gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'doc/user/compliance')
-rw-r--r--doc/user/compliance/compliance_report/index.md48
-rw-r--r--doc/user/compliance/license_approval_policies.md14
-rw-r--r--doc/user/compliance/license_scanning_of_cyclonedx_files/index.md2
3 files changed, 41 insertions, 23 deletions
diff --git a/doc/user/compliance/compliance_report/index.md b/doc/user/compliance/compliance_report/index.md
index d04aeec066f..ab80fbbba8e 100644
--- a/doc/user/compliance/compliance_report/index.md
+++ b/doc/user/compliance/compliance_report/index.md
@@ -35,14 +35,16 @@ When you select a row in the compliance report, a drawer appears that provides:
### View the compliance violations report for a group
+> Target branch search [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/358414) in GitLab 16.0.
+
Prerequisites:
- You must be an administrator or have the Owner role for the group.
To view the compliance violations report:
-1. On the top bar, select **Main menu > Groups** and find your group.
-1. On the left sidebar, select **Security and Compliance > Compliance report**.
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
+1. On the left sidebar, select **Secure > Compliance report**.
You can sort the compliance report on:
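Review bot: the new version note "Target branch search introduced in GitLab 16.0" is placed under the section heading, but the feature it documents is the "Target branch" entry in the filter list added in the following hunk, and the rest of the page calls these "filters", not "search". Consider moving the note next to the filter list and wording it "Filtering by target branch [introduced](...) in GitLab 16.0" so the terminology matches and a reader skimming for the history note finds it beside the behaviour it describes.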
@@ -50,6 +52,12 @@ You can sort the compliance report on:
- Type of violation.
- Merge request title.
+You can filter the compliance violations report on:
+
+- Project.
+- Date range of merge.
+- Target branch.
+
Select a row to see details of the compliance violation.
#### Severity levels
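Review bot: in the new filter list, "Date range of merge." reads awkwardly next to the other short noun-phrase items; "Merge date range." would match the style of "Project." and "Target branch." Also consider stating whether the filters combine (for example, whether selecting a project and a target branch narrows to violations matching both), since the sentence that introduces the list does not say.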
@@ -142,8 +150,8 @@ If the commit has a related merge commit, then the following are also included:
To generate the Chain of Custody report:
-1. On the top bar, select **Main menu > Groups** and find your group.
-1. On the left sidebar, select **Security and Compliance > Compliance report**.
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
+1. On the left sidebar, select **Secure > Compliance report**.
1. Select **List of all merge commits**.
Depending on your version of GitLab, the Chain of Custody report is either sent through email or available for download.
@@ -158,8 +166,8 @@ details for the provided commit SHA.
To generate a commit-specific Chain of Custody report:
-1. On the top bar, select **Main menu > Groups** and find your group.
-1. On the left sidebar, select **Security and Compliance > Compliance report**.
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
+1. On the left sidebar, select **Secure > Compliance report**.
1. At the top of the compliance report, to the right of **List of all commits**, select the down arrow
(**{chevron-lg-down}**).
1. Enter the commit SHA, and then select **Export commit custody report**.
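Review bot: the unchanged context in this hunk refers to the control as "to the right of **List of all commits**", while the previous hunk's procedure has the reader select **List of all merge commits**. One of the two button names is wrong; please align both with the actual UI label so the commit-specific procedure points at the same control as the full-report procedure.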
@@ -189,8 +197,8 @@ Prerequisites:
To view the compliance frameworks report:
-1. On the top bar, select **Main menu > Groups** and find your group.
-1. On the left sidebar, select **Security & Compliance > Compliance report**.
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
+1. On the left sidebar, select **Secure > Compliance report**.
1. On the page, select the **Frameworks** tab.
### Apply a compliance framework to projects in a group
@@ -206,16 +214,16 @@ Prerequisites:
To apply a compliance framework to one project in a group:
-1. On the top bar, select **Main menu > Groups** and find your group.
-1. On the left sidebar, select **Security and Compliance > Compliance report**.
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
+1. On the left sidebar, select **Secure > Compliance report**.
1. On the page, select the **Frameworks** tab.
1. Next to the project you want to add the compliance framework to, select **{plus}** **Add framework**.
1. Select an existing compliance framework or create a new one.
To apply a compliance framework to multiple projects in a group:
-1. On the top bar, select **Main menu > Groups** and find your group.
-1. On the left sidebar, select **Security and Compliance > Compliance report**.
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
+1. On the left sidebar, select **Secure > Compliance report**.
1. On the page, select the **Frameworks** tab.
1. Select multiple projects.
1. From the **Choose one bulk action** dropdown list, select **Apply framework to selected projects**.
@@ -235,15 +243,15 @@ Prerequisites:
To remove a compliance framework from one project in a group:
-1. On the top bar, select **Main menu > Groups** and find your group.
-1. On the left sidebar, select **Security and Compliance > Compliance report**.
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
+1. On the left sidebar, select **Secure > Compliance report**.
1. On the page, select the **Frameworks** tab.
1. Next to the compliance framework to remove from the project, select **{close}** on the framework label.
To remove a compliance framework from multiple projects in a group:
-1. On the top bar, select **Main menu > Groups** and find your group.
-1. On the left sidebar, select **Security and Compliance > Compliance report**.
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
+1. On the left sidebar, select **Secure > Compliance report**.
1. On the page, select the **Frameworks** tab.
1. Select multiple projects.
1. From the **Choose one bulk action** dropdown list, select **Remove framework from selected projects**.
@@ -264,8 +272,8 @@ Prerequisites:
To export a report of compliance frameworks on projects in a group:
-1. On the top bar, select **Main menu > Groups** and find your group.
-1. On the left sidebar, select **Security and Compliance > Compliance report**.
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
+1. On the left sidebar, select **Secure > Compliance report**.
1. On the page, select the **Frameworks** tab.
1. On the Frameworks tab, select the **Export as CSV** action in the top right corner
@@ -277,8 +285,8 @@ A report is compiled and delivered to your email inbox as an attachment.
To filter the list of compliance frameworks:
-1. On the top bar, select **Main menu > Groups** and find your group.
-1. On the left sidebar, select **Security & Compliance > Compliance report**.
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your group.
+1. On the left sidebar, select **Secure > Compliance report**.
1. On the page, select the **Frameworks** tab.
1. In the search field:
1. Select the attribute you want to filter by.
diff --git a/doc/user/compliance/license_approval_policies.md b/doc/user/compliance/license_approval_policies.md
index 860c2008021..96a4a08249a 100644
--- a/doc/user/compliance/license_approval_policies.md
+++ b/doc/user/compliance/license_approval_policies.md
@@ -24,6 +24,16 @@ The following video provides an overview of these policies.
<iframe src="https://www.youtube-nocookie.com/embed/34qBQ9t8qO8" frameborder="0" allowfullscreen> </iframe>
</figure>
+## Prerequisites to creating a new license approval policy
+
+License approval policies rely on the output of a dependency scanning job to verify that requirements have been met. If dependency scanning has not been properly configured, and therefore no dependency scanning jobs ran related to an open MR, the policy has no data with which to verify the requirements. When security policies are missing data for evaluation, they fail closed and assume the merge request could contain vulnerabilities.
+
+To ensure enforcement of your policies, you should enable dependency scanning on your target development projects. You can achieve this a few different ways:
+
+- Create a global [scan execution policy](../application_security/policies/scan-execution-policies.md) that enforces Dependency Scanning to run in all target development projects.
+- Use a [Compliance Pipeline](../../user/group/compliance_frameworks.md#compliance-frameworks) to define a Dependency Scanning job that is enforced on projects enforced by a given Compliance Framework.
+- Work with development teams to configure [Dependency Scanning](../../user/application_security/dependency_scanning/index.md) in each of their project's `.gitlab-ci.yml` files or enable by using the [Security Configuration panel](../application_security/configuration/index.md).
+
## Create a new license approval policy
Create a license approval policy to enforce license compliance.
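Review bot: the heading "Prerequisites to creating a new license approval policy" does not match the body, which describes what is needed for a policy to be evaluated and enforced rather than created; "Prerequisites for enforcing a license approval policy" (or similar) would be more accurate. The fail-closed sentence is the key security point of this section and could be made concrete: say that a merge request with no dependency scanning results will require the policy's approvals (that is, it is treated as non-compliant) rather than only that the policy "assumes the merge request could contain vulnerabilities". Two smaller points in the same block: "a Dependency Scanning job that is enforced on projects enforced by a given Compliance Framework" repeats "enforced" (suggest "a Dependency Scanning job that runs in every project a given Compliance Framework is applied to"), and the link paths mix `../application_security/...` with `../../user/application_security/...` and `../../user/group/...`, which resolve to the same tree from `doc/user/compliance/`; use the shorter `../` form consistently with the other links in this file.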
@@ -31,8 +41,8 @@ Create a license approval policy to enforce license compliance.
To create a license approval policy:
1. [Link a security policy project](../application_security/policies/index.md#managing-the-linked-security-policy-project) to your development group, subgroup, or project (the Owner role is required).
-1. On the top bar, select **Main menu > Projects** and find your project.
-1. On the left sidebar, select **Security & Compliance > Policies**.
+1. On the left sidebar, at the top, select **Search GitLab** (**{search}**) to find your project.
+1. Select **Secure > Policies**.
1. Create a new [Scan Result Policy](../application_security/policies/scan-result-policies.md).
1. In your policy rule, select **License scanning**.
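Review bot: the new step "Select **Secure > Policies**" omits the "On the left sidebar," lead-in that every other rewritten navigation step in this commit uses ("On the left sidebar, select **Secure > Compliance report**"). For consistency, and so the reader knows where to look, change it to "On the left sidebar, select **Secure > Policies**."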
diff --git a/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md b/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md
index 832f1007a91..22defd593cd 100644
--- a/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md
+++ b/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md
@@ -23,7 +23,7 @@ Licenses not in the SPDX list are reported as "Unknown". License information can
Prerequisites:
-- Enable [Synchronization with the GitLab License Database](../../admin_area/settings/security_and_compliance.md#choose-package-registry-metadata-to-sync) in Admin Area for the GitLab instance.
+- On GitLab self-managed only, enable [Synchronization with the GitLab License Database](../../admin_area/settings/security_and_compliance.md#choose-package-registry-metadata-to-sync) in Admin Area for the GitLab instance. On GitLab SaaS this step has already been completed.
- Enable [Dependency Scanning](../../application_security/dependency_scanning/index.md#configuration)
and ensure that its prerequisites are met.
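Review bot: the rewritten prerequisite is clearer about scope, but the two clauses could be tightened: "in Admin Area" should be "in the Admin Area", and stating the SaaS case first ("On GitLab SaaS this is already enabled. On self-managed instances, enable ...") saves most readers from parsing an instruction that does not apply to them before reaching the exemption.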