Merge branch 'add-warning-about-scheduled-with-dependency-scanning' into 'master'

Add warning about scheduled pipelines for Dependency Scanning See merge request gitlab-org/gitlab!35994

Merge branch 'add-warning-about-scheduled-with-dependency-scanning' into 'master'
Add warning about scheduled pipelines for Dependency Scanning See merge request gitlab-org/gitlab!35994
d6169420 · Nick Gaskill · e2e738a8 · 1a040fc7 · d6169420
Commit d6169420 authored Jul 14, 2020 by Nick Gaskill
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

doc/user/application_security/security_dashboard/index.md doc/user/application_security/security_dashboard/index.md +8 -0

No files found.
--- a/doc/user/application_security/security_dashboard/index.md
+++ b/doc/user/application_security/security_dashboard/index.md
@@ -177,6 +177,14 @@ Dashboard regardless of how often the default branch is updated.

 That way, reports are created even if no code change happens.

+CAUTION: **Warning:**
+Running Dependency Scanning from a scheduled pipeline might result in false negatives if your
+project doesn't have a lock file and isn't configured for Continuous Delivery. A lock file is a file
+that lists all transient dependencies and keeps track of their exact versions. The false negative
+can occur because the dependency version resolved during the scan might differ from the ones
+resolved when your project was built and released, in a previous pipeline. Java projects can't have
+lock files. Python projects can have lock files, but GitLab Secure tools don't support them.
+
 ## Security scans using Auto DevOps

 When using [Auto DevOps](../../../topics/autodevops/index.md), use