Commit 9235dcd5 authored by Achilleas Pipinellis's avatar Achilleas Pipinellis

Merge branch 'docs/new-sec-dashboard' into 'master'

Copy and merge the existing security dashboard docs to a new location

Closes #10760

See merge request gitlab-org/gitlab-ee!10797
parents bf13694d e39a04a9
...@@ -193,3 +193,14 @@ Alternatively, the job name could be `sast:container` ...@@ -193,3 +193,14 @@ Alternatively, the job name could be `sast:container`
and the artifact name could be `gl-sast-container-report.json`. and the artifact name could be `gl-sast-container-report.json`.
These names have been deprecated with GitLab 11.0 These names have been deprecated with GitLab 11.0
and may be removed in the next major release, GitLab 12.0. and may be removed in the next major release, GitLab 12.0.
## Security Dashboard
The Security Dashboard is a good place to get an overview of all the security
vulnerabilities in your groups and projects. Read more about the
[Security Dashboard](../security_dashboard/index.md).
## Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to
[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
...@@ -235,3 +235,14 @@ dast: ...@@ -235,3 +235,14 @@ dast:
artifacts: artifacts:
paths: [gl-dast-report.json] paths: [gl-dast-report.json]
``` ```
## Security Dashboard
The Security Dashboard is a good place to get an overview of all the security
vulnerabilities in your groups and projects. Read more about the
[Security Dashboard](../security_dashboard/index.md).
## Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to
[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
...@@ -211,3 +211,14 @@ dependency_scanning: ...@@ -211,3 +211,14 @@ dependency_scanning:
artifacts: artifacts:
paths: [gl-dependency-scanning-report.json] paths: [gl-dependency-scanning-report.json]
``` ```
## Security Dashboard
The Security Dashboard is a good place to get an overview of all the security
vulnerabilities in your groups and projects. Read more about the
[Security Dashboard](../security_dashboard/index.md).
## Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to
[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
---
is_hidden: true
---
# GitLab Secure **[ULTIMATE]**
Check your application for security vulnerabilities that may lead to unauthorized access,
data leaks, and denial of services. GitLab will perform static and dynamic tests on the
code of your application, looking for known flaws and report them in the merge request
so you can fix them before merging. Security teams can use dashboards to get a
high-level view on projects and groups, and start remediation processes when needed.
## Security scanning tools
GitLab can scan and report any vulnerabilities found in your project.
| Secure scanning tools | Description |
|:-----------------------------------------------------------------------------|:-----------------------------------------------------------------------|
| [Container Scanning](container_scanning/index.md) **[ULTIMATE]** | Scan Docker containers for known vulnerabilities. |
| [Dependency Scanning](dependency_scanning/index.md) **[ULTIMATE]** | Analyze your dependencies for known vulnerabilities. |
| [Dynamic Application Security Testing (DAST)](dast/index.md) **[ULTIMATE]** | Analyze running web applications for known vulnerabilities. |
| [License Management](license_management/index.md) **[ULTIMATE]** | Search your project's dependencies for their licenses. |
| [Security Dashboard](security_dashboard/index.md) **[ULTIMATE]** | View vulnerabilities in all your projects and groups. |
| [Static Application Security Testing (SAST)](sast/index.md) **[ULTIMATE]** | Analyze source code for known vulnerabilities. |
## Interacting with the vulnerabilities
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing) 10.8.
CAUTION: **Warning:**
This feature is currently [Alpha](https://about.gitlab.com/handbook/product/#alpha-beta-ga) and while you can start using it, it may receive important changes in the future.
Each security vulnerability in the merge request report or the
[Security Dashboard](security_dashboard/index.md) is actionable. Clicking on an
entry, a detailed information will pop up with different possible options:
- [Dismiss vulnerability](#dismissing-a-vulnerability): Dismissing a vulnerability
will place a <s>strikethrough</s> styling on it.
- [Create issue](#creating-an-issue-for-a-vulnerability): The new issue will
have the title and description pre-populated with the information from the
vulnerability report and will be created as [confidential](../project/issues/confidential_issues.md) by default.
