debian-mirror-gitlab/doc/user/application_security/configuration/index.md

---
type: reference, howto
stage: Secure
group: Static Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Security Configuration **(FREE)**

> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6. **(ULTIMATE)**
> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. **(ULTIMATE)**
> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. **(ULTIMATE)**
> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.10.

WARNING:
This feature might not be available to you. Check the **version history** note above for details.

The Security Configuration page displays what security scans are available, links to documentation and also simple enablement tools for the current project.

To view a project's security configuration, go to the project's home page,
then in the left sidebar go to **Security & Compliance > Configuration**.

For each security control the page displays:

- **Security Control:** Name, description, and a documentation link.
- **Manage:** A management option or a documentation link.

## UI redesign

> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/326926) in 14.0 for GitLab Free and Premium, behind a feature flag, disabled by default.
> - Enabled on GitLab.com for Free & Premium.
> - Recommended for production use.
> - It can be enabled or disabled for a single project.
> - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ui-redesign). **(FREE SELF)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/333109) in 14.1 for GitLab Ultimate, behind a feature flag, disabled by default.
> - Disabled on GitLab.com.
> - Not recommended for production use.
> - It can be enabled or disabled for a single project.
> - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ui-redesign-for-ultimate). **(ULTIMATE SELF)**

WARNING:
This feature might not be available to you. Check the **version history** note above for details.

The Security Configuration page has been redesigned in GitLab Free and Premium.
The same functionality exists as before, but presented in a more extensible
way.

For each security control the page displays:

- Its name, description and a documentation link.
- Whether or not it is available.
- A configuration button or a link to its configuration guide.

## Status **(ULTIMATE)**

> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.

The status of each security control is determined by the project's latest default branch
[CI pipeline](../../../ci/pipelines/index.md).
If a job with the expected security report artifact exists in the pipeline, the feature's status is
_enabled_.

If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md),
all security features are configured by default.

For SAST, click **View history** to see the `.gitlab-ci.yml` file's history.

## Manage **(ULTIMATE)**

You can configure the following security controls:

- Auto DevOps
  - Click **Enable Auto DevOps** to enable it for the current project. For more details, see [Auto DevOps](../../../topics/autodevops/index.md).
- SAST
  - Click either **Enable** or **Configure** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
- DAST Profiles
  - Click **Manage** to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).
- Secret Detection
  - Select **Configure via Merge Request** to create a merge request with the changes required to
    enable Secret Detection. For more details, see [Enable Secret Detection via an automatic merge request](../secret_detection/index.md#enable-secret-detection-via-an-automatic-merge-request).
- Dependency Scanning
  - Select **Configure via Merge Request** to create a merge request with the changes required to
    enable Dependency Scanning. For more details, see [Enable Dependency Scanning via an automatic merge request](../dependency_scanning/index.md#enable-dependency-scanning-via-an-automatic-merge-request).

## Enable or disable UI redesign **(FREE SELF)**

The Security Configuration redesign is under development, but is ready for
production use. It is deployed behind a feature flag that is **disabled by
default**.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) can enable it.

To enable it:

```ruby
# For the instance
Feature.enable(:security_configuration_redesign)
# For a single project
Feature.enable(:security_configuration_redesign, Project.find(<project id>))
```

To disable it:

```ruby
# For the instance
Feature.disable(:security_configuration_redesign)
# For a single project
Feature.disable(:security_configuration_redesign, Project.find(<project id>))
```

## Enable or disable UI redesign for Ultimate **(ULTIMATE SELF)**

The Security Configuration redesign is under development, and is not ready for
production use. It is deployed behind a feature flag that is **disabled by
default**.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) can enable it.

To enable it:

```ruby
# For the instance
Feature.enable(:security_configuration_redesign_ee)
# For a single project
Feature.enable(:security_configuration_redesign_ee, Project.find(<project id>))
```

To disable it:

```ruby
# For the instance
Feature.disable(:security_configuration_redesign_ee)
# For a single project
Feature.disable(:security_configuration_redesign_ee, Project.find(<project id>))
```
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`---`
			`type: reference, howto`
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`stage: Secure`
			`group: Static Analysis`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`---`

New upstream version 13.10.3+ds1 2021-04-17 20:07:23 +05:30			`# Security Configuration (FREE)`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 13.10.3+ds1 2021-04-17 20:07:23 +05:30			`> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6. (ULTIMATE)`
			`> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. (ULTIMATE)`
			`> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. (ULTIMATE)`
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.10.`
New upstream version 13.10.3+ds1 2021-04-17 20:07:23 +05:30
			`WARNING:`
			`This feature might not be available to you. Check the version history note above for details.`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 13.10.3+ds1 2021-04-17 20:07:23 +05:30			`The Security Configuration page displays what security scans are available, links to documentation and also simple enablement tools for the current project.`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`To view a project's security configuration, go to the project's home page,`
			`then in the left sidebar go to Security & Compliance > Configuration.`

