` rule. If at least one security scanner is enabled, you can enable the `Vulnerability-Check` approval rule. If a license scanning job is enabled, you can enable the `License-Check` rule.
![Unconfigured Approval Rules with valid pipeline jobs](img/unconfigured_security_approval_rules_and_enabled_jobs_v13_4.png) ![Un-configured Approval Rules with valid pipeline jobs](img/unconfigured_security_approval_rules_and_enabled_jobs_v13_4.png)
For this approval group, you must set the number of approvals required to greater than zero. You For this approval group, you must set the number of approvals required to greater than zero. You
must have Maintainer or Owner [permissions](../permissions.md#project-members-permissions) must have Maintainer or Owner [permissions](../permissions.md#project-members-permissions)
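Review bot: "Un-configured" in the two image alt texts is non-standard; "Unconfigured" is the normal spelling and matches the image file names (`unconfigured_security_approval_rules_...`). Prefer adding "unconfigured" to the spelling exceptions list, which the commit message names as one of the options, over introducing a hyphen.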
...@@ -446,7 +446,7 @@ environment. ...@@ -446,7 +446,7 @@ environment.
Read how to [operate the Secure scanners in an offline environment](offline_deployments/index.md). Read how to [operate the Secure scanners in an offline environment](offline_deployments/index.md).
## Using private Maven repos ## Using private Maven repositories
If you have a private Apache Maven repository that requires login credentials, If you have a private Apache Maven repository that requires login credentials,
you can use the `MAVEN_CLI_OPTS` environment variable you can use the `MAVEN_CLI_OPTS` environment variable
......
...@@ -53,7 +53,7 @@ internally-hosted registry or provide access to the individual scanner images. ...@@ -53,7 +53,7 @@ internally-hosted registry or provide access to the individual scanner images.
You must also ensure that your app has access to common package repositories You must also ensure that your app has access to common package repositories
that are not hosted on GitLab.com, such as npm, yarn, or Ruby gems. Packages that are not hosted on GitLab.com, such as npm, yarn, or Ruby gems. Packages
from these repos can be obtained by temporarily connecting to a network or by from these repositories can be obtained by temporarily connecting to a network or by
mirroring the packages inside your own offline network. mirroring the packages inside your own offline network.
### Interacting with the vulnerabilities ### Interacting with the vulnerabilities
...@@ -132,7 +132,7 @@ a bastion, and used only for this specific project. ...@@ -132,7 +132,7 @@ a bastion, and used only for this specific project.
#### Scheduling the updates #### Scheduling the updates
By default, this project's pipeline runs only once, when the `.gitlab-ci.yml` is added to the By default, this project's pipeline runs only once, when the `.gitlab-ci.yml` is added to the
repo. To update the GitLab security scanners and signatures, it's necessary to run this pipeline repository. To update the GitLab security scanners and signatures, it's necessary to run this pipeline
regularly. GitLab provides a way to [schedule pipelines](../../../ci/pipelines/schedules.md). For regularly. GitLab provides a way to [schedule pipelines](../../../ci/pipelines/schedules.md). For
example, you can set this up to download and store the Docker images every week. example, you can set this up to download and store the Docker images every week.
......
...@@ -335,7 +335,7 @@ it via [custom environment variables](#custom-environment-variables). ...@@ -335,7 +335,7 @@ it via [custom environment variables](#custom-environment-variables).
If your private Maven repository requires login credentials, If your private Maven repository requires login credentials,
you can use the `MAVEN_CLI_OPTS` environment variable. you can use the `MAVEN_CLI_OPTS` environment variable.
Read more on [how to use private Maven repositories](../index.md#using-private-maven-repos). Read more on [how to use private Maven repositories](../index.md#using-private-maven-repositories).
### Enabling Kubesec analyzer ### Enabling Kubesec analyzer
......
...@@ -37,33 +37,33 @@ the following tables: ...@@ -37,33 +37,33 @@ the following tables:
| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | | GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example |
|--------------------------------------------------------------------------------------------------------|--------------------------|----------------------------|------------------------------------| |--------------------------------------------------------------------------------------------------------|--------------------------|----------------------------|------------------------------------|
| [security-code-scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) | **{dotted-circle}** No | N/A | N/A | | [`security-code-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) | **{dotted-circle}** No | N/A | N/A |
| [brakeman](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) | **{dotted-circle}** No | N/A | N/A | | [`brakeman`](https://gitlab.com/gitlab-org/security-products/analyzers/brakeman) | **{dotted-circle}** No | N/A | N/A |
| [sobelow](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Unknown` | | [`sobelow`](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Unknown` |
| [nodejs-scan](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) | **{check-circle}** Yes | String | `INFO`, `WARNING`, `ERROR` | | [`nodejs-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) | **{check-circle}** Yes | String | `INFO`, `WARNING`, `ERROR` |
| [flawfinder](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder) | **{check-circle}** Yes | Integer | `0`, `1`, `2`, `3`, `4`, `5` | | [`flawfinder`](https://gitlab.com/gitlab-org/security-products/analyzers/flawfinder) | **{check-circle}** Yes | Integer | `0`, `1`, `2`, `3`, `4`, `5` |
| [eslint](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Unknown` | | [`eslint`](https://gitlab.com/gitlab-org/security-products/analyzers/eslint) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Unknown` |
| [SpotBugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) | **{check-circle}** Yes | Integer | `1`, `2`, `3`, `11`, `12`, `18` | | [`SpotBugs`](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) | **{check-circle}** Yes | Integer | `1`, `2`, `3`, `11`, `12`, `18` |
| [gosec](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) | **{check-circle}** Yes | String | `HIGH`, `MEDIUM`, `LOW` | | [`gosec`](https://gitlab.com/gitlab-org/security-products/analyzers/gosec) | **{check-circle}** Yes | String | `HIGH`, `MEDIUM`, `LOW` |
| [bandit](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) | **{check-circle}** Yes | String | `HIGH`, `MEDIUM`, `LOW` | | [`bandit`](https://gitlab.com/gitlab-org/security-products/analyzers/bandit) | **{check-circle}** Yes | String | `HIGH`, `MEDIUM`, `LOW` |
| [phpcs-security-audit](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) | **{check-circle}** Yes | String | `ERROR`, `WARNING` | | [`phpcs-security-audit`](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) | **{check-circle}** Yes | String | `ERROR`, `WARNING` |
| [pmd-apex](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) | **{check-circle}** Yes | Integer | `1`, `2`, `3`, `4`, `5` | | [`pmd-apex`](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) | **{check-circle}** Yes | Integer | `1`, `2`, `3`, `4`, `5` |
| [kubesec](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec) | **{check-circle}** Yes | String | `CriticalSeverity`, `InfoSeverity` | | [`kubesec`](https://gitlab.com/gitlab-org/security-products/analyzers/kubesec) | **{check-circle}** Yes | String | `CriticalSeverity`, `InfoSeverity` |
| [secrets](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Critical` | | [`secrets`](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) | **{check-circle}** Yes | N/A | Hardcodes all severity levels to `Critical` |
## Dependency Scanning ## Dependency Scanning
| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | | GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example |
|------------------------------------------------------------------------------------------|------------------------------|----------------------------|-------------------------------------| |------------------------------------------------------------------------------------------|------------------------------|----------------------------|-------------------------------------|
| [bundler-audit](https://gitlab.com/gitlab-org/security-products/analyzers/bundler-audit) | **{check-circle}** Yes | String | `low`, `medium`, `high`, `critical` | | [`bundler-audit`](https://gitlab.com/gitlab-org/security-products/analyzers/bundler-audit) | **{check-circle}** Yes | String | `low`, `medium`, `high`, `critical` |
| [retire.js](https://gitlab.com/gitlab-org/security-products/analyzers/retire.js) | **{check-circle}** Yes | String | `low`, `medium`, `high`, `critical` | | [`retire.js`](https://gitlab.com/gitlab-org/security-products/analyzers/retire.js) | **{check-circle}** Yes | String | `low`, `medium`, `high`, `critical` |
| [gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) | **{check-circle}** Yes | CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` | | [`gemnasium`](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) | **{check-circle}** Yes | CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating | `(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
## Container Scanning ## Container Scanning
| GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example | | GitLab analyzer | Outputs severity levels? | Native severity level type | Native severity level example |
|------------------------------------------------------------------------|--------------------------|----------------------------|--------------------------------------------------------------| |------------------------------------------------------------------------|--------------------------|----------------------------|--------------------------------------------------------------|
| [klar](https://gitlab.com/gitlab-org/security-products/analyzers/klar) | **{check-circle}** Yes | String | `Negligible`, `Low`, `Medium`, `High`, `Critical`, `Defcon1` | | [`klar`](https://gitlab.com/gitlab-org/security-products/analyzers/klar) | **{check-circle}** Yes | String | `Negligible`, `Low`, `Medium`, `High`, `Critical`, `Defcon1` |
## Fuzz Testing ## Fuzz Testing
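Review bot: the backtick treatment is applied uniformly to the analyzer names here, but `SpotBugs` is a capitalized product name rather than an identifier, and its project path is lowercase `spotbugs`. Either use the path name `spotbugs` in backticks, matching the other rows, or leave "SpotBugs" as plain text and add it to the exceptions list.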
......
...@@ -186,8 +186,12 @@ Attach a block or paragraph to a list item using a list continuation (which you ...@@ -186,8 +186,12 @@ Attach a block or paragraph to a list item using a list continuation (which you
* [ ] not checked * [ ] not checked
``` ```
<!-- vale gitlab.Spelling = NO -->
#### Callout #### Callout
<!-- vale gitlab.Spelling = YES -->
```plaintext ```plaintext
// enable callout bubbles by adding `:icons: font` to the document header // enable callout bubbles by adding `:icons: font` to the document header
[,ruby] [,ruby]
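Review bot: wrapping the single heading "#### Callout" in `<!-- vale gitlab.Spelling = NO -->` / `= YES -->` is heavier than needed; "callout" is a legitimate term that appears in the comment inside the code block below as well ("enable callout bubbles"), so adding it to the spelling exceptions list (one of the options in the commit message) covers both occurrences without inline linter toggles.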
......
...@@ -222,7 +222,7 @@ If you still need to run tests during `mvn install`, add `-DskipTests=false` to ...@@ -222,7 +222,7 @@ If you still need to run tests during `mvn install`, add `-DskipTests=false` to
If you have a private Maven repository which requires login credentials, If you have a private Maven repository which requires login credentials,
you can use the `MAVEN_CLI_OPTS` environment variable. you can use the `MAVEN_CLI_OPTS` environment variable.
Read more on [how to use private Maven repositories](../../application_security/index.md#using-private-maven-repos). Read more on [how to use private Maven repositories](../../application_security/index.md#using-private-maven-repositories).
You can also use `MAVEN_CLI_OPTS` to connect to a trusted Maven repository that uses a self-signed You can also use `MAVEN_CLI_OPTS` to connect to a trusted Maven repository that uses a self-signed
or internally trusted certificate. For example: or internally trusted certificate. For example:
......
...@@ -632,7 +632,7 @@ rate limits that are not configurable, and therefore also used on GitLab.com. ...@@ -632,7 +632,7 @@ rate limits that are not configurable, and therefore also used on GitLab.com.
We use [Fluentd](https://gitlab.com/gitlab-com/runbooks/tree/master/logging/doc#fluentd) to parse our logs. Fluentd sends our logs to We use [Fluentd](https://gitlab.com/gitlab-com/runbooks/tree/master/logging/doc#fluentd) to parse our logs. Fluentd sends our logs to
[Stackdriver Logging](https://gitlab.com/gitlab-com/runbooks/tree/master/logging/doc#stackdriver) and [Cloud Pub/Sub](https://gitlab.com/gitlab-com/runbooks/tree/master/logging/doc#cloud-pubsub). [Stackdriver Logging](https://gitlab.com/gitlab-com/runbooks/tree/master/logging/doc#stackdriver) and [Cloud Pub/Sub](https://gitlab.com/gitlab-com/runbooks/tree/master/logging/doc#cloud-pubsub).
Stackdriver is used for storing logs long-term in Google Cold Storage (GCS). Cloud Pub/Sub Stackdriver is used for storing logs long-term in Google Cold Storage (GCS). Cloud Pub/Sub
is used to forward logs to an [Elastic cluster](https://gitlab.com/gitlab-com/runbooks/tree/master/logging/doc#elastic) using [pubsubbeat](https://gitlab.com/gitlab-com/runbooks/tree/master/logging/doc#pubsubbeat-vms). is used to forward logs to an [Elastic cluster](https://gitlab.com/gitlab-com/runbooks/tree/master/logging/doc#elastic) using [`pubsubbeat`](https://gitlab.com/gitlab-com/runbooks/tree/master/logging/doc#pubsubbeat-vms).
You can view more information in our runbooks such as: You can view more information in our runbooks such as:
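Review bot: the unchanged context line "Google Cold Storage (GCS)" looks like a genuine spelling error; GCS stands for Google Cloud Storage. Since this commit is a spelling pass over this paragraph anyway, fix it in the same hunk rather than leaving it for a follow-up.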
......