Merge branch '37278-document-custom-analyzers-non-dind' into 'master'

Document custom analyzers in non-DinD setup See merge request gitlab-org/gitlab!29121

Merge branch '37278-document-custom-analyzers-non-dind' into 'master'
Document custom analyzers in non-DinD setup See merge request gitlab-org/gitlab!29121
5a22ceb8 · Nick Gaskill · 2776699a · c49fe8ef · 5a22ceb8 · 5a22ceb8
Commit 5a22ceb8 authored Apr 09, 2020 by Nick Gaskill
2 changed files
--- a/doc/user/application_security/dependency_scanning/analyzers.md
+++ b/doc/user/application_security/dependency_scanning/analyzers.md
@@ -83,8 +83,11 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers).

 ## Custom analyzers

-You can provide your own analyzers as a comma separated list of Docker images.
-Here's how to add `analyzers/nugget` and `analyzers/perl` to the default images.
+### Custom analyzers with Docker-in-Docker
+
+When Docker-in-Docker for Dependency Scanning is enabled,
+you can provide your own analyzers as a comma-separated list of Docker images.
+Here's how to add `analyzers/nuget` and `analyzers/perl` to the default images.
 In `.gitlab-ci.yml` define:

 ```yaml
@@ -92,7 +95,7 @@ include:
  template: Dependency-Scanning.gitlab-ci.yml

 variables:
-  DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nugget,amy-docker-registry/nalyzers/perl"
+  DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nuget,amy-docker-registry/analyzers/perl"
 ```

 The values must be the full path to the container registry images,
@@ -103,6 +106,28 @@ This configuration doesn't benefit from the integrated detection step. Dependenc
 Scanning has to fetch and spawn each Docker image to establish whether the
 custom analyzer can scan the source code.

+### Custom analyzers without Docker-in-Docker
+
+When Docker-in-Docker for Dependency Scanning is disabled, you can provide your own analyzers by
+defining CI jobs in your CI configuration. For consistency, you should suffix your custom Dependency
+Scanning jobs with `-dependency_scanning`. Here's how to add a scanning job that's based on the
+Docker image `my-docker-registry/analyzers/nuget` and generates a Dependency Scanning report
+`gl-dependency-scanning-report.json` when `/analyzer run` is executed. Define the following in
+`.gitlab-ci.yml`:
+
+```yaml
+nuget-dependency_scanning:
+  image:
+    name: "my-docker-registry/analyzers/nuget"
+  script:
+    - /analyzer run
+  artifacts:
+    reports:
+      dependency_scanning: gl-dependency-scanning-report.json
+```
+
+The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate custom security scanners into GitLab.
+
 ## Analyzers data

 The following table lists the data available for each official analyzer.

--- a/doc/user/application_security/sast/analyzers.md
+++ b/doc/user/application_security/sast/analyzers.md
@@ -92,7 +92,10 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers).

 ## Custom Analyzers

-You can provide your own analyzers as a comma separated list of Docker images.
+### Custom analyzers with Docker-in-Docker
+
+When Docker-in-Docker for SAST is enabled,
+you can provide your own analyzers as a comma-separated list of Docker images.
 Here's how to add `analyzers/csharp` and `analyzers/perl` to the default images:
 In `.gitlab-ci.yml` define:

@@ -112,8 +115,27 @@ This configuration doesn't benefit from the integrated detection step.
 SAST has to fetch and spawn each Docker image to establish whether the
 custom analyzer can scan the source code.

-CAUTION: **Caution:**
-Custom analyzers are not spawned automatically when [Docker In Docker](index.md#disabling-docker-in-docker-for-sast) is disabled.
+### Custom analyzers without Docker-in-Docker
+
+When Docker-in-Docker for SAST is disabled, you can provide your own analyzers by
+defining CI jobs in your CI configuration. For consistency, you should suffix your custom
+SAST jobs with `-sast`. Here's how to add a scanning job that's based on the
+Docker image `my-docker-registry/analyzers/csharp` and generates a SAST report
+`gl-sast-report.json` when `/analyzer run` is executed. Define the following in
+`.gitlab-ci.yml`:
+
+```yaml
+csharp-sast:
+  image:
+    name: "my-docker-registry/analyzers/csharp"
+  script:
+    - /analyzer run
+  artifacts:
+    reports:
+      sast: gl-sast-report.json
+```
+
+The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate custom security scanners into GitLab.

 ## Analyzers Data