debian-mirror-gitlab/doc/user/application_security/get-started-security.md
2022-08-27 11:52:29 +05:30


---
stage: DevSecOps
group: Technical writing
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Get started with GitLab application security **(ULTIMATE)**

Complete the following steps to get the most from GitLab application security tools.

  1. Enable Secret Detection scanning for your default branch.
  2. Enable Dependency Scanning for your default branch so you can start identifying existing vulnerable packages in your codebase.
  3. Add security scans to feature branch pipelines. The same scans should be enabled as are running on your default branch. Subsequent scans will show only new vulnerabilities by comparing the feature branch to the default branch results.
  4. Let your team get comfortable with vulnerability reports and establish a vulnerability triage workflow.
  5. Consider creating labels and issue boards to help manage issues created from vulnerabilities. Issue boards allow all stakeholders to have a common view of all issues.
  6. Create a scan result policy to prevent new vulnerabilities from being merged into your default branch.
  7. Monitor the Security Dashboard trends to gauge success in remediating existing vulnerabilities and preventing the introduction of new ones.
  8. Enable other scan types such as SAST, DAST, Fuzz testing, or Container Scanning. Be sure to add the same scan types to both feature pipelines and default branch pipelines.
  9. Use Compliance Pipelines or Scan Execution Policies to enforce required scan types and ensure separation of duties between security and engineering.
  10. Consider enabling Review Apps to allow for DAST and Web API fuzzing on ephemeral test environments.
  11. Enable operational container scanning to scan container images in your production cluster for security vulnerabilities.
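The following `.gitlab-ci.yml` is an added example (not taken from the GitLab documentation) that covers steps 1, 2, 3 and 8 above by including the GitLab-maintained scanner templates; the `stages` list and the comments about pipeline behaviour are assumptions about a typical project, and the template names are the ones GitLab ships.

```yaml
# .gitlab-ci.yml (constructed example; stage names are an assumption)
stages:
  - build
  - test

include:
  # Step 1: Secret Detection scans the commits for leaked credentials.
  - template: Security/Secret-Detection.gitlab-ci.yml
  # Step 2: Dependency Scanning reports known-vulnerable packages in the
  # project's lockfiles and manifests.
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  # Step 8: add further scan types once triage is working; SAST runs on the
  # same branches as the two scans above.
  - template: Security/SAST.gitlab-ci.yml

# Step 3: the template jobs run in feature-branch pipelines as well as on
# the default branch, so the merge request security widget can compare the
# feature branch results with the default branch and show only new findings.
# No per-branch rules are needed for that; do not restrict the scan jobs to
# the default branch, or the comparison has nothing to work with.
```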