debian-mirror-gitlab/doc/user/application_security/configuration/index.md

85 lines
5.6 KiB
Markdown
Raw Normal View History

2020-01-01 13:55:28 +05:30
---
type: reference, howto
2020-06-23 00:09:42 +05:30
stage: Secure
group: Static Analysis
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2020-01-01 13:55:28 +05:30
---
2021-04-17 20:07:23 +05:30
# Security Configuration **(FREE)**
2020-01-01 13:55:28 +05:30
2021-12-11 22:18:48 +05:30
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in GitLab 12.6.
> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4.
> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4.
2021-06-08 01:23:25 +05:30
> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.10.
2021-10-27 15:23:28 +05:30
> - [Redesigned](https://gitlab.com/gitlab-org/gitlab/-/issues/326926) in 14.2.
2020-01-01 13:55:28 +05:30
2021-11-11 11:23:49 +05:30
The Security Configuration page lists the following for the security testing and compliance tools:
2020-01-01 13:55:28 +05:30
2021-11-11 11:23:49 +05:30
- Name, description, and a documentation link.
2021-10-27 15:23:28 +05:30
- Whether or not it is available.
- A configuration button or a link to its configuration guide.
2021-09-30 23:02:18 +05:30
2022-11-25 23:54:43 +05:30
To determine the status of each security control, GitLab checks for a [CI/CD pipeline](../../../ci/pipelines/index.md)
in the most recent commit on the default branch.
2021-11-11 11:23:49 +05:30
2022-11-25 23:54:43 +05:30
If GitLab finds a CI/CD pipeline, then it inspects each job in the `.gitlab-ci.yml` file.
- If a job defines an [`artifacts:reports` keyword](../../../ci/yaml/artifacts_reports.md)
for a security scanner, then GitLab considers the security scanner enabled and shows the **Enabled** status.
- If no jobs define an `artifacts:reports` keyword for a security scanner, then GitLab considers
the security scanner disabled and shows the **Not enabled** status.
If GitLab does not find a CI/CD pipeline, then it considers all security scanners disabled and shows the **Not enabled** status.
Failed pipelines and jobs are included in this process. If a scanner is configured but the job fails,
that scanner is still considered enabled. This process also determines the scanners and statuses
returned through the [API](../../../api/graphql/reference/index.md#securityscanners).
If the latest pipeline uses [Auto DevOps](../../../topics/autodevops/index.md),
2021-11-11 11:23:49 +05:30
all security features are configured by default.
To view a project's security configuration:
2022-10-11 01:57:18 +05:30
1. On the top bar, select **Main menu > Projects** and find your project.
2021-11-11 11:23:49 +05:30
1. On the left sidebar, select **Security & Compliance > Configuration**.
Select **Configuration history** to see the `.gitlab-ci.yml` file's history.
2021-10-27 15:23:28 +05:30
## Security testing
2021-09-30 23:02:18 +05:30
2021-10-27 15:23:28 +05:30
You can configure the following security controls:
2021-09-30 23:02:18 +05:30
2021-12-11 22:18:48 +05:30
- [Static Application Security Testing](../sast/index.md) (SAST)
2021-11-11 11:23:49 +05:30
- Select **Enable SAST** to configure SAST for the current project.
For more details, read [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
2021-12-11 22:18:48 +05:30
- [Dynamic Application Security Testing](../dast/index.md) (DAST)
2021-11-11 11:23:49 +05:30
- Select **Enable DAST** to configure DAST for the current project.
- Select **Manage scans** to manage the saved DAST scans, site profiles, and scanner profiles.
For more details, read [DAST on-demand scans](../dast/index.md#on-demand-scans).
2021-12-11 22:18:48 +05:30
- [Dependency Scanning](../dependency_scanning/index.md)
2022-01-26 12:08:38 +05:30
- Select **Configure with a merge request** to create a merge request with the changes required to
2021-10-27 15:23:28 +05:30
enable Dependency Scanning. For more details, see [Enable Dependency Scanning via an automatic merge request](../dependency_scanning/index.md#enable-dependency-scanning-via-an-automatic-merge-request).
2021-12-11 22:18:48 +05:30
- [Container Scanning](../container_scanning/index.md)
2022-05-07 20:08:51 +05:30
- Select **Configure with a merge request** to create a merge request with the changes required to
enable Container Scanning. For more details, see
[Enable Container Scanning through an automatic merge request](../container_scanning/index.md#enable-container-scanning-through-an-automatic-merge-request).
2022-07-23 23:45:48 +05:30
- [Operational Container Scanning](../../clusters/agent/vulnerabilities.md)
2022-08-13 15:12:31 +05:30
- Can be configured by adding a configuration block to your agent configuration. For more details, read [Operational Container Scanning](../../clusters/agent/vulnerabilities.md#enable-operational-container-scanning).
2021-12-11 22:18:48 +05:30
- [Secret Detection](../secret_detection/index.md)
2022-01-26 12:08:38 +05:30
- Select **Configure with a merge request** to create a merge request with the changes required to
2022-10-11 01:57:18 +05:30
enable Secret Detection. For more details, read [Enable Secret Detection using a merge request](../secret_detection/index.md#enable-secret-detection-using-a-merge-request).
2021-12-11 22:18:48 +05:30
- [API Fuzzing](../api_fuzzing/index.md)
2021-11-11 11:23:49 +05:30
- Select **Enable API Fuzzing** to use API Fuzzing for the current project. For more details, read [API Fuzzing](../../../user/application_security/api_fuzzing/index.md#enable-web-api-fuzzing).
2021-12-11 22:18:48 +05:30
- [Coverage Fuzzing](../coverage_fuzzing/index.md)
2022-04-04 11:22:00 +05:30
- Can be configured with `.gitlab-ci.yml`. For more details, read [Coverage Fuzzing](../../../user/application_security/coverage_fuzzing/index.md#enable-coverage-guided-fuzz-testing).
2021-01-03 14:25:43 +05:30
2021-10-27 15:23:28 +05:30
## Compliance **(ULTIMATE)**
2020-01-01 13:55:28 +05:30
2020-11-24 15:15:51 +05:30
You can configure the following security controls:
2020-07-28 23:09:34 +05:30
2021-12-11 22:18:48 +05:30
- [License Compliance](../../../user/compliance/license_compliance/index.md)
2022-04-04 11:22:00 +05:30
- Can be configured with `.gitlab-ci.yml`. For more details, read [License Compliance](../../../user/compliance/license_compliance/index.md#enable-license-compliance).
2022-05-07 20:08:51 +05:30
- [Security Training](../../../user/application_security/vulnerabilities/index.md#enable-security-training-for-vulnerabilities)
- Enable **Security training** for the current project. For more details, read [security training](../../../user/application_security/vulnerabilities/index.md#enable-security-training-for-vulnerabilities).