Add latest changes from gitlab-org/gitlab@master
This commit is contained in:
parent
45ccc5610c
commit
b37467967e
@ -29,6 +29,7 @@ export default {
|
|||
name: 'CommentForm',
|
||||
components: {
|
||||
issueWarning,
|
||||
epicWarning: () => import('ee_component/vue_shared/components/epic/epic_warning.vue'),
|
||||
noteSignedOutWidget,
|
||||
discussionLockedWidget,
|
||||
markdownField,
|
||||
|
@ -60,6 +61,7 @@ export default {
|
|||
'getCurrentUserLastNote',
|
||||
'getUserData',
|
||||
'getNoteableData',
|
||||
'getNoteableDataByProp',
|
||||
'getNotesData',
|
||||
'openState',
|
||||
'getBlockedByIssues',
|
||||
|
@ -135,6 +137,9 @@ export default {
|
|||
? __('merge request')
|
||||
: __('issue');
|
||||
},
|
||||
isIssueType() {
|
||||
return this.noteableDisplayName === constants.ISSUE_NOTEABLE_TYPE;
|
||||
},
|
||||
trackingLabel() {
|
||||
return slugifyWithUnderscore(`${this.commentButtonTitle} button`);
|
||||
},
|
||||
|
@ -346,13 +351,13 @@ export default {
|
|||
<div class="error-alert"></div>
|
||||
|
||||
<issue-warning
|
||||
v-if="hasWarning(getNoteableData)"
|
||||
v-if="hasWarning(getNoteableData) && isIssueType"
|
||||
:is-locked="isLocked(getNoteableData)"
|
||||
:is-confidential="isConfidential(getNoteableData)"
|
||||
:locked-issue-docs-path="lockedIssueDocsPath"
|
||||
:confidential-issue-docs-path="confidentialIssueDocsPath"
|
||||
/>
|
||||
|
||||
<epic-warning :is-confidential="isConfidential(getNoteableData)" />
|
||||
<markdown-field
|
||||
ref="markdownField"
|
||||
:is-submitting="isSubmitting"
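Review bot: The `isIssueType` computed added in the third hunk compares `noteableDisplayName` with `constants.ISSUE_NOTEABLE_TYPE`, yet `noteableDisplayName` is assembled from `__('issue')` / `__('merge request')`, i.e. a translated label; if `__` returns the localized string, the comparison fails outside English locales and the `<issue-warning>` now guarded by `v-if="hasWarning(getNoteableData) && isIssueType"` in this hunk quietly disappears, so a confidential or locked issue would be commented on with no warning shown. Compare against the untranslated noteable type instead: the ternary's condition just above the third hunk (outside what is shown here) presumably already distinguishes the two types and should be the single source for `isIssueType`, rather than round-tripping through a display string. The new `<epic-warning>` line carries no `v-if`, so the component is being relied on to render nothing for non-epic noteables; a short template comment such as `<!-- epic-warning renders nothing unless the noteable is an epic -->` would make that contract visible, or guard it the same way as `<issue-warning>`. The `computed` object and the template's enclosing element both begin and end outside the hunks.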
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Add secret detection template to Auto DevOps
|
||||
merge_request: 34467
|
||||
author:
|
||||
type: changed
|
|
@ -396,7 +396,6 @@ documentation](index.md#configure-gitaly-servers).
|
|||
postgresql['enable'] = false
|
||||
redis['enable'] = false
|
||||
nginx['enable'] = false
|
||||
prometheus['enable'] = false
|
||||
grafana['enable'] = false
|
||||
puma['enable'] = false
|
||||
sidekiq['enable'] = false
|
||||
|
@ -406,6 +405,9 @@ documentation](index.md#configure-gitaly-servers).
|
|||
# Enable only the Gitaly service
|
||||
gitaly['enable'] = true
|
||||
|
||||
# Enable Prometheus if needed
|
||||
prometheus['enable'] = true
|
||||
|
||||
# Prevent database connections during 'gitlab-ctl reconfigure'
|
||||
gitlab_rails['rake_cache_clear'] = false
|
||||
gitlab_rails['auto_migrate'] = false
|
||||
|
@ -739,7 +741,9 @@ strategy in the future.
|
|||
|
||||
## Identifying Impact of a Primary Node Failure
|
||||
|
||||
When a primary Gitaly node fails, there is a chance of data loss. Data loss can occur if there were outstanding replication jobs the secondaries did not manage to process before the failure. The Praefect `dataloss` sub-command helps identify these cases by counting the number of dead replication jobs for each repository within a given time frame.
|
||||
When a primary Gitaly node fails, there is a chance of data loss. Data loss can occur if there were outstanding replication jobs the secondaries did not manage to process before the failure. The `dataloss` Praefect sub-command helps identify these cases by counting the number of dead replication jobs for each repository. This command must be executed on a Praefect node.
|
||||
|
||||
A time frame to search can be specified with `-from` and `-to`:
|
||||
|
||||
```shell
|
||||
sudo /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml dataloss -from <rfc3339-time> -to <rfc3339-time>
|
||||
|
|
|
@ -209,6 +209,8 @@ you can enable this in the project settings:
|
|||
1. Check the **Auto-cancel redundant, pending pipelines** checkbox.
|
||||
1. Click **Save changes**.
|
||||
|
||||
Note that only jobs with [interruptible](../yaml/README.md#interruptible) set to `true` will be cancelled.
|
||||
|
||||
## Skip outdated deployment jobs
|
||||
|
||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/25276) in GitLab 12.9.
|
||||
|
|
|
@ -85,6 +85,7 @@ project in a simple and automatic way:
|
|||
1. [Auto Test](stages.md#auto-test)
|
||||
1. [Auto Code Quality](stages.md#auto-code-quality-starter) **(STARTER)**
|
||||
1. [Auto SAST (Static Application Security Testing)](stages.md#auto-sast-ultimate) **(ULTIMATE)**
|
||||
1. [Auto Secret Detection](stages.md#auto-secret-detection-ultimate) **(ULTIMATE)**
|
||||
1. [Auto Dependency Scanning](stages.md#auto-dependency-scanning-ultimate) **(ULTIMATE)**
|
||||
1. [Auto License Compliance](stages.md#auto-license-compliance-ultimate) **(ULTIMATE)**
|
||||
1. [Auto Container Scanning](stages.md#auto-container-scanning-ultimate) **(ULTIMATE)**
|
||||
|
|
|
@ -182,6 +182,7 @@ The jobs are separated into stages:
|
|||
([Auto Dependency Scanning](stages.md#auto-dependency-scanning-ultimate)) **(ULTIMATE)**
|
||||
- Jobs suffixed with `-sast` run static analysis on the current code to check for potential
|
||||
security issues, and are allowed to fail ([Auto SAST](stages.md#auto-sast-ultimate)) **(ULTIMATE)**
|
||||
- The `secret-detection` job checks for leaked secrets and is allowed to fail ([Auto Secret Detection](stages.md#auto-secret-detection-ultimate)) **(ULTIMATE)**
|
||||
- The `license_management` job searches the application's dependencies to determine each of their
|
||||
licenses and is allowed to fail
|
||||
([Auto License Compliance](stages.md#auto-license-compliance-ultimate)) **(ULTIMATE)**
|
||||
|
|
|
@ -144,6 +144,22 @@ warnings.
|
|||
To learn more about [how SAST works](../../user/application_security/sast/index.md),
|
||||
see the documentation.
|
||||
|
||||
## Auto Secret Detection **(ULTIMATE)**
|
||||
|
||||
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
|
||||
|
||||
Secret Detection uses the
|
||||
[Secret Detection Docker image](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) to run Secret Detection on the current code, and checks for leaked secrets. The
|
||||
Auto Secret Detection stage runs only on the
|
||||
[Ultimate](https://about.gitlab.com/pricing/) tier, and requires
|
||||
[GitLab Runner](https://docs.gitlab.com/runner/) 11.5 or above.
|
||||
|
||||
After creating the report, it's uploaded as an artifact which you can later
|
||||
download and evaluate. The merge request widget also displays any security
|
||||
warnings.
|
||||
|
||||
To learn more, see [Secret Detection](../../user/application_security/secret_detection/index.md).
|
||||
|
||||
## Auto Dependency Scanning **(ULTIMATE)**
|
||||
|
||||
> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.7.
|
||||
|
|
Binary file not shown.
After Width: | Height: | Size: 50 KiB |
|
@ -17,14 +17,15 @@ For an overview of application security with GitLab, see
|
|||
|
||||
## Quick start
|
||||
|
||||
Get started quickly with Dependency Scanning, License Scanning, and Static Application Security
|
||||
Testing (SAST) by adding the following to your `.gitlab-ci.yml`:
|
||||
Get started quickly with Dependency Scanning, License Scanning, Static Application Security
|
||||
Testing (SAST), and Secret Detection by adding the following to your `.gitlab-ci.yml`:
|
||||
|
||||
```yaml
|
||||
include:
|
||||
- template: Dependency-Scanning.gitlab-ci.yml
|
||||
- template: License-Scanning.gitlab-ci.yml
|
||||
- template: SAST.gitlab-ci.yml
|
||||
- template: Secret-Detection.gitlab-ci.yml
|
||||
```
|
||||
|
||||
To add Dynamic Application Security Testing (DAST) scanning, add the following to your
|
||||
|
@ -64,6 +65,19 @@ GitLab uses the following tools to scan and report known vulnerabilities found i
|
|||
| [Security Dashboard](security_dashboard/index.md) **(ULTIMATE)** | View vulnerabilities in all your projects and groups. |
|
||||
| [Static Application Security Testing (SAST)](sast/index.md) **(ULTIMATE)** | Analyze source code for known vulnerabilities. |
|
||||
|
||||
## Security Scanning with Auto DevOps
|
||||
|
||||
When [Auto DevOps](../../topics/autodevops/) is enabled, all GitLab Security scanning tools will be configured using default settings.
|
||||
|
||||
- [Auto SAST](../../topics/autodevops/stages.md#auto-sast-ultimate)
|
||||
- [Auto Secret Detection](../../topics/autodevops/stages.md#auto-secret-detection-ultimate)
|
||||
- [Auto DAST](../../topics/autodevops/stages.md#auto-dast-ultimate)
|
||||
- [Auto Dependency Scanning](../../topics/autodevops/stages.md#auto-dependency-scanning-ultimate)
|
||||
- [Auto License Compliance](../../topics/autodevops/stages.md#auto-license-compliance-ultimate)
|
||||
- [Auto Container Scanning](../../topics/autodevops/stages.md#auto-container-scanning-ultimate)
|
||||
|
||||
While you cannot directly customize Auto DevOps, you can [include the Auto DevOps template in your project's `.gitlab-ci.yml` file](../../topics/autodevops/customize.md#customizing-gitlab-ciyml).
|
||||
|
||||
## Maintenance and update of the vulnerabilities database
|
||||
|
||||
The scanning tools and vulnerabilities database are updated regularly.
|
||||
|
@ -216,9 +230,15 @@ rating.
|
|||
|
||||
### Enabling Security Approvals within a project
|
||||
|
||||
To enable Security Approvals, a [project approval rule](../project/merge_requests/merge_request_approvals.md#multiple-approval-rules-premium)
|
||||
To enable Security Approvals, a [project approval rule](../project/merge_requests/merge_request_approvals.md#adding--editing-a-default-approval-rule)
|
||||
must be created with the case-sensitive name `Vulnerability-Check`. This approval group must be set
|
||||
with the number of approvals required greater than zero.
|
||||
with the number of approvals required greater than zero. You must have Maintainer or Owner [permissions](../permissions.md#project-members-permissions) to manage approval rules.
|
||||
|
||||
1. Navigate to your project's **{settings}** **Settings > General** and expand **Merge request approvals**.
|
||||
1. Click **Add approval rule**, or **Edit**.
|
||||
- Add or change the **Rule name** to `Vulnerability-Check` (case sensitive).
|
||||
|
||||
![Vulnerability Check Approver Rule](img/vulnerability-check_v13_0.png)
|
||||
|
||||
Once this group is added to your project, the approval rule is enabled for all merge requests.
|
||||
|
||||
|
|
|
@ -317,6 +317,8 @@ Some analyzers can be customized with environment variables.
|
|||
| Environment variable | Analyzer | Description |
|
||||
|-----------------------------|----------|-------------|
|
||||
| `SCAN_KUBERNETES_MANIFESTS` | Kubesec | Set to `"true"` to scan Kubernetes manifests. |
|
||||
| `KUBESEC_HELM_CHARTS_PATH` | Kubesec | Optional path to Helm charts that `helm` will use to generate a Kubernetes manifest that `kubesec` will scan. If dependencies are defined, `helm dependency build` should be ran in a `before_script` to fetch the necessary dependencies. |
|
||||
| `KUBESEC_HELM_OPTIONS` | Kubesec | Additional arguments for the `helm` executable. |
|
||||
| `ANT_HOME` | SpotBugs | The `ANT_HOME` environment variable. |
|
||||
| `ANT_PATH` | SpotBugs | Path to the `ant` executable. |
|
||||
| `GRADLE_PATH` | SpotBugs | Path to the `gradle` executable. |
|
||||
|
|
|
@ -50,6 +50,10 @@ with a dollar sign (`$`) as this likely indicates the password being used is an
|
|||
variable. For example, `https://username:$password@example.com/path/to/repo` won't be
|
||||
detected, whereas `https://username:password@example.com/path/to/repo` would be detected.
|
||||
|
||||
NOTE: **Note:**
|
||||
You don't have to configure Secret Detection manually as shown in this section if you're using [Auto Secret Detection](../../../topics/autodevops/stages.md#auto-secret-detection-ultimate)
|
||||
provided by [Auto DevOps](../../../topics/autodevops/index.md).
|
||||
|
||||
## Full History Secret Scan
|
||||
|
||||
GitLab 12.11 introduced support for scanning the full history of a repository. This new functionality
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
# * license_management: LICENSE_MANAGEMENT_DISABLED
|
||||
# * performance: PERFORMANCE_DISABLED
|
||||
# * sast: SAST_DISABLED
|
||||
# * secret_detection: SECRET_DETECTION_DISABLED
|
||||
# * dependency_scanning: DEPENDENCY_SCANNING_DISABLED
|
||||
# * container_scanning: CONTAINER_SCANNING_DISABLED
|
||||
# * dast: DAST_DISABLED
|
||||
|
@ -160,3 +161,4 @@ include:
|
|||
- template: Security/Dependency-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
|
||||
- template: Security/License-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
|
||||
- template: Security/SAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
|
||||
- template: Security/Secret-Detection.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml
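Review bot: The header comment added in the first hunk documents `SECRET_DETECTION_DISABLED` as the opt-out for the new job, but nothing in either hunk shows that `Security/Secret-Detection.gitlab-ci.yml` actually honors that variable; if the included template uses a different name or no disable rule at all, the documented switch is a no-op and the job keeps running in every Auto DevOps pipeline. Worth confirming the included template's rules match the other Security templates listed here before the comment is relied upon, and worth a one-line comment beside the include, e.g. `# disabled by SECRET_DETECTION_DISABLED (see template rules)`, once verified. The `include:` list starts outside the second hunk.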
|
||||
|
|
|
@ -22783,6 +22783,9 @@ msgstr ""
|
|||
msgid "This is a Work in Progress"
|
||||
msgstr ""
|
||||
|
||||
msgid "This is a confidential epic."
|
||||
msgstr ""
|
||||
|
||||
msgid "This is a confidential issue."
|
||||
msgstr ""
|
||||
|
||||
|
|