  • Introduced in GitLab 12.6.
  • SAST configuration was enabled in 13.3 and improved in 13.4.
  • DAST Profiles feature was introduced in 13.4.
  • A simplified version was made available in all tiers in GitLab 13.10.
  • Redesigned in 14.2.
The Security configuration page lists the following for the security testing and compliance tools:

  • Name, description, and a documentation link.
  • Whether or not it is available.
  • A configuration button or a link to its configuration guide.

To determine the status of each security control, GitLab checks for a CI/CD pipeline in the most recent commit on the default branch.

If GitLab finds a CI/CD pipeline, then it inspects each job in the .gitlab-ci.yml file.

  • If a job defines an artifacts:reports keyword for a security scanner, then GitLab considers the security scanner enabled and shows the Enabled status.
  • If no jobs define an artifacts:reports keyword for a security scanner, then GitLab considers the security scanner disabled and shows the Not enabled status.

If GitLab does not find a CI/CD pipeline, then it considers all security scanners disabled and shows the Not enabled status.

Failed pipelines and jobs are included in this process. If a scanner is configured but the job fails, that scanner is still considered enabled. This process also determines the scanners and statuses returned through the API.
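
The status check described above, written out as an added example (this is not GitLab's own code): a constructed .gitlab-ci.yml is parsed with a minimal YAML-subset parser standing in for a real YAML library, and each scanner is then reported as Enabled or Not enabled purely from the artifacts:reports keywords in the jobs, with config=None modelling the no-pipeline case. The report keywords (sast, dast, dependency_scanning, container_scanning, secret_detection, api_fuzzing, coverage_fuzzing) are GitLab's real artifacts:reports names; the list of global keywords and the decision to skip hidden '.'-prefixed template keys are this example's assumptions, and the sample pipeline is constructed for illustration.

```python
# artifacts:reports keywords GitLab uses for its security scanners (real
# keywords), mapped to the names this example prints for each scanner.
SECURITY_REPORT_TYPES = {
    "sast": "SAST",
    "dast": "DAST",
    "dependency_scanning": "Dependency Scanning",
    "container_scanning": "Container Scanning",
    "secret_detection": "Secret Detection",
    "api_fuzzing": "API Fuzzing",
    "coverage_fuzzing": "Coverage Fuzzing",
}
# Top-level .gitlab-ci.yml keys that are global settings, not jobs (assumed list).
GLOBAL_KEYWORDS = {"stages", "variables", "include", "default", "workflow",
                   "image", "services", "cache", "before_script", "after_script"}


def parse_simple_yaml(text):
    """Minimal stand-in for a YAML library: handles the nested mappings, scalar
    values and indented '- item' lists used by the constructed pipeline below."""
    lines = [ln.rstrip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    pos = 0

    def indent_of(line):
        return len(line) - len(line.lstrip(" "))

    def parse_block(indent):
        nonlocal pos
        if lines[pos].lstrip().startswith("- "):          # block list
            items = []
            while (pos < len(lines) and indent_of(lines[pos]) == indent
                   and lines[pos].lstrip().startswith("- ")):
                items.append(lines[pos].lstrip()[2:].strip())
                pos += 1
            return items
        mapping = {}                                       # block mapping
        while pos < len(lines) and indent_of(lines[pos]) == indent:
            key, _, value = lines[pos].strip().partition(":")
            key, value = key.strip(), value.strip()
            pos += 1
            if value:
                mapping[key] = value
            elif pos < len(lines) and indent_of(lines[pos]) > indent:
                mapping[key] = parse_block(indent_of(lines[pos]))
            else:
                mapping[key] = None
        return mapping

    return parse_block(0)


def scanner_status(config):
    """Return {scanner: 'Enabled' | 'Not enabled'} for a parsed .gitlab-ci.yml.

    config=None models 'no pipeline on the default branch': everything is Not
    enabled. Otherwise only the presence of an artifacts:reports keyword counts,
    so a job that exists but fails is still Enabled, as the text above states.
    Skipping hidden '.'-prefixed template keys is this example's assumption."""
    status = {name: "Not enabled" for name in SECURITY_REPORT_TYPES.values()}
    if config is None:
        return status
    for job_name, job in config.items():
        if (job_name in GLOBAL_KEYWORDS or job_name.startswith(".")
                or not isinstance(job, dict)):
            continue
        artifacts = job.get("artifacts")
        reports = artifacts.get("reports") if isinstance(artifacts, dict) else None
        for report_type in (reports or {}):
            if report_type in SECURITY_REPORT_TYPES:
                status[SECURITY_REPORT_TYPES[report_type]] = "Enabled"
    return status


# Constructed sample: SAST and Secret Detection declare security reports; the
# unit-test job declares only a junit report and must be ignored.
SAMPLE_GITLAB_CI = """\
sast:
  script:
    - /analyzer run
  artifacts:
    reports:
      sast: gl-sast-report.json

secret_detection:
  script:
    - /analyzer run
  allow_failure: true
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json

unit_tests:
  script:
    - make test
  artifacts:
    reports:
      junit: report.xml
"""

if __name__ == "__main__":
    for name, state in scanner_status(parse_simple_yaml(SAMPLE_GITLAB_CI)).items():
        print(f"{name:22} {state}")
```

Running it lists SAST and Secret Detection as Enabled and the other five scanners as Not enabled; the unit_tests job contributes nothing because junit is not a security report type, and a job's success or failure never enters the decision.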

If the latest pipeline uses Auto DevOps, all security features are configured by default.

To view a project's security configuration:

1. On the left sidebar, at the top, select Search GitLab to find your project.
2. Select Secure > Security configuration.

Select Configuration history to see the .gitlab-ci.yml file's history.

Security testing

You can configure the following security controls:

  • Dynamic Application Security Testing (DAST)
    • Select Enable DAST to configure DAST for the current project.
    • Select Manage scans to manage the saved DAST scans, site profiles, and scanner profiles. For more details, read DAST on-demand scans.
  • Dependency Scanning
    • Select Configure with a merge request to create a merge request with the changes required to enable Dependency Scanning. For more details, see Enable Dependency Scanning via an automatic merge request.
  • Container Scanning
    • Select Configure with a merge request to create a merge request with the changes required to enable Container Scanning. For more details, see Enable Container Scanning through an automatic merge request.
  • Operational Container Scanning
    • Can be configured by adding a configuration block to your agent configuration. For more details, read Operational Container Scanning.
  • Secret Detection
    • Select Configure with a merge request to create a merge request with the changes required to enable Secret Detection. For more details, read Use an automatically configured merge request.
  • API Fuzzing
    • Select Enable API Fuzzing to use API Fuzzing for the current project. For more details, read API Fuzzing.
  • Coverage Fuzzing
    • Can be configured with .gitlab-ci.yml. For more details, read Coverage Fuzzing.

Compliance

You can configure the following security controls:

  • Security Training
    • Enable Security training for the current project. For more details, read security training.