- [Solution](#solutions-for-vulnerabilities): For some vulnerabilities
([Dependency Scanning](dependency_scanning/index.md) and [Container Scanning](container_scanning/index.md))
a solution is provided for how to fix the vulnerability.
![Interacting with security reports](img/interactive_reports.png)
### Dismissing a vulnerability
You can dismiss vulnerabilities by clicking the **Dismiss vulnerability** button.
This will dismiss the vulnerability and re-render it to reflect its dismissed state.
If you wish to undo this dismissal, you can click the **Undo dismiss** button.
### Creating an issue for a vulnerability
You can create an issue for a vulnerability by selecting the **Create issue**
button from within the vulnerability modal or using the action buttons to the right of
a vulnerability row when in the group security dashboard.
This will create a [confidential issue](../project/issues/confidential_issues.md)
on the project this vulnerability came from and pre-fill it with some useful
information taken from the vulnerability report. Once the issue is created, you
will be redirected to it so you can edit, assign, or comment on it.
Upon returning to the group security dashboard, you'll see that
the vulnerability will now have an associated issue next to the name.
![Linked issue in the group security dashboard](img/issue.png)
### Solutions for vulnerabilities
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing) 11.7.
CAUTION: **Warning:**
Automatic Patch creation is only available for a subset of
[Dependency Scanning](dependency_scanning/index.md). At the moment only Node.JS
projects managed with yarn are supported.
Some vulnerabilities can be fixed by applying the solution that GitLab
automatically generates.
#### Manually applying the suggested patch
Some vulnerabilities can be fixed by applying a patch that is automatically
generated by GitLab. To apply the fix:
1. Click on the vulnerability.
1. Download and review the patch file `remediation.patch`.
2. Ensure your local project has the same commit checked out that was used to generate the patch.
3. Run `git apply remediation.patch`.
4. Verify and commit the changes to your branch.
![Apply patch for dependency scanning](img/vulnerability_solution.png)
#### Creating a merge request from a vulnerability
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/9224) in
[GitLab Ultimate](https://about.gitlab.com/pricing) 11.9.
In certain cases, GitLab will allow you to create a merge request that will
automatically remediate the vulnerability. Any vulnerability that has a
[solution](#solutions-for-vulnerabilities) can have a merge request created to
automatically solve the issue.
If this action is available there will be a **Create merge request** button in the vulnerability modal.
Clicking on this button will create a merge request to apply the solution onto the source branch.
![Create merge request from vulnerability](img/create_issue_with_list_hover.png)
...@@ -243,3 +243,14 @@ Visit any pipeline page which has a `sast` job and you will be able to see ...@@ -243,3 +243,14 @@ Visit any pipeline page which has a `sast` job and you will be able to see
the security report tab with the listed vulnerabilities (if any). the security report tab with the listed vulnerabilities (if any).
![Security Report](img/security_report.png) ![Security Report](img/security_report.png)
## Security Dashboard
The Security Dashboard is a good place to get an overview of all the security
vulnerabilities in your groups and projects. Read more about the
[Security Dashboard](../security_dashboard/index.md).
## Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to
[interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
---
is_hidden: true
---
# GitLab Security Dashboard **[ULTIMATE]**
The Security Dashboard is a good place to get an overview of all the security
vulnerabilities in your groups and projects.
You can also drill down into a vulnerability and get extra information, see which
project it comes from, the file it's in, and various metadata to help you analyze
the risk. You can also action these vulnerabilities by creating an issue for them,
or by dismissing them.
To benefit from the Security Dashboard you must first configure one of the
[security reports](../index.md).
## Supported reports
The Security Dashboard supports the following reports:
- [Container Scanning](../container_scanning/index.md)
- [DAST](../dast/index.md)
- [Dependency Scanning](../dependency_scanning/index.md)
- [SAST](../sast/index.md)
## Requirements
To use the project or group security dashboard:
1. At least one project inside a group must be configured with at least one of
the [supported reports](#supported-reports).
