Commit 1270174a authored by Kati Paizee's avatar Kati Paizee

Merge branch 'russell-standardize-secure-navigation-steps' into 'master'

Standardize UI navigation steps in Secure-related tasks

See merge request gitlab-org/gitlab!83366
parents 862882ba 5cb04931
......@@ -91,20 +91,25 @@ The API fuzzing configuration form helps you create or modify your project's API
configuration. The form lets you choose values for the most common API fuzzing options and builds
a YAML snippet that you can paste in your GitLab CI/CD configuration.
#### Configure Web API fuzzing with the configuration form
#### Configure Web API fuzzing in the UI
To generate an API Fuzzing configuration snippet:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**.
1. In the **API Fuzzing** row, select **Configure**.
1. Complete the form as needed. Read below for more information on available configuration options.
1. In the **API Fuzzing** row, select **Enable API Fuzzing**.
1. Complete the fields. For details see [Available CI/CD variables](#available-cicd-variables).
1. Select **Generate code snippet**.
A modal opens with the YAML snippet corresponding to the options you've selected in the form.
1. Choose one of the following actions:
1. To copy the snippet to your clipboard and be redirected to your project's `.gitlab-ci.yml` file,
where you can paste the YAML configuration, select **Copy code and open `.gitlab-ci.yml` file**.
1. To copy the snippet to your clipboard and close the modal, select **Copy code only**.
1. Do one of the following:
1. To copy the snippet to your clipboard, select **Copy code only**.
1. To add the snippet to your project's `.gitlab-ci.yml` file, select
**Copy code and open `.gitlab-ci.yml` file**. The Pipeline Editor opens.
1. Paste the snippet into the `.gitlab-ci.yml` file.
1. Select the **Lint** tab to confirm the edited `.gitlab-ci.yml` file is valid.
1. Select the **Edit** tab, then select **Commit changes**.
When the snippet is committed to the `.gitlab-ci.yml` file, pipelines include an API Fuzzing job.
### OpenAPI Specification
......
......@@ -278,7 +278,8 @@ page.
You can enable or configure DAST settings using the UI. The generated settings are formatted so they
can be conveniently pasted into the `.gitlab-ci.yml` file.
1. From the project's home page, go to **Security & Compliance > Configuration**.
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**.
1. In the **Dynamic Application Security Testing (DAST)** section, select **Enable DAST** or
**Configure DAST**.
1. Select the desired **Scanner profile**, or select **Create scanner profile** and save a
......@@ -288,12 +289,14 @@ can be conveniently pasted into the `.gitlab-ci.yml` file.
1. Select **Generate code snippet**. A modal opens with the YAML snippet corresponding to the
options you selected.
1. Do one of the following:
1. Select **Copy code only** to copy the snippet to your clipboard.
1. Select **Copy code and open `.gitlab-ci.yml` file** to copy the snippet to your clipboard. The
CI/CD Editor then opens.
1. To copy the snippet to your clipboard, select **Copy code only**.
1. To add the snippet to your project's `.gitlab-ci.yml` file, select
**Copy code and open `.gitlab-ci.yml` file**. The Pipeline Editor opens.
1. Paste the snippet into the `.gitlab-ci.yml` file.
1. Select the **Lint** tab to confirm the edited `.gitlab-ci.yml` file is valid.
1. Select **Commit changes**.
1. Select the **Edit** tab, then select **Commit changes**.
When the snippet is committed to the `.gitlab-ci.yml` file, pipelines include a DAST job.
#### Crawling web applications dependent on JavaScript
......
......@@ -84,9 +84,9 @@ the body generation is limited to these body types:
- `application/json`
- `application/xml`
Follow these steps to configure DAST API in GitLab with an OpenAPI specification:
To configure DAST API scanning with an OpenAPI specification:
1. To use DAST API, you must [include](../../../ci/yaml/index.md#includetemplate)
1. To use DAST API scanning, [include](../../../ci/yaml/index.md#includetemplate)
the [`DAST-API.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml)
that's provided as part of your GitLab installation. Add the following to your
`.gitlab-ci.yml` file:
......@@ -182,8 +182,7 @@ WARNING:
HAR files may contain sensitive information such as authentication tokens, API keys, and session
cookies. We recommend that you review the HAR file contents before adding them to a repository.
Follow these steps to configure DAST API to use a HAR file that provides information about the
target API to test:
To configure DAST API scanning to use a HAR file:
1. To use DAST API, you must [include](../../../ci/yaml/index.md#includetemplate)
the [`DAST-API.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml)
......@@ -282,8 +281,7 @@ Postman Collection files may contain sensitive information such as authenticatio
and session cookies. We recommend that you review the Postman Collection file contents before adding
them to a repository.
Follow these steps to configure DAST API to use a Postman Collection file that provides
information about the target API to test:
To configure DAST API scanning to use a Postman Collection file:
1. To use DAST API, you must [include](../../../ci/yaml/index.md#includetemplate)
the [`DAST-API.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml)
......
......@@ -508,19 +508,18 @@ always take the latest dependency scanning artifact available.
> - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/282533) in GitLab 14.1.
> - [Feature flag sec_dependency_scanning_ui_enable removed](https://gitlab.com/gitlab-org/gitlab/-/issues/326005) in GitLab 14.2.
To enable Dependency Scanning in a project, you can create a merge request
from the Security Configuration page.
To enable Dependency Scanning in a project, you can create a merge request:
1. In the project where you want to enable Dependency Scanning, navigate to
**Security & Compliance > Configuration**.
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**.
1. In the **Dependency Scanning** row, select **Configure with a merge request**.
1. Review and merge the merge request to enable Dependency Scanning.
This automatically creates a merge request with the changes necessary to enable Dependency Scanning
that you can review and merge to complete the configuration.
Pipelines now include a dependency scanning job.
### Customizing the dependency scanning settings
The dependency scanning settings can be changed through [CI/CD variables](#available-cicd-variables) by using the
The Dependency Scanning settings can be changed through [CI/CD variables](#available-cicd-variables) by using the
[`variables`](../../../ci/yaml/index.md#variables) parameter in `.gitlab-ci.yml`.
For example:
......
......@@ -93,15 +93,14 @@ that you can download and analyze.
### Enable IaC Scanning via an automatic merge request
To enable IaC Scanning in a project, you can create a merge request
from the Security Configuration page:
To enable IaC Scanning in a project, you can create a merge request:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**.
1. In the **Infrastructure as Code (IaC) Scanning** row, select **Configure with a merge request**.
1. Review and merge the merge request to enable IaC Scanning.
This automatically creates a merge request with the changes necessary to enable IaC Scanning
that you can review and merge to complete the configuration.
Pipelines now include an IaC job.
## Reports JSON format
......
......@@ -190,28 +190,28 @@ always take the latest SAST artifact available.
### Configure SAST in the UI
You can enable and configure SAST in the UI, either with default settings, or with customizations.
Use the method that best meets your needs.
The method you can use depends on your GitLab license tier.
- [Configure SAST in the UI with default settings](#configure-sast-in-the-ui-with-default-settings)
- [Configure SAST in the UI with customizations](#configure-sast-in-the-ui-with-customizations)
- [Configure SAST in the UI with default settings](#configure-sast-in-the-ui-with-default-settings).
- [Configure SAST in the UI with customizations](#configure-sast-in-the-ui-with-customizations). **(ULTIMATE)**
### Configure SAST in the UI with default settings
> [Introduced](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#security-configuration-page-for-all-users) in GitLab 13.9
NOTE:
The configuration tool works best with no existing `.gitlab-ci.yml` file, or with a minimal
configuration file. If you have a complex GitLab configuration file it may not be parsed
successfully, and an error may occur.
To enable and configure SAST with default settings:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance** > **Configuration**.
1. In the SAST section, select `Enable via MR`.
1. Review the draft MR that enables SAST with the default recommended settings in the
`.gitlab-ci.yml` file.
1. Merge the MR to enable SAST. You should see SAST jobs run in that MR's pipeline.
1. In the SAST section, select **Configure with a merge request**.
1. Review and merge the merge request to enable SAST.
NOTE:
The configuration tool works best with no existing `.gitlab-ci.yml` file, or with a minimal
configuration file. If you have a complex GitLab configuration file it may not be parsed
successfully, and an error may occur.
Pipelines now include a SAST job.
### Configure SAST in the UI with customizations **(ULTIMATE)**
......@@ -219,27 +219,28 @@ successfully, and an error may occur.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in GitLab 13.4.
> - [Improved](https://gitlab.com/groups/gitlab-org/-/epics/3635) in GitLab 13.5.
NOTE:
The configuration tool works best with no existing `.gitlab-ci.yml` file, or with a minimal
configuration file. If you have a complex GitLab configuration file it may not be parsed
successfully, and an error may occur.
To enable and configure SAST with customizations:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**.
1. If the project does not have a `.gitlab-ci.yml` file, select **Enable** in the Static Application
Security Testing (SAST) row, otherwise select **Configure**.
1. If the project does not have a `.gitlab-ci.yml` file, select **Enable SAST** in the Static
Application Security Testing (SAST) row, otherwise select **Configure SAST**.
1. Enter the custom SAST values.
Custom values are stored in the `.gitlab-ci.yml` file. For CI/CD variables not in the SAST
Configuration page, their values are left unchanged. Default values are inherited from the GitLab
SAST template.
Configuration page, their values are inherited from the GitLab SAST template.
1. Optionally, expand the **SAST analyzers** section, select individual
[SAST analyzers](analyzers.md) and enter custom analyzer values.
1. Select **Create Merge Request**.
1. Review and merge the merge request.
NOTE:
The configuration tool works best with no existing `.gitlab-ci.yml` file, or with a minimal
configuration file. If you have a complex GitLab configuration file it may not be parsed
successfully, and an error may occur.
Pipelines now include a SAST job.
### Overriding SAST jobs
......
......@@ -112,20 +112,19 @@ always take the latest Secret Detection artifact available.
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, deployed behind a feature flag, enabled by default.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/329886) in GitLab 14.1.
To enable Secret Detection in a project, you can create a merge request
from the Security Configuration page.
NOTE:
This method works best with no existing `.gitlab-ci.yml` file, or with a minimal configuration
file. If you have a complex GitLab configuration file it may not be parsed successfully, and an
error may occur.
1. In the project where you want to enable Secret Detection, go to
**Security & Compliance > Configuration**.
1. In the **Secret Detection** row, select **Configure with a merge request**.
To enable Secret Detection in a project, you can create a merge request:
This automatically creates a merge request with the changes necessary to enable Secret Detection
that you can review and merge to complete the configuration.
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**.
1. In the **Secret Detection** row, select **Configure with a merge request**.
1. Review and merge the merge request to enable Secret Detection.
NOTE:
The configuration tool works best with no existing `.gitlab-ci.yml` file, or with a minimal
configuration file. If you have a complex GitLab configuration file it may not be parsed
successfully, and an error may occur.
Pipelines now include a Secret Detection job.
### Customizing settings
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment