gitlab.com/gitlab-org/gitlab-foss.git
Diffstat (limited to 'doc/user/application_security/index.md')
-rw-r--r-- doc/user/application_security/index.md | 22
1 file changed, 16 insertions, 6 deletions
diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md
index 25fa1f5cbaf..e31877d195a 100644
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -1,7 +1,7 @@
---
stage: Secure
group: Static Analysis
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
# Application security **(ULTIMATE ALL)**
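Review bot: The path and the `#assignments` anchor are carried over unchanged from `about.gitlab.com/handbook/...` to `handbook.gitlab.com/handbook/...`; worth a quick check that the anchor still resolves on the new host, since this `info` line is the only pointer writers have to the assignment table. Otherwise the front-matter change is fine.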
@@ -95,6 +95,12 @@ against this, infrastructure analysis occurs on every merge request. Checks are
- Infrastructure as Code (IaC) configuration files that define your application's deployment
environment - [Infrastructure as Code (IaC) Scanning](iac_scanning/index.md).
+## Data privacy
+
+Concerning data privacy in the domain of security scanners, GitLab processes the source code and performs analysis locally on the GitLab Runner. No data is transmitted outside GitLab infrastructure (server and runners).
+
+Our scanners access the internet only to download the latest sets of signatures, rules, and patches. If you prefer the scanners do not access the internet, consider using an [offline environment](offline_deployments/index.md).
+
## Vulnerability scanner maintenance
The following vulnerability scanners and their databases are regularly updated:
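Review bot: The first sentence of the new section (`No data is transmitted outside GitLab infrastructure (server and runners).`) is contradicted by the paragraph right after it, which says the scanners connect to the internet to download signatures, rules, and patches, so outbound traffic does occur. Narrow the claim to what is meant, for example `Your source code and scan results are not transmitted outside your GitLab instance and its runners.`, and because runners can be self-managed, say `your GitLab instance and runners` rather than `GitLab infrastructure`, which reads as GitLab-the-company's servers. Two smaller points: the docs avoid first person, so `Our scanners access the internet only to download` should be `The scanners access the internet only to download`, and `If you prefer the scanners do not access the internet` should read `If you prefer that the scanners not access the internet`.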
@@ -270,7 +276,9 @@ In the Free tier, the reports above aren't parsed by GitLab. As a result, the wi
A merge request contains a security widget which displays a summary of the _new_ results. New results are determined by comparing the findings of the merge request against the findings of the most recent completed pipeline (`success`, `failed`, `canceled` or `skipped`) for the commit when the feature branch was created from the target branch.
-GitLab checks the last 10 pipelines for the commit when the feature was created from the target branch to find one with security reports to use in comparison logic. If security scans have not run for the last 10 completed pipelines in the target branch when the feature branch was created, there is no base for comparison. The vulnerabilities from the merge request findings are listed as new in the merge request security widget. We recommend you run a scan of the `default` (target) branch before enabling feature branch scans for your developers.
+GitLab checks the last 10 pipelines for the commit when the feature branch was created from the target branch to find one with security reports to use in comparison logic. If security scans have not run for the last 10 completed pipelines in the target branch when the feature branch was created, there is no base for comparison. The vulnerabilities from the merge request findings are listed as _new_ in the merge request security widget. We recommend you run a scan of the `default` (target) branch before enabling feature branch scans for your developers.
+
+The MR security widget considers all supported pipeline sources (based on the [`CI_PIPELINE_SOURCE` variable](../../ci/variables/predefined_variables.md)) when comparing results from both the source and target branches when determining if a merge request requires approval. Pipeline sources `webide` and `parent_pipeline` are not supported.
The merge request security widget displays only a subset of the vulnerabilities in the generated JSON artifact because it contains both new and existing findings.
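Review bot: The added paragraph at the end of the hunk mixes two concerns: this section explains which pipelines the MR widget compares to decide what is _new_, but the sentence ends with `when determining if a merge request requires approval`, which is the approval-rule use case, and the doubled `when comparing ... when determining` is hard to parse. Suggest splitting it: `When comparing results from the source and target branches, the MR security widget considers all supported pipeline sources (based on the CI_PIPELINE_SOURCE variable). Pipeline sources webide and parent_pipeline are not supported.` and, if approval rules behave the same way, saying so in its own sentence. It would also help to state what `not supported` means in practice, for example whether a target-branch pipeline with one of those sources is skipped when looking for a comparison base. The `feature` to `feature branch` fix and the italic `_new_` in the rewritten sentence are good.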
@@ -283,9 +291,11 @@ findings, select **View full report** to go directly to the **Security** tab in
### Pipeline security tab
-A pipeline's security tab lists all findings in the current branch. It includes new findings introduced by this branch
-and existing vulnerabilities already present when you created the branch. These results likely do not match the findings
-displayed in the Merge Request security widget, as those do not include the existing vulnerabilities. Refer to [View vulnerabilities in a pipeline](vulnerability_report/pipeline.md) for more information.
+A pipeline's security tab lists all findings in the current branch. It includes findings introduced
+by this branch and vulnerabilities already present in the base branch. These results likely do not
+match the findings displayed in the Merge Request security widget, as those do not include the
+existing vulnerabilities. For more information see
+[Vulnerabilities in a pipeline](vulnerability_report/pipeline.md).
### Security dashboard
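Review bot: The rewritten paragraph switches to `the base branch` while the rest of this page, including the section directly above, calls it the target branch; use one term so readers do not wonder whether base and target differ. Also `For more information see` needs a comma after `information`, and the link text changed from `View vulnerabilities in a pipeline` to `Vulnerabilities in a pipeline`, so check that it still matches the title of `vulnerability_report/pipeline.md`. Dropping `new` from `new findings introduced by this branch` is a good fix, since the following sentence already distinguishes new from existing findings.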
@@ -588,7 +598,7 @@ variables:
This indicates to all GitLab analyzers that they are to output **all** messages. For more details,
see [logging level](#logging-level).
-<!-- NOTE: The below subsection(`### Secure job failing with exit code 1`) documentation URL is referred in the [/gitlab-org/security-products/analyzers/command](https://gitlab.com/gitlab-org/security-products/analyzers/command/-/blob/main/command.go#L19) repository. If this section/subsection changes, please ensure to update the corresponding URL in the mentioned repository.
+<!-- NOTE: The below subsection(`### Secure job failing with exit code 1`) documentation URL is referred in the [/gitlab-org/security-products/analyzers/command](https://gitlab.com/gitlab-org/security-products/analyzers/command/-/blob/main/command.go#L19) repository. If this section/subsection changes, ensure to update the corresponding URL in the mentioned repository.
-->
### Secure job failing with exit code 1
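Review bot: Removing `please` leaves `ensure to update`, which is still not grammatical; `make sure to update` or simply `update the corresponding URL` reads better. While this comment is being touched, `is referred in` should be `is referenced in` and `The below subsection` should be `The subsection below`. Since the comment says the `command` repository hard-codes this section's URL, the heading `### Secure job failing with exit code 1` below it must stay unchanged in this patch, which it does.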