Security Configuration
Version history
- Introduced in GitLab 12.6.
- SAST configuration was enabled in 13.3 and improved in 13.4.
- DAST Profiles feature was introduced in 13.4.
- A simplified version was made available in all tiers in GitLab 13.10.
- Redesigned in 14.2.
The Security Configuration page lists the following for the security testing and compliance tools:
- Name, description, and a documentation link.
- Whether or not it is available.
- A configuration button or a link to its configuration guide.
The status of each security control is determined by the project’s latest default branch CI pipeline. If a job with the expected security report artifact exists in the pipeline, the feature’s status is enabled.
If the latest pipeline used Auto DevOps, all security features are configured by default.
To view a project’s security configuration:
- On the top bar, select Menu > Projects and find your project.
- On the left sidebar, select Security & Compliance > Configuration.
Select Configuration history to see the .gitlab-ci.yml file’s history.
Security testing
You can configure the following security controls:
-
Static Application Security Testing (SAST)
- Select Enable SAST to configure SAST for the current project. For more details, read Configure SAST in the UI.
-
Dynamic Application Security Testing (DAST)
- Select Enable DAST to configure DAST for the current project.
- Select Manage scans to manage the saved DAST scans, site profiles, and scanner profiles. For more details, read DAST on-demand scans.
-
Dependency Scanning
- Select Configure with a merge request to create a merge request with the changes required to enable Dependency Scanning. For more details, see Enable Dependency Scanning via an automatic merge request.
-
Container Scanning
- Select Configure with a merge request to create a merge request with the changes required to enable Container Scanning. For more details, see Enable Container Scanning through an automatic merge request.
-
Cluster Image Scanning
- Can be configured with
.gitlab-ci.yml. For more details, read Cluster Image Scanning.
- Can be configured with
-
Secret Detection
- Select Configure with a merge request to create a merge request with the changes required to enable Secret Detection. For more details, read Enable Secret Detection via an automatic merge request.
-
API Fuzzing
- Select Enable API Fuzzing to use API Fuzzing for the current project. For more details, read API Fuzzing.
-
Coverage Fuzzing
- Can be configured with
.gitlab-ci.yml. For more details, read Coverage Fuzzing.
- Can be configured with
Compliance
You can configure the following security controls:
-
License Compliance
- Can be configured with
.gitlab-ci.yml. For more details, read License Compliance.
- Can be configured with
-
Security Training
- Enable Security training for the current project. For more details, read security training.