2. The configured jobs must use the [new `reports` syntax](../../../ci/yaml/README.md#artifactsreports).
3. [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 or newer must be used.
If you're using the shared Runners on GitLab.com, this is already the case.
## Project Security Dashboard
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/6165) in [GitLab Ultimate](https://about.gitlab.com/pricing) 11.1.
At the project level, the Security Dashboard displays the latest security reports
for your project. Use it to find and fix vulnerabilities affecting the
[default branch](../../project/repository/branches/index.md#default-branch).
![Project Security Dashboard](img/project_security_dashboard.png)
## Group Security Dashboard
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/6709) in
[GitLab Ultimate](https://about.gitlab.com/pricing) 11.5.
The group Security Dashboard gives an overview of the vulnerabilities of all the
projects in a group and its subgroups.
First, navigate to the Security Dashboard found under your group's
**Overview > Security Dashboard**.
Once you're on the dashboard, at the top you should see a series of filters for:
- Severity
- Report type
- Project
![dashboard with action buttons and metrics](img/dashboard.png)
Selecting one or more filters will filter the results in this page.
The first section is an overview of all the vulnerabilities, grouped by severity.
Underneath this overview is a timeline chart that shows how many open
vulnerabilities your projects had at various points in time. You can filter among 30, 60, and
90 days, with the default being 90. Hover over the chart to get more details about
the open vulnerabilities at a specific time.
Finally, there is a list of all the vulnerabilities in the group, sorted by severity.
In that list, you can see the severity of the vulnerability, its name, its
confidence (likelihood of the vulnerability to be a positive one), and the project
it's from.
If you hover over a row, there will appear some actions you can take:
- "More info"
- "Create issue"
- "Dismiss vulnerability"
Read more on how to [interact with the vulnerabilities](../index.md#interacting-with-the-vulnerabilities).
## Keeping the dashboards up to date
The Security Dashboard displays information from the results of the most recent
security scan on the [default branch](../../project/repository/branches/index.md#default-branch),
which means that security scans are performed every time the branch is updated.
If the default branch is updated infrequently, scans are run infrequently and the
information on the Security Dashboard can become outdated as new vulnerabilities
are discovered.
To ensure the information on the Security Dashboard is regularly updated,
[configure a scheduled pipeline](../../project/pipelines/schedules.md) to run a
daily security scan. This will update the information displayed on the Security
Dashboard regardless of how often the default branch is updated.
That way, reports are created even if no code change happens.
## Security scans using Auto DevOps
When using [Auto DevOps](../../../topics/autodevops/index.md), use
[special environment variables](../../../topics/autodevops/index.md#environment-variables)
to configure daily security scans.
---
is_hidden: true
---
# GitLab Secure
Check your application for security vulnerabilities that may lead to unauthorized access,
data leaks, and denial of services. GitLab will perform static and dynamic tests on the
code of your application, looking for known flaws and report them in the merge request
so you can fix them before merging. Security teams can use dashboards to get a
high-level view on projects and groups, and start remediation processes when needed.
The following documentation relates to the DevOps **Secure** stage:
| Secure topics | Description |
|:------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------|
| [Container Scanning](container_scanning/index.md) **[ULTIMATE]** | Use Clair to scan docker images for known vulnerabilities. |
| [Dependency Scanning](dependency_scanning/index.md) **[ULTIMATE]** | Analyze your dependencies for known vulnerabilities. |
| [Dynamic Application Security Testing (DAST)](dast/index.md) **[ULTIMATE]** | Analyze running web applications for known vulnerabilities. |
| [Group Security Dashboard](../group/security_dashboard/index.md) **[ULTIMATE]** | View vulnerabilities in all the projects in a group and its subgroups. |
| [License Management](license_management/index.md) **[ULTIMATE]** | Search your project's dependencies for their licenses. |
| [Project Security Dashboard](../project/security_dashboard.md) **[ULTIMATE]** | View the latest security reports for your project. |
| [Static Application Security Testing (SAST)](sast/index.md) **[ULTIMATE]** | Analyze source code for known vulnerabilities. |
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment