Commit e07ce12b authored by Marcel Amirault

Merge branch 'russell/doc-avoid-temporary-build-directories' into 'master'

Document tip to exclude temporary build files' directories

See merge request gitlab-org/gitlab!49321
parents a23bc839 a7feec2b
...@@ -331,7 +331,7 @@ variables: ...@@ -331,7 +331,7 @@ variables:
If your project requires custom build configurations, it can be preferable to avoid If your project requires custom build configurations, it can be preferable to avoid
compilation during your SAST execution and instead pass all job artifacts from an compilation during your SAST execution and instead pass all job artifacts from an
earlier stage within the pipeline. This is the current strategy when requiring earlier stage in the pipeline. This is the current strategy when requiring
a `before_script` execution to prepare your scan job. a `before_script` execution to prepare your scan job.
To pass your project's dependencies as artifacts, the dependencies must be included To pass your project's dependencies as artifacts, the dependencies must be included
...@@ -380,7 +380,10 @@ SAST can be [configured](#customizing-the-sast-settings) using environment varia ...@@ -380,7 +380,10 @@ SAST can be [configured](#customizing-the-sast-settings) using environment varia
#### Logging level #### Logging level
To control the verbosity of logs set the `SECURE_LOG_LEVEL` environment variable. Messages of this logging level or higher are output. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1.
To control the verbosity of logs, set the `SECURE_LOG_LEVEL` environment variable. Messages of this
logging level or higher are output.
From highest to lowest severity, the logging levels are: From highest to lowest severity, the logging levels are:
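Review bot: the version note is moved into a `> [Introduced](...) in GitLab 13.1.` blockquote directly under `#### Logging level`; make sure a blank line separates that blockquote from the `To control the verbosity of logs, ...` sentence that now follows it, otherwise Markdown lazy continuation pulls the whole paragraph into the quote. The split of the sentence across two lines is fine as it stays a single paragraph.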
...@@ -393,7 +396,7 @@ From highest to lowest severity, the logging levels are: ...@@ -393,7 +396,7 @@ From highest to lowest severity, the logging levels are:
#### Custom Certificate Authority #### Custom Certificate Authority
To trust a custom Certificate Authority, set the `ADDITIONAL_CA_CERT_BUNDLE` variable to the bundle To trust a custom Certificate Authority, set the `ADDITIONAL_CA_CERT_BUNDLE` variable to the bundle
of CA certs that you want to trust within the SAST environment. of CA certs that you want to trust in the SAST environment.
#### Docker images #### Docker images
...@@ -411,7 +414,7 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre ...@@ -411,7 +414,7 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre
| Environment variable | Default value | Description | | Environment variable | Default value | Description |
|-------------------------------|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------------------|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `SAST_EXCLUDED_PATHS` | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories also match patterns. | | `SAST_EXCLUDED_PATHS` | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories also match patterns. You might need to exclude temporary directories used by your build tool as these can generate false positives. |
| `SEARCH_MAX_DEPTH` | 4 | SAST searches the repository to detect the programming languages used, and selects the matching analyzers. Set the value of `SEARCH_MAX_DEPTH` to specify how many directory levels the search phase should span. After the analyzers have been selected, the _entire_ repository is analyzed. | | `SEARCH_MAX_DEPTH` | 4 | SAST searches the repository to detect the programming languages used, and selects the matching analyzers. Set the value of `SEARCH_MAX_DEPTH` to specify how many directory levels the search phase should span. After the analyzers have been selected, the _entire_ repository is analyzed. |
| `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'` | | `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'` |
| `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. | | `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. |
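Review bot: the sentence added to the `SAST_EXCLUDED_PATHS` row ("You might need to exclude temporary directories used by your build tool as these can generate false positives.") leaves out the mechanism: the row itself says the variable only excludes vulnerabilities from the output, so build output is still scanned and only the findings from it are dropped from the report. Suggest saying that explicitly and linking to the earlier guidance on passing artifacts from an earlier stage instead of compiling inside the SAST job, e.g. "Generated code in build output directories is still scanned, but findings from those paths are removed from the report." Same row: the default is rendered as `spec, test, tests, tmp` with spaces after the commas while the description calls it a comma-separated list, so state whether surrounding whitespace is trimmed. Unrelated to this change but in the same table, the `fnmatch` link in `SAST_BANDIT_EXCLUDED_PATHS` points at the Python 2 documentation.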
...@@ -458,9 +461,14 @@ analyzer containers: `DOCKER_`, `CI`, `GITLAB_`, `FF_`, `HOME`, `PWD`, `OLDPWD`, ...@@ -458,9 +461,14 @@ analyzer containers: `DOCKER_`, `CI`, `GITLAB_`, `FF_`, `HOME`, `PWD`, `OLDPWD`,
### Experimental features ### Experimental features
Receive early access to experimental features. You can receive early access to experimental features. Experimental features might be added,
removed, or promoted to regular features at any time.
Experimental features available are:
- Enable scanning of iOS and Android apps using the [MobSF analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/).
Currently, this enables scanning of iOS and Android apps via the [MobSF analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/). #### Enable experimental features
To enable experimental features, add the following to your `.gitlab-ci.yml` file: To enable experimental features, add the following to your `.gitlab-ci.yml` file:
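Review bot: the new list under `Experimental features available are:` phrases its only item as an instruction (`- Enable scanning of iOS and Android apps using the [MobSF analyzer](...)`) while the lead-in promises a list of features; reword it as a noun phrase, e.g. `- Scanning of iOS and Android apps with the [MobSF analyzer](...)`. The added `#### Enable experimental features` heading is a good split, since the stability sentence ("might be added, removed, or promoted to regular features at any time") now sits with the feature list rather than with the configuration steps.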
...@@ -572,7 +580,7 @@ Once a vulnerability is found, you can interact with it. Read more on how to ...@@ -572,7 +580,7 @@ Once a vulnerability is found, you can interact with it. Read more on how to
## Vulnerabilities database ## Vulnerabilities database
Vulnerabilities contained within the vulnerability database can be searched Vulnerabilities contained in the vulnerability database can be searched
and viewed at the [GitLab vulnerability advisory database](https://advisories.gitlab.com). and viewed at the [GitLab vulnerability advisory database](https://advisories.gitlab.com).
### Vulnerabilities database update ### Vulnerabilities database update