Commit b3e18f18 authored by Nick Gaskill's avatar Nick Gaskill

Merge branch 'sam-update-cs-docs' into 'master'

Update and clarify scan execution policies

See merge request gitlab-org/gitlab!80772
parents 4db2ea4b ca4f6224
...@@ -456,28 +456,24 @@ GitLab provides two methods of accomplishing this, each with advantages and disa ...@@ -456,28 +456,24 @@ GitLab provides two methods of accomplishing this, each with advantages and disa
- [Compliance framework pipelines](../project/settings/#compliance-pipeline-configuration) - [Compliance framework pipelines](../project/settings/#compliance-pipeline-configuration)
are recommended when: are recommended when:
- Scan execution enforcement is required for SAST IaC, Container Scanning, Dependency Scanning, - Scan execution enforcement is required for SAST IaC, Dependency Scanning,
License Compliance, API Fuzzing, or Coverage-guided Fuzzing. License Compliance, API Fuzzing, or Coverage-guided Fuzzing.
- Scan execution enforcement of SAST or Secret Detection when customization of the default scan
variables is required.
- Scan execution enforcement is required for scanners external to GitLab. - Scan execution enforcement is required for scanners external to GitLab.
- Enforced execution is required for custom jobs other than security scans. - Enforced execution is required for custom jobs other than security scans.
- [Scan execution policies](policies/#scan-execution-policies) - [Scan execution policies](policies/scan-execution-policies.md)
are recommended when: are recommended when:
- Scan execution enforcement is required for DAST. - Scan execution enforcement is required for DAST, SAST, Secret Detection, or Container Scanning.
- Scan execution enforcement is required for SAST or Secret Detection with the default scan
variables.
- Scans are required to run on a regular, scheduled cadence. - Scans are required to run on a regular, scheduled cadence.
Additional details about the differences between the two solutions are outlined below: Additional details about the differences between the two solutions are outlined below:
| | Compliance Framework Pipelines | Scan Execution Policies | | | Compliance Framework Pipelines | Scan Execution Policies |
| ------ | ------ | ------ | | ------ | ------ | ------ |
| **Flexibility** | Supports anything that can be done in a CI file. | Limited to only the items for which GitLab has explicitly added support. DAST, SAST, and Secret Detection scans are supported. | | **Flexibility** | Supports anything that can be done in a CI file. | Limited to only the items for which GitLab has explicitly added support. DAST, SAST, Secret Detection, and Container Scanning scans are supported. |
| **Usability** | Requires knowledge of CI YAML. | Follows a `rules` and `actions`-based YAML structure. | | **Usability** | Requires knowledge of CI YAML. | Follows a `rules` and `actions`-based YAML structure. |
| **Inclusion in CI pipeline** | The compliance pipeline is executed instead of the project's `gitlab-ci.yml` file. To include the project's `gitlab-ci.yml` file, use an `include` statement. Defined variables aren't allowed to be overwritten by the included project's YAML file. | Forced inclusion of a new job into the CI pipeline. DAST jobs that must be customized on a per-project basis can have project-level Site Profiles and Scan Profiles defined. To ensure separation of duties, these profiles are immutable when referenced in a scan execution policy. | | **Inclusion in CI pipeline** | The compliance pipeline is executed instead of the project's `gitlab-ci.yml` file. To include the project's `gitlab-ci.yml` file, use an `include` statement. Defined variables aren't allowed to be overwritten by the included project's YAML file. | Forced inclusion of a new job into the CI pipeline. DAST jobs that must be customized on a per-project basis can have project-level Site Profiles and Scan Profiles defined. To ensure separation of duties, these profiles are immutable when referenced in a scan execution policy. All jobs can be customized as part of the security policy itself with the same variables that are normally available to the CI job. |
| **Schedulable** | Can be scheduled through a scheduled pipeline on the group. | Can be scheduled natively through the policy configuration itself. | | **Schedulable** | Can be scheduled through a scheduled pipeline on the group. | Can be scheduled natively through the policy configuration itself. |
