debian-mirror-gitlab/doc/user/application_security/configuration/index.md

---
type: reference, howto
stage: Secure
group: Static Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Security Configuration **(FREE)**

> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in GitLab 12.6.
> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4.
> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4.
> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.10.
> - [Redesigned](https://gitlab.com/gitlab-org/gitlab/-/issues/326926) in 14.2.

The Security Configuration page lists the following for the security testing and compliance tools:

- Name, description, and a documentation link.
- Whether or not it is available.
- A configuration button or a link to its configuration guide.

The status of each security control is determined by the project's latest default branch
[CI pipeline](../../../ci/pipelines/index.md).
If a job with the expected security report artifact exists in the pipeline, the feature's status is
_enabled_.

If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md),
all security features are configured by default.

To view a project's security configuration:

1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**.

Select **Configuration history** to see the `.gitlab-ci.yml` file's history.

## Security testing

You can configure the following security controls:

- [Static Application Security Testing](../sast/index.md) (SAST)
  - Select **Enable SAST** to configure SAST for the current project.
    For more details, read [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
- [Dynamic Application Security Testing](../dast/index.md) (DAST)
  - Select **Enable DAST** to configure DAST for the current project.
  - Select **Manage scans** to manage the saved DAST scans, site profiles, and scanner profiles.
    For more details, read [DAST on-demand scans](../dast/index.md#on-demand-scans).
- [Dependency Scanning](../dependency_scanning/index.md)
  - Select **Configure with a merge request** to create a merge request with the changes required to
    enable Dependency Scanning. For more details, see [Enable Dependency Scanning via an automatic merge request](../dependency_scanning/index.md#enable-dependency-scanning-via-an-automatic-merge-request).
- [Container Scanning](../container_scanning/index.md)
  - Can be configured with `.gitlab-ci.yml`. For more details, read [Container Scanning](../../../user/application_security/container_scanning/index.md#configuration).
- [Cluster Image Scanning](../cluster_image_scanning/index.md)
  - Can be configured with `.gitlab-ci.yml`. For more details, read [Cluster Image Scanning](../../../user/application_security/cluster_image_scanning/#configuration).
- [Secret Detection](../secret_detection/index.md)
  - Select **Configure with a merge request** to create a merge request with the changes required to
    enable Secret Detection. For more details, read [Enable Secret Detection via an automatic merge request](../secret_detection/index.md#enable-secret-detection-via-an-automatic-merge-request).
- [API Fuzzing](../api_fuzzing/index.md)
  - Select **Enable API Fuzzing** to use API Fuzzing for the current project. For more details, read [API Fuzzing](../../../user/application_security/api_fuzzing/index.md#enable-web-api-fuzzing).
- [Coverage Fuzzing](../coverage_fuzzing/index.md)
  - Can be configured with `.gitlab-ci.yml`. For more details, read [Coverage Fuzzing](../../../user/application_security/coverage_fuzzing/index.md#configuration).

## Compliance **(ULTIMATE)**

You can configure the following security controls:

- [License Compliance](../../../user/compliance/license_compliance/index.md)
  - Can be configured with `.gitlab-ci.yml`. For more details, read [License Compliance](../../../user/compliance/license_compliance/index.md#configuration).
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`---`
			`type: reference, howto`
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`stage: Secure`
			`group: Static Analysis`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`---`

New upstream version 13.10.3+ds1 2021-04-17 20:07:23 +05:30			`# Security Configuration (FREE)`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in GitLab 12.6.`
			`> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4.`
			`> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4.`
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.10.`
New upstream version 14.2.5+ds1 2021-10-27 15:23:28 +05:30			`> - [Redesigned](https://gitlab.com/gitlab-org/gitlab/-/issues/326926) in 14.2.`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`The Security Configuration page lists the following for the security testing and compliance tools:`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`- Name, description, and a documentation link.`
New upstream version 14.2.5+ds1 2021-10-27 15:23:28 +05:30			`- Whether or not it is available.`
			`- A configuration button or a link to its configuration guide.`
New upstream version 14.1.7+ds1 2021-09-30 23:02:18 +05:30
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`The status of each security control is determined by the project's latest default branch`
			`[CI pipeline](../../../ci/pipelines/index.md).`
			`If a job with the expected security report artifact exists in the pipeline, the feature's status is`
			`_enabled_.`

