diff options
Diffstat (limited to 'doc/development/integrations/secure.md')
| -rw-r--r-- | doc/development/integrations/secure.md | 34 |
1 files changed, 17 insertions, 17 deletions
diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md index 1d5aced5869..fda75dad119 100644 --- a/doc/development/integrations/secure.md +++ b/doc/development/integrations/secure.md @@ -89,7 +89,7 @@ it's declared under the `reports:sast` key in the job definition, not because of ### Policies Certain GitLab workflows, such as [AutoDevOps](../../topics/autodevops/customize.md#disable-jobs), -define variables to indicate that given scans should be disabled. You can check for this by looking +define CI/CD variables to indicate that given scans should be disabled. You can check for this by looking for variables such as `DEPENDENCY_SCANNING_DISABLED`, `CONTAINER_SCANNING_DISABLED`, `SAST_DISABLED`, and `DAST_DISABLED`. If appropriate based on the scanner type, you should then disable running the custom scanner. @@ -97,7 +97,7 @@ disable running the custom scanner. GitLab also defines a `CI_PROJECT_REPOSITORY_LANGUAGES` variable, which provides the list of languages in the repository. Depending on this value, your scanner may or may not do something different. Language detection currently relies on the [`linguist`](https://github.com/github/linguist) Ruby gem. -See [GitLab CI/CD predefined variables](../../ci/variables/predefined_variables.md). +See the [predefined CI/CD variables](../../ci/variables/predefined_variables.md). #### Policy checking example @@ -170,23 +170,23 @@ It also generates text output on the standard output and standard error streams, ### Variables -All CI variables are passed to the scanner as environment variables. -The scanned project is described by the [predefined CI variables](../../ci/variables/README.md). +All CI/CD variables are passed to the scanner as environment variables. +The scanned project is described by the [predefined CI/CD variables](../../ci/variables/README.md). #### SAST and Dependency Scanning -SAST and Dependency Scanning scanners must scan the files in the project directory, given by the `CI_PROJECT_DIR` variable. +SAST and Dependency Scanning scanners must scan the files in the project directory, given by the `CI_PROJECT_DIR` CI/CD variable. #### Container Scanning In order to be consistent with the official Container Scanning for GitLab, scanners must scan the Docker image whose name and tag are given by `CI_APPLICATION_REPOSITORY` and `CI_APPLICATION_TAG`, respectively. If the `DOCKER_IMAGE` -variable is provided, then the `CI_APPLICATION_REPOSITORY` and `CI_APPLICATION_TAG` variables +CI/CD variable is provided, then the `CI_APPLICATION_REPOSITORY` and `CI_APPLICATION_TAG` variables are ignored, and the image specified in the `DOCKER_IMAGE` variable is scanned instead. If not provided, `CI_APPLICATION_REPOSITORY` should default to -`$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG`, which is a combination of predefined CI variables. +`$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG`, which is a combination of predefined CI/CD variables. `CI_APPLICATION_TAG` should default to `CI_COMMIT_SHA`. The scanner should sign in the Docker registry @@ -197,13 +197,13 @@ If these are not defined, then the scanner should use #### Configuration files While scanners may use `CI_PROJECT_DIR` to load specific configuration files, -it is recommended to expose configuration as environment variables, not files. +it is recommended to expose configuration as CI/CD variables, not files. ### Output file -Like any artifact uploaded to the GitLab CI/CD, +Like any artifact uploaded to GitLab CI/CD, the Secure report generated by the scanner must be written in the project directory, -given by the `CI_PROJECT_DIR` environment variable. +given by the `CI_PROJECT_DIR` CI/CD variable. It is recommended to name the output file after the type of scanning, and to use `gl-` as a prefix. Since all Secure reports are JSON files, it is recommended to use `.json` as a file extension. @@ -242,7 +242,7 @@ Also, we recommend prefixing error messages with `[ERRO]`, warnings with `[WARN] #### Logging level The scanner should filter out a log message if its log level is lower than the -one set in the `SECURE_LOG_LEVEL` variable. For instance, `info` and `warn` +one set in the `SECURE_LOG_LEVEL` CI/CD variable. For instance, `info` and `warn` messages should be skipped when `SECURE_LOG_LEVEL` is set to `error`. Accepted values are as follows, listed from highest to lowest: @@ -263,14 +263,14 @@ and what `bundle audit` writes to the standard output. If the command line fails, then it should be logged with the `error` log level; this makes it possible to debug the problem without having to change the log level to `debug` and rerun the scanning job. -#### common logutil package +#### common `logutil` package If you are using [go](https://golang.org/) and [common](https://gitlab.com/gitlab-org/security-products/analyzers/common), -then it is suggested that you use [logrus](https://github.com/Sirupsen/logrus) -and [common's logutil package](https://gitlab.com/gitlab-org/security-products/analyzers/common/-/tree/master/logutil) -to configure the formatter for [logrus](https://github.com/Sirupsen/logrus). -See the [logutil README.md](https://gitlab.com/gitlab-org/security-products/analyzers/common/-/tree/master/logutil/README.md) +then it is suggested that you use [Logrus](https://github.com/Sirupsen/logrus) +and [common's `logutil` package](https://gitlab.com/gitlab-org/security-products/analyzers/common/-/tree/master/logutil) +to configure the formatter for [Logrus](https://github.com/Sirupsen/logrus). +See the [`logutil` README](https://gitlab.com/gitlab-org/security-products/analyzers/common/-/tree/master/logutil/README.md) ## Report @@ -548,7 +548,7 @@ of the available SAST Analyzers and what data is currently available. The `remediations` field of the report is an array of remediation objects. Each remediation describes a patch that can be applied to -[automatically fix](../../user/application_security/#automatic-remediation-for-vulnerabilities) +[automatically fix](../../user/application_security/#apply-an-automatic-remediation-for-a-vulnerability) a set of vulnerabilities. Here is an example of a report that contains remediations. |