info:To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
info:To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
---
# Security Configuration **(ULTIMATE)**
# Security Configuration **(FREE)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6. **(ULTIMATE)**
> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4.
> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4. **(ULTIMATE)**
> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4.
> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4. **(ULTIMATE)**
> - A simplified version was made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/294076) in GitLab 13.9. **(FREE)**
> - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default.
> - It's enabled on GitLab.com.
> - It's recommended for production use.
> - For GitLab self-managed instances, GitLab administrators can opt to [enable it](#enable-or-disable-security-configuration). **(FREE SELF)**
> - It can be enabled or disabled for a single project.
WARNING:
This feature might not be available to you. Check the **version history** note above for details.
The Security Configuration page displays the configuration state of each security control in the
The Security Configuration page displays what security scans are available, links to documentation and also simple enablement tools for the current project.
current project.
To view a project's security configuration, go to the project's home page,
To view a project's security configuration, go to the project's home page,
then in the left sidebar go to **Security & Compliance > Configuration**.
then in the left sidebar go to **Security & Compliance > Configuration**.
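Review bot: The rewritten intro sentence on the new side ("displays what security scans are available, links to documentation and also simple enablement tools for the current project") drops the statement that the page shows the configuration state of each security control, yet the Status section further down still describes that behaviour for Ultimate. Suggest one sentence that says what every tier sees and a second that says what Ultimate adds, so a reader auditing a project's scanner coverage knows whether the status shown is authoritative for their tier. The list also reads better as "available security scans, links to their documentation, and simple enablement tools".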
...
@@ -20,10 +28,11 @@ then in the left sidebar go to **Security & Compliance > Configuration**.
...
@@ -20,10 +28,11 @@ then in the left sidebar go to **Security & Compliance > Configuration**.
For each security control the page displays:
For each security control the page displays:
-**Security Control:** Name, description, and a documentation link.
-**Security Control:** Name, description, and a documentation link.
-**Status:** The security control's status (enabled, not enabled, or available).
-**Manage:** A management option or a documentation link.
-**Manage:** A management option or a documentation link.
## Status
## Status **(ULTIMATE)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
The status of each security control is determined by the project's latest default branch
The status of each security control is determined by the project's latest default branch
[CI pipeline](../../../ci/pipelines/index.md).
[CI pipeline](../../../ci/pipelines/index.md).
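Review bot: The `**Status:**` bullet appears on only one side of this hunk, so the list under "For each security control the page displays:" no longer mentions status at all, while `## Status **(ULTIMATE)**` directly below still documents it. Suggest keeping the bullet and badging it, for example "**Status:** The security control's status (enabled, not enabled, or available). **(ULTIMATE)**", so the list and the section agree. The version-history line added under the Status heading repeats the first entry of the page-level history; one of the two can go.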
...
@@ -35,7 +44,7 @@ all security features are configured by default.
...
@@ -35,7 +44,7 @@ all security features are configured by default.
For SAST, click **View history** to see the `.gitlab-ci.yml` file's history.
For SAST, click **View history** to see the `.gitlab-ci.yml` file's history.
## Manage
## Manage **(ULTIMATE)**
You can configure the following security controls:
You can configure the following security controls:
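Review bot: Badging the heading as `## Manage **(ULTIMATE)**` conflicts with two statements elsewhere in the change: the new intro promises "simple enablement tools" to all tiers, and the per-control list still includes "**Manage:** A management option or a documentation link." without a tier badge. As written, a Free user cannot tell which controls they can enable from this page and which are documentation links only. Suggest either badging the individual items in the "You can configure the following security controls:" list or adding a sentence stating what the Manage column contains on Free.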
...
@@ -45,3 +54,25 @@ You can configure the following security controls:
...
@@ -45,3 +54,25 @@ You can configure the following security controls:
- Click either **Enable** or **Configure** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
- Click either **Enable** or **Configure** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
- DAST Profiles
- DAST Profiles
- Click **Manage** to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).
- Click **Manage** to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).
### Enable or disable Security Configuration **(FREE SELF)**
Security Configuration is under development but ready for production use.
It is deployed behind a feature flag that is **disabled by default**.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
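Review bot: The new `### Enable or disable Security Configuration **(FREE SELF)**` heading is an H3, which nests it under `## Manage **(ULTIMATE)**`; an administrator section for Free self-managed instances should not sit inside an Ultimate-only section. Suggest promoting it to an H2 at the end of the page. The opening sentence "Security Configuration is under development but ready for production use." also reads as a contradiction next to the version-history line "It's recommended for production use."; aligning the two wordings would help. Since the history states the flag "can be enabled or disabled for a single project", the instructions that follow should show both the instance-wide and the per-project form and note that toggling it requires Rails console access.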