Security Configuration
- Introduced in GitLab 12.6.
- SAST configuration was enabled in 13.3 and improved in 13.4.
- DAST Profiles feature was introduced in 13.4.
- A simplified version was made available in all tiers in GitLab 13.10.
- Redesigned in 14.2.
The Security Configuration page lists the following for the security testing and compliance tools:
- Name, description, and a documentation link.
- Whether or not it is available.
- A configuration button or a link to its configuration guide.
To determine the status of each security control, GitLab checks for a CI/CD pipeline in the most recent commit on the default branch.
If GitLab finds a CI/CD pipeline, then it inspects each job in the .gitlab-ci.yml file.
- If a job defines an artifacts:reports keyword for a security scanner, then GitLab considers the security scanner enabled and shows the Enabled status.
- If no jobs define an artifacts:reports keyword for a security scanner, then GitLab considers the security scanner disabled and shows the Not enabled status.
If GitLab does not find a CI/CD pipeline, then it considers all security scanners disabled and shows the Not enabled status.
Failed pipelines and jobs are included in this process. If a scanner is configured but the job fails, that scanner is still considered enabled. This process also determines the scanners and statuses returned through the API.
If the latest pipeline uses Auto DevOps, all security features are configured by default.
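The status logic described above, as an added example that is not GitLab's own code: it takes a .gitlab-ci.yml that has already been parsed into a dict (for instance with PyYAML, after any include: templates have been expanded) and reports Enabled or Not enabled per scanner purely from which artifacts:reports keys the jobs declare. The scanner-to-report mapping and the list of reserved top-level keys are this example's assumptions (the report names are the standard GitLab ones); the sample config is constructed. Passing None models the case where the latest default-branch commit has no pipeline, and job success or failure plays no role, matching the page.

```python
from typing import Dict, Optional

# Assumed mapping from each control on the Security Configuration page to the
# artifacts:reports keyword its scanner job declares.
SCANNER_REPORTS = {
    "SAST": "sast",
    "DAST": "dast",
    "Dependency Scanning": "dependency_scanning",
    "Container Scanning": "container_scanning",
    "Secret Detection": "secret_detection",
    "API Fuzzing": "api_fuzzing",
    "Coverage Fuzzing": "coverage_fuzzing",
    "License Compliance": "license_scanning",
}

# Top-level keys of .gitlab-ci.yml that are not jobs (assumed, not exhaustive).
RESERVED_KEYS = {"stages", "include", "variables", "default", "image",
                 "workflow", "services", "cache", "before_script", "after_script"}


def jobs_in(config: dict) -> Dict[str, dict]:
    """Return the job definitions in a parsed .gitlab-ci.yml.
    Keys starting with '.' are hidden templates and never become pipeline jobs."""
    return {name: body for name, body in config.items()
            if name not in RESERVED_KEYS
            and not name.startswith(".")
            and isinstance(body, dict)}


def reports_declared(job: dict) -> set:
    """The artifacts:reports keys a single job declares (empty if none)."""
    reports = (job.get("artifacts") or {}).get("reports") or {}
    return set(reports.keys()) if isinstance(reports, dict) else set()


def scanner_statuses(config: Optional[dict]) -> Dict[str, str]:
    """Status per scanner, derived only from the pipeline configuration.
    config=None means no pipeline was found on the latest default-branch
    commit, so every scanner is Not enabled. Whether a job passed or failed
    is irrelevant: a failing job that declares the report still counts."""
    if config is None:
        return {scanner: "Not enabled" for scanner in SCANNER_REPORTS}
    declared = set()
    for job in jobs_in(config).values():
        declared |= reports_declared(job)
    return {scanner: ("Enabled" if report in declared else "Not enabled")
            for scanner, report in SCANNER_REPORTS.items()}


# Constructed sample: parsed form of a .gitlab-ci.yml that runs SAST and
# Secret Detection, carries a hidden DAST template that never runs, and a
# unit-test job whose junit report is not a security report.
SAMPLE_CONFIG = {
    "stages": ["test"],
    "semgrep-sast": {
        "stage": "test", "script": ["/analyzer run"],
        "artifacts": {"reports": {"sast": "gl-sast-report.json"}},
    },
    "secret_detection": {
        "stage": "test", "script": ["/analyzer run"],
        "artifacts": {"reports": {"secret_detection": "gl-secret-detection-report.json"}},
    },
    ".dast-template": {
        "artifacts": {"reports": {"dast": "gl-dast-report.json"}},
    },
    "unit-tests": {
        "stage": "test", "script": ["pytest"],
        "artifacts": {"reports": {"junit": "report.xml"}},
    },
}

if __name__ == "__main__":
    for scanner, status in scanner_statuses(SAMPLE_CONFIG).items():
        print(f"{scanner:22} {status}")
```

Running it shows SAST and Secret Detection as Enabled and everything else as Not enabled; the hidden .dast-template is skipped because it is not a job, which is why a commented-out or template-only scanner still reads Not enabled on the page.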
To view a project’s security configuration:
- On the top bar, select Main menu > Projects and find your project.
- On the left sidebar, select Security & Compliance > Configuration.
Select Configuration history to see the .gitlab-ci.yml file’s history.
Security testing
You can configure the following security controls:
- Static Application Security Testing (SAST)
  - Select Enable SAST to configure SAST for the current project. For more details, read Configure SAST in the UI.
- Dynamic Application Security Testing (DAST)
  - Select Enable DAST to configure DAST for the current project.
  - Select Manage scans to manage the saved DAST scans, site profiles, and scanner profiles. For more details, read DAST on-demand scans.
- Dependency Scanning
  - Select Configure with a merge request to create a merge request with the changes required to enable Dependency Scanning. For more details, see Enable Dependency Scanning via an automatic merge request.
- Container Scanning
  - Select Configure with a merge request to create a merge request with the changes required to enable Container Scanning. For more details, see Enable Container Scanning through an automatic merge request.
- Operational Container Scanning
  - Can be configured by adding a configuration block to your agent configuration. For more details, read Operational Container Scanning.
- Secret Detection
  - Select Configure with a merge request to create a merge request with the changes required to enable Secret Detection. For more details, read Use an automatically configured merge request.
- API Fuzzing
  - Select Enable API Fuzzing to use API Fuzzing for the current project. For more details, read API Fuzzing.
- Coverage Fuzzing
  - Can be configured with .gitlab-ci.yml. For more details, read Coverage Fuzzing.
Compliance
You can configure the following security controls:
- License Compliance
  - Can be configured with .gitlab-ci.yml. For more details, read License Compliance.
- Security Training
  - Enable Security training for the current project. For more details, read security training.