Merge branch 'russell/improve-sast-configuration' into 'master'

Improve SAST configuration content

See merge request gitlab-org/gitlab!39283

doc/user/application_security/configuration/index.md

@@ -9,35 +9,21 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
 
-## Overview
+The Security Configuration page displays the configuration state of each security feature in the
+current project. The page uses the project's latest default branch [CI pipeline](../../../ci/pipelines/index.md)
+to determine each feature's configuration state. If a job with the expected security report artifact
+exists in the pipeline, the feature is considered enabled.
 
-The security configuration page displays the configuration state of each of the security
-features and can be accessed through a project's sidebar nav.
-
-![Screenshot of security configuration page](../img/security_configuration_page_v13_2.png)
-
-The page uses the project's latest default branch [CI pipeline](../../../ci/pipelines/index.md) to determine the configuration
-state of each feature. If a job with the expected security report artifact exists in the pipeline,
-the feature is considered configured.
+You can only enable SAST from the Security Configuration page. Documentation links are included for
+the other features. For details about configuring SAST, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
 
 NOTE: **Note:**
 If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md),
-all security features will be configured by default.
-
-## SAST Configuration
-
-> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3659) in GitLab Ultimate 13.3.
-
-For projects that do not already have a `.gitlab-ci.yml` file,
-[configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
+all security features are configured by default.
 
-## Limitations
+## View Security Configuration
 
-It is not yet possible to enable or disable most features using the
-configuration page. However, instructions on how to enable or disable a feature
-can be found through the links next to each feature on that page.
+To view a project's security configuration:
 
-If a project does not have an existing CI configuration, then the SAST feature
-can be enabled by clicking on the "Enable with Merge Request" button under the
-"Manage" column. Future work will expand this to editing _existing_ CI
-configurations, and to other security features.
+1. Go to the project's home page.
+1. In the left sidebar, go to **Security & Configuration** > **Configuration**.

doc/user/application_security/sast/index.md

@@ -14,21 +14,9 @@ The whitepaper ["A Seismic Shift in Application Security"](https://about.gitlab.
 explains how **4 of the top 6 attacks were application based**. Download it
 to learn how to protect your organization.
 
-## Overview
-
 If you're using [GitLab CI/CD](../../../ci/README.md), you can analyze your source code for known
-vulnerabilities using Static Application Security Testing (SAST).
-
-You can take advantage of SAST by doing one of the following:
-
-- [Including the SAST template](#configuration) in your existing `.gitlab-ci.yml` file.
-- Implicitly using [Auto SAST](../../../topics/autodevops/stages.md#auto-sast-ultimate) provided by
-  [Auto DevOps](../../../topics/autodevops/index.md).
-- Using the [SAST Configuration tool](#configure-sast-in-the-ui) to create the necessary
-  `.gitlab-ci.yml` file for you.
-
-GitLab checks the SAST report, compares the found vulnerabilities between the
-source and target branches.
+vulnerabilities using Static Application Security Testing (SAST). GitLab checks the SAST report and
+compares the found vulnerabilities between the source and target branches.
 
 Details of the vulnerabilities found are included in the merge request. **(ULTIMATE)**
 
@@ -44,7 +32,7 @@ The results are sorted by the priority of the vulnerability:
 1. Everything else
 
 NOTE: **Note:**
-A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish for any reason, the security dashboard won't show SAST scanner output. For example, if the SAST job finishes but the DAST job fails, the security dashboard won't show SAST results. The analyzer will output an [exit code](../../../development/integrations/secure.md#exit-code) on failure.
+A pipeline consists of multiple jobs, including SAST and DAST scanning. If any job fails to finish for any reason, the security dashboard doesn't show SAST scanner output. For example, if the SAST job finishes but the DAST job fails, the security dashboard doesn't show SAST results. The analyzer outputs an [exit code](../../../development/integrations/secure.md#exit-code) on failure.
 
 ## Use cases
 
@@ -63,7 +51,7 @@ If you're using the shared Runners on GitLab.com, this is enabled by default.
 Beginning with GitLab 13.0, Docker privileged mode is necessary only if you've [enabled Docker-in-Docker for SAST](#enabling-docker-in-docker-ultimate).
 
 CAUTION: **Caution:**
-Our SAST jobs currently expect a Linux container type. Windows containers are not yet supported.
+Our SAST jobs require a Linux container type. Windows containers are not yet supported.
 
 CAUTION: **Caution:**
 If you use your own Runners, make sure the Docker version installed
@@ -129,9 +117,14 @@ The [Security Scanner Integration](../../../development/integrations/secure.md)
 
 ## Configuration
 
-NOTE: **Note:**
-You don't have to configure SAST manually as shown in this section if you're using [Auto SAST](../../../topics/autodevops/stages.md#auto-sast-ultimate)
-provided by [Auto DevOps](../../../topics/autodevops/index.md).
+To configure SAST for a project you can:
+
+- Use [Auto SAST](../../../topics/autodevops/stages.md#auto-sast-ultimate) provided by
+  [Auto DevOps](../../../topics/autodevops/index.md).
+- [Configure SAST manually](#configure-sast-manually).
+- [Configure SAST using the UI](#configure-sast-in-the-ui) (introduced in GitLab 13.3).
+
+### Configure SAST manually
 
 For GitLab 11.9 and later, to enable SAST you must [include](../../../ci/yaml/README.md#includetemplate)
 the [`SAST.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml)
@@ -145,10 +138,10 @@ include:
   - template: SAST.gitlab-ci.yml
 ```
 
-The included template will create SAST jobs in your CI/CD pipeline and scan
+The included template creates SAST jobs in your CI/CD pipeline and scans
 your project's source code for possible vulnerabilities.
 
-The results will be saved as a
+The results are saved as a
 [SAST report artifact](../../../ci/pipelines/job_artifacts.md#artifactsreportssast-ultimate)
 that you can later download and analyze. Due to implementation limitations, we
 always take the latest SAST artifact available.
@@ -157,14 +150,16 @@ always take the latest SAST artifact available.
 
 > [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/3659) in GitLab Ultimate 13.3.
 
-For projects that do not already have a `.gitlab-ci.yml` file, the above
-configuration can also be achieved by using the **SAST Configuration** tool.
-
-1. Navigate to **Security & Compliance > Configuration**.
-1. Click **Enable** on the Static Application Security Testing (SAST)
-row.
+For a project that does not have a `.gitlab-ci.yml` file, you can enable SAST with a basic
+configuration using the **SAST Configuration** page:
 
-A merge request is created, containing the necessary changes for you to review and merge.
+1. From the project's home page, go to **Security & Configuration** > **Configuration** in the
+   left sidebar.
+1. Click **Enable via Merge Request** on the Static Application Security Testing (SAST) row.
+1. Enter the appropriate SAST details into the fields on the page. See [Available variables](#available-variables)
+   for a description of these variables.
+1. Click **Create Merge Request**.
+1. Review and merge the merge request.
 
 ### Customizing the SAST settings