
gitlab.com/gitlab-org/gitlab-foss.git
author    GitLab Bot <gitlab-bot@gitlab.com>  2021-08-19 12:08:42 +0300
committer GitLab Bot <gitlab-bot@gitlab.com>  2021-08-19 12:08:42 +0300
commit    b76ae638462ab0f673e5915986070518dd3f9ad3 (patch)
tree      bdab0533383b52873be0ec0eb4d3c66598ff8b91 /doc/user/application_security
parent    434373eabe7b4be9593d18a585fb763f1e5f1a6f (diff)

Add latest changes from gitlab-org/gitlab@14-2-stable-ee (tag: v14.2.0-rc42)
Diffstat (limited to 'doc/user/application_security')

-rw-r--r--  doc/user/application_security/api_fuzzing/img/api_fuzzing_configuration_snippet_v13.10.png  bin 27293 -> 0 bytes
-rw-r--r--  doc/user/application_security/api_fuzzing/index.md  4
-rw-r--r--  doc/user/application_security/configuration/index.md  122
-rw-r--r--  doc/user/application_security/container_scanning/index.md  6
-rw-r--r--  doc/user/application_security/cve_id_request.md  8
-rw-r--r--  doc/user/application_security/dast/browser_based.md  72
-rw-r--r--  doc/user/application_security/dast/dast_troubleshooting.md  26
-rw-r--r--  doc/user/application_security/dast/index.md  283
-rw-r--r--  doc/user/application_security/dast/run_dast_offline.md  63
-rw-r--r--  doc/user/application_security/dependency_list/index.md  15
-rw-r--r--  doc/user/application_security/dependency_scanning/index.md  352
-rw-r--r--  doc/user/application_security/img/vulnerability_page_merge_request_button_dropdown_v13_1.png  bin 53561 -> 0 bytes
-rw-r--r--  doc/user/application_security/index.md  2
-rw-r--r--  doc/user/application_security/offline_deployments/index.md  4
-rw-r--r--  doc/user/application_security/policies/index.md  36
-rw-r--r--  doc/user/application_security/sast/img/sast_v13_2.png  bin 7703 -> 0 bytes
-rw-r--r--  doc/user/application_security/sast/index.md  10
-rw-r--r--  doc/user/application_security/secret_detection/index.md  2
-rw-r--r--  doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v13_10.png  bin 80367 -> 0 bytes
-rw-r--r--  doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v14_2.png  bin 0 -> 83851 bytes
-rw-r--r--  doc/user/application_security/security_dashboard/index.md  2
-rw-r--r--  doc/user/application_security/vulnerabilities/index.md  2
-rw-r--r--  doc/user/application_security/vulnerability_report/img/group_vulnerability_report_v13_9.png  bin 54478 -> 0 bytes
-rw-r--r--  doc/user/application_security/vulnerability_report/img/group_vulnerability_report_v14_2.png  bin 0 -> 109933 bytes
-rw-r--r--  doc/user/application_security/vulnerability_report/img/project_security_dashboard_status_change_v13_10.png  bin 41154 -> 0 bytes
-rw-r--r--  doc/user/application_security/vulnerability_report/img/project_security_dashboard_status_change_v14_2.png  bin 0 -> 63558 bytes
-rw-r--r--  doc/user/application_security/vulnerability_report/index.md  20

27 files changed, 635 insertions, 394 deletions
diff --git a/doc/user/application_security/api_fuzzing/img/api_fuzzing_configuration_snippet_v13.10.png b/doc/user/application_security/api_fuzzing/img/api_fuzzing_configuration_snippet_v13.10.png
deleted file mode 100644
index 80c550a3ae7..00000000000
--- a/doc/user/application_security/api_fuzzing/img/api_fuzzing_configuration_snippet_v13.10.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/application_security/api_fuzzing/index.md b/doc/user/application_security/api_fuzzing/index.md
index e35415003c7..7ed36572be4 100644
--- a/doc/user/application_security/api_fuzzing/index.md
+++ b/doc/user/application_security/api_fuzzing/index.md
@@ -38,7 +38,7 @@ or other scanners) during a scan could cause inaccurate results.
You can run a Web API fuzzing scan using the following methods:
-- [OpenAPI Specification](#openapi-specification) - version 2.0 or 3.0
+- [OpenAPI Specification](#openapi-specification) - version 2, and 3.
- [HTTP Archive](#http-archive-har) (HAR)
- [Postman Collection](#postman-collection) - version 2.0 or 2.1
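Review bot: the new wording on the OpenAPI bullet, `- version 2, and 3.`, has a stray comma and a trailing period that no sibling bullet uses, and it reads oddly next to `- version 2.0 or 2.1` on the Postman line. Suggest `- version 2 or 3` (or `- version 2.x or 3.x`, which also covers the v3.1 support this same file gains in the next hunk).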
@@ -112,6 +112,8 @@ To generate an API Fuzzing configuration snippet:
### OpenAPI Specification
+> Support for OpenAPI Specification v3.1 was
+> [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327268) in GitLab 14.2.
> Support for OpenAPI Specification using YAML format was
> [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/330583) in GitLab 14.0.
> Support for OpenAPI Specification v3.0 was
diff --git a/doc/user/application_security/configuration/index.md b/doc/user/application_security/configuration/index.md
index 3cc88a40b6f..664fcd9b72f 100644
--- a/doc/user/application_security/configuration/index.md
+++ b/doc/user/application_security/configuration/index.md
@@ -11,9 +11,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. **(ULTIMATE)**
> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. **(ULTIMATE)**
> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.10.
-
-WARNING:
-This feature might not be available to you. Check the **version history** note above for details.
+> - [Redesigned](https://gitlab.com/gitlab-org/gitlab/-/issues/326926) in 14.2.
The Security Configuration page displays what security scans are available, links to documentation and also simple enablement tools for the current project.
@@ -22,35 +20,37 @@ then in the left sidebar go to **Security & Compliance > Configuration**.
For each security control the page displays:
-- **Security Control:** Name, description, and a documentation link.
-- **Manage:** A management option or a documentation link.
-
-## UI redesign
-
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/326926) in 14.0 for GitLab Free and Premium, behind a feature flag, disabled by default.
-> - Enabled on GitLab.com for Free & Premium.
-> - Recommended for production use.
-> - It can be enabled or disabled for a single project.
-> - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ui-redesign). **(FREE SELF)**
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/333109) in 14.1 for GitLab Ultimate, behind a feature flag, disabled by default.
-> - Disabled on GitLab.com.
-> - Not recommended for production use.
-> - It can be enabled or disabled for a single project.
-> - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-ui-redesign-for-ultimate). **(ULTIMATE SELF)**
+- Its name, description and a documentation link.
+- Whether or not it is available.
+- A configuration button or a link to its configuration guide.
-WARNING:
-This feature might not be available to you. Check the **version history** note above for details.
+## Security testing
-The Security Configuration page has been redesigned in GitLab Free and Premium.
-The same functionality exists as before, but presented in a more extensible
-way.
+You can configure the following security controls:
-For each security control the page displays:
+- Auto DevOps
+ - Click **Enable Auto DevOps** on the alert to enable it for the current project. For more details, see [Auto DevOps](../../../topics/autodevops/index.md).
+- SAST
+ - Click **Enable SAST** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
+- DAST **(ULTIMATE)**
+ - Click **Enable DAST** to use DAST for the current Project. To manage the available DAST profiles used for on-demand scans Click **Manage Scans**. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).
+- Dependency Scanning **(ULTIMATE)**
+ - Select **Configure via Merge Request** to create a merge request with the changes required to
+ enable Dependency Scanning. For more details, see [Enable Dependency Scanning via an automatic merge request](../dependency_scanning/index.md#enable-dependency-scanning-via-an-automatic-merge-request).
-- Its name, description and a documentation link.
-- Whether or not it is available.
-- A configuration button or a link to its configuration guide.
+- Container Scanning **(ULTIMATE)**
+ - Can be configured via `.gitlab-ci.yml`. For more details, see [Container Scanning](../../../user/application_security/container_scanning/index.md#configuration).
+- Cluster Image Scanning **(ULTIMATE)**
+ - Can be configured via `.gitlab-ci.yml`. For more details, see [Cluster Image Scanning](../../../user/application_security/cluster_image_scanning/#configuration).
+- Secret Detection
+ - Select **Configure via Merge Request** to create a merge request with the changes required to
+ enable Secret Detection. For more details, see [Enable Secret Detection via an automatic merge request](../secret_detection/index.md#enable-secret-detection-via-an-automatic-merge-request).
+- API Fuzzing **(ULTIMATE)**
+ - Click **Enable API Fuzzing** to use API Fuzzing for the current Project. For more details, see [API Fuzzing](../../../user/application_security/api_fuzzing/index.md#enable-web-api-fuzzing).
+- Coverage Fuzzing **(ULTIMATE)**
+ - Can be configured via `.gitlab-ci.yml`. For more details, see [Coverage Fuzzing](../../../user/application_security/coverage_fuzzing/index.md#configuration).
+
## Status **(ULTIMATE)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
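Review bot: the DAST bullet is inconsistent with its siblings: `Click **Enable DAST** to use DAST for the current Project. To manage ... Click **Manage Scans**.` capitalises `Project` and `Click` mid-sentence, and the list alternates between `Click` and `Select` for the same kind of action. The Cluster Image Scanning link `../../../user/application_security/cluster_image_scanning/#configuration` is also the only one in the list without `index.md`, while every other target is a `.md` file; the docs link check treats that differently. Suggest `Select **Enable DAST** to use DAST for the current project. To manage the DAST profiles used for on-demand scans, select **Manage Scans**.` and `../cluster_image_scanning/index.md#configuration`, using `Select` throughout.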
@@ -63,71 +63,11 @@ _enabled_.
If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md),
all security features are configured by default.
-For SAST, click **View history** to see the `.gitlab-ci.yml` file's history.
+Click **View history** to see the `.gitlab-ci.yml` file's history.
-## Manage **(ULTIMATE)**
+## Compliance **(ULTIMATE)**
You can configure the following security controls:
-- Auto DevOps
- - Click **Enable Auto DevOps** to enable it for the current project. For more details, see [Auto DevOps](../../../topics/autodevops/index.md).
-- SAST
- - Click either **Enable** or **Configure** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
-- DAST Profiles
- - Click **Manage** to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).
-- Secret Detection
- - Select **Configure via Merge Request** to create a merge request with the changes required to
- enable Secret Detection. For more details, see [Enable Secret Detection via an automatic merge request](../secret_detection/index.md#enable-secret-detection-via-an-automatic-merge-request).
-- Dependency Scanning
- - Select **Configure via Merge Request** to create a merge request with the changes required to
- enable Dependency Scanning. For more details, see [Enable Dependency Scanning via an automatic merge request](../dependency_scanning/index.md#enable-dependency-scanning-via-an-automatic-merge-request).
-
-## Enable or disable UI redesign **(FREE SELF)**
-
-The Security Configuration redesign is under development, but is ready for
-production use. It is deployed behind a feature flag that is **disabled by
-default**.
-[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) can enable it.
-
-To enable it:
-
-```ruby
-# For the instance
-Feature.enable(:security_configuration_redesign)
-# For a single project
-Feature.enable(:security_configuration_redesign, Project.find(<project id>))
-```
-
-To disable it:
-
-```ruby
-# For the instance
-Feature.disable(:security_configuration_redesign)
-# For a single project
-Feature.disable(:security_configuration_redesign, Project.find(<project id>))
-```
-
-## Enable or disable UI redesign for Ultimate **(ULTIMATE SELF)**
-
-The Security Configuration redesign is under development, and is not ready for
-production use. It is deployed behind a feature flag that is **disabled by
-default**.
-[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) can enable it.
-
-To enable it:
-
-```ruby
-# For the instance
-Feature.enable(:security_configuration_redesign_ee)
-# For a single project
-Feature.enable(:security_configuration_redesign_ee, Project.find(<project id>))
-```
-
-To disable it:
-
-```ruby
-# For the instance
-Feature.disable(:security_configuration_redesign_ee)
-# For a single project
-Feature.disable(:security_configuration_redesign_ee, Project.find(<project id>))
-```
+- License Compliance **(ULTIMATE)**
+ - Can be configured via `.gitlab-ci.yml`. For more details, see [License Compliance](../../../user/compliance/license_compliance/index.md#configuration).
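Review bot: under the new `## Compliance **(ULTIMATE)**` heading the retained intro line `You can configure the following security controls:` no longer matches the single item beneath it, and that item repeats the `**(ULTIMATE)**` badge already on the heading. Suggest `You can configure the following compliance controls:` and dropping the redundant badge. Deleting the two feature-flag sections (`security_configuration_redesign` and `security_configuration_redesign_ee`, with their `Feature.enable` / `Feature.disable` console snippets) is correct only if both flags are gone in 14.2; the version note added at the top of this file says just `[Redesigned](...) in 14.2`, so if self-managed administrators still need to enable anything, that note should say so.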
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 90e1e4b025c..5791351a067 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -160,8 +160,8 @@ You can [configure](#customizing-the-container-scanning-settings) analyzers by u
| `CS_REGISTRY_INSECURE` | `"false"` | Allow access to insecure registries (HTTP only). Should only be set to `true` when testing the image locally. | Trivy. The registry must listen on port `80/tcp`. |
| `CS_SEVERITY_THRESHOLD` | `UNKNOWN` | Severity level threshold. The scanner outputs vulnerabilities with severity level higher than or equal to this threshold. Supported levels are Unknown, Low, Medium, High, and Critical. | Trivy |
| `DOCKER_IMAGE` | `$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG` | The Docker image to be scanned. If set, this variable overrides the `$CI_APPLICATION_REPOSITORY` and `$CI_APPLICATION_TAG` variables. | All |
-| `DOCKER_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. | All |
-| `DOCKER_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. | All |
+| `DOCKER_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. The default is only set if `$DOCKER_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). | All |
+| `DOCKER_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. The default is only set if `$DOCKER_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). | All |
| `DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. | All |
| `SECURE_LOG_LEVEL` | `info` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. | All |
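Review bot: the added sentence on `DOCKER_PASSWORD` / `DOCKER_USER` (`The default is only set if $DOCKER_IMAGE resides at [$CI_REGISTRY]`) documents the right security behaviour, since it means the job's registry credentials are not sent to a third-party registry, but it leaves the other case implicit. Suggest one more sentence stating that an image hosted anywhere other than `$CI_REGISTRY` is pulled without credentials unless `DOCKER_USER` and `DOCKER_PASSWORD` are set explicitly, and that those should be supplied as masked CI/CD variables rather than as literals in `.gitlab-ci.yml`.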
@@ -170,7 +170,7 @@ You can [configure](#customizing-the-container-scanning-settings) analyzers by u
Support depends on the scanner:
- [Grype](https://github.com/anchore/grype#grype)
-- [Trivy](https://aquasecurity.github.io/trivy/latest/vuln-detection/os/) (Default).
+- [Trivy](https://aquasecurity.github.io/trivy/latest/vulnerability/detection/os/) (Default).
#### UBI-based images
diff --git a/doc/user/application_security/cve_id_request.md b/doc/user/application_security/cve_id_request.md
index aaf701c91dc..1489b250e4b 100644
--- a/doc/user/application_security/cve_id_request.md
+++ b/doc/user/application_security/cve_id_request.md
@@ -1,11 +1,11 @@
---
type: tutorial
stage: Secure
-group: Vulnerability Research
+group: Threat Insights
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
-# CVE ID Requests **(ULTIMATE SAAS)**
+# CVE ID Requests **(FREE SAAS)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41203) in GitLab 13.4, only for public projects on GitLab.com.
@@ -28,7 +28,7 @@ If the following conditions are met, a **Request CVE ID** button appears in your
- The project is hosted in GitLab.com.
- The project is public.
- You are a maintainer of the project.
-- The issue is confidential.
+- The issue is [confidential](../project/issues/confidential_issues.md).
## Submitting a CVE ID Request
@@ -37,7 +37,7 @@ the [GitLab CVE project](https://gitlab.com/gitlab-org/cves).
![CVE ID request button](img/cve_id_request_button.png)
-Creating the confidential issue starts the CVE request process.
+Creating the [confidential issue](../project/issues/confidential_issues.md) starts the CVE request process.
![New CVE ID request issue](img/new_cve_request_issue.png)
diff --git a/doc/user/application_security/dast/browser_based.md b/doc/user/application_security/dast/browser_based.md
index 1288db21880..e8fbc17327c 100644
--- a/doc/user/application_security/dast/browser_based.md
+++ b/doc/user/application_security/dast/browser_based.md
@@ -48,18 +48,26 @@ dast:
The browser-based crawler can be configured using CI/CD variables.
-| CI/CD variable | Type | Example | Description |
-|--------------------------------------| ----------------| --------------------------------- | ------------|
-| `DAST_WEBSITE` | URL | `http://www.site.com` | The URL of the website to scan. |
-| `DAST_BROWSER_SCAN` | boolean | `true` | Configures DAST to use the browser-based crawler engine. |
-| `DAST_BROWSER_ALLOWED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are considered in scope when crawled. By default the `DAST_WEBSITE` hostname is included in the allowed hosts list. |
-| `DAST_BROWSER_EXCLUDED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are considered excluded and connections are forcibly dropped. |
-| `DAST_BROWSER_IGNORED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are accessed but not reported against. |
-| `DAST_BROWSER_MAX_ACTIONS` | number | `10000` | The maximum number of actions that the crawler performs. For example, clicking a link, or filling a form. |
-| `DAST_BROWSER_MAX_DEPTH` | number | `10` | The maximum number of chained actions that the crawler takes. For example, `Click -> Form Fill -> Click` is a depth of three. |
-| `DAST_BROWSER_NUMBER_OF_BROWSERS` | number | `3` | The maximum number of concurrent browser instances to use. For shared runners on GitLab.com we recommended a maximum of three. Private runners with more resources may benefit from a higher number, but will likely produce little benefit after five to seven instances. |
-| `DAST_BROWSER_COOKIES` | dictionary | `abtesting_group:3,region:locked` | A cookie name and value to be added to every request. |
-| `DAST_BROWSER_LOG` | List of strings | `brows:debug,auth:debug` | A list of modules and their intended log level. |
+| CI/CD variable | Type | Example | Description |
+|----------------------------------------------| ----------------| --------------------------------- | ------------|
+| `DAST_WEBSITE` | URL | `http://www.site.com` | The URL of the website to scan. |
+| `DAST_BROWSER_SCAN` | boolean | `true` | Configures DAST to use the browser-based crawler engine. |
+| `DAST_BROWSER_ALLOWED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are considered in scope when crawled. By default the `DAST_WEBSITE` hostname is included in the allowed hosts list. |
+| `DAST_BROWSER_EXCLUDED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are considered excluded and connections are forcibly dropped. |
+| `DAST_BROWSER_IGNORED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are accessed but not reported against. |
+| `DAST_BROWSER_MAX_ACTIONS` | number | `10000` | The maximum number of actions that the crawler performs. For example, clicking a link, or filling a form. |
+| `DAST_BROWSER_MAX_DEPTH` | number | `10` | The maximum number of chained actions that the crawler takes. For example, `Click -> Form Fill -> Click` is a depth of three. |
+| `DAST_BROWSER_NUMBER_OF_BROWSERS` | number | `3` | The maximum number of concurrent browser instances to use. For shared runners on GitLab.com we recommended a maximum of three. Private runners with more resources may benefit from a higher number, but will likely produce little benefit after five to seven instances. |
+| `DAST_BROWSER_COOKIES` | dictionary | `abtesting_group:3,region:locked` | A cookie name and value to be added to every request. |
+| `DAST_BROWSER_LOG` | List of strings | `brows:debug,auth:debug` | A list of modules and their intended log level. |
+| `DAST_BROWSER_NAVIGATION_TIMEOUT` | [Duration string](https://golang.org/pkg/time/#ParseDuration) | `15s` | The maximum amount of time to wait for a browser to navigate from one page to another |
+| `DAST_BROWSER_ACTION_TIMEOUT` | [Duration string](https://golang.org/pkg/time/#ParseDuration) | `7s` | The maximum amount of time to wait for a browser to complete an action |
+| `DAST_BROWSER_STABILITY_TIMEOUT` | [Duration string](https://golang.org/pkg/time/#ParseDuration) | `7s` | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis |
+| `DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT` | [Duration string](https://golang.org/pkg/time/#ParseDuration) | `7s` | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis after a navigation completes |
+| `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` | [Duration string](https://golang.org/pkg/time/#ParseDuration) | `800ms` | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis after completing an action |
+| `DAST_BROWSER_SEARCH_ELEMENT_TIMEOUT` | [Duration string](https://golang.org/pkg/time/#ParseDuration) | `3s` | The maximum amount of time to allow the browser to search for new elements or navigations |
+| `DAST_BROWSER_EXTRACT_ELEMENT_TIMEOUT` | [Duration string](https://golang.org/pkg/time/#ParseDuration) | `5s` | The maximum amount of time to allow the browser to extract newly found elements or navigations |
+| `DAST_BROWSER_ELEMENT_TIMEOUT` | [Duration string](https://golang.org/pkg/time/#ParseDuration) | `600ms` | The maximum amount of time to wait for an element before determining it is ready for analysis |
The [DAST variables](index.md#available-cicd-variables) `SECURE_ANALYZERS_PREFIX`, `DAST_FULL_SCAN_ENABLED`, `DAST_AUTO_UPDATE_ADDONS`, `DAST_EXCLUDE_RULES`, `DAST_REQUEST_HEADERS`, `DAST_HTML_REPORT`, `DAST_MARKDOWN_REPORT`, `DAST_XML_REPORT`,
`DAST_AUTH_URL`, `DAST_USERNAME`, `DAST_PASSWORD`, `DAST_USERNAME_FIELD`, `DAST_PASSWORD_FIELD`, `DAST_FIRST_SUBMIT_FIELD`, `DAST_SUBMIT_FIELD`, `DAST_EXCLUDE_URLS`, `DAST_AUTH_VERIFICATION_URL`, `DAST_BROWSER_AUTH_VERIFICATION_SELECTOR`, `DAST_BROWSER_AUTH_VERIFICATION_LOGIN_FORM`, `DAST_BROWSER_AUTH_REPORT`,
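Review bot: the three new stability rows have near-identical descriptions (`DAST_BROWSER_STABILITY_TIMEOUT`, `DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT` and `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` all wait for a page to be `loaded and ready for analysis`), and only the latter two say when they apply, so a reader cannot tell from the table when the plain `DAST_BROWSER_STABILITY_TIMEOUT` is used; the Timeouts section added later in this file names a third case, `forcibly transitioned`, and the row should say that. The eight new rows also omit the trailing period every existing row uses.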
@@ -86,6 +94,46 @@ You can manage the trade-off between coverage and scan time with the following m
- Limit the page depth that the browser-based crawler will check coverage on with the [variable](#available-cicd-variables) `DAST_BROWSER_MAX_DEPTH`. The crawler uses a breadth-first search strategy, so pages with smaller depth are crawled first. The default is `10`.
- Vertically scaling the runner and using a higher number of browsers with [variable](#available-cicd-variables) `DAST_BROWSER_NUMBER_OF_BROWSERS`. The default is `3`.
+## Timeouts
+
+Due to poor network conditions or heavy application load, the default timeouts may not be applicable to your application.
+
+Browser-based scans offer the ability to adjust various timeouts to ensure it continues smoothly as it transitions from one page to the next. These values are configured using a [Duration string](https://golang.org/pkg/time/#ParseDuration) which allow you to configure durations with a prefix: `m` for minutes, `s` for seconds, and `ms` for milliseconds.
+
+Navigations, or the act of loading a new page, usually require the most amount of time as they are
+loading multiple new resources such as JavaScript or CSS files. Depending on the size of these resources, or the speed at which they are returned, the default `DAST_BROWSER_NAVIGATION_TIMEOUT` may not be sufficient.
+
+Stability timeouts, such as those configurable with `DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT`, `DAST_BROWSER_STABILITY_TIMEOUT`, and `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` can also be configured. Stability timeouts determine when browser-based scans consider
+a page fully loaded. Browser-based scans consider a page loaded when:
+
+1. The [DOMContentLoaded](https://developer.mozilla.org/en-US/docs/Web/API/Window/DOMContentLoaded_event) event has fired.
+1. There are no open or outstanding requests that are deemed important, such as JavaScript and CSS. Media files are usually deemed unimportant.
+1. Depending on whether the browser executed a navigation, was forcibly transitioned, or action:
+
+ - There are no new Document Object Model (DOM) modification events after the `DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT`, `DAST_BROWSER_STABILITY_TIMEOUT` or `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` durations
+
+After these events have occurred, browser-based scans consider the page loaded and ready and attempt the next action.
+
+If your application experiences latency or returns many navigation failures, consider adjusting the timeout values such in this example:
+
+```yaml
+include:
+ - template: DAST.gitlab-ci.yml
+
+dast:
+ variables:
+ DAST_WEBSITE: "https://my.site.com"
+ DAST_BROWSER_NAVIGATION_TIMEOUT: "25s"
+ DAST_BROWSER_ACTION_TIMEOUT: "10s"
+ DAST_BROWSER_STABILITY_TIMEOUT: "15s"
+ DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT: "15s"
+ DAST_BROWSER_ACTION_TIMEOUT: "10s"
+ DAST_BROWSER_ACTION_STABILITY_TIMEOUT: "3s"
+```
+
+NOTE:
+Adjusting these values may impact scan time as they adjust how long each browser waits for various activities to complete.
+
## Debugging scans using logging
Logging can be used to help you troubleshoot a scan.
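Review bot: the YAML example sets `DAST_BROWSER_ACTION_TIMEOUT: "10s"` twice (once after `DAST_BROWSER_NAVIGATION_TIMEOUT` and again after `DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT`); a duplicate key in a YAML mapping is silently overwritten by some parsers and rejected by others, so drop one of them. Three prose fixes in the same hunk: `m`, `s` and `ms` are suffixes of a Go duration string (`15s`, `800ms`), not a `prefix`; `such in this example` should read `such as in this example`; and the third numbered item, `Depending on whether the browser executed a navigation, was forcibly transitioned, or action:`, is missing a verb for the last case, for example `or performed an action`.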
diff --git a/doc/user/application_security/dast/dast_troubleshooting.md b/doc/user/application_security/dast/dast_troubleshooting.md
index 48b48392e65..725fab85789 100644
--- a/doc/user/application_security/dast/dast_troubleshooting.md
+++ b/doc/user/application_security/dast/dast_troubleshooting.md
@@ -11,6 +11,32 @@ The following troubleshooting scenarios have been collected from customer suppor
experience a problem not addressed here, or the information here does not fix your problem, create a
support ticket. For more details, see the [GitLab Support](https://about.gitlab.com/support/) page.
+## Debugging DAST jobs
+
+A DAST job has two executing processes:
+
+- The ZAP server.
+- A series of scripts that start, control and stop the ZAP server.
+
+Enable the `DAST_DEBUG` CI/CD variable to debug scripts. This can help when troubleshooting the job,
+and outputs statements indicating what percentage of the scan is complete.
+For details on using variables, see [Overriding the DAST template](index.md#customizing-the-dast-settings).
+
+Debug mode of the ZAP server can be enabled using the `DAST_ZAP_LOG_CONFIGURATION` variable.
+The following table outlines examples of values that can be set and the effect that they have on the output that is logged.
+Multiple values can be specified, separated by semicolons.
+
+For example, `log4j.logger.org.parosproxy.paros.network.HttpSender=DEBUG;log4j.logger.com.crawljax=DEBUG`.
+
+| Log configuration value | Effect |
+|-------------------------------------------------- | ----------------------------------------------------------------- |
+| `log4j.rootLogger=DEBUG` | Enable all debug logging statements. |
+| `log4j.logger.org.apache.commons.httpclient=DEBUG` | Log every HTTP request and response made by the ZAP server. |
+| `log4j.logger.org.zaproxy.zap.spider.SpiderController=DEBUG` | Log URLs found during the spider scan of the target. |
+| `log4j.logger.com.crawljax=DEBUG` | Enable Ajax Crawler debug logging statements. |
+| `log4j.logger.org.parosproxy.paros=DEBUG` | Enable ZAP server proxy debug logging statements. |
+| `log4j.logger.org.zaproxy.zap=DEBUG` | Enable debug logging statements of the general ZAP server code. |
+
## Running out of memory
By default, ZAProxy, which DAST relies on, is allocated memory that sums to 25%
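Review bot: the `log4j.logger.org.apache.commons.httpclient=DEBUG` row (`Log every HTTP request and response made by the ZAP server`) and `log4j.rootLogger=DEBUG` will write the target's session cookies, authorization headers and the submitted `DAST_PASSWORD` into the CI job log, which is readable by everyone who can view the pipeline; this section needs a warning to use these values only against non-production targets and to treat the resulting job log (and any artifacts built from it) as sensitive. Minor: `Debug mode of the ZAP server can be enabled using` reads awkwardly; suggest `ZAP server debug logging can be enabled using the ...`.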
diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md
index 4b10f03fec3..7455915761c 100644
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -121,6 +121,34 @@ services: # use services to link the container to the dast job
alias: yourapp
```
+### DAST job order
+
+When using the `DAST.gitlab-ci.yml` template, the `dast` stage is run last as shown in
+the example below. To ensure DAST scans the latest code, deploy your application
+in a stage before the `dast` stage.
+
+```yaml
+ stages:
+ - build
+ - test
+ - deploy
+ - dast
+```
+
+Take care if your pipeline is configured to deploy to the same web server in each run. Running a
+pipeline while another is still running could result in one pipeline overwriting the code from
+another pipeline. The site to be scanned should be excluded from changes for the duration of a DAST
+scan. The only changes to the site should be from the DAST scanner.
+
+Changes to the site during a scan from any of the following could lead to inaccurate results:
+
+- Users.
+- Scheduled tasks.
+- Database changes.
+- Code changes.
+- Other pipelines.
+- Other scanners.
+
## DAST run options
You can use DAST to examine your web application:
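Review bot: every line of the moved `stages:` example carries one leading space (` stages:`, ` - build`), which is valid YAML but is not what a reader should paste into a top-level `.gitlab-ci.yml`; since the block is being relocated anyway, dedent it here. The rewritten race-condition paragraph and the bulleted list of change sources are clearer than the prose they replace.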
@@ -147,28 +175,6 @@ To enable DAST to run automatically, either:
`.gitlab-ci.yml` file.
- [Configure DAST using the UI](#configure-dast-using-the-ui).
-### DAST job order
-
-When using the `DAST.gitlab-ci.yml` template, the `dast` stage is run last as shown in
-the example below. To ensure DAST scans the latest code, deploy your application
-in a stage before the `dast` stage.
-
-```yaml
- stages:
- - build
- - test
- - deploy
- - dast
-```
-
-Be aware that if your pipeline is configured to deploy to the same webserver in
-each run, running a pipeline while another is still running could cause a race condition
-where one pipeline overwrites the code from another pipeline. The site to be scanned
-should be excluded from changes for the duration of a DAST scan.
-The only changes to the site should be from the DAST scanner. Be aware that any
-changes that users, scheduled tasks, database changes, code changes, other pipelines, or other scanners make to
-the site during a scan could lead to inaccurate results.
-
#### Include the DAST template
> This template was [updated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/62597) to DAST_VERSION: 2 in GitLab 14.0.
@@ -298,7 +304,7 @@ For more details, including setup instructions, see [DAST browser-based crawler]
### Full scan
-DAST can be configured to perform [ZAP Full Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Full-Scan), which
+DAST can be configured to perform [ZAP Full Scan](https://www.zaproxy.org/docs/docker/full-scan/), which
includes both passive and active scanning against the same target website:
```yaml
@@ -583,30 +589,6 @@ by the application as correctly authenticated.
Authentication supports single form logins, multi-step login forms, and authenticating to URLs outside of the configured target URL.
-Variables that are related to authenticated scans are:
-
-```yaml
-include:
- - template: DAST.gitlab-ci.yml
-
-dast:
- variables:
- DAST_WEBSITE: "https://example.com"
- DAST_AUTH_URL: "https://login.example.com/"
- DAST_BROWSER_PATH_TO_LOGIN_FORM: "css:.navigation-menu,css:.login-menu-item" # optional list of selectors that should be clicked on prior to attempting to input username/password into the sign-in HTML form
- DAST_USERNAME: "admin"
- DAST_PASSWORD: "P@55w0rd!"
- DAST_USERNAME_FIELD: "name:username" # a selector describing the element containing the username field at the sign-in HTML form
- DAST_PASSWORD_FIELD: "id:password" # a selector describing the element containing the password field at the sign-in HTML form
- DAST_FIRST_SUBMIT_FIELD: "css:button[type='user-submit']" # optional, the selector of the element that when clicked will submit the username form of a multi-page login process
- DAST_SUBMIT_FIELD: "css:button[type='submit']" # the selector of the element that when clicked will submit the login form or the password form of a multi-page login process
- DAST_EXCLUDE_URLS: "http://example.com/sign-out" # optional, URLs to skip during the authenticated scan; comma-separated, no spaces in between
- DAST_AUTH_VERIFICATION_URL: "http://example.com/loggedin_page" # optional, used to verify authentication is successful by expecting this URL once the login form has been submitted
- DAST_AUTH_VERIFICATION_SELECTOR: "css:.user-profile" # optional, used to verify authentication is successful by expecting a selector to be present on the page once the login form has been submitted
- DAST_AUTH_VERIFICATION_LOGIN_FORM: "true" # optional, used to verify authentication is successful by ensuring there are no login forms on the page once the login form has been submitted
- DAST_AUTH_REPORT: "true" # optionally output an authentication debug report
-```
-
WARNING:
**NEVER** run an authenticated scan against a production server. When an authenticated
scan is run, it may perform *any* function that the authenticated user can. This
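Review bot: With the inline authenticated-scan example removed, the only remaining guidance on `DAST_PASSWORD` is the table row further down, which shows the literal `P@55w0rd!`; given the `WARNING` immediately below about what an authenticated session can do, add a sentence here stating that `DAST_USERNAME` and `DAST_PASSWORD` should be supplied as masked project CI/CD variables rather than written into `.gitlab-ci.yml`. The removed block's inline comments (for example that `DAST_BROWSER_PATH_TO_LOGIN_FORM` is an optional list of selectors clicked before credentials are entered) were a useful walkthrough; check that the table rows carry the same detail.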
@@ -762,55 +744,56 @@ dast:
### Available CI/CD variables
-You can use CI/CD variables to customize DAST.
-
-| CI/CD variable | Type | Description |
-|:------------------------------------------------|:--------------|:-------------------------------|
-| `SECURE_ANALYZERS_PREFIX` | URL | Set the Docker registry base address from which to download the analyzer. |
-| `DAST_WEBSITE` <sup>1</sup> | URL | The URL of the website to scan. `DAST_API_OPENAPI` must be specified if this is omitted. |
-| `DAST_API_OPENAPI` | URL or string | The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. `DAST_WEBSITE` must be specified if this is omitted. |
-| `DAST_API_SPECIFICATION` <sup>1</sup> | URL or string | [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/290241) in GitLab 13.12 and replaced by `DAST_API_OPENAPI`. To be removed in GitLab 15.0. The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. `DAST_WEBSITE` must be specified if this is omitted. |
-| `DAST_SPIDER_START_AT_HOST` | boolean | Set to `false` to prevent DAST from resetting the target to its host before scanning. When `true`, non-host targets `http://test.site/some_path` is reset to `http://test.site` before scan. Default: `true`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/258805) in GitLab 13.6. |
-| `DAST_AUTH_URL` <sup>1</sup> | URL | The URL of the page containing the sign-in HTML form on the target website. `DAST_USERNAME` and `DAST_PASSWORD` are submitted with the login form to create an authenticated scan. Not supported for API scans. |
-| `DAST_BROWSER_PATH_TO_LOGIN_FORM` <sup>1</sup> | selector | Comma-separated list of selectors that will be clicked on prior to attempting to enter `DAST_USERNAME` and `DAST_PASSWORD` into the login form. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/326633) in GitLab 14.1. |
-| `DAST_USERNAME` <sup>1</sup> | string | The username to authenticate to in the website. |
-| `DAST_PASSWORD` <sup>1</sup> | string | The password to authenticate to in the website. |
-| `DAST_USERNAME_FIELD` <sup>1</sup> | string | The name of username field at the sign-in HTML form. |
-| `DAST_PASSWORD_FIELD` <sup>1</sup> | string | The name of password field at the sign-in HTML form. |
-| `DAST_SKIP_TARGET_CHECK` | boolean | Set to `true` to prevent DAST from checking that the target is available before scanning. Default: `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/229067) in GitLab 13.8. |
-| `DAST_MASK_HTTP_HEADERS` | string | Comma-separated list of request and response headers to be masked (GitLab 13.1). Must contain **all** headers to be masked. Refer to [list of headers that are masked by default](#hide-sensitive-information). |
-| `DAST_EXCLUDE_URLS` <sup>1</sup> | URLs | The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, `.*` matches an arbitrary character sequence. Not supported for API scans. |
-| `DAST_FULL_SCAN_ENABLED` <sup>1</sup> | boolean | Set to `true` to run a [ZAP Full Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Full-Scan) instead of a [ZAP Baseline Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan). Default: `false` |
-| `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` | boolean | **{warning}** **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/293595)** in GitLab 14.0. Set to `true` to require domain validation when running DAST full scans. Not supported for API scans. Default: `false` |
-| `DAST_AUTO_UPDATE_ADDONS` | boolean | ZAP add-ons are pinned to specific versions in the DAST Docker image. Set to `true` to download the latest versions when the scan starts. Default: `false` |
-| `DAST_API_HOST_OVERRIDE` <sup>1</sup> | string | Used to override domains defined in API specification files. Only supported when importing the API specification from a URL. Example: `example.com:8080` |
-| `DAST_EXCLUDE_RULES` | string | Set to a comma-separated list of Vulnerability Rule IDs to exclude them from running during the scan. Rule IDs are numbers and can be found from the DAST log or on the [ZAP project](https://www.zaproxy.org/docs/alerts/). For example, `HTTP Parameter Override` has a rule ID of `10026`. Cannot be used when `DAST_ONLY_INCLUDE_RULES` is set. **Note:** In earlier versions of GitLab the excluded rules were executed but vulnerabilities they generated were suppressed. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/118641) in GitLab 12.10. |
-| `DAST_ONLY_INCLUDE_RULES` | string | Set to a comma-separated list of Vulnerability Rule IDs to configure the scan to run only them. Rule IDs are numbers and can be found from the DAST log or on the [ZAP project](https://www.zaproxy.org/docs/alerts/). Cannot be used when `DAST_EXCLUDE_RULES` is set. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250651) in GitLab 13.12. |
-| `DAST_REQUEST_HEADERS` <sup>1</sup> | string | Set to a comma-separated list of request header names and values. Headers are added to every request made by DAST. For example, `Cache-control: no-cache,User-Agent: DAST/1.0` |
-| `DAST_DEBUG` <sup>1</sup> | boolean | Enable debug message output. Default: `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
-| `DAST_TARGET_AVAILABILITY_TIMEOUT` <sup>1</sup> | number | Time limit in seconds to wait for target availability. |
-| `DAST_SPIDER_MINS` <sup>1</sup> | number | The maximum duration of the spider scan in minutes. Set to `0` for unlimited. Default: One minute, or unlimited when the scan is a full scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
-| `DAST_HTML_REPORT` | string | The filename of the HTML report written at the end of a scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
-| `DAST_MARKDOWN_REPORT` | string | The filename of the Markdown report written at the end of a scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
-| `DAST_XML_REPORT` | string | The filename of the XML report written at the end of a scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
-| `DAST_INCLUDE_ALPHA_VULNERABILITIES` | boolean | Set to `true` to include alpha passive and active scan rules. Default: `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
-| `DAST_USE_AJAX_SPIDER` <sup>1</sup> | boolean | Set to `true` to use the AJAX spider in addition to the traditional spider, useful for crawling sites that require JavaScript. Default: `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
-| `DAST_PATHS` | string | Set to a comma-separated list of URLs for DAST to scan. For example, `/page1.html,/category1/page3.html,/page2.html`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214120) in GitLab 13.4. |
-| `DAST_PATHS_FILE` | string | The file path containing the paths within `DAST_WEBSITE` to scan. The file must be plain text with one path per line. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/258825) in GitLab 13.6. |
-| `DAST_SUBMIT_FIELD` | string | The `id` or `name` of the element that when clicked submits the login form or the password form of a multi-page login process. [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/9894) in GitLab 12.4. |
-| `DAST_FIRST_SUBMIT_FIELD` | string | The `id` or `name` of the element that when clicked submits the username form of a multi-page login process. [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/9894) in GitLab 12.4. |
-| `DAST_ZAP_CLI_OPTIONS` | string | ZAP server command-line options. For example, `-Xmx3072m` would set the Java maximum memory allocation pool size. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
-| `DAST_ZAP_LOG_CONFIGURATION` | string | Set to a semicolon-separated list of additional log4j properties for the ZAP Server. For example, `log4j.logger.org.parosproxy.paros.network.HttpSender=DEBUG;log4j.logger.com.crawljax=DEBUG` |
-| `DAST_AUTH_EXCLUDE_URLS` | URLs | **{warning}** **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/289959)** in GitLab 14.0. Replaced by `DAST_EXCLUDE_URLS`. The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, `.*` matches an arbitrary character sequence. Not supported for API scans. |
-| `DAST_AGGREGATE_VULNERABILITIES` | boolean | Vulnerability aggregation is set to `true` by default. To disable this feature and see each vulnerability individually set to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/254043) in GitLab 14.0. |
-| `DAST_MAX_URLS_PER_VULNERABILITY` | number | The maximum number of URLs reported for a single vulnerability. `DAST_MAX_URLS_PER_VULNERABILITY` is set to `50` by default. To list all the URLs set to `0`. [Introduced](https://gitlab.com/gitlab-org/security-products/dast/-/merge_requests/433) in GitLab 13.12. |
-| `DAST_AUTH_REPORT` | boolean | Used in combination with exporting the `gl-dast-debug-auth-report.html` artifact to aid in debugging authentication issues. |
-| `DAST_AUTH_VERIFICATION_URL` <sup>1</sup> | URL | A URL only accessible to logged in users that DAST can use to confirm successful authentication. If provided, DAST exits if it cannot access the URL. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/207335) in GitLab 13.8. |
-| `DAST_AUTH_VERIFICATION_SELECTOR` | selector | Verifies successful authentication by checking for presence of a selector once the login form has been submitted. Example: `css:.user-photo` |
-| `DAST_AUTH_VERIFICATION_LOGIN_FORM` | boolean | Verifies successful authentication by checking for the lack of a login form once the login form has been submitted. |
-| `DAST_ADVERTISE_SCAN` | boolean | Set to `true` to add a `Via` header to every request sent, advertising that the request was sent as part of a GitLab DAST scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/334947) in GitLab 14.1. |
+These CI/CD variables are specific to DAST. They can be used to customize the behavior of DAST to your requirements.
+
+| CI/CD variable | Type | Description |
+|:-------------------------------------------------|:--------------|:------------------------------|
+| `DAST_ADVERTISE_SCAN` | boolean | Set to `true` to add a `Via` header to every request sent, advertising that the request was sent as part of a GitLab DAST scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/334947) in GitLab 14.1. |
+| `DAST_AGGREGATE_VULNERABILITIES` | boolean | Vulnerability aggregation is set to `true` by default. To disable this feature and see each vulnerability individually set to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/254043) in GitLab 14.0. |
+| `DAST_API_HOST_OVERRIDE` <sup>1</sup> | string | Used to override domains defined in API specification files. Only supported when importing the API specification from a URL. Example: `example.com:8080`. |
+| `DAST_API_OPENAPI` | URL or string | The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. The variable `DAST_WEBSITE` must be specified if this is omitted. |
+| `DAST_API_SPECIFICATION` <sup>1</sup> | URL or string | [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/290241) in GitLab 13.12 and replaced by `DAST_API_OPENAPI`. To be removed in GitLab 15.0. The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. The variable `DAST_WEBSITE` must be specified if this is omitted. |
+| `DAST_AUTH_REPORT` <sup>2</sup> | boolean | Used in combination with exporting the `gl-dast-debug-auth-report.html` artifact to aid in debugging authentication issues. |
+| `DAST_AUTH_EXCLUDE_URLS` <sup>2</sup> | URLs | **{warning}** **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/289959)** in GitLab 14.0. Replaced by `DAST_EXCLUDE_URLS`. The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, `.*` matches an arbitrary character sequence. Not supported for API scans. |
+| `DAST_AUTH_URL` <sup>1,2</sup> | URL | The URL of the page containing the sign-in HTML form on the target website. `DAST_USERNAME` and `DAST_PASSWORD` are submitted with the login form to create an authenticated scan. Not supported for API scans. Example: `https://login.example.com`. |
+| `DAST_AUTH_VERIFICATION_LOGIN_FORM` <sup>2</sup> | boolean | Verifies successful authentication by checking for the lack of a login form once the login form has been submitted. |
+| `DAST_AUTH_VERIFICATION_SELECTOR` <sup>2</sup> | selector | Verifies successful authentication by checking for presence of a selector once the login form has been submitted. Example: `css:.user-photo`. |
+| `DAST_AUTH_VERIFICATION_URL` <sup>1,2</sup> | URL | A URL only accessible to logged in users that DAST can use to confirm successful authentication. If provided, DAST exits if it cannot access the URL. Example: `"http://example.com/loggedin_page"`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/207335) in GitLab 13.8. |
+| `DAST_AUTO_UPDATE_ADDONS` | boolean | ZAP add-ons are pinned to specific versions in the DAST Docker image. Set to `true` to download the latest versions when the scan starts. Default: `false`. |
+| `DAST_BROWSER_PATH_TO_LOGIN_FORM` <sup>1,2</sup> | selector | Comma-separated list of selectors that will be clicked on prior to attempting to enter `DAST_USERNAME` and `DAST_PASSWORD` into the login form. Example: `"css:.navigation-menu,css:.login-menu-item"`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/326633) in GitLab 14.1. |
+| `DAST_DEBUG` <sup>1</sup> | boolean | Enable debug message output. Default: `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
+| `DAST_EXCLUDE_RULES` | string | Set to a comma-separated list of Vulnerability Rule IDs to exclude them from running during the scan. Rule IDs are numbers and can be found from the DAST log or on the [ZAP project](https://www.zaproxy.org/docs/alerts/). For example, `HTTP Parameter Override` has a rule ID of `10026`. Cannot be used when `DAST_ONLY_INCLUDE_RULES` is set. **Note:** In earlier versions of GitLab the excluded rules were executed but vulnerabilities they generated were suppressed. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/118641) in GitLab 12.10. |
+| `DAST_EXCLUDE_URLS` <sup>1,2</sup> | URLs | The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, `.*` matches an arbitrary character sequence. Not supported for API scans. Example, `http://example.com/sign-out`. |
+| `DAST_FIRST_SUBMIT_FIELD` <sup>2</sup> | string | The `id` or `name` of the element that when clicked submits the username form of a multi-page login process. For example, `css:button[type='user-submit']`. [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/9894) in GitLab 12.4. |
+| `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` | boolean | **{warning}** **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/293595)** in GitLab 14.0. Set to `true` to require domain validation when running DAST full scans. Not supported for API scans. Default: `false` |
+| `DAST_FULL_SCAN_ENABLED` <sup>1</sup> | boolean | Set to `true` to run a [ZAP Full Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Full-Scan) instead of a [ZAP Baseline Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan). Default: `false` |
+| `DAST_HTML_REPORT` | string | The filename of the HTML report written at the end of a scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
+| `DAST_INCLUDE_ALPHA_VULNERABILITIES` | boolean | Set to `true` to include alpha passive and active scan rules. Default: `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
+| `DAST_MARKDOWN_REPORT` | string | The filename of the Markdown report written at the end of a scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
+| `DAST_MASK_HTTP_HEADERS` | string | Comma-separated list of request and response headers to be masked (GitLab 13.1). Must contain **all** headers to be masked. Refer to [list of headers that are masked by default](#hide-sensitive-information). |
+| `DAST_MAX_URLS_PER_VULNERABILITY` | number | The maximum number of URLs reported for a single vulnerability. `DAST_MAX_URLS_PER_VULNERABILITY` is set to `50` by default. To list all the URLs set to `0`. [Introduced](https://gitlab.com/gitlab-org/security-products/dast/-/merge_requests/433) in GitLab 13.12. |
+| `DAST_ONLY_INCLUDE_RULES` | string | Set to a comma-separated list of Vulnerability Rule IDs to configure the scan to run only them. Rule IDs are numbers and can be found from the DAST log or on the [ZAP project](https://www.zaproxy.org/docs/alerts/). Cannot be used when `DAST_EXCLUDE_RULES` is set. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250651) in GitLab 13.12. |
+| `DAST_PASSWORD` <sup>1,2</sup> | string | The password to authenticate to in the website. Example: `P@55w0rd!` |
+| `DAST_PASSWORD_FIELD` <sup>1,2</sup> | string | The selector of password field at the sign-in HTML form. Example: `id:password` |
+| `DAST_PATHS` | string | Set to a comma-separated list of URLs for DAST to scan. For example, `/page1.html,/category1/page3.html,/page2.html`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214120) in GitLab 13.4. |
+| `DAST_PATHS_FILE` | string | The file path containing the paths within `DAST_WEBSITE` to scan. The file must be plain text with one path per line. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/258825) in GitLab 13.6. |
+| `DAST_REQUEST_HEADERS` <sup>1</sup> | string | Set to a comma-separated list of request header names and values. Headers are added to every request made by DAST. For example, `Cache-control: no-cache,User-Agent: DAST/1.0` |
+| `DAST_SKIP_TARGET_CHECK` | boolean | Set to `true` to prevent DAST from checking that the target is available before scanning. Default: `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/229067) in GitLab 13.8. |
+| `DAST_SPIDER_MINS` <sup>1</sup> | number | The maximum duration of the spider scan in minutes. Set to `0` for unlimited. Default: One minute, or unlimited when the scan is a full scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
+| `DAST_SPIDER_START_AT_HOST` | boolean | Set to `false` to prevent DAST from resetting the target to its host before scanning. When `true`, non-host targets `http://test.site/some_path` is reset to `http://test.site` before scan. Default: `true`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/258805) in GitLab 13.6. |
+| `DAST_SUBMIT_FIELD` <sup>2</sup> | string | The `id` or `name` of the element that when clicked submits the login form or the password form of a multi-page login process. For example, `css:button[type='submit']`. [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/9894) in GitLab 12.4. |
+| `DAST_TARGET_AVAILABILITY_TIMEOUT` <sup>1</sup> | number | Time limit in seconds to wait for target availability. |
+| `DAST_USE_AJAX_SPIDER` <sup>1</sup> | boolean | Set to `true` to use the AJAX spider in addition to the traditional spider, useful for crawling sites that require JavaScript. Default: `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
+| `DAST_USERNAME` <sup>1,2</sup> | string | The username to authenticate to in the website. Example: `admin` |
+| `DAST_USERNAME_FIELD` <sup>1,2</sup> | string | The selector of username field at the sign-in HTML form. Example: `name:username` |
+| `DAST_XML_REPORT` | string | The filename of the XML report written at the end of a scan. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
+| `DAST_WEBSITE` <sup>1</sup> | URL | The URL of the website to scan. The variable `DAST_API_OPENAPI` must be specified if this is omitted. |
+| `DAST_ZAP_CLI_OPTIONS` | string | ZAP server command-line options. For example, `-Xmx3072m` would set the Java maximum memory allocation pool size. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12652) in GitLab 13.1. |
+| `DAST_ZAP_LOG_CONFIGURATION` | string | Set to a semicolon-separated list of additional log4j properties for the ZAP Server. Example: `log4j.logger.org.parosproxy.paros.network.HttpSender=DEBUG;log4j.logger.com.crawljax=DEBUG` |
+| `SECURE_ANALYZERS_PREFIX` | URL | Set the Docker registry base address from which to download the analyzer. |
1. Available to an on-demand DAST scan.
+1. Used for authentication.
#### Selectors
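Review bot: The re-sorted table is not fully alphabetical: `DAST_AUTH_REPORT` sits before `DAST_AUTH_EXCLUDE_URLS`, and `DAST_XML_REPORT` before `DAST_WEBSITE`. The `DAST_FIRST_SUBMIT_FIELD` and `DAST_SUBMIT_FIELD` rows still say "The `id` or `name` of the element" while their new examples (`css:button[type='user-submit']`, `css:button[type='submit']`) are CSS selectors; reword to "The selector of the element", matching the updated `DAST_USERNAME_FIELD` and `DAST_PASSWORD_FIELD` rows. Example formatting is also inconsistent: `DAST_EXCLUDE_URLS` has "Example, `http://example.com/sign-out`" (needs a colon), some example values are quoted and others not, and the `DAST_PASSWORD`, `DAST_PASSWORD_FIELD`, `DAST_USERNAME`, `DAST_USERNAME_FIELD`, `DAST_FULL_SCAN_ENABLED` and `DAST_FULL_SCAN_DOMAIN_VALIDATION_REQUIRED` rows lack the trailing period the other rows use.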
@@ -838,8 +821,8 @@ Chrome DevTools element selector tool is an effective way to find a selector.
![highlight](img/dast_auth_browser_scan_highlight.png)
1. Once highlighted, you can see the element's details, including attributes that would make a good candidate for a selector.
-In this example, the `id="user_login"` appears to be a good candidate. You can use this as a selector as the DAST username field by setting
-`DAST_USERNAME_FIELD: "id:user_login"`.
+In this example, the `id="user_login"` appears to be a good candidate. You can use this as a selector as the DAST username field by setting
+`DAST_USERNAME_FIELD: "id:user_login"`.
##### Choose the right selector
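Review bot: The `-`/`+` pair in this hunk is textually identical as rendered, so this is a whitespace-only change; if it is intentional trailing-whitespace cleanup that is fine, otherwise drop it to keep the diff focused on the content changes.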
@@ -926,89 +909,6 @@ variables:
The DAST job does not require the project's repository to be present when running, so by default
[`GIT_STRATEGY`](../../../ci/runners/configure_runners.md#git-strategy) is set to `none`.
-### Debugging DAST jobs
-
-A DAST job has two executing processes:
-
-- The ZAP server.
-- A series of scripts that start, control and stop the ZAP server.
-
-Debug mode of the scripts can be enabled by using the `DAST_DEBUG` CI/CD variable. This can help when troubleshooting the job,
-and outputs statements indicating what percentage of the scan is complete.
-For details on using variables, see [Overriding the DAST template](#customizing-the-dast-settings).
-
-Debug mode of the ZAP server can be enabled using the `DAST_ZAP_LOG_CONFIGURATION` variable.
-The following table outlines examples of values that can be set and the effect that they have on the output that is logged.
-Multiple values can be specified, separated by semicolons.
-
-For example, `log4j.logger.org.parosproxy.paros.network.HttpSender=DEBUG;log4j.logger.com.crawljax=DEBUG`.
-
-| Log configuration value | Effect |
-|-------------------------------------------------- | ----------------------------------------------------------------- |
-| `log4j.rootLogger=DEBUG` | Enable all debug logging statements. |
-| `log4j.logger.org.apache.commons.httpclient=DEBUG` | Log every HTTP request and response made by the ZAP server. |
-| `log4j.logger.org.zaproxy.zap.spider.SpiderController=DEBUG` | Log URLs found during the spider scan of the target. |
-| `log4j.logger.com.crawljax=DEBUG` | Enable Ajax Crawler debug logging statements. |
-| `log4j.logger.org.parosproxy.paros=DEBUG` | Enable ZAP server proxy debug logging statements. |
-| `log4j.logger.org.zaproxy.zap=DEBUG` | Enable debug logging statements of the general ZAP server code. |
-
-## Running DAST in an offline environment
-
-For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
-to external resources through the internet, some adjustments are required for the DAST job to
-successfully run. For more information, see [Offline environments](../offline_deployments/index.md).
-
-### Requirements for offline DAST support
-
-To use DAST in an offline environment, you need:
-
-- GitLab Runner with the [`docker` or `kubernetes` executor](#prerequisites).
-- Docker Container Registry with a locally available copy of the DAST
- [container image](https://gitlab.com/security-products/dast), found in the
- [DAST container registry](https://gitlab.com/security-products/dast/container_registry).
-
-Note that GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
-meaning the runner tries to pull Docker images from the GitLab container registry even if a local
-copy is available. The GitLab Runner [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
-in an offline environment if you prefer using only locally available Docker images. However, we
-recommend keeping the pull policy setting to `always` if not in an offline environment, as this
-enables the use of updated scanners in your CI/CD pipelines.
-
-### Make GitLab DAST analyzer images available inside your Docker registry
-
-For DAST, import the following default DAST analyzer image from `registry.gitlab.com` to your [local Docker container registry](../../packages/container_registry/index.md):
-
-- `registry.gitlab.com/security-products/dast:latest`
-
-The process for importing Docker images into a local offline Docker registry depends on
-**your network security policy**. Please consult your IT staff to find an accepted and approved
-process by which external resources can be imported or temporarily accessed.
-These scanners are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance)
-with new definitions, and you may be able to make occasional updates on your own.
-
-For details on saving and transporting Docker images as a file, see Docker's documentation on
-[`docker save`](https://docs.docker.com/engine/reference/commandline/save/),
-[`docker load`](https://docs.docker.com/engine/reference/commandline/load/),
-[`docker export`](https://docs.docker.com/engine/reference/commandline/export/), and
-[`docker import`](https://docs.docker.com/engine/reference/commandline/import/).
-
-### Set DAST CI/CD job variables to use local DAST analyzers
-
-Add the following configuration to your `.gitlab-ci.yml` file. You must replace `image` to refer to
-the DAST Docker image hosted on your local Docker container registry:
-
-```yaml
-include:
- - template: DAST.gitlab-ci.yml
-dast:
- image: registry.example.com/namespace/dast:latest
-```
-
-The DAST job should now use local copies of the DAST analyzers to scan your code and generate
-security reports without requiring internet access.
-
-Alternatively, you can use the CI/CD variable `SECURE_ANALYZERS_PREFIX` to override the base registry address of the `dast` image.
-
## On-demand scans
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218465) in GitLab 13.2.
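Review bot: Two sections are removed in this hunk but only one reappears: the offline content is recreated as `run_dast_offline.md` (the new file later in this diff), while `### Debugging DAST jobs`, including the `DAST_ZAP_LOG_CONFIGURATION` log4j table, is removed with no visible destination. The variables table still documents `DAST_ZAP_LOG_CONFIGURATION` and `DAST_DEBUG`, so either keep that table on this page or link to where it moved. Consider also leaving a short link under the old `## Running DAST in an offline environment` heading, since the `#running-dast-in-an-offline-environment` anchor is likely referenced from other pages.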
@@ -1148,7 +1048,12 @@ When an API site type is selected, a [host override](#host-override) is used to
#### Site profile validation
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/233020) in GitLab 13.8.
+> - Site profile validation [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/233020) in GitLab 13.8.
+> - Meta tag validation [enabled on GitLab.com](https://gitlab.com/groups/gitlab-org/-/epics/6460) in GitLab 14.2 and is ready for production use.
+> - Meta tag validation [enabled with `dast_meta_tag_validation flag` flag](https://gitlab.com/gitlab-org/gitlab/-/issues/337711) for self-managed GitLab in GitLab 14.2 and is ready for production use.
+
+FLAG:
+On self-managed GitLab, by default this feature is available. To hide the feature, ask an administrator to [disable the `dast_meta_tag_validation` flag](../../../administration/feature_flags.md). On GitLab.com, this feature is available but can be configured by GitLab.com administrators only.
Site profile validation reduces the risk of running an active scan against the wrong website. A site
must be validated before an active scan can run against it. The site validation methods are as
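Review bot: The bullet `Meta tag validation [enabled with `dast_meta_tag_validation flag` flag]` has the word "flag" both inside the code span and after it; it should read `dast_meta_tag_validation` flag, matching the FLAG paragraph below it. The two "and is ready for production use" clauses also read awkwardly appended to the introduction bullets; consider stating production readiness once, in the FLAG note.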
@@ -1160,8 +1065,14 @@ follows:
- _Header validation_ requires the header `Gitlab-On-Demand-DAST` be added to the target site,
with a value unique to the project. The validation process checks that the header is present, and
checks its value.
+- _Meta tag validation_ requires the meta tag named `gitlab-dast-validation` be added to the target site,
+ with a value unique to the project. Make sure it's added to the `<head>` section of the page. The validation process checks that the meta tag is present, and
+ checks its value.
+
+All these methods are equivalent in functionality. Use whichever is feasible.
-Both methods are equivalent in functionality. Use whichever is feasible.
+In [GitLab 14.2 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/324990), site profile
+validation happens in a CI job using the [GitLab Runner](../../../ci/runners/index.md).
#### Create a site profile
@@ -1210,8 +1121,9 @@ Prerequisites:
To validate a site profile:
-1. From your project's home page, go to **Security & Compliance > Configuration**.
-1. In the **DAST Profiles** row select **Manage**.
+1. On the top bar, select **Menu > Projects** and find your project.
+1. On the left sidebar, select **Security & Compliance > Configuration**.
+1. In the **Dynamic Application Security Testing (DAST)** section, select **Manage scans**.
1. Select the **Site Profiles** tab.
1. In the profile's row select **Validate** or **Retry validation**.
1. Select the validation method.
@@ -1225,6 +1137,11 @@ To validate a site profile:
1. Edit the header of the site to validate, and paste the clipboard content.
1. Select the input field in **Step 3** and enter the location of the header.
1. Select **Validate**.
+ 1. For **Meta tag validation**:
+ 1. Select the clipboard icon in **Step 2**.
+ 1. Edit the content of the site to validate, and paste the clipboard content.
+ 1. Select the input field in **Step 3** and enter the location of the meta tag.
+ 1. Select **Validate**.
The site is validated and an active scan can run against it.
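Review bot: in the meta tag steps, "Edit the content of the site to validate, and paste the clipboard content" does not say where the tag must go, while the bullet added earlier in this diff makes the `<head>` section a requirement; repeat that here so a tag pasted into `<body>` is not the first thing users try. "Enter the location of the meta tag" in Step 3 is also ambiguous (the tag's position in the page, or the URL of the page that serves it); the header method uses the same wording. If the field expects a URL, say "enter the URL of the page that serves the meta tag" and make the header step match.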
diff --git a/doc/user/application_security/dast/run_dast_offline.md b/doc/user/application_security/dast/run_dast_offline.md
new file mode 100644
index 00000000000..39747a5cbe5
--- /dev/null
+++ b/doc/user/application_security/dast/run_dast_offline.md
@@ -0,0 +1,63 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+type: reference, howto
+---
+
+# Run DAST in an offline environment
+
+For self-managed GitLab instances in an environment with limited, restricted, or intermittent access
+to external resources through the internet, some adjustments are required for the DAST job to
+successfully run. For more information, see [Offline environments](../offline_deployments/index.md).
+
+## Requirements for offline DAST support
+
+To use DAST in an offline environment, you need:
+
+- GitLab Runner with the [`docker` or `kubernetes` executor](index.md#prerequisites).
+- Docker Container Registry with a locally available copy of the DAST
+ [container image](https://gitlab.com/security-products/dast), found in the
+ [DAST container registry](https://gitlab.com/security-products/dast/container_registry).
+
+Note that GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy),
+meaning the runner tries to pull Docker images from the GitLab container registry even if a local
+copy is available. The GitLab Runner [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy)
+in an offline environment if you prefer using only locally available Docker images. However, we
+recommend keeping the pull policy setting to `always` if not in an offline environment, as this
+enables the use of updated scanners in your CI/CD pipelines.
+
+## Make GitLab DAST analyzer images available inside your Docker registry
+
+For DAST, import the following default DAST analyzer image from `registry.gitlab.com` to your [local Docker container registry](../../packages/container_registry/index.md):
+
+- `registry.gitlab.com/security-products/dast:latest`
+
+The process for importing Docker images into a local offline Docker registry depends on
+**your network security policy**. Please consult your IT staff to find an accepted and approved
+process by which external resources can be imported or temporarily accessed.
+These scanners are [periodically updated](../vulnerabilities/index.md#vulnerability-scanner-maintenance)
+with new definitions, and you may be able to make occasional updates on your own.
+
+For details on saving and transporting Docker images as a file, see Docker's documentation on
+[`docker save`](https://docs.docker.com/engine/reference/commandline/save/),
+[`docker load`](https://docs.docker.com/engine/reference/commandline/load/),
+[`docker export`](https://docs.docker.com/engine/reference/commandline/export/), and
+[`docker import`](https://docs.docker.com/engine/reference/commandline/import/).
+
+## Set DAST CI/CD job variables to use local DAST analyzers
+
+Add the following configuration to your `.gitlab-ci.yml` file. You must replace `image` to refer to
+the DAST Docker image hosted on your local Docker container registry:
+
+```yaml
+include:
+ - template: DAST.gitlab-ci.yml
+dast:
+ image: registry.example.com/namespace/dast:latest
+```
+
+The DAST job should now use local copies of the DAST analyzers to scan your code and generate
+security reports without requiring internet access.
+
+Alternatively, you can use the CI/CD variable `SECURE_ANALYZERS_PREFIX` to override the base registry address of the `dast` image.
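Review bot: the example `image: registry.example.com/namespace/dast:latest`, combined with the `pull_policy` of `if-not-present` recommended a few lines above, means the runner keeps using whatever `dast:latest` it pulled first and never picks up an updated image from the local registry, because a tag with that name already exists on the host. Either use a versioned tag in the example or tell the reader to remove the cached image from the runner host (or pull it explicitly) after refreshing the mirror; otherwise the "periodically updated" scanners mentioned above never reach offline pipelines. Two smaller points: "use local copies of the DAST analyzers to scan your code" is wrong for DAST, which scans a running application rather than code; and the closing `SECURE_ANALYZERS_PREFIX` sentence should spell out the value format, since the reader cannot tell whether the prefix replaces the whole `registry.gitlab.com/security-products` path or only the host.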
diff --git a/doc/user/application_security/dependency_list/index.md b/doc/user/application_security/dependency_list/index.md
index 9fc90c427c5..1cb21d34853 100644
--- a/doc/user/application_security/dependency_list/index.md
+++ b/doc/user/application_security/dependency_list/index.md
@@ -10,7 +10,10 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10075) in GitLab Ultimate 12.0.
Use the dependency list to review your project's dependencies and key
-details about those dependencies, including their known vulnerabilities. It is a collection of dependencies in your project, including existing and new findings. To see the dependency list, go to your project and select **Security & Compliance > Dependency List**.
+details about those dependencies, including their known vulnerabilities. It is a collection of dependencies in your project, including existing and new findings.
+
+To see the dependency list, go to your project and select **Security & Compliance > Dependency List**.
+
This information is sometimes referred to as a Software Bill of Materials or SBoM / BOM.
The dependency list only shows the results of the last successful pipeline to run on the default branch. This is why we recommend not changing the default behavior of allowing the secure jobs to fail.
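Review bot: "It is a collection of dependencies in your project, including existing and new findings" conflates two things; the list is of dependencies, and "findings" are the vulnerabilities attached to them. Suggest "It lists every dependency detected in the project, together with the existing and newly reported vulnerabilities for each."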
@@ -71,4 +74,12 @@ If the [License Compliance](../../compliance/license_compliance/index.md) CI job
## Downloading the dependency list
You can download your project's full list of dependencies and their details in
-`JSON` format by selecting the download button.
+`JSON` format.
+
+### In the UI
+
+You can download your project’s list of dependencies and their details in JSON format by selecting the **Export** button. Note that the dependency list only shows the results of the last successful pipeline to run on the default branch.
+
+### Using the API
+
+You can download your project’s list of dependencies [using the API](../../../api/dependencies.md#list-project-dependencies). Note this only provides the dependencies identified by the gemnasium family of analyzers and [not any other of the GitLab dependency analyzers](../dependency_scanning/analyzers.md).
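Review bot: the "In the UI" paragraph repeats the default-branch caveat already stated above ("The dependency list only shows the results of the last successful pipeline to run on the default branch"), while the "Using the API" paragraph carries a different caveat (gemnasium-family analyzers only) that the UI paragraph does not. State once whether the UI export and the API return the same set of dependencies; as written, a reader cannot tell whether the UI export includes dependencies from the other analyzers or is subject to the same gemnasium-only limitation, which matters if the export is being used as an SBoM.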
diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md
index 76a14aae715..565b9c29934 100644
--- a/doc/user/application_security/dependency_scanning/index.md
+++ b/doc/user/application_security/dependency_scanning/index.md
@@ -7,8 +7,6 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Dependency Scanning **(ULTIMATE)**
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5105) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.7.
-
The Dependency Scanning feature can automatically find security vulnerabilities in your
dependencies while you're developing and testing your applications. For example, dependency scanning
lets you know if your application uses an external (open source) library that is known to be
@@ -29,19 +27,11 @@ either:
GitLab checks the dependency scanning report, compares the found vulnerabilities
between the source and target branches, and shows the information on the
-merge request.
+merge request. The results are sorted by the [severity](../vulnerabilities/severities.md) of the
+vulnerability.
![Dependency scanning Widget](img/dependency_scanning_v13_2.png)
-The results are sorted by the severity of the vulnerability:
-
-1. Critical
-1. High
-1. Medium
-1. Low
-1. Unknown
-1. Everything else
-
## Requirements
To run dependency scanning jobs, by default, you need GitLab Runner with the
@@ -53,29 +43,283 @@ WARNING:
If you use your own runners, make sure your installed version of Docker
is **not** `19.03.0`. See [troubleshooting information](#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error) for details.
+WARNING:
+Dependency Scanning does not support run-time installation of compilers and interpreters.
+If you have need of this, please explain why by filling out the survey [here](https://docs.google.com/forms/d/e/1FAIpQLScKo7xEYA65rOjPTGIufAyfjPGnCALSJZoTxBlvskfFMEOZMw/viewform).
+
## Supported languages and package managers
-GitLab relies on [`rules`](../../../ci/yaml/index.md#rules) to start relevant analyzers depending on the languages detected in the repository.
-The current detection logic limits the maximum search depth to two levels. For example, the `gemnasium-dependency_scanning` job is enabled if a repository contains either a `Gemfile` or `api/Gemfile` file, but not if the only supported dependency file is `api/client/Gemfile`.
+Dependency Scanning automatically detects the languages used in the repository. All analyzers
+matching the detected languages are run. There is usually no need to customize the selection of
+analyzers. We recommend not specifying the analyzers so you automatically use the full selection
+for best coverage, avoiding the need to make adjustments when there are deprecations or removals.
+However, you can override the selection using the variable `DS_EXCLUDED_ANALYZERS`.
+
+The language detection relies on CI job [`rules`](../../../ci/yaml/index.md#rules) and searches a
+maximum of two directory levels from the repository's root. For example, the
+`gemnasium-dependency_scanning` job is enabled if a repository contains either a `Gemfile` or
+`api/Gemfile` file, but not if the only supported dependency file is `api/client/Gemfile`.
The following languages and dependency managers are supported:
-| Package Managers | Languages | Supported files | Scan tools |
-| ------------------- | --------- | --------------- | ------------ |
-| [Bundler](https://bundler.io/) | Ruby | `Gemfile.lock`, `gems.locked` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium), [bundler-audit](https://github.com/rubysec/bundler-audit) |
-| [Composer](https://getcomposer.org/) | PHP | `composer.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) |
-| [Conan](https://conan.io/) | C, C++ | [`conan.lock`](https://docs.conan.io/en/latest/versioning/lockfiles.html) | [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) |
-| [Golang](https://golang.org/) | Go | `go.sum` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) |
-| [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) | Java | `build.gradle`, `build.gradle.kts`, `pom.xml` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) |
-| [npm](https://www.npmjs.com/), [yarn](https://classic.yarnpkg.com/en/) 1.x | JavaScript | `package-lock.json`, `npm-shrinkwrap.json`, `yarn.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) |
-| [npm](https://www.npmjs.com/) (7 and earlier), [yarn](https://classic.yarnpkg.com/en/) 1.x | JavaScript | `package.json` | [Retire.js](https://retirejs.github.io/retire.js/) |
-| [NuGet](https://www.nuget.org/) 4.9+ | .NET, C# | [`packages.lock.json`](https://docs.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-lock-file) | [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) |
-| [`setuptools`](https://setuptools.readthedocs.io/en/latest/), [pip](https://pip.pypa.io/en/stable/), [Pipenv](https://pipenv.pypa.io/en/latest/) (*1*) | Python | `setup.py`, `requirements.txt`, `requirements.pip`, `requires.txt`, `Pipfile`, `Pipfile.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) |
-| [sbt](https://www.scala-sbt.org/) (*2*) | Scala | `build.sbt` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) |
-
-1. [Pipenv](https://pipenv.pypa.io/en/latest/) projects are scanned when a `Pipfile` is present.
+<style>
+table.supported-languages tr:nth-child(even) {
+ background-color: transparent;
+}
+
+table.supported-languages td {
+ border-left: 1px solid #dbdbdb;
+ border-right: 1px solid #dbdbdb;
+ border-bottom: 1px solid #dbdbdb;
+}
+
+table.supported-languages tr td:first-child {
+ border-left: 0;
+}
+
+table.supported-languages tr td:last-child {
+ border-right: 0;
+}
+
+table.supported-languages ul {
+ list-style-type: none;
+ padding-left: 0px;
+ margin-bottom: 0px;
+}
+</style>
+
+<table class="supported-languages">
+ <thead>
+ <tr>
+ <th>Language</th>
+ <th>Package Manager</th>
+ <th>Package Manager Versions</th>
+ <th>Supported files</th>
+ <th>Analyzer</th>
+ <th><a href="#how-multiple-files-are-processed">Processes multiple files?</a></th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td rowspan="2">Ruby</td>
+ <td rowspan="2"><a href="https://bundler.io/">Bundler</a></td>
+ <td rowspan="2">Any</td>
+ <td>
+ <ul>
+ <li><code>Gemfile.lock</code></li>
+ <li><code>gems.locked</code></li>
+ </ul>
+ </td>
+ <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td>Y</td>
+ </tr>
+ <tr>
+ <td><code>Gemfile.lock</code></td>
+ <td><a href="https://github.com/rubysec/bundler-audit">bundler-audit</a></td>
+ <td>N</td>
+ </tr>
+ <tr>
+ <td>PHP</td>
+ <td><a href="https://getcomposer.org/">Composer</a></td>
+ <td>Any</td>
+ <td><code>composer.lock</code></td>
+ <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td>Y</td>
+ </tr>
+ <tr>
+ <td>C</td>
+ <td rowspan="2"><a href="https://conan.io/">Conan</a></td>
+ <td rowspan="2">Any</td>
+ <td rowspan="2"><a href="https://docs.conan.io/en/latest/versioning/lockfiles.html"><code>conan.lock</code></a></td>
+ <td rowspan="2"><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td rowspan="2">Y</td>
+ </tr>
+ <tr>
+ <td>C++</td>
+ </tr>
+ <tr>
+ <td>Go</td>
+ <td><a href="https://golang.org/">Golang</a></td>
+ <td>Any</td>
+ <td><code>go.sum</code></td>
+ <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td>Y</td>
+ </tr>
+ <tr>
+ <td rowspan="2">Java</td>
+ <td><a href="https://gradle.org/">Gradle</a></td>
+ <td>Any</td>
+ <td>
+ <ul>
+ <li><code>build.gradle</code></li>
+ <li><code>build.gradle.kts</code></li>
+ </ul>
+ </td>
+ <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td>N</td>
+ </tr>
+ <tr>
+ <td><a href="https://maven.apache.org/">Maven</a></td>
+ <td>Any</td>
+ <td><code>pom.xml</code></td>
+ <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td>N</td>
+ </tr>
+ <tr>
+ <td rowspan="3">JavaScript</td>
+ <td rowspan="2"><a href="https://www.npmjs.com/">npm</a></td>
+ <td rowspan="2">Any</td>
+ <td>
+ <ul>
+ <li><code>package-lock.json</code></li>
+ <li><code>npm-shrinkwrap.json</code></li>
+ </ul>
+ </td>
+ <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td>Y</td>
+ </tr>
+ <tr>
+ <td><code>package.json</code></td>
+ <td><a href="https://retirejs.github.io/retire.js/">Retire.js</a></td>
+ <td>N</td>
+ </tr>
+ <tr>
+ <td><a href="https://classic.yarnpkg.com/en/">yarn</a></td>
+ <td>1.x</td>
+ <td><code>yarn.lock</code></td>
+ <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td>Y</td>
+ </tr>
+ <tr>
+ <td>.NET</td>
+ <td rowspan="2"><a href="https://www.nuget.org/">NuGet</a></td>
+ <td rowspan="2">&gt;= 4.9</td>
+ <td rowspan="2"><a href="https://docs.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-lock-file"><code>packages.lock.json</code></a></td>
+ <td rowspan="2"><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td rowspan="2">Y</td>
+ </tr>
+ <tr>
+ <td>C#</td>
+ </tr>
+ <tr>
+ <td rowspan="3">Python</td>
+ <td><a href="https://setuptools.readthedocs.io/en/latest/">setuptools</a></td>
+ <td>Any</td>
+ <td><code>setup.py</code></td>
+ <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td>N</td>
+ </tr>
+ <tr>
+ <td><a href="https://pip.pypa.io/en/stable/">pip</a></td>
+ <td>Any</td>
+ <td>
+ <ul>
+ <li><code>requirements.txt</code></li>
+ <li><code>requirements.pip</code></li>
+ <li><code>requires.txt</code></li>
+ </ul>
+ </td>
+ <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td>N</td>
+ </tr>
+ <tr>
+ <td><a href="https://pipenv.pypa.io/en/latest/">Pipenv</a></td>
+ <td>Any</td>
+ <td>
+ <ul>
+ <li><a href="https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock"><code>Pipfile</code></a></li>
+ <li><a href="https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock"><code>Pipfile.lock</code></a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers">1</a></b></sup></li>
+ </ul>
+ </td>
+ <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td>N</td>
+ </tr>
+ <tr>
+ <td>Scala</td>
+ <td><a href="https://www.scala-sbt.org/">sbt</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers">2</a></b></sup></td>
+ <td>Any</td>
+ <td><code>build.sbt</code></td>
+ <td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
+ <td>N</td>
+ </tr>
+ </tbody>
+</table>
+
+### Notes regarding supported languages and package managers
+
+1. The presence of a `Pipfile.lock` file alone will _not_ trigger the analyzer; the presence of a `Pipfile` is still required in order
+for the analyzer to be executed. However, if a `Pipfile.lock` file is found, it will be used by `Gemnasium` to scan the exact package
+versions listed in this file.
+
+ Support for `Pipfile.lock` files without requiring the presence of a `Pipfile` will be implemented in the following upcoming issue:
+ [Dependency Scanning of Pipfile.lock without installing project dependencies](https://gitlab.com/gitlab-org/gitlab/-/issues/299294).
+
1. Support for [sbt](https://www.scala-sbt.org/) 1.3 and above was added in GitLab 13.9.
+### How analyzers are triggered
+
+GitLab relies on [`rules:exists`](../../../ci/yaml/index.md#rulesexists) to start the relevant analyzers for the languages detected by the presence of the
+`Supported files` in the repository as shown in the [table above](#supported-languages-and-package-managers).
+
+The current detection logic limits the maximum search depth to two levels. For example, the `gemnasium-dependency_scanning` job is enabled if
+a repository contains either a `Gemfile.lock` or `api/Gemfile.lock` file, but not if the only supported dependency file is `api/client/Gemfile.lock`.
+
+### How multiple files are processed
+
+NOTE:
+If you've run into problems while scanning multiple files, please contribute a comment to
+[this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/337056).
+
+#### Ruby
+
+The following analyzers are executed, each of which have different behavior when processing multiple files:
+
+- [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium)
+
+ Supports multiple lockfiles.
+
+- [bundler-audit](https://github.com/rubysec/bundler-audit)
+
+ Does not support multiple lockfiles. When multiple lockfiles exist, `bundler-audit`
+ analyzes the first lockfile discovered while traversing the directory tree in alphabetical order.
+
+We execute both analyzers because they use different sources of vulnerability data. The result is more comprehensive analysis than if only one was executed.
+
+#### Python
+
+We only execute one build in the directory where a requirements file has been detected, such as `requirements.txt` or any
+variation of this file (for example, `requirements.pip` or `requires.txt`).
+
+#### Java and Scala
+
+We only execute one build in the directory where a build file has been detected, such as `build.sbt` or `build.gradle`.
+Please note, we support the following types of Java project stuctures:
+
+- [multi-project sbt builds](https://www.scala-sbt.org/1.x/docs/Multi-Project.html)
+- [multi-project gradle builds](https://docs.gradle.org/current/userguide/intro_multi_project_builds.html)
+- [multi-module maven projects](https://maven.apache.org/pom.html#Aggregation)
+
+#### JavaScript
+
+The following analyzers are executed, each of which have different behavior when processing multiple files:
+
+- [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium)
+
+ Supports multiple lockfiles
+
+- [Retire.js](https://retirejs.github.io/retire.js/)
+
+ Does not support multiple lockfiles. When multiple lockfiles exist, `Retire.js`
+ analyzes the first lockfile discovered while traversing the directory tree in alphabetical order.
+
+We execute both analyzers because they use different sources of vulnerability data. The result is more comprehensive analysis than if only one was executed.
+
+#### PHP, Go, C, C++, .NET, C&#35;
+
+The analyzer for these languages supports multiple lockfiles.
+
+### Future support for additional languages
+
Plans are underway for supporting the following languages, dependency managers, and dependency files. For details, see the issue link for each.
For workarounds, see the [Troubleshooting section](#troubleshooting)
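Review bot: the detection-depth rule is stated twice in this hunk with different file names. Under "Supported languages and package managers" the example is `Gemfile` / `api/Gemfile`, while under "How analyzers are triggered" it is `Gemfile.lock` / `api/Gemfile.lock`. The table lists `Gemfile.lock`, not `Gemfile`, as the supported file for Bundler, so the second version is the correct one; keep one copy and drop the other. Under "How multiple files are processed", the Python and Java/Scala sections say "we only execute one build in the directory where a ... file has been detected" without saying which directory wins when several match within the two-level search; the other requirement or build files are then not scanned at all, so say how the directory is chosen, as the Ruby and JavaScript sections do for bundler-audit and Retire.js (first lockfile in alphabetical order). Finally, "project stuctures" should be "project structures".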
@@ -113,17 +357,8 @@ always take the latest dependency scanning artifact available.
### Enable Dependency Scanning via an automatic merge request
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4908) in GitLab 14.1.
-> - [Deployed behind a feature flag](../../../user/feature_flags.md), enabled by default.
-> - Enabled on GitLab.com.
-> - Recommended for production use.
-> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-configure-dependency-scanning-via-a-merge-request). **(ULTIMATE SELF)**
-
-WARNING:
-This feature might not be available to you. Check the **version history** note above for details.
-
-There can be
-[risks when disabling released features](../../../user/feature_flags.md#risks-when-disabling-released-features).
-Refer to this feature's version history for more details.
+> - [Enabled with `sec_dependency_scanning_ui_enable` flag](https://gitlab.com/gitlab-org/gitlab/-/issues/282533) for self-managed GitLab in GitLab 14.1 and is ready for production use.
+> - [Feature flag sec_dependency_scanning_ui_enable removed](https://gitlab.com/gitlab-org/gitlab/-/issues/326005) in GitLab 14.2.
To enable Dependency Scanning in a project, you can create a merge request
from the Security Configuration page.
@@ -624,7 +859,7 @@ Generally, the approach is the following:
1. Add [`dependencies: [<your-converter-job>]`](../../../ci/yaml/index.md#dependencies)
to your `dependency_scanning` job to make use of the converted definitions files.
-For example, the currently unsupported `poetry.lock` file can be
+For example, the unsupported `poetry.lock` file can be
[converted](https://python-poetry.org/docs/cli/#export)
to the supported `requirements.txt` as follows.
@@ -633,25 +868,17 @@ include:
- template: Dependency-Scanning.gitlab-ci.yml
stages:
- - .pre
- test
variables:
PIP_REQUIREMENTS_FILE: "requirements-converted.txt"
-convert-poetry:
- stage: .pre
- image: python:3-slim
- script:
+gemnasium-python-dependency_scanning:
+ # Work around https://gitlab.com/gitlab-org/gitlab/-/issues/7006
+ before_script:
- pip install poetry # Or via another method: https://python-poetry.org/docs/#installation
- - poetry export --output "$PIP_REQUIREMENTS_FILE"
- artifacts:
- paths:
- - "$PIP_REQUIREMENTS_FILE"
-
-dependency_scanning:
- stage: test
- dependencies: ["convert-poetry"]
+ - poetry export --output="$PIP_REQUIREMENTS_FILE"
+ - rm poetry.lock pyproject.toml
```
### `Error response from daemon: error processing tar file: docker-tar: relocation error`
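Review bot: the revised example no longer matches the general approach described just above it, which still says to add a converter job and `dependencies: [<your-converter-job>]` to the `dependency_scanning` job; the new example instead overrides `before_script` of `gemnasium-python-dependency_scanning` and has no converter job or artifact, so either update the numbered steps or say the example is a different, simpler pattern. On the example itself: `pip install poetry` in `before_script` installs an unpinned tool from the network at scan time, so the scanning job now depends on PyPI being reachable and on whatever poetry version is current that day; pin it (`pip install poetry==<version>`) and note that this does not work as-is on offline instances. The `rm poetry.lock pyproject.toml` line also needs a comment explaining why the files are deleted, since to a reader it looks like the lockfile that was just exported is being thrown away; the `# Work around https://gitlab.com/gitlab-org/gitlab/-/issues/7006` comment covers the job override, not that line.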
@@ -681,22 +908,3 @@ with a dependency on this version of Python should use `retire.js` version 2.10.
### Error: `dependency_scanning is used for configuration only, and its script should not be executed`
For information on this, see the [GitLab Secure troubleshooting section](../index.md#error-job-is-used-for-configuration-only-and-its-script-should-not-be-executed).
-
-### Enable or disable Configure Dependency Scanning via a Merge Request
-
-Configure Dependency Scanning via a Merge Request is under development but ready for production use.
-It is deployed behind a feature flag that is **enabled by default**.
-[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
-can opt to disable it.
-
-To disable it:
-
-```ruby
-Feature.disable(:sec_dependency_scanning_ui_enable)
-```
-
-To enable it:
-
-```ruby
-Feature.enable(:sec_dependency_scanning_ui_enable)
-```
diff --git a/doc/user/application_security/img/vulnerability_page_merge_request_button_dropdown_v13_1.png b/doc/user/application_security/img/vulnerability_page_merge_request_button_dropdown_v13_1.png
deleted file mode 100644
index 05ca74c3d5c..00000000000
--- a/doc/user/application_security/img/vulnerability_page_merge_request_button_dropdown_v13_1.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md
index 616d2f8c790..3b0725021ef 100644
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -114,7 +114,7 @@ rules:
If you add the security scanning jobs as described in [Security scanning with Auto DevOps](#security-scanning-with-auto-devops) or [Security scanning without Auto DevOps](#security-scanning-without-auto-devops) to your `.gitlab-ci.yml` each added [security scanning tool](#security-scanning-tools) behave as described below.
-For each compatible analyzer, a job is created in the `test`, `dast` or `fuzz` stage of your pipeline and runs on the next new branch pipeline. Features such as the [Security Dashboard](security_dashboard/index.md), [Vulnerability Report](vulnerability_report/index.md), and [Dependency List](dependency_list/index.md) that rely on this scan data only show results from pipelines on the default branch. Please note that one tool may use many analyzers.
+For each compatible analyzer, a job is created in the `test`, `dast` or `fuzz` stage of your pipeline and runs on the next new branch pipeline. Features such as the [Security Dashboard](security_dashboard/index.md), [Vulnerability Report](vulnerability_report/index.md), and [Dependency List](dependency_list/index.md) that rely on this scan data only show results from pipelines on the default branch. One tool might use many analyzers.
Our language and package manager specific jobs attempt to assess which analyzer(s) they should run for your project so that you can do less configuration.
diff --git a/doc/user/application_security/offline_deployments/index.md b/doc/user/application_security/offline_deployments/index.md
index d87da15b4b0..3bf9d85cd0b 100644
--- a/doc/user/application_security/offline_deployments/index.md
+++ b/doc/user/application_security/offline_deployments/index.md
@@ -61,7 +61,7 @@ mirroring the packages inside your own offline network.
Once a vulnerability is found, you can interact with it. Read more on how to
[address the vulnerabilities](../vulnerabilities/index.md).
-Please note that in some cases the reported vulnerabilities provide metadata that can contain
+In some cases the reported vulnerabilities provide metadata that can contain
external links exposed in the UI. These links might not be accessible within an offline environment.
### Resolving vulnerabilities
@@ -87,7 +87,7 @@ above. You can find more information at each of the pages below:
- [Container scanning offline directions](../container_scanning/index.md#running-container-scanning-in-an-offline-environment)
- [SAST offline directions](../sast/index.md#running-sast-in-an-offline-environment)
-- [DAST offline directions](../dast/index.md#running-dast-in-an-offline-environment)
+- [DAST offline directions](../dast/run_dast_offline.md#run-dast-in-an-offline-environment)
- [License Compliance offline directions](../../compliance/license_compliance/index.md#running-license-compliance-in-an-offline-environment)
- [Dependency Scanning offline directions](../dependency_scanning/index.md#running-dependency-scanning-in-an-offline-environment)
diff --git a/doc/user/application_security/policies/index.md b/doc/user/application_security/policies/index.md
index 076872c9864..3d0135678b7 100644
--- a/doc/user/application_security/policies/index.md
+++ b/doc/user/application_security/policies/index.md
@@ -129,9 +129,9 @@ rule in the defined policy are met.
| Field | Type | Possible values | Description |
|-------|------|-----------------|-------------|
-| `scan` | `string` | `dast` | The action's type. |
-| `site_profile` | `string` | Name of the selected [DAST site profile](../dast/index.md#site-profile). | The DAST site profile to execute the DAST scan. |
-| `scanner_profile` | `string` or `null` | Name of the selected [DAST scanner profile](../dast/index.md#scanner-profile). | The DAST scanner profile to execute the DAST scan. |
+| `scan` | `string` | `dast`, `secret_detection` | The action's type. |
+| `site_profile` | `string` | Name of the selected [DAST site profile](../dast/index.md#site-profile). | The DAST site profile to execute the DAST scan. This field should only be set if `scan` type is `dast`. |
+| `scanner_profile` | `string` or `null` | Name of the selected [DAST scanner profile](../dast/index.md#scanner-profile). | The DAST scanner profile to execute the DAST scan. This field should only be set if `scan` type is `dast`.|
Note the following:
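Review bot: "This field should only be set if `scan` type is `dast`" for `site_profile` and `scanner_profile` leaves open what happens when one of them is set on a `secret_detection` action: is the policy rejected by validation, or is the field silently ignored? Say which, since a silently ignored profile on a policy whose purpose is to enforce a scan should fail loudly rather than run something other than what was written. Minor: in the `scanner_profile` row the closing `|` lacks the space used in every other row of the table.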
@@ -144,6 +144,11 @@ Note the following:
- When configuring policies with a scheduled DAST scan, the author of the commit in the security
policy project's repository must have access to the scanner and site profiles. Otherwise, the scan
is not scheduled successfully.
+- For a secret detection scan, only rules with the default ruleset are supported. [Custom rulesets](../secret_detection/index.md#custom-rulesets)
+ are not supported.
+- A secret detection scan runs in `normal` mode when executed as part of a pipeline, and in
+ [`historic`](../secret_detection/index.md#full-history-secret-scan)
+ mode when executed as part of a scheduled scan.
Here's an example:
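Review bot: "only rules with the default ruleset are supported" reads oddly; the intent is that only the default ruleset is supported, and the line should say what happens when a project has a custom ruleset configured (is it ignored and the default applied, or does the policy-triggered scan fail?). The `normal` versus `historic` distinction is the operationally important one: a scheduled policy runs a full-history scan on every occurrence, so a short schedule such as the 10-minute one in the example below re-scans the entire repository history each time; a sentence on that cost belongs here.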
@@ -161,8 +166,8 @@ scan_execution_policy:
- scan: dast
scanner_profile: Scanner Profile A
site_profile: Site Profile B
-- name: Enforce DAST scan every 10 minutes
- description: This policy enforces a DAST scan to run every 10 minutes
+- name: Enforce DAST and secret detection scans every 10 minutes
+ description: This policy enforces DAST and secret detection scans to run every 10 minutes
enabled: true
rules:
- type: schedule
@@ -173,12 +178,25 @@ scan_execution_policy:
- scan: dast
scanner_profile: Scanner Profile C
site_profile: Site Profile D
+ - scan: secret_detection
+- name: Enforce Secret Detection in every default branch pipeline
+ description: This policy enforces pipeline configuration to have a job with Secret Detection scan for the default branch
+ enabled: true
+ rules:
+ - type: pipeline
+ branches:
+ - main
+ actions:
+ - scan: secret_detection
```
-In this example, the DAST scan runs with the scanner profile `Scanner Profile A` and the site
-profile `Site Profile B` for every pipeline executed on branches that match the
-`release/*` wildcard (for example, branch name `release/v1.2.1`); and the DAST scan runs with
-the scanner profile `Scanner Profile C` and the site profile `Site Profile D` every 10 minutes.
+In this example:
+
+- For every pipeline executed on branches that match the `release/*` wildcard (for example, branch
+ `release/v1.2.1`), DAST scans run with `Scanner Profile A` and `Site Profile B`.
+- DAST and secret detection scans run every 10 minutes. The DAST scan runs with `Scanner Profile C`
+ and `Site Profile D`.
+- Secret detection scans run for every pipeline executed on the `main` branch.
## Security Policy project selection
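Review bot: the new pipeline policy's name and description say "default branch", but the rule hardcodes `branches: - main`, and the explanation at the end of the hunk says "the `main` branch"; for a project whose default branch is not `main` the policy silently does nothing. Either word the name and description as "the `main` branch", or, if the policy schema has a way to target the default branch without naming it, show that instead of a literal branch name. Minor: the added `- scan: secret_detection` schedule action carries no profile keys, which is consistent with the bullets above, but a short comment in the YAML noting that secret detection takes no scanner or site profile would preempt the question.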
diff --git a/doc/user/application_security/sast/img/sast_v13_2.png b/doc/user/application_security/sast/img/sast_v13_2.png
deleted file mode 100644
index 5697ed9beb0..00000000000
--- a/doc/user/application_security/sast/img/sast_v13_2.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md
index c64df616925..6e88f38d900 100644
--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -31,8 +31,8 @@ The results are sorted by the priority of the vulnerability:
1. High
1. Medium
1. Low
+1. Info
1. Unknown
-1. Everything else
A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish
for any reason, the security dashboard does not show SAST scanner output. For example, if the SAST
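Review bot: replacing "Everything else" with "Info" removes the catch-all at the end of the priority list, so the text no longer says where findings that carry no severity at all are sorted. If they are shown as Unknown, add one sentence after the list saying so. The resulting order (Critical, High, Medium, Low, Info, Unknown) matches the Severity filter list elsewhere in these docs, which is an improvement.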
@@ -71,6 +71,7 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu
| .NET Core | [Security Code Scan](https://security-code-scan.github.io) | 11.0 |
| .NET Framework | [Security Code Scan](https://security-code-scan.github.io) | 13.0 |
| Apex (Salesforce) | [PMD](https://pmd.github.io/pmd/index.html) | 12.1 |
+| C | [Semgrep](https://semgrep.dev) | 14.2 |
| C/C++ | [Flawfinder](https://github.com/david-a-wheeler/flawfinder) | 10.7 |
| Elixir (Phoenix) | [Sobelow](https://github.com/nccgroup/sobelow) | 11.1 |
| Go | [Gosec](https://github.com/securego/gosec) | 10.7 |
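Review bot: the added `| C | [Semgrep](https://semgrep.dev) | 14.2 |` row overlaps with the existing `| C/C++ | [Flawfinder](...) | 10.7 |` row, so a reader cannot tell whether a C project now runs both analyzers or whether Semgrep replaces Flawfinder for C. State which; if both run, say that duplicate findings for the same code are expected and link to the existing instructions for excluding an analyzer.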
@@ -146,6 +147,7 @@ as shown in the following table:
| [Access to Security Dashboard](../../application_security/security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Configure SAST in the UI](#configure-sast-in-the-ui) | **{dotted-circle}** | **{check-circle}** |
| [Customize SAST Rulesets](#customize-rulesets) | **{dotted-circle}** | **{check-circle}** |
+| [False Positive Detection](#false-positive-detection) | **{dotted-circle}** | **{check-circle}** |
## Contribute your scanner
@@ -355,6 +357,12 @@ To create a custom ruleset:
value = "gosec-config.json"
```
+### False Positive Detection **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/292686) in GitLab 14.2.
+
+Vulnerabilities that have been detected and are false positives will be flagged as false positives in the security dashboard.
+
### Using CI/CD variables to pass credentials for private repositories
Some analyzers require downloading the project's dependencies in order to
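Review bot: the single sentence in the new False Positive Detection section is circular ("vulnerabilities ... that are false positives will be flagged as false positives") and gives the reader nothing actionable: which analyzers or languages support it, what the flag is based on, whether a flagged finding is dismissed automatically or still needs triage, and whether the flag can be overridden. Use present tense like the rest of the page ("are flagged"), and since the section lands between the "To create a custom ruleset" example and "Using CI/CD variables to pass credentials", confirm it is meant as a sibling `###` section rather than part of ruleset customization.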
diff --git a/doc/user/application_security/secret_detection/index.md b/doc/user/application_security/secret_detection/index.md
index 938bd3b41d5..b6ff68c861b 100644
--- a/doc/user/application_security/secret_detection/index.md
+++ b/doc/user/application_security/secret_detection/index.md
@@ -35,7 +35,7 @@ GitLab displays identified secrets visibly in a few places:
Secret Detection detects a variety of common secrets by default. You can also customize the secret detection patterns using [custom rulesets](#custom-rulesets).
-The [default ruleset provided by Gitleaks](https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/gitleaks/gitleaks.toml) includes the following key types:
+The [default ruleset provided by Gitleaks](https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/gitleaks.toml) includes the following key types:
- Cloud services:
- Amazon Web Services (AWS)
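Review bot: the corrected link points at `gitleaks.toml` on `master`, and this hunk exists precisely because the file already moved once; linking to the file at a tagged release of the analyzer instead of `master` would keep the reference stable the next time the layout changes.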
diff --git a/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v13_10.png b/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v13_10.png
deleted file mode 100644
index 72b24a3fd28..00000000000
--- a/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v13_10.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v14_2.png b/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v14_2.png
new file mode 100644
index 00000000000..3a195a5ce8d
--- /dev/null
+++ b/doc/user/application_security/security_dashboard/img/pipeline_security_dashboard_v14_2.png
Binary files differ
diff --git a/doc/user/application_security/security_dashboard/index.md b/doc/user/application_security/security_dashboard/index.md
index 806bc03e30e..b799177ec5a 100644
--- a/doc/user/application_security/security_dashboard/index.md
+++ b/doc/user/application_security/security_dashboard/index.md
@@ -51,7 +51,7 @@ The security dashboard and vulnerability report displays information about vulne
At the pipeline level, the Security section displays the vulnerabilities present in the branch of
the project the pipeline ran against.
-![Pipeline Security Dashboard](img/pipeline_security_dashboard_v13_10.png)
+![Pipeline Security Dashboard](img/pipeline_security_dashboard_v14_2.png)
Visit the page for any pipeline that ran any of the [supported reports](#supported-reports). To view
the pipeline's security findings, select the **Security** tab when viewing the pipeline.
diff --git a/doc/user/application_security/vulnerabilities/index.md b/doc/user/application_security/vulnerabilities/index.md
index 6437f2325e8..a727dc88ffc 100644
--- a/doc/user/application_security/vulnerabilities/index.md
+++ b/doc/user/application_security/vulnerabilities/index.md
@@ -75,7 +75,7 @@ The issue is then opened so you can take further action.
Prerequisites:
-- [Enable Jira integration](../../project/integrations/jira.md).
+- [Enable Jira integration](../../../integration/jira/index.md).
The **Enable Jira issues creation from vulnerabilities** option must be selected as part of the configuration.
- Each user must have a personal Jira user account with permission to create issues in the target project.
diff --git a/doc/user/application_security/vulnerability_report/img/group_vulnerability_report_v13_9.png b/doc/user/application_security/vulnerability_report/img/group_vulnerability_report_v13_9.png
deleted file mode 100644
index 72443180e09..00000000000
--- a/doc/user/application_security/vulnerability_report/img/group_vulnerability_report_v13_9.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/application_security/vulnerability_report/img/group_vulnerability_report_v14_2.png b/doc/user/application_security/vulnerability_report/img/group_vulnerability_report_v14_2.png
new file mode 100644
index 00000000000..193efe9c386
--- /dev/null
+++ b/doc/user/application_security/vulnerability_report/img/group_vulnerability_report_v14_2.png
Binary files differ
diff --git a/doc/user/application_security/vulnerability_report/img/project_security_dashboard_status_change_v13_10.png b/doc/user/application_security/vulnerability_report/img/project_security_dashboard_status_change_v13_10.png
deleted file mode 100644
index f9f60810f20..00000000000
--- a/doc/user/application_security/vulnerability_report/img/project_security_dashboard_status_change_v13_10.png
+++ /dev/null
Binary files differ
diff --git a/doc/user/application_security/vulnerability_report/img/project_security_dashboard_status_change_v14_2.png b/doc/user/application_security/vulnerability_report/img/project_security_dashboard_status_change_v14_2.png
new file mode 100644
index 00000000000..056e051363d
--- /dev/null
+++ b/doc/user/application_security/vulnerability_report/img/project_security_dashboard_status_change_v14_2.png
Binary files differ
diff --git a/doc/user/application_security/vulnerability_report/index.md b/doc/user/application_security/vulnerability_report/index.md
index da59c0fbe79..c2c2e7459ba 100644
--- a/doc/user/application_security/vulnerability_report/index.md
+++ b/doc/user/application_security/vulnerability_report/index.md
@@ -16,7 +16,7 @@ At all levels, the Vulnerability Report contains:
- Filters for common vulnerability attributes.
- Details of each vulnerability, presented in tabular layout.
-![Vulnerability Report](img/group_vulnerability_report_v13_9.png)
+![Vulnerability Report](img/group_vulnerability_report_v14_2.png)
## Project-level Vulnerability Report
@@ -49,7 +49,7 @@ You can filter the vulnerabilities table by:
|:---------|:------------------|
| Status | Detected, Confirmed, Dismissed, Resolved. |
| Severity | Critical, High, Medium, Low, Info, Unknown. |
-| Scanner | For more details, see [Scanner filter](#scanner-filter). |
+| Tool | For more details, see [Tool filter](#tool-filter). |
| Project | For more details, see [Project filter](#project-filter). |
| Activity | For more details, see [Activity filter](#activity-filter). |
@@ -70,17 +70,17 @@ The filters' criteria are combined to show only vulnerabilities matching all cri
An exception to this behavior is the Activity filter. For more details about how it works, see
[Activity filter](#activity-filter).
-## Scanner filter
+## Tool filter
-The scanner filter allows you to focus on vulnerabilities detected by selected scanners.
+The tool filter allows you to focus on vulnerabilities detected by selected tools.
-When using the scanner filter, you can choose:
+When using the tool filter, you can choose:
-- **All scanners** (default).
-- Individual GitLab-provided scanners.
-- Any integrated 3rd-party scanner. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/229661) in GitLab 13.12.
+- **All tools** (default).
+- Individual GitLab-provided tools.
+- Any integrated 3rd-party tool. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/229661) in GitLab 13.12.
-For details of each of the available scanners, see [Security scanning tools](../index.md#security-scanning-tools).
+For details of each of the available tools, see [Security scanning tools](../index.md#security-scanning-tools).
### Project filter
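Review bot: renaming `## Scanner filter` to `## Tool filter` changes the anchor from `#scanner-filter` to `#tool-filter`; the table row in the preceding hunk was updated, but any other page linking to `#scanner-filter` will break, so grep the docs for the old anchor. While here, the heading level is inconsistent: `## Tool filter` is level 2 while `### Project filter` and the Activity filter heading it links to are level 3, although all three are filters listed in the same table; `### Tool filter` would match.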
@@ -143,7 +143,7 @@ To change the status of vulnerabilities in the table:
1. Select the checkbox for each vulnerability you want to update the status of.
1. In the dropdown that appears select the desired status, then select **Change status**.
-![Project Vulnerability Report](img/project_security_dashboard_status_change_v13_10.png)
+![Project Vulnerability Report](img/project_security_dashboard_status_change_v14_2.png)
## Export vulnerability details