- Jobs suffixed with `-sast` run static analysis on the current code to check for potential
- Jobs suffixed with `-sast` run static analysis on the current code to check for potential
security issues, and are allowed to fail ([Auto SAST](stages.md#auto-sast-ultimate)) **(ULTIMATE)**
security issues, and are allowed to fail ([Auto SAST](stages.md#auto-sast-ultimate)) **(ULTIMATE)**
- The `secret-detection` job checks for leaked secrets and is allowed to fail ([Auto Secret Detection](stages.md#auto-secret-detection-ultimate)) **(ULTIMATE)**
- The `license_management` job searches the application's dependencies to determine each of their
- The `license_management` job searches the application's dependencies to determine each of their
To learn more about [how SAST works](../../user/application_security/sast/index.md),
To learn more about [how SAST works](../../user/application_security/sast/index.md),
see the documentation.
see the documentation.
## Auto Secret Detection **(ULTIMATE)**
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
Secret Detection uses the
[Secret Detection Docker image](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) to run Secret Detection on the current code, and checks for leaked secrets. The
Auto Secret Detection stage runs only on the
[Ultimate](https://about.gitlab.com/pricing/) tier, and requires
[GitLab Runner](https://docs.gitlab.com/runner/) 11.5 or above.
After creating the report, it's uploaded as an artifact which you can later
download and evaluate. The merge request widget also displays any security
warnings.
To learn more, see [Secret Detection](../../user/application_security/secret_detection/index.md).
## Auto Dependency Scanning **(ULTIMATE)**
## Auto Dependency Scanning **(ULTIMATE)**
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.7.
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.7.
While you cannot directly customize Auto DevOps, you can [include the Auto DevOps template in your project's `.gitlab-ci.yml` file](../../topics/autodevops/customize.md#customizing-gitlab-ciyml).
## Maintenance and update of the vulnerabilities database
## Maintenance and update of the vulnerabilities database
The scanning tools and vulnerabilities database are updated regularly.
The scanning tools and vulnerabilities database are updated regularly.
@@ -50,6 +50,10 @@ with a dollar sign (`$`) as this likely indicates the password being used is an
...
@@ -50,6 +50,10 @@ with a dollar sign (`$`) as this likely indicates the password being used is an
variable. For example, `https://username:$password@example.com/path/to/repo` won't be
variable. For example, `https://username:$password@example.com/path/to/repo` won't be
detected, whereas `https://username:password@example.com/path/to/repo` would be detected.
detected, whereas `https://username:password@example.com/path/to/repo` would be detected.
NOTE: **Note:**
You don't have to configure Secret Detection manually as shown in this section if you're using [Auto Secret Detection](../../../topics/autodevops/stages.md#auto-secret-detection-ultimate)
provided by [Auto DevOps](../../../topics/autodevops/index.md).
## Full History Secret Scan
## Full History Secret Scan
GitLab 12.11 introduced support for scanning the full history of a repository. This new functionality
GitLab 12.11 introduced support for scanning the full history of a repository. This new functionality
