Commit 943ec334 authored by Russell Dickenson, committed by Nick Gaskill

Improve security configuration docs

parent dd2d44cb
......@@ -7,23 +7,37 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Security Configuration **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20711) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.6.
> - SAST configuration was [enabled](https://gitlab.com/groups/gitlab-org/-/epics/3659) in 13.3 and [improved](https://gitlab.com/gitlab-org/gitlab/-/issues/232862) in 13.4.
> - DAST Profiles feature was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40474) in 13.4.
The Security Configuration page displays the configuration state of each security feature in the
current project. The page uses the project's latest default branch [CI pipeline](../../../ci/pipelines/index.md)
to determine each feature's configuration state. If a job with the expected security report artifact
exists in the pipeline, the feature is considered enabled.
The Security Configuration page displays the configuration state of each security control in the
current project.
You can only enable SAST from the Security Configuration page. Documentation links are included for
the other features. For details about configuring SAST, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
To view a project's security configuration, go to the project's home page,
then in the left sidebar, go to **Security & Compliance** > **Configuration**.
## Status
For each security control, the page displays the status and either a management option or a
documentation link.
The status of each security control is determined by the project's latest default branch
[CI pipeline](../../../ci/pipelines/index.md).
If a job with the expected security report artifact exists in the pipeline, the feature's status is
_enabled_.
NOTE: **Note:**
If the latest pipeline used [Auto DevOps](../../../topics/autodevops/index.md),
all security features are configured by default.
## View Security Configuration
## Manage
To view a project's security configuration:
You can configure the following security controls:
1. Go to the project's home page.
1. In the left sidebar, go to **Security & Compliance** > **Configuration**.
- Auto DevOps
- Click **Enable Auto DevOps** to enable it for the current project. For more details, see [Auto DevOps](../../../topics/autodevops/index.md).
- SAST
- Click either **Enable** or **Configure** to use SAST for the current project. For more details, see [Configure SAST in the UI](../sast/index.md#configure-sast-in-the-ui).
- DAST Profiles
- Click **Manage** to manage the available DAST profiles used for on-demand scans. For more details, see [DAST on-demand scans](../dast/index.md#on-demand-scans).
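Review bot: the status rule at `If a job with the expected security report artifact exists in the pipeline, the feature's status is _enabled_.` states only the positive case; consider adding the converse so readers do not mistake the page for a configuration check: a control that is configured in the project's CI file but whose job did not produce the report artifact in the latest default-branch pipeline (job failed, skipped, or not yet run) is shown as not enabled. The Auto DevOps note directly below ("all security features are configured by default") sits slightly at odds with that rule, since configured is not the same as having produced an artifact; tying the note back to the status rule (for example, "are configured, and show as enabled once that pipeline has run") would remove the ambiguity.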
......@@ -367,7 +367,7 @@ dast:
DAST_API_SPECIFICATION: api-specification.yml
```
#### Full scan
#### Full API scan
API scans support full scanning, which can be enabled by using the `DAST_FULL_SCAN_ENABLED`
environment variable. Domain validation is not supported for full API scans.
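Review bot: the heading rename to `#### Full API scan` reads fine, but `Domain validation is not supported for full API scans.` leaves the reader without its consequence; consider stating what the reader loses when domain validation is unavailable and what that implies for choosing the target named in `DAST_API_SPECIFICATION` (a test instance the project is authorized to scan rather than production). Stating the value `DAST_FULL_SCAN_ENABLED` expects would also make the paragraph actionable, since the line says only that the variable is used to enable full scanning.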
......@@ -622,9 +622,10 @@ project dashboard.
### Site profile
An on-demand scan requires a site profile, which includes a profile name and target URL. The profile
name allows you to describe the site to be scanned. The target URL specifies the URL against which
the DAST scan is run.
An on-demand scan requires a site profile, which includes:
- **Profile name**: A name you assign to the site to be scanned.
- **Target URL**: The URL against which the DAST scan runs.
### Run an on-demand scan
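Review bot: the `**Profile name**` bullet omits the uniqueness requirement that the create procedure later in this file states (`Type in a unique **Profile name** and **Target URL**`); adding "unique" here keeps the two descriptions consistent. Converting the paragraph to a list is otherwise a clear improvement.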
......@@ -636,23 +637,31 @@ Running an on-demand scan requires an existing site profile. If a site profile f
doesn't exist, first [create a site profile](#create-a-site-profile). An on-demand DAST scan has
a fixed timeout of 60 seconds.
- Navigate to your project's home page, then click **On-demand Scans** in the left sidebar.
- From your project's home page, go to **Security & Compliance > On-demand Scans** in the left sidebar.
- Click **Create new DAST scan**.
- Select a site profile from the profiles dropdown.
- Click **Run scan**.
#### Create a site profile
- Navigate to your project's home page, then click **On-demand Scans** in the left sidebar.
- Click **Create new DAST scan**.
- Click **New Site Profile**.
- From your project's home page, go to **Security & Compliance > Configuration** in the left sidebar.
- Click **Manage** in the **DAST Profiles** row.
- Click **New Profile > Site Profile**.
- Type in a unique **Profile name** and **Target URL** then click **Save profile**.
#### Edit a site profile
- From your project's home page, go to **Security & Compliance > Configuration** in the left sidebar.
- Click **Manage** in the **DAST Profiles** row.
- Click **Edit** in the row of the profile to edit.
- Edit the **Profile name** and **Target URL** then click **Save profile**.
#### Delete a site profile
- Navigate to your project's home page, then click **On-demand Scans** in the left sidebar.
- Click **Create new DAST scan**.
- Click **Delete** in the matching site profile's row.
- From your project's home page, go to **Security & Compliance > Configuration** in the left sidebar.
- Click **Manage** in the **DAST Profiles** row.
- Click **{remove}** in the row of the profile to delete.
- Click **Delete**.
### Enable or disable On-demand Scans
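Review bot: these four procedures are sequential steps but use `-` bullets, while the procedure in the Security Configuration hunk of this same commit uses a numbered `1.` list; switching these to numbered lists keeps the two pages consistent and makes the confirmation step in the delete flow (`Click **{remove}**` followed by `Click **Delete**`) read as two distinct actions. The run-scan procedure also still says `Select a site profile from the profiles dropdown.` while profile creation has moved to **Security & Compliance > Configuration**; a sentence noting that the dropdown lists the profiles managed on that page would help a reader who arrives at an empty dropdown.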
......@@ -665,8 +674,6 @@ feature flag enabled.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
can disable or enable the feature flags.
#### Enable or disable On-demand Scans
To disable On-demand Scans:
```ruby
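Review bot: the sub-heading `#### Enable or disable On-demand Scans` duplicates the `### Enable or disable On-demand Scans` section heading immediately above it, so whichever of the two this hunk keeps, only one should remain. Since the paragraph says Rails-console administrators can toggle the flags, the `To disable On-demand Scans:` snippet would benefit from a sentence on the scope of that change (whether it affects every project on the instance) so that an administrator understands what the command switches off before running it.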