Commit 27de6f09 authored by Achilleas Pipinellis

Merge branch 'docs/security-reports' into 'master'

Consolidate all security reports under one section

See merge request gitlab-org/gitlab-ee!5566
parents 8074f415 b9e7572e
......@@ -148,11 +148,11 @@ scales to run your tests faster.
- [Review Apps](ci/review_apps/index.md): Preview changes to your app right from a merge request.
- [Pipeline Graphs](ci/pipelines.md#pipeline-graphs)
- [Multi-project pipeline graphs](ci/multi_project_pipeline_graphs.md) **[PREMIUM]**
- [Code Quality](user/project/merge_requests/code_quality_diff.md) **[STARTER]**
- [Static Application Security Testing (SAST)](user/project/merge_requests/sast.md) **[ULTIMATE]**
- [Code Quality reports](user/project/merge_requests/code_quality_diff.md) **[STARTER]**
- [Static Application Security Testing (SAST) reports](user/project/merge_requests/sast.md) **[ULTIMATE]**
- [Dynamic Application Security Testing (DAST)](user/project/merge_requests/dast.md) **[ULTIMATE]**
- [Container Scanning](ci/examples/container_scanning.md) **[ULTIMATE]**
- [Dependency Scanning](ci/examples/dependency_scanning.md) **[ULTIMATE]**
- [Dependency Scanning reports](user/project/merge_requests/dependency_scanning.md) **[ULTIMATE]**
- [Container Scanning reports](user/project/merge_requests/container_scanning.md) **[ULTIMATE]**
### Package
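Review bot: the renamed index entries are now inconsistent: SAST, Dependency Scanning and Container Scanning gain a "reports" suffix, but the unchanged line `- [Dynamic Application Security Testing (DAST)](user/project/merge_requests/dast.md) **[ULTIMATE]**` keeps the old wording, so the list mixes both styles. Suggest renaming it to `Dynamic Application Security Testing (DAST) reports` in this change. Also, the two dropped targets `ci/examples/container_scanning.md` and `ci/examples/dependency_scanning.md` disappear from this index; make sure those pages are still reachable (or redirect to the new locations) so the CI example docs are not orphaned.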
......@@ -23,7 +23,7 @@ With GitLab merge requests, you can:
- Assign it to any registered user, and change the assignee how many times you need
- Assign a [milestone](../../project/milestones/index.md) and track the development of a broader implementation
- Organize your issues and merge requests consistently throughout the project with [labels](../../project/labels.md)
- Add a time estimation and the time spent with that merge request with [Time Tracking](../../../workflow/time_tracking.html#time-tracking)
- Add a time estimation and the time spent with that merge request with [Time Tracking](../../../workflow/time_tracking.md#time-tracking)
- [Resolve merge conflicts from the UI](#resolve-conflicts)
- Enable [fast-forward merge requests](#fast-forward-merge-requests)
- Enable [semi-linear history merge requests](#semi-linear-history-merge-requests) as another security layer to guarantee the pipeline is passing in the target branch
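Review bot: the Time Tracking link now points at `../../../workflow/time_tracking.md#time-tracking`; relative `.md` links are the right form for the docs tree, but please confirm the `time-tracking` heading anchor actually exists in that file, since the old `.html` link may have relied on an anchor that only exists on the rendered page.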
......@@ -32,15 +32,15 @@ With GitLab merge requests, you can:
With **[GitLab Enterprise Edition][ee]**, you can also:
- View the deployment process across projects with [Multi-Project Pipeline Graphs](https://docs.gitlab.com/ee/ci/multi_project_pipeline_graphs.html#multi-project-pipeline-graphs) **[PREMIUM]**
- Request [approvals](https://docs.gitlab.com/ee/user/project/merge_requests/merge_request_approvals.html) from your managers **[STARTER]**
- [Squash and merge](https://docs.gitlab.com/ee/user/project/merge_requests/squash_and_merge.html) for a cleaner commit history **[STARTER]**
- Analyze the impact of your changes with [Code Quality reports](https://docs.gitlab.com/ee/user/project/merge_requests/code_quality_diff.html) **[STARTER]**
- Analyze your source code for vulnerabilities with [Static Application Security Testing](#static-application-security-testing) **[ULTIMATE]**
- Analyze your dependencies for vulnerabilities with [Dependency Scanning](#dependency-scanning) **[ULTIMATE]**
- View the deployment process across projects with [Multi-Project Pipeline Graphs](../../../ci/multi_project_pipeline_graphs.md#multi-project-pipeline-graphs) **[PREMIUM]**
- Request [approvals](merge_request_approvals.md) from your managers **[STARTER]**
- [Squash and merge](squash_and_merge.md) for a cleaner commit history **[STARTER]**
- Analyze the impact of your changes with [Code Quality reports](code_quality_diff.md) **[STARTER]**
- Manage the licenses of your dependencies with [License Management](#license-management) **[ULTIMATE]**
- Analyze your Docker images for vulnerabilities with [Container Scanning](#container-scanning) **[ULTIMATE]**
- Analyze your running web applications for vulnerabilities with [Dynamic Application Security Testing](#dynamic-application-security-testing) **[ULTIMATE]**
- Analyze your source code for vulnerabilities with [Static Application Security Testing](sast.md) **[ULTIMATE]**
- Analyze your running web applications for vulnerabilities with [Dynamic Application Security Testing](dast.md) **[ULTIMATE]**
- Analyze your dependencies for vulnerabilities with [Dependency Scanning](dependency_scanning.md) **[ULTIMATE]**
- Analyze your Docker images for vulnerabilities with [Container Scanning](container_scanning.md) **[ULTIMATE]**
- Determine the performance impact of changes with [Browser Performance Testing](#browser-performance-testing) **[PREMIUM]**
## Use cases
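Review bot: the four security bullets now link to the sub-pages (`sast.md`, `dast.md`, `dependency_scanning.md`, `container_scanning.md`) while the neighbouring License Management and Browser Performance Testing bullets still use in-page anchors (`#license-management`, `#browser-performance-testing`), so the list mixes two link styles. Since this change also introduces a consolidated `## Security reports` section further down, consider pointing these bullets at `#security-reports` (or adding one summary bullet for it) so readers land on the overview before the per-scanner pages. Replacing the absolute `https://docs.gitlab.com/ee/...` URLs with relative paths is a good change: it keeps the links consistent with the version of the docs being read.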
......@@ -49,8 +49,8 @@ A. Consider you are a software developer working in a team:
1. You checkout a new branch, and submit your changes through a merge request
1. You gather feedback from your team
1. You work on the implementation optimizing code with [Code Quality reports](https://docs.gitlab.com/ee/user/project/merge_requests/code_quality_diff.html) **[STARTER]**
1. You avoid using dependencies whose license is not compatible with your project with [License Management reports](https://docs.gitlab.com/ee/user/project/merge_requests/license-management.html) **[ULTIMATE]**
1. You work on the implementation optimizing code with [Code Quality reports](code_quality_diff.md) **[STARTER]**
1. You avoid using dependencies whose license is not compatible with your project with [License Management reports](license_management.md) **[ULTIMATE]**
1. You build and test your changes with GitLab CI/CD
1. You request the [approval](#merge-request-approvals) from your manager
1. Your manager pushes a commit with his final review, [approves the merge request](#merge-request-approvals), and set it to [merge when pipeline succeeds](#merge-when-pipeline-succeeds)
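Review bot: the License Management link changes its filename from `license-management.html` (hyphen) to `license_management.md` (underscore). This matches the target in the unchanged line `[Read more about License Management reports.](license_management.md)` later in this diff, so the old absolute URL was presumably broken; worth checking that no other page still uses the hyphenated form.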
......@@ -63,8 +63,8 @@ B. Consider you're a web developer writing a webpage for your company's website:
1. You gather feedback from your reviewers
1. Your changes are previewed with [Review Apps](../../../ci/review_apps/index.md)
1. You request your web designers for their implementation
1. You request the [approval](https://docs.gitlab.com/ee/user/project/merge_requests/merge_request_approvals.html) from your manager **[STARTER]**
1. Once approved, your merge request is [squashed and merged](https://docs.gitlab.com/ee/user/project/merge_requests/squash_and_merge.html), and [deployed to staging with GitLab Pages](https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/) (Squash and Merge is available in GitLab Starter)
1. You request the [approval](merge_request_approvals.md) from your manager **[STARTER]**
1. Once approved, your merge request is [squashed and merged](squash_and_merge.md), and [deployed to staging with GitLab Pages](https://about.gitlab.com/2016/08/26/ci-deployment-and-environments/) (Squash and Merge is available in GitLab Starter)
1. Your production team [cherry picks](#cherry-pick-changes) the merge commit into production
## Merge requests per project
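Review bot: the line `1. Once approved, your merge request is [squashed and merged](squash_and_merge.md), ... (Squash and Merge is available in GitLab Starter)` conveys the tier with a parenthetical while the line above it uses the `**[STARTER]**` badge; since these lines are being edited anyway, suggest replacing the parenthetical with the badge for consistency with the rest of the page.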
......@@ -218,7 +218,7 @@ have been marked as a **Work In Progress**.
[Learn more about settings a merge request as "Work In Progress".](work_in_progress_merge_requests.md)
## Merge request approvals
## Merge request approvals **[STARTER]**
> Included in [GitLab Starter][products].
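Review bot: with the `**[STARTER]**` badge now on the `## Merge request approvals` heading, the `> Included in [GitLab Starter][products].` blockquote below it repeats the same information. Other sections keep their blockquote because it carries a version number ("Introduced in ... 9.3"); this one has none, so it could be dropped.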
......@@ -229,7 +229,7 @@ list of approvers that will need to approve every merge request in a project.
[Read more about merge request approvals.](merge_request_approvals.md)
## Code Quality
## Code Quality **[STARTER]**
> Introduced in [GitLab Starter][products] 9.3.
......@@ -239,27 +239,15 @@ can show the Code Climate report right in the merge request widget area.
[Read more about Code Quality reports.](code_quality_diff.md)
## Static Application Security Testing **[ULTIMATE]**
> Introduced in [GitLab Ultimate][products] 10.3.
If you are using [GitLab CI/CD][ci], you can analyze your source code for known
vulnerabilities using Static Application Security Testing (SAST).
Going a step further, GitLab can show the vulnerability report right in the
merge request widget area.
[Read more about Static Application Security Testing reports.](sast.md)
## Browser Performance Testing **[PREMIUM]**
## Dependency Scanning **[ULTIMATE]**
> Introduced in [GitLab Premium][products] 10.3.
> Introduced in [GitLab Ultimate][products] 10.7.
If your application offers a web interface and you are using [GitLab CI/CD][ci], you can quickly determine the performance impact of pending code changes. GitLab uses [Sitespeed.io][sitespeed], a free and open source tool for measuring the performance of web sites, to analyze the performance of specific pages.
If you are using [GitLab CI/CD][ci], you can analyze your dependencies for known
vulnerabilities using Dependency Scanning.
Going a step further, GitLab can show the vulnerability report right in the
merge request widget area.
GitLab runs the [Sitespeed.io container][sitespeed-container] and displays the difference in overall performance scores between the source and target branches.
[Read more about Dependency Scanning reports.](dependency_scanning.md)
[Read more about Browser Performance Testing.](browser_performance_testing.md)
## License Management **[ULTIMATE]**
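Review bot: this hunk leaves a standalone `## Dependency Scanning **[ULTIMATE]**` section in place while the next hunk adds a consolidated `## Security reports` section whose list already covers Dependency Scanning, so the consolidation this MR describes is incomplete and the page will describe Dependency Scanning twice. Suggest removing the standalone section and moving its "Introduced in GitLab Ultimate 10.7" note into the Security reports bullet or into `dependency_scanning.md`. Also, deleting the `## Static Application Security Testing **[ULTIMATE]**` heading removes the `#static-application-security-testing` anchor; the in-file link was updated in this MR, but any other doc or external page linking to that anchor will now land at the top of the page.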
......@@ -272,38 +260,40 @@ merge request widget area.
[Read more about License Management reports.](license_management.md)
## Container Scanning **[ULTIMATE]**
> Introduced in [GitLab Ultimate][products] 10.4.
## Security reports **[ULTIMATE]**
If you are using [GitLab CI/CD][ci], you can analyze your Docker images for known
vulnerabilities.
Going a step further, GitLab can show the vulnerability report right in the
merge request widget area.
GitLab can scan and report any vulnerabilities found in your project. The
following security reports are available:
[Read more about Container Scanning reports.](container_scanning.md)
- [Static Application Security Testing reports](sast.md) - Analyze your source
code for known vulnerabilities using Static Application Security Testing (SAST)
and see the security report right in your merge requests.
- [Dynamic Application Security Testing reports](dast.md) - Analyze your running
web application(s) for known vulnerabilities using Dynamic Application Security
Testing (DAST) and see the security report right in your merge requests.
- [Dependency Scanning reports](dependency_scanning.md) - Analyze your
dependencies for known vulnerabilities using Dependency Scanning and see the
security report right in your merge requests.
- [Container Scanning reports](container_scanning.md) - Analyze your Docker
images for known vulnerabilities and see the security report right in your
merge requests.
## Dynamic Application Security Testing **[ULTIMATE]**
### Interacting with security reports **[ULTIMATE]**
> Introduced in [GitLab Ultimate][products] 10.4.
If you are using [GitLab CI/CD][ci], you can analyze your running web
application(s) for known vulnerabilities using Dynamic Application Security
Testing (DAST).
Going a step further, GitLab can show the vulnerability report right in the
merge request widget area.
[Read more about Dynamic Application Security Testing reports.](dast.md)
## Browser Performance Testing **[PREMIUM]**
> Introduced in [GitLab Premium][products] 10.3.
> Introduced in [GitLab Ultimate][products] 10.8.
If your application offers a web interface and you are using [GitLab CI/CD][ci], you can quickly determine the performance impact of pending code changes. GitLab uses [Sitespeed.io][sitespeed], a free and open source tool for measuring the performance of web sites, to analyze the performance of specific pages.
CAUTION: **Warning:**
This feature is currently experimental and while you can start using it,
it may receive important changes in the future.
GitLab runs the [Sitespeed.io container][sitespeed-container] and displays the difference in overall performance scores between the source and target branches.
Each security vulnerability in the report is actionable which means that you can:
[Read more about Browser Performance Testing.](browser_performance_testing.md)
- **Dismiss it** - Dismissing a vulnerability will place a ~~strikethrough~~
styling on it.
- **Revert your dismissal** - Reverting a dismissal will undo the
~~strikethrough~~ styling.
- **Create an issue out of it** - The new issue will have the title and
description pre-populated with the information of the vulnerability report.
## Live preview with Review Apps
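Review bot: the `### Interacting with security reports` subsection documents actions with security consequences but not who may take them: dismissing a vulnerability hides a finding, and creating an issue copies the vulnerability details into an issue visible to everyone who can see the project. Suggest stating the permission level required to dismiss, whether a dismissal persists across later pipelines and branches, and that the generated issue should be marked confidential on public projects. Minor: `Each security vulnerability in the report is actionable which means that you can:` needs a comma before `which`, and the Browser Performance Testing section is moved here unchanged, which is fine but makes the hunk harder to review; a separate commit for the move would help.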