Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-12-16 03:15:50 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-12-16 03:15:50 +0300
commit: e04431d29efaf17dda9dfbfbd0c5001693b25ee4 (patch)
tree: f114abad1f4882ef6c9c702e8de3a84334809031 /doc/user
parent: 1c898dc5c10bbedf94386d917259153d73608495 (diff)
6 files changed, 53 insertions, 39 deletions
diff --git a/doc/user/admin_area/settings/account_and_limit_settings.md b/doc/user/admin_area/settings/account_and_limit_settings.md
index a6ad311da38..5868f20d0d8 100644
--- a/doc/user/admin_area/settings/account_and_limit_settings.md
+++ b/doc/user/admin_area/settings/account_and_limit_settings.md
@@ -75,21 +75,21 @@ If you choose a size larger than the configured value for the web server,
 you may receive errors. See the [troubleshooting section](#troubleshooting) for more
 details.
 
-## Personal Access Token prefix
+## Personal access token prefix
 
-> [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/342327) in GitLab 14.5. Default prefix added.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20968) in GitLab 13.7.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/342327) in GitLab 14.5, a default prefix.
 
-You can set a global prefix for all generated Personal Access Tokens.
+You can specify a prefix for personal access tokens. You might use a prefix
+to find tokens more quickly, or for use with automation tools.
 
-A prefix can help you identify PATs visually, as well as with automation tools.
+The default prefix is `glpat-` but administrators can change it.
 
-NOTE:
-For GitLab.com and self-managed instances, the default prefix is `glpat-`.
+[Project access tokens](../../project/settings/project_access_tokens.md) also inherit this prefix.
 
 ### Set a prefix
 
-Only a GitLab administrator can set the prefix, which is a global setting applied
-to any PAT generated in the system by any user:
+To change the default global prefix:
 
 1. On the top bar, select **Menu > Admin**.
 1. On the left sidebar, select **Settings > General**.
@@ -97,8 +97,8 @@ to any PAT generated in the system by any user:
 1. Fill in the **Personal Access Token prefix** field.
 1. Click **Save changes**.
 
-It is also possible to configure the prefix via the [settings API](../../../api/settings.md)
-using the `personal_access_token_prefix` field.
+You can also configure the prefix by using the
+[settings API](../../../api/settings.md).
 
 ## Repository size limit **(PREMIUM SELF)**
 
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 92fcf0f76e0..c5d91f709dd 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -168,6 +168,36 @@ container_scanning:
     CS_DISABLE_DEPENDENCY_LIST: "true"
 ```
 
+#### Report language-specific findings
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/7277) in GitLab 14.6.
+
+The `CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` CI/CD variable controls whether the scan reports
+findings related to programming languages. The languages supported depend on the
+[scanner used](#change-scanners):
+
+- [Trivy](https://aquasecurity.github.io/trivy/latest/vulnerability/detection/language/).
+- [Grype](https://github.com/anchore/grype#features).
+
+By default, the report only includes packages managed by the Operating System (OS) package manager
+(for example, `yum`, `apt`, `apk`, `tdnf`). To report security findings in non-OS packages, set
+`CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN` to `"false"`:
+
+```yaml
+include:
+  - template: Security/Container-Scanning.gitlab-ci.yml
+
+container_scanning:
+  variables:
+    CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
+```
+
+When you enable this feature, you may see [duplicate findings](../terminology/#duplicate-finding)
+in the [Vulnerability Report](../vulnerability_report/)
+if [Dependency Scanning](../dependency_scanning/)
+is enabled for your project. This happens because GitLab can't automatically deduplicate the
+findings reported by the two different analyzers.
+
 #### Available CI/CD variables
 
 You can [configure](#customizing-the-container-scanning-settings) analyzers by using the following CI/CD variables:
diff --git a/doc/user/permissions.md b/doc/user/permissions.md
index eb79d5099eb..59ab5523ddd 100644
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -119,7 +119,7 @@ The following table lists project permissions available for each role:
 | [Merge requests](project/merge_requests/index.md):<br>Apply code change suggestions                                     |          |          | ✓         | ✓          | ✓     |
 | [Merge requests](project/merge_requests/index.md):<br>Approve (*9*)                                                     |          |          | ✓         | ✓          | ✓     |
 | [Merge requests](project/merge_requests/index.md):<br>Assign                                                            |          |          | ✓         | ✓          | ✓     |
-| [Merge requests](project/merge_requests/index.md):<br>Create                                                            |          |          | ✓         | ✓          | ✓     |
+| [Merge requests](project/merge_requests/index.md):<br>Create (*18*)                                                          |          |          | ✓         | ✓          | ✓     |
 | [Merge requests](project/merge_requests/index.md):<br>Add labels                                                        |          |          | ✓         | ✓          | ✓     |
 | [Merge requests](project/merge_requests/index.md):<br>Lock threads                                                      |          |          | ✓         | ✓          | ✓     |
 | [Merge requests](project/merge_requests/index.md):<br>Manage or accept                                                  |          |          | ✓         | ✓          | ✓     |
@@ -233,6 +233,7 @@ The following table lists project permissions available for each role:
 1. Guest users can only set metadata (for example, labels, assignees, or milestones)
    when creating an issue. They cannot change the metadata on existing issues.
 1. In GitLab 14.5 or later, Guests are not allowed to [create incidents](../operations/incident_management/incidents.md#incident-creation).
+1. In projects that accept contributions from external members, users can create, edit, and close their own merge requests.
 
 ## Project features permissions
 
diff --git a/doc/user/profile/account/two_factor_authentication.md b/doc/user/profile/account/two_factor_authentication.md
index da0fc96714c..343f8e328ba 100644
--- a/doc/user/profile/account/two_factor_authentication.md
+++ b/doc/user/profile/account/two_factor_authentication.md
@@ -20,8 +20,7 @@ password secret.
 NOTE:
 When you enable 2FA, don't forget to back up your [recovery codes](#recovery-codes)!
 
-In addition to time-based one time passwords (TOTP), GitLab supports U2F
-(universal 2nd factor) and WebAuthn (experimental) devices as the second factor
+In addition to time-based one time passwords (TOTP), GitLab supports WebAuthn devices as the second factor
 of authentication. After being enabled, in addition to supplying your username
 and password to sign in, you're prompted to activate your U2F / WebAuthn device
 (usually by pressing a button on it) which performs secure authentication on
@@ -269,11 +268,11 @@ Click on **Register U2F Device** to complete the process.
 
 ### WebAuthn device
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22506) in GitLab 13.4.
-> - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default.
-> - It's disabled on GitLab.com.
-> - It's not recommended for production use.
-> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-webauthn).
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22506) in GitLab 13.4 [with a flag](../../../administration/feature_flags.md) named `webauthn`. Disabled by default.
+> - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/232671) in GitLab 14.6.
+
+FLAG:
+On self-managed GitLab, by default this feature is available. To disable the feature, ask an administrator to [disable the feature flag](../../../administration/feature_flags.md) named `webauthn`. If you disable the WebAuthn feature flag after WebAuthn devices have been registered, these devices are not usable until you re-enable this feature. On GitLab.com, this feature is available.
 
 The WebAuthn workflow is [supported by](https://caniuse.com/#search=webauthn) the
 following desktop browsers:
@@ -350,7 +349,7 @@ request, and you're automatically signed in.
 ### Sign in by using a WebAuthn device
 
 In supported browsers you should be automatically prompted to activate your WebAuthn device
-(for example, by touching/pressing its button) after entering your credentials.
+(for example, by touching or pressing its button) after entering your credentials.
 
 A message displays, indicating that your device responded to the authentication
 request and you're automatically signed in.
@@ -495,25 +494,6 @@ request a GitLab global administrator disable two-factor authentication for your
 
 - To enforce 2FA at the system or group levels see [Enforce Two-factor Authentication](../../../security/two_factor_authentication.md).
 
-## Enable or disable WebAuthn **(FREE SELF)**
-
-Support for WebAuthn is under development and not ready for production use. It is
-deployed behind a feature flag that is **disabled by default**.
-[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
-can enable it.
-
-To enable it:
-
-```ruby
-Feature.enable(:webauthn)
-```
-
-To disable it:
-
-```ruby
-Feature.disable(:webauthn)
-```
-
 ## Troubleshooting
 
 If you are receiving an `invalid pin code` error, this may indicate that there is a time sync issue between the authentication application and the GitLab instance itself.
diff --git a/doc/user/project/merge_requests/index.md b/doc/user/project/merge_requests/index.md
index 54b97eb5732..8222d696853 100644
--- a/doc/user/project/merge_requests/index.md
+++ b/doc/user/project/merge_requests/index.md
@@ -74,7 +74,7 @@ change and whether you need access to a development environment:
 
 If you decide to permanently stop work on a merge request,
 GitLab recommends you close the merge request rather than
-[delete it](#delete-a-merge-request). Users with
+[delete it](#delete-a-merge-request). The author and assignees of a merge request, and users with
 Developer, Maintainer, or Owner [roles](../../permissions.md) in a project
 can close merge requests in the project:
 
diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md
index a831e4b3460..44ece6cb172 100644
--- a/doc/user/project/settings/project_access_tokens.md
+++ b/doc/user/project/settings/project_access_tokens.md
@@ -32,6 +32,9 @@ You can use project access tokens:
   - Consider [disabling project access tokens](#enable-or-disable-project-access-token-creation) to
     lower potential abuse.
 
+Project access tokens inherit the [default prefix setting](../../admin_area/settings/account_and_limit_settings.md#personal-access-token-prefix)
+configured for personal access tokens.
+
 ## Create a project access token
 
 To create a project access token:
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-12-16 03:15:50 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-12-16 03:15:50 +0300
commit	e04431d29efaf17dda9dfbfbd0c5001693b25ee4 (patch)
tree	f114abad1f4882ef6c9c702e8de3a84334809031 /doc/user
parent	1c898dc5c10bbedf94386d917259153d73608495 (diff)