authorGitLab Bot <gitlab-bot@gitlab.com>2024-01-19 09:08:56 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2024-01-19 09:08:56 +0300
commit3ca9052426b4646d28d3862f9c90f1c84910857d (patch)
tree9ca6c62823385caedf78010a1de43391f4a2c2b2
parent5d3fb47a057b7a2bfc03676d3fdeaa9138424c2f (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--app/views/shared/_clone_panel.html.haml2
-rw-r--r--db/docs/board_group_recent_visits.yml13
-rw-r--r--db/docs/board_project_recent_visits.yml13
-rw-r--r--db/docs/custom_emoji.yml10
-rw-r--r--db/docs/customer_relations_organizations.yml13
-rw-r--r--db/docs/design_management_designs.yml13
-rw-r--r--db/docs/design_management_repositories.yml12
-rw-r--r--db/docs/issues.yml2
-rw-r--r--db/docs/iterations_cadences.yml13
-rw-r--r--db/docs/label_priorities.yml10
-rw-r--r--db/docs/pages_deployments.yml10
-rw-r--r--db/docs/project_pages_metadata.yml2
-rw-r--r--db/docs/timelog_categories.yml10
-rw-r--r--doc/.vale/gitlab/spelling-exceptions.txt1
-rw-r--r--doc/administration/compliance.md16
-rw-r--r--doc/administration/packages/dependency_proxy.md5
-rw-r--r--doc/api/users.md14
-rw-r--r--doc/ci/img/dsm_secret_import_1.pngbin0 -> 63596 bytes
-rw-r--r--doc/ci/img/dsm_secret_import_2.pngbin0 -> 82715 bytes
-rw-r--r--doc/ci/img/dsm_secrets.pngbin0 -> 77732 bytes
-rw-r--r--doc/ci/img/gitlab_build_result_1.pngbin0 -> 121167 bytes
-rw-r--r--doc/ci/img/gitlab_build_result_2.pngbin0 -> 90368 bytes
-rw-r--r--doc/ci/img/gitlab_build_result_3.pngbin0 -> 183867 bytes
-rw-r--r--doc/ci/secrets/fortanix_dsm_integration.md222
-rw-r--r--doc/subscriptions/gitlab_com/index.md8
-rw-r--r--doc/user/compliance/compliance_center/index.md45
-rw-r--r--gems/gitlab-secret_detection/lib/gitlab/secret_detection/scan.rb4
-rw-r--r--gems/gitlab-secret_detection/spec/lib/gitlab/secret_detection/scan_spec.rb10
28 files changed, 378 insertions, 70 deletions
diff --git a/app/views/shared/_clone_panel.html.haml b/app/views/shared/_clone_panel.html.haml
index 7dce8737eb4..878e396205c 100644
--- a/app/views/shared/_clone_panel.html.haml
+++ b/app/views/shared/_clone_panel.html.haml
@@ -5,7 +5,7 @@
%span.js-clone-dropdown-label
= enabled_protocol_button(container, enabled_protocol)
- else
- %a#clone-dropdown.input-group-text.gl-button.btn.btn-default.btn-icon.clone-dropdown-btn{ href: '#', data: { toggle: 'dropdown', testid: 'clone-dropdown' } }
+ = render Pajamas::ButtonComponent.new(href: '#', button_options: { id: 'clone-dropdown', class: 'input-group-text btn-icon clone-dropdown-btn', data: { toggle: 'dropdown', testid: 'clone-dropdown' } }) do
%span.js-clone-dropdown-label
= default_clone_protocol.upcase
= sprite_icon('chevron-down', css_class: 'gl-icon')
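Review bot: The clone dropdown toggle is still rendered as a link with `href: '#'` in the new `Pajamas::ButtonComponent.new(href: '#', ...)` line, so if the dropdown handler is not bound (JavaScript disabled or not yet loaded) activating it navigates to `#` and scrolls to the top, and assistive technology announces a link rather than a button. The removed anchor had the same problem, so the commit does not regress anything, but this migration is the natural place to fix it. If the component renders a `<button>` when `href` is omitted (hedged: I am inferring that from the `href:` parameter, not from visible code), dropping `href: '#'` and, if needed, passing `type: 'button'` in `button_options` gives the correct semantics with no other change. The enclosing template continues outside the hunk.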
diff --git a/db/docs/board_group_recent_visits.yml b/db/docs/board_group_recent_visits.yml
index 5615620567c..dce764719e5 100644
--- a/db/docs/board_group_recent_visits.yml
+++ b/db/docs/board_group_recent_visits.yml
@@ -4,7 +4,16 @@ classes:
- BoardGroupRecentVisit
feature_categories:
- team_planning
-description: The last group issue board visited by a user, used to redirect them from the default boards page
+description: The last group issue board visited by a user, used to redirect them from
+ the default boards page
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/commit/7aeab58f4861144fcc1d334907cb1b465c645001
milestone: '11.5'
-gitlab_schema: gitlab_main
+gitlab_schema: gitlab_main_cell
+allow_cross_joins:
+- gitlab_main_clusterwide
+allow_cross_transactions:
+- gitlab_main_clusterwide
+allow_cross_foreign_keys:
+- gitlab_main_clusterwide
+sharding_key:
+ group_id: namespaces
diff --git a/db/docs/board_project_recent_visits.yml b/db/docs/board_project_recent_visits.yml
index 336be808517..e2cc4813de0 100644
--- a/db/docs/board_project_recent_visits.yml
+++ b/db/docs/board_project_recent_visits.yml
@@ -4,7 +4,16 @@ classes:
- BoardProjectRecentVisit
feature_categories:
- team_planning
-description: The last project issue board visited by a user, used to redirect them from the default boards page
+description: The last project issue board visited by a user, used to redirect them
+ from the default boards page
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/commit/7aeab58f4861144fcc1d334907cb1b465c645001
milestone: '11.5'
-gitlab_schema: gitlab_main
+gitlab_schema: gitlab_main_cell
+allow_cross_joins:
+- gitlab_main_clusterwide
+allow_cross_transactions:
+- gitlab_main_clusterwide
+allow_cross_foreign_keys:
+- gitlab_main_clusterwide
+sharding_key:
+ project_id: projects
diff --git a/db/docs/custom_emoji.yml b/db/docs/custom_emoji.yml
index 2b20ea014f4..a871f1945b4 100644
--- a/db/docs/custom_emoji.yml
+++ b/db/docs/custom_emoji.yml
@@ -7,4 +7,12 @@ feature_categories:
description: Filename and name of custom emoji created by users
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/24229
milestone: '13.2'
-gitlab_schema: gitlab_main
+gitlab_schema: gitlab_main_cell
+allow_cross_joins:
+- gitlab_main_clusterwide
+allow_cross_transactions:
+- gitlab_main_clusterwide
+allow_cross_foreign_keys:
+- gitlab_main_clusterwide
+sharding_key:
+ namespace_id: namespaces
diff --git a/db/docs/customer_relations_organizations.yml b/db/docs/customer_relations_organizations.yml
index 07f9ed01ca6..3e396812a64 100644
--- a/db/docs/customer_relations_organizations.yml
+++ b/db/docs/customer_relations_organizations.yml
@@ -4,7 +4,16 @@ classes:
- CustomerRelations::Organization
feature_categories:
- team_planning
-description: Organizations, against which time can be spent by users on issues using the CRM functionality
+description: Organizations, against which time can be spent by users on issues using
+ the CRM functionality
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/67551
milestone: '14.2'
-gitlab_schema: gitlab_main
+gitlab_schema: gitlab_main_cell
+allow_cross_joins:
+- gitlab_main_clusterwide
+allow_cross_transactions:
+- gitlab_main_clusterwide
+allow_cross_foreign_keys:
+- gitlab_main_clusterwide
+sharding_key:
+ group_id: namespaces
diff --git a/db/docs/design_management_designs.yml b/db/docs/design_management_designs.yml
index ea284c8bee4..1e7591ccbd2 100644
--- a/db/docs/design_management_designs.yml
+++ b/db/docs/design_management_designs.yml
@@ -4,7 +4,16 @@ classes:
- DesignManagement::Design
feature_categories:
- design_management
-description: Information about Designs, image files under management by the Design Management tool
+description: Information about Designs, image files under management by the Design
+ Management tool
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/9801
milestone: '11.10'
-gitlab_schema: gitlab_main
+gitlab_schema: gitlab_main_cell
+allow_cross_joins:
+- gitlab_main_clusterwide
+allow_cross_transactions:
+- gitlab_main_clusterwide
+allow_cross_foreign_keys:
+- gitlab_main_clusterwide
+sharding_key:
+ project_id: projects
diff --git a/db/docs/design_management_repositories.yml b/db/docs/design_management_repositories.yml
index 61d905c2703..cd719afad51 100644
--- a/db/docs/design_management_repositories.yml
+++ b/db/docs/design_management_repositories.yml
@@ -5,6 +5,14 @@ classes:
feature_categories:
- design_management
description: Holds information about Design Management Repositories
-introduced_by_url: 'https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111555'
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111555
milestone: '15.11'
-gitlab_schema: gitlab_main \ No newline at end of file
+gitlab_schema: gitlab_main_cell
+allow_cross_joins:
+- gitlab_main_clusterwide
+allow_cross_transactions:
+- gitlab_main_clusterwide
+allow_cross_foreign_keys:
+- gitlab_main_clusterwide
+sharding_key:
+ project_id: projects
diff --git a/db/docs/issues.yml b/db/docs/issues.yml
index a7f24665677..3cd8d59a520 100644
--- a/db/docs/issues.yml
+++ b/db/docs/issues.yml
@@ -9,3 +9,5 @@ description: Information describing issues, which is also used by the WorkItem c
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/commit/9ba1224867665844b117fa037e1465bb706b3685
milestone: "<6.0"
gitlab_schema: gitlab_main_cell
+sharding_key:
+ namespace_id: namespaces
diff --git a/db/docs/iterations_cadences.yml b/db/docs/iterations_cadences.yml
index 972e577a788..46b596b303e 100644
--- a/db/docs/iterations_cadences.yml
+++ b/db/docs/iterations_cadences.yml
@@ -4,7 +4,16 @@ classes:
- Iterations::Cadence
feature_categories:
- team_planning
-description: Defines an iteration cadence for a group, used to define how iterations should act
+description: Defines an iteration cadence for a group, used to define how iterations
+ should act
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50707
milestone: '13.9'
-gitlab_schema: gitlab_main
+gitlab_schema: gitlab_main_cell
+allow_cross_joins:
+- gitlab_main_clusterwide
+allow_cross_transactions:
+- gitlab_main_clusterwide
+allow_cross_foreign_keys:
+- gitlab_main_clusterwide
+sharding_key:
+ group_id: namespaces
diff --git a/db/docs/label_priorities.yml b/db/docs/label_priorities.yml
index cdeb18d815b..dec55a2f117 100644
--- a/db/docs/label_priorities.yml
+++ b/db/docs/label_priorities.yml
@@ -7,4 +7,12 @@ feature_categories:
description: The relative priority assigned to a label within a project, if any
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/commit/297892011330ecdd2fa7cbe47fbc6fd4f3b62171
milestone: '8.14'
-gitlab_schema: gitlab_main
+gitlab_schema: gitlab_main_cell
+allow_cross_joins:
+- gitlab_main_clusterwide
+allow_cross_transactions:
+- gitlab_main_clusterwide
+allow_cross_foreign_keys:
+- gitlab_main_clusterwide
+sharding_key:
+ project_id: projects
diff --git a/db/docs/pages_deployments.yml b/db/docs/pages_deployments.yml
index f8aae63c191..c0b0c11abf5 100644
--- a/db/docs/pages_deployments.yml
+++ b/db/docs/pages_deployments.yml
@@ -7,4 +7,12 @@ feature_categories:
description: Stores ZIP archives for GitLab Pages websites.
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41785
milestone: '13.4'
-gitlab_schema: gitlab_main
+gitlab_schema: gitlab_main_cell
+allow_cross_joins:
+- gitlab_main_clusterwide
+allow_cross_transactions:
+- gitlab_main_clusterwide
+allow_cross_foreign_keys:
+- gitlab_main_clusterwide
+sharding_key:
+ project_id: projects
diff --git a/db/docs/project_pages_metadata.yml b/db/docs/project_pages_metadata.yml
index e0d70015784..3db3d0a6c96 100644
--- a/db/docs/project_pages_metadata.yml
+++ b/db/docs/project_pages_metadata.yml
@@ -8,3 +8,5 @@ description: Store GitLab Pages metadata for projects.
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/17197
milestone: '12.4'
gitlab_schema: gitlab_main_cell
+sharding_key:
+ project_id: projects
diff --git a/db/docs/timelog_categories.yml b/db/docs/timelog_categories.yml
index a8874837a35..86d20de6415 100644
--- a/db/docs/timelog_categories.yml
+++ b/db/docs/timelog_categories.yml
@@ -7,4 +7,12 @@ feature_categories:
description: Categories that can be associated to a timelog to categorize them
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87529
milestone: '15.1'
-gitlab_schema: gitlab_main
+gitlab_schema: gitlab_main_cell
+allow_cross_joins:
+- gitlab_main_clusterwide
+allow_cross_transactions:
+- gitlab_main_clusterwide
+allow_cross_foreign_keys:
+- gitlab_main_clusterwide
+sharding_key:
+ namespace_id: namespaces
diff --git a/doc/.vale/gitlab/spelling-exceptions.txt b/doc/.vale/gitlab/spelling-exceptions.txt
index b8cc7d4d890..03b4ecafd78 100644
--- a/doc/.vale/gitlab/spelling-exceptions.txt
+++ b/doc/.vale/gitlab/spelling-exceptions.txt
@@ -374,6 +374,7 @@ Flycheck
focusable
Forgerock
formatters
+Fortanix
Fortinet
FQDNs
FreshBooks
diff --git a/doc/administration/compliance.md b/doc/administration/compliance.md
index 73583856cb0..67b9e8d06a9 100644
--- a/doc/administration/compliance.md
+++ b/doc/administration/compliance.md
@@ -18,13 +18,14 @@ standards or mandates from regulatory bodies. The following features help you
define rules and policies to adhere to workflow requirements, separation of duties,
and secure supply chain best practices:
-| Feature | Instances | Groups | Projects | Description |
-|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------|:-----------------------|:-----------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [Credentials inventory](credentials_inventory.md) | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | Keep track of the credentials used by all of the users in a GitLab instance. |
-| [Granular user roles<br/>and flexible permissions](../user/permissions.md) | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Manage access and permissions with five different user roles and settings for external users. Set permissions according to people's role, rather than either read or write access to a repository. Don't share the source code with people that only need access to the issue tracker. |
-| [Merge request approvals](../user/project/merge_requests/approvals/index.md) | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Configure approvals required for merge requests. |
-| [Push rules](../user/project/repository/push_rules.md) | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Control pushes to your repositories. |
+| Feature | Instances | Groups | Projects | Description |
+|:--------------|:------------------|:--------------------|:-----------------------|:-------------------------------|
+| [Credentials inventory](credentials_inventory.md) | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | Keep track of the credentials used by all of the users in a GitLab instance. |
+| [Granular user roles<br/>and flexible permissions](../user/permissions.md) | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Manage access and permissions with five different user roles and settings for external users. Set permissions according to people's role, rather than either read or write access to a repository. Don't share the source code with people that only need access to the issue tracker. |
+| [Merge request approvals](../user/project/merge_requests/approvals/index.md) | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Configure approvals required for merge requests. |
+| [Push rules](../user/project/repository/push_rules.md) | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Control pushes to your repositories. |
| Separation of duties using<br/>[protected branches](../user/project/protected_branches.md#require-code-owner-approval-on-a-protected-branch) and<br/>[custom CI/CD configuration paths](../ci/pipelines/settings.md#specify-a-custom-cicd-configuration-file) | **{dotted-circle}** No | **{dotted-circle}** No | **{check-circle}** Yes | Leverage the GitLab cross-project YAML configurations to define deployers of code and developers of code. See how to use this setup to define these roles in the [Separation of Duties deploy project](https://gitlab.com/guided-explorations/separation-of-duties-deploy/blob/master/README.md) and the [Separation of Duties project](https://gitlab.com/guided-explorations/separation-of-duties/blob/master/README.md). |
+| [Security policies](../user/application_security/policies/index.md) | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Configure customizable policies that require merge request approval based on policy rules, or enforce security scanners to execute in project pipelines for compliance requirements. Policies can be enforced granularly against specific projects, or all projects in a group or subgroup. |
## Compliant workflow automation
@@ -40,6 +41,7 @@ compliance:
|:------------------------------------------------------------------------------------|:-----------------------|:-----------------------|:-----------------------|:-------------------------------------------------------------------------------------------|
| [Compliance frameworks](../user/group/compliance_frameworks.md) | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | Describe the type of compliance requirements projects must follow. |
| [Compliance pipelines](../user/group/compliance_frameworks.md#compliance-pipelines) | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | Define a pipeline configuration to run for any projects with a given compliance framework. |
+| [Scan result policy approval settings](../user/application_security/policies/scan-result-policies.md#approval_settings) | **{dotted-circle}** Yes | **{check-circle}** Yes | **{dotted-circle}** Yes | Enforce a scan result policy enforcing multiple approvers and override various project settings in all enforced groups or projects across your GitLab instance or group. |
## Audit management
@@ -57,7 +59,7 @@ These features can help provide visibility into GitLab and audit what is happeni
| [Audit events](audit_events.md) | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | To maintain the integrity of your code, audit events give administrators the ability to view any modifications made in the GitLab server in an advanced audit events system, so you can control, analyze, and track every change. |
| [Audit reports](audit_reports.md) | **{check-circle}** Yes | **{check-circle}** Yes | **{check-circle}** Yes | Create and access reports based on the audit events that have occurred. Use pre-built GitLab reports or the API to build your own. |
| [Auditor users](auditor_users.md) | **{check-circle}** Yes | **{dotted-circle}** No | **{dotted-circle}** No | Auditor users are users who are given read-only access to all projects, groups, and other resources on the GitLab instance. |
-| [Compliance center](../user/compliance/compliance_center/index.md) | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | Quickly get visibility into the compliance posture of your organization. |
+| [Compliance center](../user/compliance/compliance_center/index.md) | **{dotted-circle}** No | **{check-circle}** Yes | **{dotted-circle}** No | Quickly get visibility into the compliance posture of your organization through compliance standards adherence reporting and violations reports. Manage your groups compliance frameworks centrally. |
## Other compliance features
diff --git a/doc/administration/packages/dependency_proxy.md b/doc/administration/packages/dependency_proxy.md
index 8098ed2e95b..e34153e01e0 100644
--- a/doc/administration/packages/dependency_proxy.md
+++ b/doc/administration/packages/dependency_proxy.md
@@ -78,9 +78,8 @@ Follow the steps for Linux package installations for each Web and Sidekiq node.
## Turn on the Dependency Proxy
The Dependency Proxy is turned on by default, but can be turned off by an
-administrator. To turn on the Dependency Proxy, follow the instructions in
-[Turn off the Dependency Proxy](#turn-off-the-dependency-proxy),
-but set the `enabled` fields to `true`.
+administrator. To turn it off manually, follow the instructions in
+[Turn off the Dependency Proxy](#turn-off-the-dependency-proxy).
## Changing the storage path
diff --git a/doc/api/users.md b/doc/api/users.md
index cd911196f74..2908f552a9d 100644
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -1695,12 +1695,13 @@ Parameters:
## Delete email for current user
-Deletes email owned by authenticated user.
+Deletes the specified email address owned by the authenticated user. Cannot be used to delete a primary email address.
-This returns a `204 No Content` status code if the operation was successfully
-or `404` if the resource was not found.
+If the deleted email address is used for any user emails, those user emails are sent to the primary email address instead.
-This cannot delete a primary email address.
+NOTE:
+Because of [known issue](https://gitlab.com/gitlab-org/gitlab/-/issues/438600), group notifications are still sent to
+the deleted email address.
```plaintext
DELETE /user/emails/:email_id
@@ -1712,6 +1713,11 @@ Parameters:
|------------|---------|----------|-------------|
| `email_id` | integer | yes | Email ID |
+Returns:
+
+- `204 No Content` if the operation was successful.
+- `404` if the resource was not found.
+
## Delete email for given user **(FREE SELF)**
Prerequisites:
diff --git a/doc/ci/img/dsm_secret_import_1.png b/doc/ci/img/dsm_secret_import_1.png
new file mode 100644
index 00000000000..fd0b6f612f5
--- /dev/null
+++ b/doc/ci/img/dsm_secret_import_1.png
Binary files differ
diff --git a/doc/ci/img/dsm_secret_import_2.png b/doc/ci/img/dsm_secret_import_2.png
new file mode 100644
index 00000000000..b1657affcd8
--- /dev/null
+++ b/doc/ci/img/dsm_secret_import_2.png
Binary files differ
diff --git a/doc/ci/img/dsm_secrets.png b/doc/ci/img/dsm_secrets.png
new file mode 100644
index 00000000000..0c4e687e519
--- /dev/null
+++ b/doc/ci/img/dsm_secrets.png
Binary files differ
diff --git a/doc/ci/img/gitlab_build_result_1.png b/doc/ci/img/gitlab_build_result_1.png
new file mode 100644
index 00000000000..43169c5ed91
--- /dev/null
+++ b/doc/ci/img/gitlab_build_result_1.png
Binary files differ
diff --git a/doc/ci/img/gitlab_build_result_2.png b/doc/ci/img/gitlab_build_result_2.png
new file mode 100644
index 00000000000..5bc34740be8
--- /dev/null
+++ b/doc/ci/img/gitlab_build_result_2.png
Binary files differ
diff --git a/doc/ci/img/gitlab_build_result_3.png b/doc/ci/img/gitlab_build_result_3.png
new file mode 100644
index 00000000000..3c3727ef9ce
--- /dev/null
+++ b/doc/ci/img/gitlab_build_result_3.png
Binary files differ
diff --git a/doc/ci/secrets/fortanix_dsm_integration.md b/doc/ci/secrets/fortanix_dsm_integration.md
new file mode 100644
index 00000000000..06758510196
--- /dev/null
+++ b/doc/ci/secrets/fortanix_dsm_integration.md
@@ -0,0 +1,222 @@
+---
+stage: Verify
+group: Pipeline Security
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+type: concepts, howto
+---
+
+# Tutorial: Use Fortanix Data Security Manager (DSM) with GitLab
+
+You can use Fortanix Data Security Manager (DSM) as your secrets manager for GitLab CI/CD pipelines.
+
+This tutorial explains the steps required to generate new secrets in Fortanix DSM, or use existing secrets,
+and use them in GitLab CI/CD jobs. Follow the instructions carefully, to implement this integration,
+enhancing data security and optimizing your CI/CD pipelines.
+
+## Before you begin
+
+Ensure that you have:
+
+- Access to a Fortanix DSM account with appropriate administrative privileges. For more information, refer to [Getting Started with Fortanix Data Security Manager](https://www.fortanix.com/start-your-free-trial).
+- A [GitLab account](https://gitlab.com/users/sign_up) with access to the project where you intend to set up the integration.
+- Knowledge about the process of saving secrets in Fortanix DSM, including generating and importing secrets.
+- Access to necessary permissions in Fortanix DSM and GitLab for group, application, plugin, variable, and secret management.
+
+## Generate and import a new secret
+
+To generate a new secret in Fortanix DSM and use it with GitLab:
+
+1. Log in to your Fortanix DSM account.
+1. In Fortanix DSM, [create a new group and an application](https://support.fortanix.com/hc/en-us/articles/360015809372-User-s-Guide-Getting-Started-with-Fortanix-Data-Security-Manager-UI).
+1. Configure the [API Key as the authentication method for the application](https://support.fortanix.com/hc/en-us/articles/360033272171-User-s-Guide-Authentication).
+1. Use the following code to generate a new plugin in Fortanix DSM:
+
+ ```lua
+ numericAlphabet = "0123456789"
+ alphanumericAlphabet = numericAlphabet .. "abcdefghijklmnopqrstuvwxyz"
+ alphanumericCapsAlphabet = alphanumericAlphabet .. "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ alphanumericCapsSymbolsAlphabets = alphanumericCapsAlphabet .. "!@#$&*_%="
+
+ function genPass(alphabet, len, name, import)
+ local alphabetSize = #alphabet
+ local password = ''
+
+ for i = 1, len, 1 do
+ local random_char = math.random(alphabetSize)
+ password = password .. string.sub(alphabet, random_char, random_char)
+ end
+
+ local pass = Blob.from_bytes(password)
+
+ if import == "yes" then
+ local sobject = assert(Sobject.import { name = name, obj_type = "SECRET", value = pass, key_ops = {'APPMANAGEABLE', 'EXPORT'} })
+ return password
+ end
+
+ return password;
+ end
+
+ function run(input)
+ if input.type == "numeric" then
+ return genPass(numericAlphabet, input.length, input.name, input.import)
+ end
+
+ if input.type == "alphanumeric" then
+ return genPass(alphanumericAlphabet, input.length, input.name, input.import)
+ end
+
+ if input.type == "alphanumeric_caps" then
+ return genPass(alphanumericCapsAlphabet, input.length, input.name, input.import)
+ end
+
+ if input.type == "alphanumeric_caps_symbols" then
+ return genPass(alphanumericCapsSymbolsAlphabets, input.length, input.name, input.import)
+ end
+ end
+ ```
+
+ For more information, see the [Fortanix user's Guide: Plugin Library](https://support.fortanix.com/hc/en-us/articles/360041950371-User-s-Guide-Plugin-Library).
+
+ - Set the import option to `yes` if you want to store the secret in Fortanix DSM:
+
+ ```json
+ {
+ "type": "alphanumeric_caps",
+ "length": 64,
+ "name": "GitLab-Secret",
+ "import": "yes"
+ }
+ ```
+
+ - Set the import option to `no` if you only want a new value generated for rotation:
+
+ ```json
+ {
+ "type": "numeric",
+ "length": 64,
+ "name": "GitLab-Secret",
+ "import": "no"
+ }
+ ```
+
+1. In GitLab, go to your project.
+1. Go to **Settings > CI/CD > Variables**, and add these variables:
+ - `FORTANIX_API_ENDPOINT`
+ - `FORTANIX_API_KEY`
+ - `FORTANIX_PLUGIN_ID`
+
+1. Create or edit the `.gitlab-ci.yml` configuration file in your project to use the integration:
+
+ ```yaml
+ stages:
+ - build
+
+ build:
+ stage: build
+ image: ubuntu
+ script:
+ - apt-get update
+ - apt install --assume-yes jq
+ - apt install --assume-yes curl
+ - jq --version
+ - curl --version
+ - secret=$(curl --silent --request POST --header "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/sys/v1/plugins/${FORTANIX_PLUGIN_ID} --data "{\"type\":\"alphanumeric_caps\", \"name\":\"$CI_PIPELINE_ID\",\"import\":\"yes\", \"length\":\"48\"}" | jq --raw-output)
+ - nsecret=$(curl --silent --request POST --header "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/sys/v1/plugins/${FORTANIX_PLUGIN_ID} --data "{\"type\":\"alphanumeric_caps\", \"import\":\"no\", \"length\":\"48\"}" | jq --raw-output)
+ - encodesecret=$(echo $nsecret | base64)
+ - rotate=$(curl --silent --request POST --header "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/crypto/v1/keys/rekey --data "{\"name\":\"$CI_PIPELINE_ID\", \"value\":\"$encodesecret\"}" | jq --raw-output .kid)
+ ```
+
+1. The pipeline should run automatically after saving the `.gitlab-ci.yml` file.
+ If not, select **Build > Pipelines > Run pipeline**.
+1. Go to **Build > Jobs** and check the `build` job's log:
+
+ - ![gitlab_build_result_1](../img/gitlab_build_result_1.png)
+
+![dsm_secrets](../img/dsm_secrets.png)
+
+## Use an existing secret from Fortanix DSM
+
+To use a secret that already exists in Fortanix DSM with GitLab:
+
+1. The secret must be marked as exportable in Fortanix:
+
+ ![dsm_secret_import_1](../img/dsm_secret_import_1.png)
+
+1. In GitLab, go to your project.
+1. Go to **Settings > CI/CD > Variables**, and add these variables:
+ - `FORTANIX_API_ENDPOINT`
+ - `FORTANIX_API_KEY`
+ - `FORTANIX_PLUGIN_ID`
+
+1. Create or edit the `.gitlab-ci.yml` configuration file in your project to use the integration:
+
+ ```yaml
+ stages:
+ - build
+
+ build:
+ stage: build
+ image: ubuntu
+ script:
+ - apt-get update
+ - apt install --assume-yes jq
+ - apt install --assume-yes curl
+ - jq --version
+ - curl --version
+ - secret=$(curl --silent --request POST --header "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/crypto/v1/keys/export --data "{\"name\":\"${FORTANIX_SECRET_NAME}\"}" | jq --raw-output .value)
+ ```
+
+1. The pipeline should run automatically after saving the `.gitlab-ci.yml` file.
+ If not, select **Build > Pipelines > Run pipeline**.
+1. Go to **Build > Jobs** and check the `build` job's log:
+
+ - ![gitlab_build_result_2](../img/gitlab_build_result_2.png)
+
+## Code Signing
+
+To set up code signing securely in your GitLab environment:
+
+1. Log in to your Fortanix DSM account.
+1. Import `keystore_password` and `key_password` as secrets in Fortanix DSM. Ensure that they are marked as exportable.
+
+ ![dsm_secret_import_2](../img/dsm_secret_import_2.png)
+
+1. In GitLab, go to your project.
+1. Go to **Settings > CI/CD > Variables**, and add these variables:
+ - `FORTANIX_API_ENDPOINT`
+ - `FORTANIX_API_KEY`
+ - `FORTANIX_SECRET_NAME_1` (for `keystore_password`)
+ - `FORTANIX_SECRET_NAME_2` (for `key_password`)
+
+1. Create or edit the `.gitlab-ci.yml` configuration file in your project to use the integration:
+
+ ```yaml
+ stages:
+ - build
+
+ build:
+ stage: build
+ image: ubuntu
+ script:
+ - apt-get update -qy
+ - apt install --assume-yes jq
+ - apt install --assume-yes curl
+ - apt-get install wget
+ - apt-get install unzip
+ - apt-get install --assume-yes openjdk-8-jre-headless openjdk-8-jdk # Install Java
+ - keystore_password=$(curl --silent --request POST --header "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/crypto/v1/keys/export --data "{\"name\":\"${FORTANIX_SECRET_NAME_1}\"}" | jq --raw-output .value)
+ - key_password=$(curl --silent --request POST --header "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/crypto/v1/keys/export --data "{\"name\":\"${FORTANIX_SECRET_NAME_2}\"}" | jq --raw-output .value)
+ - echo "yes" | keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore keystore.jks -storepass $keystore_password -keypass $key_password -dname "CN=test"
+ - mkdir -p src/main/java
+ - echo 'public class HelloWorld { public static void main(String[] args) { System.out.println("Hello, World!"); } }' > src/main/java/HelloWorld.java
+ - javac src/main/java/HelloWorld.java
+ - mkdir -p target
+ - jar cfe target/HelloWorld.jar HelloWorld -C src/main/java HelloWorld.class
+ - jarsigner -keystore keystore.jks -storepass $keystore_password -keypass $key_password -signedjar signed.jar target/HelloWorld.jar mykey
+ ```
+
+1. The pipeline should run automatically after saving the `.gitlab-ci.yml` file.
+ If not, select **Build > Pipelines > Run pipeline**.
+1. Go to **Build > Jobs** and check the `build` job's log:
+
+ - ![gitlab_build_result_3](../img/gitlab_build_result_3.png)
diff --git a/doc/subscriptions/gitlab_com/index.md b/doc/subscriptions/gitlab_com/index.md
index ff9d103461e..f5505cb3945 100644
--- a/doc/subscriptions/gitlab_com/index.md
+++ b/doc/subscriptions/gitlab_com/index.md
@@ -64,10 +64,6 @@ The following information is displayed:
## How seat usage is determined
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/216899) in GitLab 13.5.
-> - [Updated](https://gitlab.com/gitlab-org/gitlab/-/issues/292086) in GitLab 13.8 to include public
- email address.
-
A GitLab SaaS subscription uses a concurrent (_seat_) model. You pay for a
subscription according to the maximum number of users assigned to the top-level group or its children during the billing period. You can
add and remove users during the subscription period without incurring additional charges, as long as the total users
@@ -124,8 +120,6 @@ a difference between the information in the **Usage Quotas** page and the **Bill
### Search seat usage
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/262875) in GitLab 13.8.
-
To search users in the **Seat usage** page, enter a string in the search field. A minimum of 3
characters are required.
@@ -232,7 +226,7 @@ After you dismiss the alert, it doesn't display until another seat is used.
The alert displays based on the following seat usage. You cannot configure the
amounts at which the alert displays.
-| Seats in subscription | Seat usage |
+| Seats in subscription | Alert displays when |
|-----------------------|----------------------|
| 0-15 | One seat remains. |
| 16-25 | Two seats remain. |
diff --git a/doc/user/compliance/compliance_center/index.md b/doc/user/compliance/compliance_center/index.md
index da65cc9ef6e..fd48f5b6080 100644
--- a/doc/user/compliance/compliance_center/index.md
+++ b/doc/user/compliance/compliance_center/index.md
@@ -8,33 +8,33 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> [Renamed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/122931) from Compliance report in GitLab 16.3.
-See report and manage standards adherence, violations, and compliance frameworks for the group
+The compliance center is the central location for compliance teams to manage their compliance standards adherence reporting, violations reporting, and compliance frameworks for their group.
-## Standards adherence dashboard
+## Compliance standards adherence dashboard
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125875) GraphQL APIs in GitLab 16.2 [with a flag](../../../administration/feature_flags.md) named `compliance_adherence_report`. Disabled by default.
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125444) standards adherence dashboard in GitLab 16.3 [with a flag](../../../administration/feature_flags.md) named `adherence_report_ui`. Disabled by default.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125444) compliance standards adherence dashboard in GitLab 16.3 [with a flag](../../../administration/feature_flags.md) named `adherence_report_ui`. Disabled by default.
> - [Enabled](https://gitlab.com/gitlab-org/gitlab/-/issues/414495) in GitLab 16.5.
> - [Feature flag `compliance_adherence_report` and `adherence_report_ui`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137398) removed in GitLab 16.7.
> - Standards adherence filtering [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/413734) in GitLab 16.7.
-Standards adherence dashboard lists the adherence status of projects complying to GitLab standard.
+The compliance standards adherence dashboard lists the adherence status of projects complying to the _GitLab standard_.
When a project is added or an associated project or group setting is changed, an adherence scan is run on that project to update the standards adherence for that project. The date in the
**Last Scanned** column reflects any changes.
-### View the standards adherence dashboard
+### View the compliance standards adherence dashboard
Prerequisites:
- You must be an administrator or have the Owner role for the group.
-To view the standards adherence dashboard for a group:
+To view the compliance standards adherence dashboard for a group:
1. On the left sidebar, select **Search or go to** and find your group.
1. Select **Secure > Compliance center**.
-You can filter the standards adherence dashboard on:
+You can filter the compliance standards adherence dashboard on:
- The project that the check was performed on.
- The type of check that was performed on a project.
@@ -42,7 +42,7 @@ You can filter the standards adherence dashboard on:
### GitLab standard
-GitLab standard consists of three rules:
+The GitLab standard consists of three rules:
- Prevent authors as approvers.
- Prevent committers as approvers.
@@ -50,7 +50,7 @@ GitLab standard consists of three rules:
#### Prevent authors as approvers
-To comply with GitLab standard, you must prevent users from approving their own merge requests. For more information,
+To comply with the GitLab standard, you must prevent users from approving their own merge requests. For more information,
see [Prevent approval by author](../../project/merge_requests/approvals/settings.md#prevent-approval-by-author).
On self-managed GitLab, when instance-level setting for [prevent approval by author](../../../administration/merge_requests_approvals.md)
@@ -59,7 +59,7 @@ To update the adherence status for these projects, the group-level or the projec
#### Prevent committers as approvers
-To comply with GitLab standard, you must prevent users from approving merge requests where they've added commits. For
+To comply with the GitLab standard, you must prevent users from approving merge requests where they've added commits. For
more information, see [Prevent approvals by users who add commits](../../project/merge_requests/approvals/settings.md#prevent-approvals-by-users-who-add-commits).
On self-managed GitLab, when instance-level setting for [prevent approvals by users who add commits](../../../administration/merge_requests_approvals.md)
@@ -68,10 +68,10 @@ To update the adherence status for these projects, the group-level or the projec
#### At least two approvals
-To comply with GitLab standard, you must have at least two users approve a merge request to get it merged. For more
+To comply with the GitLab standard, you must have at least two users approve a merge request to get it merged. For more
information, see [Merge request approval rules](../../project/merge_requests/approvals/rules.md).
-### Export standards adherence report for projects in a group
+### Export compliance standards adherence report for projects in a group
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/413736) in GitLab 16.8 [with a flag](../../../administration/feature_flags.md) named `compliance_standards_adherence_csv_export`. Disabled by default.
@@ -85,7 +85,7 @@ Prerequisites:
- You must be an administrator or have the Owner role for the group.
-To export the standards adherence report for projects in a group:
+To export the compliance standards adherence report for projects in a group:
1. On the left sidebar, select **Search or go to** and find your group.
1. Select **Secure > Compliance center**.
@@ -105,9 +105,9 @@ A report is compiled and delivered to your email inbox as an attachment.
> - [Renamed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112111) to compliance violations report in GitLab 15.9.
> - Ability to create and edit compliance frameworks [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/394950) in GitLab 16.0.
-With compliance violations report, you can see a high-level view of merge request activity for all projects in the group.
+With the compliance violations report, you can see a high-level view of merge request activity for all projects in the group.
-When you select a row in the compliance report, a drawer appears that provides:
+When you select a row in the compliance violations report, a drawer appears that provides:
- The project name and [compliance framework label](../../project/working_with_projects.md#add-a-compliance-framework-to-a-project),
if the project has one assigned.
@@ -171,21 +171,6 @@ From [GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870), these ar
| Committers approved merge request | High | [Separation of duties](#separation-of-duties) | Committers of the merge request approved the merge request they contributed to. For more information, see [Prevent approvals by users who add commits](../../project/merge_requests/approvals/settings.md#prevent-approvals-by-users-who-add-commits). |
| Fewer than two approvals | High | [Separation of duties](#separation-of-duties) | Merge request was merged with fewer than two approvals. For more information, see [Merge request approval rules](../../project/merge_requests/approvals/rules.md). |
-The following are unavailable compliance violations that are tracked in [epic 5237](https://gitlab.com/groups/gitlab-org/-/epics/5237).
-
-<!-- vale gitlab.SubstitutionWarning = NO -->
-
-| Violation | Severity level | Category | Description |
-|:-------------------------------------|:---------------|:---------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------|
-| Pipeline failed | Medium | [Pipeline results](../../../ci/pipelines/index.md) | Merge requests pipeline failed and was merged. |
-| Pipeline passed with warnings | Info | [Pipeline results](../../../ci/pipelines/index.md) | Merge request pipeline passed with warnings and was merged. |
-| Code coverage down more than 10% | High | [Code coverage](../../../ci/testing/code_coverage.md#view-code-coverage-results-in-the-mr) | Code coverage report for the merge request indicates a reduction in coverage of more than 10%. |
-| Code coverage down between 5% to 10% | Medium | [Code coverage](../../../ci/testing/code_coverage.md#view-code-coverage-results-in-the-mr) | Code coverage report for the merge request indicates a reduction in coverage of between 5% to 10%. |
-| Code coverage down between 1% to 5% | Low | [Code coverage](../../../ci/testing/code_coverage.md#view-code-coverage-results-in-the-mr) | Code coverage report for the merge request indicates a reduction in coverage of between 1% to 5%. |
-| Code coverage down less than 1% | Info | [Code coverage](../../../ci/testing/code_coverage.md#view-code-coverage-results-in-the-mr) | Code coverage report for the merge request indicates a reduction in coverage of less than 1%. |
-
-<!-- vale gitlab.SubstitutionWarning = YES -->
-
##### Separation of duties
GitLab supports a separation of duties policy between users who create and approve merge requests. Our criteria for the
diff --git a/gems/gitlab-secret_detection/lib/gitlab/secret_detection/scan.rb b/gems/gitlab-secret_detection/lib/gitlab/secret_detection/scan.rb
index 37103912615..3918d584ccd 100644
--- a/gems/gitlab-secret_detection/lib/gitlab/secret_detection/scan.rb
+++ b/gems/gitlab-secret_detection/lib/gitlab/secret_detection/scan.rb
@@ -86,9 +86,9 @@ module Gitlab
next SecretDetection::Response.new(SecretDetection::Status::NOT_FOUND) if matched_blobs.empty?
secrets = if subprocess
- run_scan_within_subprocess(blobs, blob_timeout)
+ run_scan_within_subprocess(matched_blobs, blob_timeout)
else
- run_scan(blobs, blob_timeout)
+ run_scan(matched_blobs, blob_timeout)
end
scan_status = overall_scan_status(secrets)
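Review bot: Passing `matched_blobs` instead of `blobs` to `run_scan_within_subprocess`/`run_scan` on the new side means a blob whose text contains none of the rule keywords is never regex-scanned, so detection coverage now rests entirely on `filter_by_keywords` (defined outside this hunk) covering every rule; before this change such a blob was still scanned whenever any other blob passed the keyword gate. If the keyword list is generated from the ruleset that is the intended optimization, but it deserves a comment above the assignment: `# Only keyword-matched blobs are regex-scanned; a rule with no keyword entry would be skipped here.` If the scan results carry a blob index rather than the blob object, also confirm that consumers expect positions relative to the filtered list and not the original `blobs`. The enclosing method begins before this hunk.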
diff --git a/gems/gitlab-secret_detection/spec/lib/gitlab/secret_detection/scan_spec.rb b/gems/gitlab-secret_detection/spec/lib/gitlab/secret_detection/scan_spec.rb
index e69fcceeaab..c2377f57173 100644
--- a/gems/gitlab-secret_detection/spec/lib/gitlab/secret_detection/scan_spec.rb
+++ b/gems/gitlab-secret_detection/spec/lib/gitlab/secret_detection/scan_spec.rb
@@ -149,6 +149,16 @@ RSpec.describe Gitlab::SecretDetection::Scan, feature_category: :secret_detectio
)
end
+ it "attempts to keyword match returning only filtered blobs for further scan" do
+ expected = blobs.filter { |b| b.data != "data with no secret" }
+
+ expect(scan).to receive(:filter_by_keywords)
+ .with(blobs)
+ .and_return(expected)
+
+ scan.secrets_scan(blobs)
+ end
+
it "matches multiple rules when running in main process" do
expect(scan.secrets_scan(blobs, subprocess: false)).to eq(expected_response)
end
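Review bot: The new example is titled "returning only filtered blobs for further scan" but only stubs `filter_by_keywords` and never asserts that the filtered set is what reaches the scanner, so reverting the `matched_blobs` fix in `scan.rb` would not make it fail. Pin the behavior with an expectation on the downstream call, e.g. `expect(scan).to receive(:run_scan_within_subprocess).with(expected, anything).and_call_original` before `scan.secrets_scan(blobs)`; if `subprocess` does not default to true (the sibling example passes `subprocess: false` explicitly, which suggests it does), target `run_scan` instead or add a second example for the in-process path.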