Commit 1270174a authored by Kati Paizee

Merge branch 'russell-standardize-secure-navigation-steps' into 'master'

Standardize UI navigation steps in Secure-related tasks

See merge request gitlab-org/gitlab!83366
parents 862882ba 5cb04931
...@@ -91,20 +91,25 @@ The API fuzzing configuration form helps you create or modify your project's API ...@@ -91,20 +91,25 @@ The API fuzzing configuration form helps you create or modify your project's API
configuration. The form lets you choose values for the most common API fuzzing options and builds configuration. The form lets you choose values for the most common API fuzzing options and builds
a YAML snippet that you can paste in your GitLab CI/CD configuration. a YAML snippet that you can paste in your GitLab CI/CD configuration.
#### Configure Web API fuzzing with the configuration form #### Configure Web API fuzzing in the UI
To generate an API Fuzzing configuration snippet: To generate an API Fuzzing configuration snippet:
1. On the top bar, select **Menu > Projects** and find your project. 1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**. 1. On the left sidebar, select **Security & Compliance > Configuration**.
1. In the **API Fuzzing** row, select **Configure**. 1. In the **API Fuzzing** row, select **Enable API Fuzzing**.
1. Complete the form as needed. Read below for more information on available configuration options. 1. Complete the fields. For details see [Available CI/CD variables](#available-cicd-variables).
1. Select **Generate code snippet**. 1. Select **Generate code snippet**.
A modal opens with the YAML snippet corresponding to the options you've selected in the form. A modal opens with the YAML snippet corresponding to the options you've selected in the form.
1. Choose one of the following actions: 1. Do one of the following:
1. To copy the snippet to your clipboard and be redirected to your project's `.gitlab-ci.yml` file, 1. To copy the snippet to your clipboard, select **Copy code only**.
where you can paste the YAML configuration, select **Copy code and open `.gitlab-ci.yml` file**. 1. To add the snippet to your project's `.gitlab-ci.yml` file, select
1. To copy the snippet to your clipboard and close the modal, select **Copy code only**. **Copy code and open `.gitlab-ci.yml` file**. The Pipeline Editor opens.
1. Paste the snippet into the `.gitlab-ci.yml` file.
1. Select the **Lint** tab to confirm the edited `.gitlab-ci.yml` file is valid.
1. Select the **Edit** tab, then select **Commit changes**.
When the snippet is committed to the `.gitlab-ci.yml` file, pipelines include an API Fuzzing job.
### OpenAPI Specification ### OpenAPI Specification
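Review bot: the three steps that follow the "Do one of the following" choice (paste the snippet, select the **Lint** tab, select the **Edit** tab and **Commit changes**) only make sense on the **Copy code and open `.gitlab-ci.yml` file** branch, where the Pipeline Editor is open; a reader who chose **Copy code only** has no **Lint** or **Edit** tab to select. Either nest those steps under the second option or add a lead-in such as "If you opened the Pipeline Editor:" before them. Also worth a check that the new link target `#available-cicd-variables` exists as a heading anchor in this file, since the old text just said "Read below".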
......
...@@ -278,7 +278,8 @@ page. ...@@ -278,7 +278,8 @@ page.
You can enable or configure DAST settings using the UI. The generated settings are formatted so they You can enable or configure DAST settings using the UI. The generated settings are formatted so they
can be conveniently pasted into the `.gitlab-ci.yml` file. can be conveniently pasted into the `.gitlab-ci.yml` file.
1. From the project's home page, go to **Security & Compliance > Configuration**. 1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**.
1. In the **Dynamic Application Security Testing (DAST)** section, select **Enable DAST** or 1. In the **Dynamic Application Security Testing (DAST)** section, select **Enable DAST** or
**Configure DAST**. **Configure DAST**.
1. Select the desired **Scanner profile**, or select **Create scanner profile** and save a 1. Select the desired **Scanner profile**, or select **Create scanner profile** and save a
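Review bot: minor wording drift in a standardization MR: this hunk says "In the **Dynamic Application Security Testing (DAST)** section" while the API Fuzzing and Dependency Scanning hunks in the same change use "In the **...** row". If the Security Configuration page lays these out the same way, pick one term (row) and use it throughout.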
...@@ -288,12 +289,14 @@ can be conveniently pasted into the `.gitlab-ci.yml` file. ...@@ -288,12 +289,14 @@ can be conveniently pasted into the `.gitlab-ci.yml` file.
1. Select **Generate code snippet**. A modal opens with the YAML snippet corresponding to the 1. Select **Generate code snippet**. A modal opens with the YAML snippet corresponding to the
options you selected. options you selected.
1. Do one of the following: 1. Do one of the following:
1. Select **Copy code only** to copy the snippet to your clipboard. 1. To copy the snippet to your clipboard, select **Copy code only**.
1. Select **Copy code and open `.gitlab-ci.yml` file** to copy the snippet to your clipboard. The 1. To add the snippet to your project's `.gitlab-ci.yml` file, select
CI/CD Editor then opens. **Copy code and open `.gitlab-ci.yml` file**. The Pipeline Editor opens.
1. Paste the snippet into the `.gitlab-ci.yml` file. 1. Paste the snippet into the `.gitlab-ci.yml` file.
1. Select the **Lint** tab to confirm the edited `.gitlab-ci.yml` file is valid. 1. Select the **Lint** tab to confirm the edited `.gitlab-ci.yml` file is valid.
1. Select **Commit changes**. 1. Select the **Edit** tab, then select **Commit changes**.
When the snippet is committed to the `.gitlab-ci.yml` file, pipelines include a DAST job.
#### Crawling web applications dependent on JavaScript #### Crawling web applications dependent on JavaScript
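Review bot: same ordering problem as in the API Fuzzing section: "Paste the snippet", "Select the **Lint** tab" and "Select the **Edit** tab, then select **Commit changes**" are listed as top-level steps after the choice, but they only apply when the reader picked **Copy code and open `.gitlab-ci.yml` file** and the Pipeline Editor is open. Nesting them under that option (or adding an "If the Pipeline Editor opened:" lead-in) would keep the **Copy code only** path from ending in instructions that cannot be followed. Renaming "CI/CD Editor" to "Pipeline Editor" is a good consistency fix.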
......
...@@ -84,9 +84,9 @@ the body generation is limited to these body types: ...@@ -84,9 +84,9 @@ the body generation is limited to these body types:
- `application/json` - `application/json`
- `application/xml` - `application/xml`
Follow these steps to configure DAST API in GitLab with an OpenAPI specification: To configure DAST API scanning with an OpenAPI specification:
1. To use DAST API, you must [include](../../../ci/yaml/index.md#includetemplate) 1. To use DAST API scanning, [include](../../../ci/yaml/index.md#includetemplate)
the [`DAST-API.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml) the [`DAST-API.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml)
that's provided as part of your GitLab installation. Add the following to your that's provided as part of your GitLab installation. Add the following to your
`.gitlab-ci.yml` file: `.gitlab-ci.yml` file:
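Review bot: step 1 here was reworded to "To use DAST API scanning, [include] ..." but the equivalent step 1 in the HAR and Postman Collection sections further down the same file keeps the old "To use DAST API, you must [include] ..." wording. Since the MR is about standardizing these steps, the three sections should read the same; update the other two to match this one.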
...@@ -182,8 +182,7 @@ WARNING: ...@@ -182,8 +182,7 @@ WARNING:
HAR files may contain sensitive information such as authentication tokens, API keys, and session HAR files may contain sensitive information such as authentication tokens, API keys, and session
cookies. We recommend that you review the HAR file contents before adding them to a repository. cookies. We recommend that you review the HAR file contents before adding them to a repository.
Follow these steps to configure DAST API to use a HAR file that provides information about the To configure DAST API scanning to use a HAR file:
target API to test:
1. To use DAST API, you must [include](../../../ci/yaml/index.md#includetemplate) 1. To use DAST API, you must [include](../../../ci/yaml/index.md#includetemplate)
the [`DAST-API.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml) the [`DAST-API.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml)
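Review bot: the unchanged context line "1. To use DAST API, you must [include] ..." no longer matches the rewritten OpenAPI section, which says "To use DAST API scanning, [include] ...". Also, shortening the intro to "To configure DAST API scanning to use a HAR file:" drops the only clause explaining what the HAR file is for ("provides information about the target API to test"); consider keeping a short phrase such as "a HAR file that describes the target API".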
...@@ -282,8 +281,7 @@ Postman Collection files may contain sensitive information such as authenticatio ...@@ -282,8 +281,7 @@ Postman Collection files may contain sensitive information such as authenticatio
and session cookies. We recommend that you review the Postman Collection file contents before adding and session cookies. We recommend that you review the Postman Collection file contents before adding
them to a repository. them to a repository.
Follow these steps to configure DAST API to use a Postman Collection file that provides To configure DAST API scanning to use a Postman Collection file:
information about the target API to test:
1. To use DAST API, you must [include](../../../ci/yaml/index.md#includetemplate) 1. To use DAST API, you must [include](../../../ci/yaml/index.md#includetemplate)
the [`DAST-API.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml) the [`DAST-API.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml)
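Review bot: as in the HAR section, step 1 ("To use DAST API, you must [include] ...") is left with the old wording while the OpenAPI section now says "To use DAST API scanning, [include] ...", and the shortened intro loses the clause that said the Postman Collection "provides information about the target API to test". Aligning the wording across the three sections would finish the standardization this MR sets out to do.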
......
...@@ -508,19 +508,18 @@ always take the latest dependency scanning artifact available. ...@@ -508,19 +508,18 @@ always take the latest dependency scanning artifact available.
> - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/282533) in GitLab 14.1. > - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/282533) in GitLab 14.1.
> - [Feature flag sec_dependency_scanning_ui_enable removed](https://gitlab.com/gitlab-org/gitlab/-/issues/326005) in GitLab 14.2. > - [Feature flag sec_dependency_scanning_ui_enable removed](https://gitlab.com/gitlab-org/gitlab/-/issues/326005) in GitLab 14.2.
To enable Dependency Scanning in a project, you can create a merge request To enable Dependency Scanning in a project, you can create a merge request:
from the Security Configuration page.
1. In the project where you want to enable Dependency Scanning, navigate to 1. On the top bar, select **Menu > Projects** and find your project.
**Security & Compliance > Configuration**. 1. On the left sidebar, select **Security & Compliance > Configuration**.
1. In the **Dependency Scanning** row, select **Configure with a merge request**. 1. In the **Dependency Scanning** row, select **Configure with a merge request**.
1. Review and merge the merge request to enable Dependency Scanning.
This automatically creates a merge request with the changes necessary to enable Dependency Scanning Pipelines now include a dependency scanning job.
that you can review and merge to complete the configuration.
### Customizing the dependency scanning settings ### Customizing the dependency scanning settings
The dependency scanning settings can be changed through [CI/CD variables](#available-cicd-variables) by using the The Dependency Scanning settings can be changed through [CI/CD variables](#available-cicd-variables) by using the
[`variables`](../../../ci/yaml/index.md#variables) parameter in `.gitlab-ci.yml`. [`variables`](../../../ci/yaml/index.md#variables) parameter in `.gitlab-ci.yml`.
For example: For example:
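Review bot: capitalization is inconsistent inside this hunk: the new closing line says "Pipelines now include a dependency scanning job." while the sentence two lines below is changed to "The Dependency Scanning settings can be changed ...". Use the feature name's capitalization in both (the other sections use "a SAST job", "a Secret Detection job"). The new intro "To enable Dependency Scanning in a project, you can create a merge request:" also reads a bit off before a numbered list; "To enable Dependency Scanning in a project, create a merge request from the Security Configuration page:" keeps the dropped "from the Security Configuration page" context.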
......
...@@ -93,15 +93,14 @@ that you can download and analyze. ...@@ -93,15 +93,14 @@ that you can download and analyze.
### Enable IaC Scanning via an automatic merge request ### Enable IaC Scanning via an automatic merge request
To enable IaC Scanning in a project, you can create a merge request To enable IaC Scanning in a project, you can create a merge request:
from the Security Configuration page:
1. On the top bar, select **Menu > Projects** and find your project. 1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**. 1. On the left sidebar, select **Security & Compliance > Configuration**.
1. In the **Infrastructure as Code (IaC) Scanning** row, select **Configure with a merge request**. 1. In the **Infrastructure as Code (IaC) Scanning** row, select **Configure with a merge request**.
1. Review and merge the merge request to enable IaC Scanning.
This automatically creates a merge request with the changes necessary to enable IaC Scanning Pipelines now include an IaC job.
that you can review and merge to complete the configuration.
## Reports JSON format ## Reports JSON format
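Review bot: "Pipelines now include an IaC job." is the one closing line that does not use the feature's full name; the heading and step 3 say "IaC Scanning" and the sibling sections say "a SAST job" and "a Secret Detection job", so "an IaC Scanning job" would be consistent. The same intro-sentence comment as for Dependency Scanning applies here ("you can create a merge request:" before the list).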
......
...@@ -190,28 +190,28 @@ always take the latest SAST artifact available. ...@@ -190,28 +190,28 @@ always take the latest SAST artifact available.
### Configure SAST in the UI ### Configure SAST in the UI
You can enable and configure SAST in the UI, either with default settings, or with customizations. You can enable and configure SAST in the UI, either with default settings, or with customizations.
Use the method that best meets your needs. The method you can use depends on your GitLab license tier.
- [Configure SAST in the UI with default settings](#configure-sast-in-the-ui-with-default-settings) - [Configure SAST in the UI with default settings](#configure-sast-in-the-ui-with-default-settings).
- [Configure SAST in the UI with customizations](#configure-sast-in-the-ui-with-customizations) - [Configure SAST in the UI with customizations](#configure-sast-in-the-ui-with-customizations). **(ULTIMATE)**
### Configure SAST in the UI with default settings ### Configure SAST in the UI with default settings
> [Introduced](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#security-configuration-page-for-all-users) in GitLab 13.9 > [Introduced](https://about.gitlab.com/releases/2021/02/22/gitlab-13-9-released/#security-configuration-page-for-all-users) in GitLab 13.9
NOTE:
The configuration tool works best with no existing `.gitlab-ci.yml` file, or with a minimal
configuration file. If you have a complex GitLab configuration file it may not be parsed
successfully, and an error may occur.
To enable and configure SAST with default settings: To enable and configure SAST with default settings:
1. On the top bar, select **Menu > Projects** and find your project. 1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance** > **Configuration**. 1. On the left sidebar, select **Security & Compliance** > **Configuration**.
1. In the SAST section, select `Enable via MR`. 1. In the SAST section, select **Configure with a merge request**.
1. Review the draft MR that enables SAST with the default recommended settings in the 1. Review and merge the merge request to enable SAST.
`.gitlab-ci.yml` file.
1. Merge the MR to enable SAST. You should see SAST jobs run in that MR's pipeline.
NOTE: Pipelines now include a SAST job.
The configuration tool works best with no existing `.gitlab-ci.yml` file, or with a minimal
configuration file. If you have a complex GitLab configuration file it may not be parsed
successfully, and an error may occur.
### Configure SAST in the UI with customizations **(ULTIMATE)** ### Configure SAST in the UI with customizations **(ULTIMATE)**
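Review bot: the sidebar step in this section is written as "**Security & Compliance** > **Configuration**" (two bold spans) while every other section in this MR uses "**Security & Compliance > Configuration**" (one bold span); for a standardization change the SAST section should match. Moving the NOTE about complex `.gitlab-ci.yml` files above the steps is an improvement, and replacing the `Enable via MR` code-styled label with **Configure with a merge request** matches the other sections.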
...@@ -219,27 +219,28 @@ successfully, and an error may occur. ...@@ -219,27 +219,28 @@ successfully, and an error may occur.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in GitLab 13.4. > - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in GitLab 13.4.
> - [Improved](https://gitlab.com/groups/gitlab-org/-/epics/3635) in GitLab 13.5. > - [Improved](https://gitlab.com/groups/gitlab-org/-/epics/3635) in GitLab 13.5.
NOTE:
The configuration tool works best with no existing `.gitlab-ci.yml` file, or with a minimal
configuration file. If you have a complex GitLab configuration file it may not be parsed
successfully, and an error may occur.
To enable and configure SAST with customizations: To enable and configure SAST with customizations:
1. On the top bar, select **Menu > Projects** and find your project. 1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**. 1. On the left sidebar, select **Security & Compliance > Configuration**.
1. If the project does not have a `.gitlab-ci.yml` file, select **Enable** in the Static Application 1. If the project does not have a `.gitlab-ci.yml` file, select **Enable SAST** in the Static
Security Testing (SAST) row, otherwise select **Configure**. Application Security Testing (SAST) row, otherwise select **Configure SAST**.
1. Enter the custom SAST values. 1. Enter the custom SAST values.
Custom values are stored in the `.gitlab-ci.yml` file. For CI/CD variables not in the SAST Custom values are stored in the `.gitlab-ci.yml` file. For CI/CD variables not in the SAST
Configuration page, their values are left unchanged. Default values are inherited from the GitLab Configuration page, their values are inherited from the GitLab SAST template.
SAST template.
1. Optionally, expand the **SAST analyzers** section, select individual 1. Optionally, expand the **SAST analyzers** section, select individual
[SAST analyzers](analyzers.md) and enter custom analyzer values. [SAST analyzers](analyzers.md) and enter custom analyzer values.
1. Select **Create Merge Request**. 1. Select **Create Merge Request**.
1. Review and merge the merge request. 1. Review and merge the merge request.
NOTE: Pipelines now include a SAST job.
The configuration tool works best with no existing `.gitlab-ci.yml` file, or with a minimal
configuration file. If you have a complex GitLab configuration file it may not be parsed
successfully, and an error may occur.
### Overriding SAST jobs ### Overriding SAST jobs
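Review bot: the rewrite of the "Custom values are stored ..." sentence changes its meaning. The old text made two distinct statements: variables not shown on the SAST Configuration page are "left unchanged" (that is, anything already set in `.gitlab-ci.yml` is not touched), and default values come from the GitLab SAST template. The new text collapses these into "their values are inherited from the GitLab SAST template", which could be read as the tool overwriting existing custom values with template defaults. Suggest keeping both statements, for example: "For CI/CD variables not in the SAST Configuration page, existing values are left unchanged; otherwise the default values from the GitLab SAST template apply."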
......
...@@ -112,20 +112,19 @@ always take the latest Secret Detection artifact available. ...@@ -112,20 +112,19 @@ always take the latest Secret Detection artifact available.
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, deployed behind a feature flag, enabled by default. > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4496) in GitLab 13.11, deployed behind a feature flag, enabled by default.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/329886) in GitLab 14.1. > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/329886) in GitLab 14.1.
To enable Secret Detection in a project, you can create a merge request NOTE:
from the Security Configuration page. This method works best with no existing `.gitlab-ci.yml` file, or with a minimal configuration
file. If you have a complex GitLab configuration file it may not be parsed successfully, and an
error may occur.
1. In the project where you want to enable Secret Detection, go to To enable Secret Detection in a project, you can create a merge request:
**Security & Compliance > Configuration**.
1. In the **Secret Detection** row, select **Configure with a merge request**.
This automatically creates a merge request with the changes necessary to enable Secret Detection 1. On the top bar, select **Menu > Projects** and find your project.
that you can review and merge to complete the configuration. 1. On the left sidebar, select **Security & Compliance > Configuration**.
1. In the **Secret Detection** row, select **Configure with a merge request**.
1. Review and merge the merge request to enable Secret Detection.
NOTE: Pipelines now include a Secret Detection job.
The configuration tool works best with no existing `.gitlab-ci.yml` file, or with a minimal
configuration file. If you have a complex GitLab configuration file it may not be parsed
successfully, and an error may occur.
### Customizing settings ### Customizing settings
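Review bot: the relocated NOTE here is reworded to "This method works best with no existing `.gitlab-ci.yml` file ..." while the two SAST sections in the same MR keep "The configuration tool works best ..."; the same caveat should use the same wording in all three places. Otherwise the new step list matches the Dependency Scanning and IaC Scanning sections, which is the point of the change.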
......