			`If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md),`
			`all security features are configured by default.`

			`To view a project's security configuration:`

			`1. On the top bar, select Menu > Projects and find your project.`
			`1. On the left sidebar, select Security & Compliance > Configuration.`

			Select Configuration history to see the `.gitlab-ci.yml` file's history.

New upstream version 14.2.5+ds1 2021-10-27 15:23:28 +05:30			`## Security testing`
New upstream version 14.1.7+ds1 2021-09-30 23:02:18 +05:30
New upstream version 14.2.5+ds1 2021-10-27 15:23:28 +05:30			`You can configure the following security controls:`
New upstream version 14.1.7+ds1 2021-09-30 23:02:18 +05:30
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`- [Static Application Security Testing](../sast/index.md) (SAST)`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`- Select Enable SAST to configure SAST for the current project.`
			`For more details, read [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).`
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`- [Dynamic Application Security Testing](../dast/index.md) (DAST)`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`- Select Enable DAST to configure DAST for the current project.`
			`- Select Manage scans to manage the saved DAST scans, site profiles, and scanner profiles.`
			`For more details, read [DAST on-demand scans](../dast/index.md#on-demand-scans).`
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`- [Dependency Scanning](../dependency_scanning/index.md)`
New upstream version 14.6.3+ds1 2022-01-26 12:08:38 +05:30			`- Select Configure with a merge request to create a merge request with the changes required to`
New upstream version 14.2.5+ds1 2021-10-27 15:23:28 +05:30			`enable Dependency Scanning. For more details, see [Enable Dependency Scanning via an automatic merge request](../dependency_scanning/index.md#enable-dependency-scanning-via-an-automatic-merge-request).`
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`- [Container Scanning](../container_scanning/index.md)`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			- Can be configured with `.gitlab-ci.yml`. For more details, read [Container Scanning](../../../user/application_security/container_scanning/index.md#configuration).
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`- [Cluster Image Scanning](../cluster_image_scanning/index.md)`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			- Can be configured with `.gitlab-ci.yml`. For more details, read [Cluster Image Scanning](../../../user/application_security/cluster_image_scanning/#configuration).
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`- [Secret Detection](../secret_detection/index.md)`
New upstream version 14.6.3+ds1 2022-01-26 12:08:38 +05:30			`- Select Configure with a merge request to create a merge request with the changes required to`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`enable Secret Detection. For more details, read [Enable Secret Detection via an automatic merge request](../secret_detection/index.md#enable-secret-detection-via-an-automatic-merge-request).`
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`- [API Fuzzing](../api_fuzzing/index.md)`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`- Select Enable API Fuzzing to use API Fuzzing for the current project. For more details, read [API Fuzzing](../../../user/application_security/api_fuzzing/index.md#enable-web-api-fuzzing).`
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`- [Coverage Fuzzing](../coverage_fuzzing/index.md)`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			- Can be configured with `.gitlab-ci.yml`. For more details, read [Coverage Fuzzing](../../../user/application_security/coverage_fuzzing/index.md#configuration).
New upstream version 13.5.5 2021-01-03 14:25:43 +05:30
New upstream version 14.2.5+ds1 2021-10-27 15:23:28 +05:30			`## Compliance (ULTIMATE)`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`You can configure the following security controls:`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30
New upstream version 14.5.2+ds1 2021-12-11 22:18:48 +05:30			`- [License Compliance](../../../user/compliance/license_compliance/index.md)`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			- Can be configured with `.gitlab-ci.yml`. For more details, read [License Compliance](../../../user/compliance/license_compliance/index.md#configuration).