Security Configuration

Version history

The Security Configuration page lists the following for the security testing and compliance tools:

  • Name, description, and a documentation link.
  • Whether or not it is available.
  • A configuration button or a link to its configuration guide.

To determine the status of each security control, GitLab checks for a CI/CD pipeline in the most recent commit on the default branch.

If GitLab finds a CI/CD pipeline, then it inspects each job in the .gitlab-ci.yml file.

  • If a job defines an artifacts:reports keyword for a security scanner, then GitLab considers the security scanner enabled and shows the Enabled status.
  • If no jobs define an artifacts:reports keyword for a security scanner, then GitLab considers the security scanner disabled and shows the Not enabled status.

If GitLab does not find a CI/CD pipeline, then it considers all security scanners disabled and shows the Not enabled status.

Failed pipelines and jobs are included in this process. If a scanner is configured but the job fails, that scanner is still considered enabled. This process also determines the scanners and statuses returned through the API.

If the latest pipeline uses Auto DevOps, all security features are configured by default.

To view a project’s security configuration:

  1. On the top bar, select Main menu > Projects and find your project.
  2. On the left sidebar, select Security & Compliance > Configuration.

Select Configuration history to see the .gitlab-ci.yml file’s history.

Security testing

You can configure the following security controls:

Compliance

You can configure the following security controls: