Refactor the SAST docs

- Rearrange to look like the DAST docs
- Replace with new SAST image

doc/ci/examples/sast.md

@@ -9,10 +9,12 @@ This example shows how to run
 on your project's source code by using GitLab CI/CD.
 
 First, you need GitLab Runner with [docker-in-docker executor](https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-executor).
- You can then add a new job to `.gitlab-ci.yml`,
- called `sast`:
+You can then add a new job to `.gitlab-ci.yml`, called `sast`:
 
 ```yaml
+before_script:
+  - *functions
+
 sast:
   image: docker:latest
   variables:
@@ -26,8 +28,8 @@ sast:
   artifacts:
     paths: [gl-sast-report.json]
 
-.auto_devops: &auto_devops |
-  # Auto DevOps variables and functions
+.functions: &functions |
+  # Variables and functions
 
   function setup_docker() {
     if ! docker info &>/dev/null; then
@@ -48,25 +50,16 @@ sast:
                    "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
         ;;
       *)
-        echo "GitLab EE is required"
+        echo "GitLab Enterprise Edition is required"
         ;;
     esac
   }
-
-before_script:
-  - *auto_devop
 ```
 
-Please check the [Auto-DevOps template](https://gitlab.com/gitlab-org/gitlab-ci-yml/blob/master/Auto-DevOps.gitlab-ci.yml) for full reference.
-
-Behind the scenes, the [GitLab SAST Docker image](https://gitlab.com/gitlab-org/security-products/sast)
-is used to detect the languages/frameworks and in turn runs the matching scan tools.
-
-Some security scanners require to send a list of project dependencies to GitLab central servers to check for vulnerabilities. To learn more about this or to disable it please
-check [GitLab SAST documentation](https://gitlab.com/gitlab-org/security-products/sast#remote-checks).
-
 The above example will create a `sast` job in your CI pipeline and will allow
-you to download and analyze the report artifact in JSON format.
+you to download and analyze the report artifact in JSON format. Check the
+[Auto-DevOps template](https://gitlab.com/gitlab-org/gitlab-ci-yml/blob/master/Auto-DevOps.gitlab-ci.yml)
+for a full reference.
 
 The results are sorted by the priority of the vulnerability:
 
@@ -76,6 +69,13 @@ The results are sorted by the priority of the vulnerability:
 1. Unknown
 1. Everything else
 
+Behind the scenes, the [GitLab SAST Docker image](https://gitlab.com/gitlab-org/security-products/sast)
+is used to detect the languages/frameworks and in turn runs the matching scan tools.
+
+Some security scanners require to send a list of project dependencies to GitLab
+central servers to check for vulnerabilities. To learn more about this or to
+disable it, check the [GitLab SAST tool documentation](https://gitlab.com/gitlab-org/security-products/sast#remote-checks).
+
 TIP: **Tip:**
 Starting with [GitLab Ultimate][ee] 10.3, this information will
 be automatically extracted and shown right in the merge request widget. To do

doc/user/project/merge_requests/dast.md

@@ -40,7 +40,7 @@ prerequisites:
   you try to also include other files, it will break the vulnerability display
   in the merge request.
 
-The `sast` job will perform an analysis on the running web application, the
+The `dast` job will perform an analysis on the running web application, the
 resulting JSON file will be uploaded as an artifact, and GitLab will then check
 this file and show the information inside the merge request.
 

doc/user/project/merge_requests/sast.md

@@ -11,9 +11,7 @@ by implicitly using [Auto SAST](../../../topics/autodevops/index.md#auto-sast)
 that is provided by [Auto DevOps](../../../topics/autodevops/index.md).
 
 Going a step further, GitLab can show the vulnerability list right in the merge
-request widget area:
-
-![SAST Widget](img/sast.png)
+request widget area.
 
 ## Use cases
 
@@ -25,7 +23,7 @@ request widget area:
 
 ## Supported languages and frameworks
 
-The following languages and frameworks are supported:
+The following languages and frameworks are supported.
 
 | Language (package managers) / framework | Scan tool |
 | ---------------------- | --------- |
@@ -38,17 +36,21 @@ The following languages and frameworks are supported:
 
 ## How it works
 
-In order for the report to show in the merge request, you need to specify a
-`sast` job (exact name) that will analyze the code and upload the resulting
-`gl-sast-report.json` file as an artifact. GitLab will then check this file and
-show the information inside the merge request.
+First of all, you need to define a job named `sast` in your `.gitlab-ci.yml`
+file. [Check how the `sast` job should look like][cc-docs].
+
+In order for the report to show in the merge request, there are two
+prerequisites:
+
+- the specified job **must** be named `sast`
+- the resulting report **must** be named `gl-sast-report.json` and uploaded as
+  an artifact
 
-This JSON file needs to be the only artifact file for the job. If you try
-to also include other files, it will break the vulnerability display in the
-merge request.
+The `sast` job will perform an analysis on the running web application, the
+resulting JSON file will be uploaded as an artifact, and GitLab will then check
+this file and show the information inside the merge request.
 
-For more information on how the `sast` job should look like, check the
-[example on analyzing a project's code for vulnerabilities][cc-docs].
+![SAST Widget](img/gemnasium.png)
 
 [ee-3775]: https://gitlab.com/gitlab-org/gitlab-ee/issues/3775
 [ee]: https://about.gitlab.com/products/

doc/user/project/merge_requests/sast_docker.md

@@ -11,7 +11,7 @@ a Vulnerability Static Analysis tool for containers.
 Going a step further, GitLab can show the vulnerability list right in the merge
 request widget area.
 
-![SAST Widget](img/sast-image.png)
+![SAST Docker Widget](img/sast_docker.png)
 
 ## Use cases