			`For each security control the page displays:`

New upstream version 13.5.5 2021-01-03 14:25:43 +05:30			`- Security Control: Name, description, and a documentation link.`
			`- Manage: A management option or a documentation link.`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30
New upstream version 14.1.7+ds1 2021-09-30 23:02:18 +05:30			`## UI redesign`

			`> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/326926) in 14.0 for GitLab Free and Premium, behind a feature flag, disabled by default.`
			`> - Enabled on GitLab.com for Free & Premium.`
			`> - Recommended for production use.`
			`> - It can be enabled or disabled for a single project.`
			`> - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ui-redesign). (FREE SELF)`
			`> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/333109) in 14.1 for GitLab Ultimate, behind a feature flag, disabled by default.`
			`> - Disabled on GitLab.com.`
			`> - Not recommended for production use.`
			`> - It can be enabled or disabled for a single project.`
			`> - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ui-redesign-for-ultimate). (ULTIMATE SELF)`

			`WARNING:`
			`This feature might not be available to you. Check the version history note above for details.`

			`The Security Configuration page has been redesigned in GitLab Free and Premium.`
			`The same functionality exists as before, but presented in a more extensible`
			`way.`

			`For each security control the page displays:`

			`- Its name, description and a documentation link.`
			`- Whether or not it is available.`
			`- A configuration button or a link to its configuration guide.`

New upstream version 13.10.3+ds1 2021-04-17 20:07:23 +05:30			`## Status (ULTIMATE)`

			`> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.`
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30
			`The status of each security control is determined by the project's latest default branch`
			`[CI pipeline](../../../ci/pipelines/index.md).`
			`If a job with the expected security report artifact exists in the pipeline, the feature's status is`
			`_enabled_.`

New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md),`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`all security features are configured by default.`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 13.5.5 2021-01-03 14:25:43 +05:30			For SAST, click View history to see the `.gitlab-ci.yml` file's history.

New upstream version 13.10.3+ds1 2021-04-17 20:07:23 +05:30			`## Manage (ULTIMATE)`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`You can configure the following security controls:`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30
New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`- Auto DevOps`
			`- Click Enable Auto DevOps to enable it for the current project. For more details, see [Auto DevOps](../../../topics/autodevops/index.md).`
			`- SAST`
			`- Click either Enable or Configure to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).`
			`- DAST Profiles`
			`- Click Manage to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).`
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`- Secret Detection`
			`- Select Configure via Merge Request to create a merge request with the changes required to`
			`enable Secret Detection. For more details, see [Enable Secret Detection via an automatic merge request](../secret_detection/index.md#enable-secret-detection-via-an-automatic-merge-request).`
New upstream version 14.1.7+ds1 2021-09-30 23:02:18 +05:30			`- Dependency Scanning`
			`- Select Configure via Merge Request to create a merge request with the changes required to`
			`enable Dependency Scanning. For more details, see [Enable Dependency Scanning via an automatic merge request](../dependency_scanning/index.md#enable-dependency-scanning-via-an-automatic-merge-request).`

			`## Enable or disable UI redesign (FREE SELF)`

			`The Security Configuration redesign is under development, but is ready for`
			`production use. It is deployed behind a feature flag that is **disabled by`
			`default**.`
			`[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) can enable it.`

			`To enable it:`

			```ruby
			`# For the instance`
			`Feature.enable(:security_configuration_redesign)`
			`# For a single project`
			`Feature.enable(:security_configuration_redesign, Project.find(<project id>))`
			```

			`To disable it:`

			```ruby
			`# For the instance`
			`Feature.disable(:security_configuration_redesign)`
			`# For a single project`
			`Feature.disable(:security_configuration_redesign, Project.find(<project id>))`
			```

			`## Enable or disable UI redesign for Ultimate (ULTIMATE SELF)`

			`The Security Configuration redesign is under development, and is not ready for`
			`production use. It is deployed behind a feature flag that is **disabled by`
			`default**.`
			`[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) can enable it.`

			`To enable it:`

			```ruby
			`# For the instance`
			`Feature.enable(:security_configuration_redesign_ee)`
			`# For a single project`
			`Feature.enable(:security_configuration_redesign_ee, Project.find(<project id>))`
			```

			`To disable it:`

			```ruby
			`# For the instance`
			`Feature.disable(:security_configuration_redesign_ee)`
			`# For a single project`
			`Feature.disable(:security_configuration_redesign_ee, Project.find(<project id>))`
			```