diff --git a/doc/user/application_security/dependency_scanning/index.md b/doc/user/application_security/dependency_scanning/index.md index 6ef3fa18b35ee16330b748ead6310ecd29e66446..b65283825f2ef1b5229cd75b0eb76c360f728d17 100644 --- a/doc/user/application_security/dependency_scanning/index.md +++ b/doc/user/application_security/dependency_scanning/index.md @@ -216,6 +216,14 @@ variables: This will create individual `-dependency_scanning` jobs for each analyzer that runs in your CI/CD pipeline. +By removing Docker-in-Docker (DIND), GitLab relies on [Linguist](https://github.com/github/linguist) +to start relevant analyzers depending on the detected repository language(s) instead of the +[orchestrator](https://gitlab.com/gitlab-org/security-products/dependency-scanning/). However, there +are some differences in the way repository languages are detected between DIND and non-DIND. You can +observe these differences by checking both Linguist and the common library. For instance, Linguist +looks for `*.java` files to spin up the [gemnasium-maven](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven) +image, while orchestrator only looks for the existence of `pom.xml` or `build.gradle`. + ## Interacting with the vulnerabilities Once a vulnerability is found, you can interact with it. Read more on how to diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index 5991fe8cf01df19a32384925dd74edbf746fdc86..3dd7d7b18b78d4bceb44342b2abc377c55014aeb 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md 
@@ -194,6 +194,15 @@ variables: This will create individual `-sast` jobs for each analyzer that runs in your CI/CD pipeline. +By removing Docker-in-Docker (DIND), GitLab relies on [Linguist](https://github.com/github/linguist) +to start relevant analyzers depending on the detected repository language(s) instead of the +[orchestrator](https://gitlab.com/gitlab-org/security-products/dependency-scanning/). However, there +are some differences in the way repository languages are detected between DIND and non-DIND. You can +observe these differences by checking both Linguist and the common library. For instance, Linguist +looks for `*.java` files to spin up the [spotbugs](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) +image, while orchestrator only looks for the existence of `pom.xml`, `build.xml`, `gradlew`, +`grailsw`, or `mvnw`. + #### Enabling kubesec analyzer > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/12752) in GitLab Ultimate 12.6.
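Review bot: in the dependency-scanning hunk, "You can observe these differences by checking both Linguist and the common library" names "the common library" without linking it or saying which repository is meant, so readers cannot actually perform the check the sentence invites; add a link (or the project name) next to the existing Linguist and orchestrator links. The opening "By removing Docker-in-Docker (DIND), GitLab relies on ..." also reads as if GitLab removed DIND, while the surrounding section is about the user disabling it; consider "When Docker-in-Docker (DIND) is disabled, GitLab relies on Linguist ... to start the relevant analyzers based on the detected repository language(s)". Since the example (Linguist spins up gemnasium-maven on any `*.java` file, the orchestrator only on `pom.xml` or `build.gradle`) means the set of jobs that run can change when DIND is switched off, it would help to state that consequence explicitly so users know to compare pipeline output after the change.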
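Review bot: in the SAST hunk, the "[orchestrator]" link points to `https://gitlab.com/gitlab-org/security-products/dependency-scanning/`, the same URL used in the dependency-scanning page, even though this paragraph describes the SAST orchestrator's detection rules (`pom.xml`, `build.xml`, `gradlew`, `grailsw`, or `mvnw`); please verify that this is the intended project and point it at the SAST orchestrator if not. The same unlinked "the common library" reference and the same "By removing Docker-in-Docker (DIND), GitLab relies on ..." phrasing appear here as in the dependency-scanning hunk, so whatever wording and link is chosen there should be mirrored in this paragraph to keep the two pages consistent.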