| **Separation of Duties** | Only group owners can create compliance framework labels. Only project owners can apply compliance framework labels to projects. The ability to make or approve changes to the compliance pipeline definition is limited to individuals who are explicitly given access to the project that contains the compliance pipeline. | Only project owners can define a linked security policy project. The ability to make or approve changes to security policies is limited to individuals who are explicitly given access to the security policy project. | | **Separation of Duties** | Only group owners can create compliance framework labels. Only project owners can apply compliance framework labels to projects. The ability to make or approve changes to the compliance pipeline definition is limited to individuals who are explicitly given access to the project that contains the compliance pipeline. | Only project owners can define a linked security policy project. The ability to make or approve changes to security policies is limited to individuals who are explicitly given access to the security policy project. |
| **Ability to apply one standard to multiple projects** | The same compliance framework label can be applied to multiple projects inside a group. | The same security policy project can be used for multiple projects across GitLab with no requirement of being located in the same group. | | **Ability to apply one standard to multiple projects** | The same compliance framework label can be applied to multiple projects inside a group. | The same security policy project can be used for multiple projects across GitLab with no requirement of being located in the same group. |
......
...@@ -101,7 +101,7 @@ rule in the defined policy are met. ...@@ -101,7 +101,7 @@ rule in the defined policy are met.
| `scan` | `string` | `dast`, `secret_detection`, `sast`, `container_scanning`, `cluster_image_scanning` | The action's type. | | `scan` | `string` | `dast`, `secret_detection`, `sast`, `container_scanning`, `cluster_image_scanning` | The action's type. |
| `site_profile` | `string` | Name of the selected [DAST site profile](../dast/index.md#site-profile). | The DAST site profile to execute the DAST scan. This field should only be set if `scan` type is `dast`. | | `site_profile` | `string` | Name of the selected [DAST site profile](../dast/index.md#site-profile). | The DAST site profile to execute the DAST scan. This field should only be set if `scan` type is `dast`. |
| `scanner_profile` | `string` or `null` | Name of the selected [DAST scanner profile](../dast/index.md#scanner-profile). | The DAST scanner profile to execute the DAST scan. This field should only be set if `scan` type is `dast`.| | `scanner_profile` | `string` or `null` | Name of the selected [DAST scanner profile](../dast/index.md#scanner-profile). | The DAST scanner profile to execute the DAST scan. This field should only be set if `scan` type is `dast`.|
| `variables` | `object` | | Set of variables applied and enforced for the selected scan. The object's key is the variable name with a value provided as a string. | | `variables` | `object` | | A set of CI variables, supplied as an array of `key: value` pairs, to apply and enforce for the selected scan. The `key` is the variable name, with its `value` provided as a string. This parameter supports any variable that the GitLab CI job supports for the specified scan. |
Note the following: Note the following:
......
...@@ -93,7 +93,7 @@ executed in place of the local project's `gitlab-ci.yml` file. As part of this p ...@@ -93,7 +93,7 @@ executed in place of the local project's `gitlab-ci.yml` file. As part of this p
files are merged together any time the pipeline runs. Jobs and variables defined in the compliance files are merged together any time the pipeline runs. Jobs and variables defined in the compliance
pipeline can't be changed by variables in the local project's `gitlab-ci.yml` file. pipeline can't be changed by variables in the local project's `gitlab-ci.yml` file.
When used to enforce scan execution, this feature has some overlap with [scan execution policies](../../application_security/policies/#scan-execution-policies), When used to enforce scan execution, this feature has some overlap with [scan execution policies](../../application_security/policies/scan-execution-policies.md),
as we have not [unified the user experience for these two features](https://gitlab.com/groups/gitlab-org/-/epics/7312). as we have not [unified the user experience for these two features](https://gitlab.com/groups/gitlab-org/-/epics/7312).
For details on the similarities and differences between these features, see For details on the similarities and differences between these features, see
[Enforce scan execution](../../application_security/#enforce-scan-execution). [Enforce scan execution](../../application_security/#enforce-scan-execution).
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment