Security Configuration

The Security Configuration page lists the following for the security testing and compliance tools:

  • Name, description, and a documentation link.
  • Whether or not it is available.
  • A configuration button or a link to its configuration guide.

The status of each security control is determined by the following process:

  1. Check for a CI pipeline in the most recent commit on the default branch.
  2. If no CI pipelines exist, then consider all security scanners disabled. Show the Not enabled status.
  3. If a pipeline is found, then inspect the CI YAML for each job in the CI/CD pipeline. If a job in the pipeline defines an artifacts:reports keyword for a security scanner, then consider the security scanner enabled. Show the Enabled status.

Failed pipelines and jobs are included in this check: if a scanner is configured but its job fails, the scanner is still considered enabled. The same process determines the scanners and statuses returned through our API.

If the latest pipeline used Auto DevOps, all security features are configured by default.
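The detection process above, written out as a small Ruby script. This is an added example, not GitLab's own implementation: it takes the .gitlab-ci.yml text of the latest default-branch pipeline (or nil when that commit has no pipeline), walks every job, and marks a scanner Enabled when some job declares the matching artifacts:reports key, regardless of whether that job passed. The report-type names are real GitLab artifacts:reports keys, but the mapping to the display names, the auto_devops flag and the sample YAML are this example's own assumptions; it also does not resolve include or extends, which a real evaluation would have to do.

```ruby
require 'yaml'

# Assumed mapping from artifacts:reports key to the scanner name shown on the
# Security Configuration page (the keys are real report types; the mapping is
# this example's own).
SECURITY_REPORT_TYPES = {
  'sast'                => 'SAST',
  'secret_detection'    => 'Secret Detection',
  'dependency_scanning' => 'Dependency Scanning',
  'container_scanning'  => 'Container Scanning',
  'dast'                => 'DAST',
  'api_fuzzing'         => 'API Fuzzing',
  'coverage_fuzzing'    => 'Coverage Fuzzing',
  'license_scanning'    => 'License Compliance'
}.freeze

# Top-level keys that configure the pipeline itself rather than define a job.
NON_JOB_KEYS = %w[stages variables include default workflow image services
                  cache before_script after_script].freeze

# Returns a Hash of scanner name => "Enabled" / "Not enabled".
# pipeline_yaml: the CI YAML of the latest default-branch pipeline, or nil if
#                that commit has no pipeline at all.
# auto_devops:   hypothetical flag standing in for "the pipeline used Auto DevOps".
def scanner_statuses(pipeline_yaml, auto_devops: false)
  statuses = SECURITY_REPORT_TYPES.values.to_h { |name| [name, 'Not enabled'] }
  return statuses if pipeline_yaml.nil?                      # no pipeline: all disabled
  return statuses.transform_values { 'Enabled' } if auto_devops  # Auto DevOps: all configured

  config = YAML.safe_load(pipeline_yaml)
  config = {} unless config.is_a?(Hash)

  config.each do |job_name, job|
    next if NON_JOB_KEYS.include?(job_name)
    next if job_name.start_with?('.')   # hidden template, never runs as a job
    next unless job.is_a?(Hash)

    reports = job.dig('artifacts', 'reports')
    next unless reports.is_a?(Hash)

    # Job success is irrelevant: a declared report is enough to count as enabled.
    reports.each_key do |report_type|
      name = SECURITY_REPORT_TYPES[report_type]
      statuses[name] = 'Enabled' if name
    end
  end
  statuses
end

# Constructed sample .gitlab-ci.yml for demonstration only.
SAMPLE_CI_YAML = <<~YAML
  stages: [test]

  sast:
    stage: test
    script: [run-sast]
    artifacts:
      reports:
        sast: gl-sast-report.json

  # This job exits non-zero, but it still enables Secret Detection.
  secret_detection:
    stage: test
    script: [exit 1]
    artifacts:
      reports:
        secret_detection: gl-secret-detection-report.json

  # Hidden template: not a running job, so it does not enable DAST.
  .dast-template:
    artifacts:
      reports:
        dast: gl-dast-report.json

  unit_tests:
    stage: test
    script: [run-tests]
    artifacts:
      reports:
        junit: report.xml
YAML

if __FILE__ == $PROGRAM_NAME
  scanner_statuses(SAMPLE_CI_YAML).each { |name, status| puts "#{name}: #{status}" }
end
```

Running the script on the sample prints SAST and Secret Detection as Enabled (the failing job still counts) and everything else, including DAST from the hidden template and the non-security junit report, as Not enabled; passing nil yields Not enabled for every scanner, matching step 2 of the process.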

To view a project’s security configuration:

  1. On the top bar, select Main menu > Projects and find your project.
  2. On the left sidebar, select Security & Compliance > Configuration.

Select Configuration history to see the .gitlab-ci.yml file’s history.

Security testing

You can configure the following security controls:

Compliance

You can configure the following security controls: