Commit 943ec334 authored by Russell Dickenson, committed by Nick Gaskill

Improve security configuration docs

parent dd2d44cb
...@@ -7,23 +7,37 @@ info: To determine the technical writer assigned to the Stage/Group associated w ...@@ -7,23 +7,37 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Security Configuration **(ULTIMATE)** # Security Configuration **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4.
> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4.
The Security Configuration page displays the configuration state of each security feature in the The Security Configuration page displays the configuration state of each security control in the
current project. The page uses the project's latest default branch [CI pipeline](../../../ci/pipelines/index.md) current project.
to determine each feature's configuration state. If a job with the expected security report artifact
exists in the pipeline, the feature is considered enabled.
You can only enable SAST from the Security Configuration page. Documentation links are included for To view a project's security configuration, go to the project's home page,
the other features. For details about configuring SAST, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui). then in the left sidebar, go to **Security & Compliance** > **Configuration**.
## Status
For each security control, the page displays the status and either a management option or a
documentation link.
The status of each security control is determined by the project's latest default branch
[CI pipeline](../../../ci/pipelines/index.md).
If a job with the expected security report artifact exists in the pipeline, the feature's status is
_enabled_.
NOTE: **Note:** NOTE: **Note:**
If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md), If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md),
all security features are configured by default. all security features are configured by default.
## View Security Configuration ## Manage
To view a project's security configuration: You can configure the following security controls:
1. Go to the project's home page. - Auto DevOps
1. In the left sidebar, go to **Security & Compliance** > **Configuration**. - Click **Enable Auto DevOps** to enable it for the current project. For more details, see [Auto DevOps](../../../topics/autodevops/index.md).
- SAST
- Click either **Enable** or **Configure** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
- DAST Profiles
- Click **Manage** to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).
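Review bot: the new text alternates between "security control" and "security feature" in the same section ("configuration state of each security control", then "the feature's status is _enabled_" and "all security features are configured by default"); pick one term, since the new Status and Manage headings describe these items as controls. In the Manage list, "Click **Manage** to manage the available DAST profiles" repeats itself; something like "Click **Manage** to create, edit, or delete the DAST profiles used for on-demand scans" would state what the page behind the button does and match the Create, Edit and Delete procedures added further down in this commit.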
...@@ -367,7 +367,7 @@ dast: ...@@ -367,7 +367,7 @@ dast:
DAST_API_SPECIFICATION: api-specification.yml DAST_API_SPECIFICATION: api-specification.yml
``` ```
#### Full scan #### Full API scan
API scans support full scanning, which can be enabled by using the `DAST_FULL_SCAN_ENABLED` API scans support full scanning, which can be enabled by using the `DAST_FULL_SCAN_ENABLED`
environment variable. Domain validation is not supported for full API scans. environment variable. Domain validation is not supported for full API scans.
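Review bot: renaming the heading from "Full scan" to "Full API scan" changes its generated anchor, so any link to the old `#full-scan` anchor in this document or in other pages will break; search the docs for the old anchor and update it. The paragraph itself is unchanged and only names `DAST_FULL_SCAN_ENABLED`; a one-line `variables:` example setting it, in the same style as the `DAST_API_SPECIFICATION: api-specification.yml` example directly above, would show the reader exactly where it goes.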
...@@ -622,9 +622,10 @@ project dashboard. ...@@ -622,9 +622,10 @@ project dashboard.
### Site profile ### Site profile
An on-demand scan requires a site profile, which includes a profile name and target URL. The profile An on-demand scan requires a site profile, which includes:
name allows you to describe the site to be scanned. The target URL specifies the URL against which
the DAST scan is run. - **Profile name**: A name you assign to the site to be scanned.
- **Target URL**: The URL against which the DAST scan runs.
### Run an on-demand scan ### Run an on-demand scan
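Review bot: the **Profile name** definition should state that the name must be unique, since the "Create a site profile" steps later in this commit require "a unique **Profile name**"; as written, the list reads as if any descriptive name is accepted. The bulleted definitions are otherwise a clear improvement over the run-on sentence they replace.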
...@@ -636,23 +637,31 @@ Running an on-demand scan requires an existing site profile. If a site profile f ...@@ -636,23 +637,31 @@ Running an on-demand scan requires an existing site profile. If a site profile f
doesn't exist, first [create a site profile](#create-a-site-profile). An on-demand DAST scan has doesn't exist, first [create a site profile](#create-a-site-profile). An on-demand DAST scan has
a fixed timeout of 60 seconds. a fixed timeout of 60 seconds.
- Navigate to your project's home page, then click **On-demand Scans** in the left sidebar. - From your project's home page, go to **Security & Compliance > On-demand Scans** in the left sidebar.
- Click **Create new DAST scan**. - Click **Create new DAST scan**.
- Select a site profile from the profiles dropdown. - Select a site profile from the profiles dropdown.
- Click **Run scan**. - Click **Run scan**.
#### Create a site profile #### Create a site profile
- Navigate to your project's home page, then click **On-demand Scans** in the left sidebar. - From your project's home page, go to **Security & Compliance > Configuration** in the left sidebar.
- Click **Create new DAST scan**. - Click **Manage** in the **DAST Profiles** row.
- Click **New Site Profile**. - Click **New Profile > Site Profile**.
- Type in a unique **Profile name** and **Target URL** then click **Save profile**. - Type in a unique **Profile name** and **Target URL** then click **Save profile**.
#### Edit a site profile
- From your project's home page, go to **Security & Compliance > Configuration** in the left sidebar.
- Click **Manage** in the **DAST Profiles** row.
- Click **Edit** in the row of the profile to edit.
- Edit the **Profile name** and **Target URL** then click **Save profile**.
#### Delete a site profile #### Delete a site profile
- Navigate to your project's home page, then click **On-demand Scans** in the left sidebar. - From your project's home page, go to **Security & Compliance > Configuration** in the left sidebar.
- Click **Create new DAST scan**. - Click **Manage** in the **DAST Profiles** row.
- Click **Delete** in the matching site profile's row. - Click **{remove}** in the row of the profile to delete.
- Click **Delete**.
### Enable or disable On-demand Scans ### Enable or disable On-demand Scans
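Review bot: the Run, Create, Edit and Delete procedures are ordered steps but are written as `-` bullets, whereas the "View Security Configuration" procedure this commit removes used a numbered list ("1. Go to the project's home page."); switch these four lists to `1.` steps so the order is explicit and the style matches the rest of the page. In the Delete procedure, "Click **{remove}** in the row of the profile to delete." is followed by "Click **Delete**." with no indication of where the second button appears; if it is a confirmation prompt, say so, so the reader does not look for a second button in the profile row. The new "Edit a site profile" section is a welcome addition, since the Manage row in the first hunk otherwise promises editing that the page never described.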
...@@ -665,8 +674,6 @@ feature flag enabled. ...@@ -665,8 +674,6 @@ feature flag enabled.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) [GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
can disable or enable the feature flags. can disable or enable the feature flags.
#### Enable or disable On-demand Scans
To disable On-demand Scans: To disable On-demand Scans:
```ruby ```ruby
......
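Review bot: removing the `#### Enable or disable On-demand Scans` heading is correct, as it duplicated the `### Enable or disable On-demand Scans` heading directly above it and introduced no content of its own, but a duplicated heading still had its own generated anchor; check that nothing links to it before merging. The surrounding context ("can disable or enable the feature flags", "To disable On-demand Scans:") still reads correctly without the sub-heading.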