Commit a7feec2b authored by Russell Dickenson, committed by Marcel Amirault

Document tip to exclude temporary build files' directories

parent a23bc839
......@@ -331,7 +331,7 @@ variables:
If your project requires custom build configurations, it can be preferable to avoid
compilation during your SAST execution and instead pass all job artifacts from an
earlier stage within the pipeline. This is the current strategy when requiring
earlier stage in the pipeline. This is the current strategy when requiring
a `before_script` execution to prepare your scan job.
To pass your project's dependencies as artifacts, the dependencies must be included
......@@ -380,7 +380,10 @@ SAST can be [configured](#customizing-the-sast-settings) using environment varia
#### Logging level
To control the verbosity of logs set the `SECURE_LOG_LEVEL` environment variable. Messages of this logging level or higher are output. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1.
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1.
To control the verbosity of logs, set the `SECURE_LOG_LEVEL` environment variable. Messages of this
logging level or higher are output.
From highest to lowest severity, the logging levels are:
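Review bot: "Messages of this logging level or higher are output" in the rewritten `SECURE_LOG_LEVEL` paragraph leaves "higher" ambiguous, because the next sentence orders the levels "from highest to lowest severity" and a reader can take "higher" as either more severe or more verbose. Suggest "Messages of this severity or higher are output" so the sentence matches the ordering of the list that follows.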
......@@ -393,7 +396,7 @@ From highest to lowest severity, the logging levels are:
#### Custom Certificate Authority
To trust a custom Certificate Authority, set the `ADDITIONAL_CA_CERT_BUNDLE` variable to the bundle
of CA certs that you want to trust within the SAST environment.
of CA certs that you want to trust in the SAST environment.
#### Docker images
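Review bot: the `ADDITIONAL_CA_CERT_BUNDLE` sentence still does not say what form the value takes. "Set the variable to the bundle of CA certs" can be read as either the certificate text itself or a path to a bundle file. Since this line is being touched anyway, consider stating the expected format in the same sentence.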
......@@ -411,7 +414,7 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre
| Environment variable | Default value | Description |
|-------------------------------|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `SAST_EXCLUDED_PATHS` | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories also match patterns. |
| `SAST_EXCLUDED_PATHS` | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories also match patterns. You might need to exclude temporary directories used by your build tool as these can generate false positives. |
| `SEARCH_MAX_DEPTH` | 4 | SAST searches the repository to detect the programming languages used, and selects the matching analyzers. Set the value of `SEARCH_MAX_DEPTH` to specify how many directory levels the search phase should span. After the analyzers have been selected, the _entire_ repository is analyzed. |
| `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'` |
| `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. |
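Review bot: the sentence added to the `SAST_EXCLUDED_PATHS` description gives the tip without an example and without saying how a custom value interacts with the default `spec, test, tests, tmp`. A reader who sets the variable to their build directory needs to know whether the default entries must be repeated, so suggest stating whether a custom value replaces or extends the default and naming one typical build directory. Because the row says "Parent directories also match patterns" and the variable excludes findings from output, it is also worth a short caution to keep patterns narrow so findings in real source are not suppressed. Minor: add a comma before "as these can generate false positives".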
......@@ -458,9 +461,14 @@ analyzer containers: `DOCKER_`, `CI`, `GITLAB_`, `FF_`, `HOME`, `PWD`, `OLDPWD`,
### Experimental features
Receive early access to experimental features.
You can receive early access to experimental features. Experimental features might be added,
removed, or promoted to regular features at any time.
Experimental features available are:
- Enable scanning of iOS and Android apps using the [MobSF analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/).
Currently, this enables scanning of iOS and Android apps via the [MobSF analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/).
#### Enable experimental features
To enable experimental features, add the following to your `.gitlab-ci.yml` file:
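Review bot: the new bullet under "Experimental features available are:" is phrased as an instruction ("Enable scanning of iOS and Android apps using the MobSF analyzer") and sits directly above the "Enable experimental features" heading, so it reads like a step rather than a feature name. Suggest a noun phrase such as "Scanning of iOS and Android apps using the MobSF analyzer", which also keeps the list consistent when more entries are added.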
......@@ -572,7 +580,7 @@ Once a vulnerability is found, you can interact with it. Read more on how to
## Vulnerabilities database
Vulnerabilities contained within the vulnerability database can be searched
Vulnerabilities contained in the vulnerability database can be searched
and viewed at the [GitLab vulnerability advisory database](https://advisories.gitlab.com).
### Vulnerabilities database update
......