diff --git a/doc/user/application_security/dependency_scanning/analyzers.md b/doc/user/application_security/dependency_scanning/analyzers.md index 3b4b341739b583c39a0b405895db6e0ed92a181e..26352f21cfb5b75debcbda8d2f49accd7e32f26c 100644 --- a/doc/user/application_security/dependency_scanning/analyzers.md +++ b/doc/user/application_security/dependency_scanning/analyzers.md @@ -83,8 +83,11 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers). ## Custom analyzers -You can provide your own analyzers as a comma separated list of Docker images. -Here's how to add `analyzers/nugget` and `analyzers/perl` to the default images. +### Custom analyzers with Docker-in-Docker + +When Docker-in-Docker for Dependency Scanning is enabled, +you can provide your own analyzers as a comma-separated list of Docker images. +Here's how to add `analyzers/nuget` and `analyzers/perl` to the default images. In `.gitlab-ci.yml` define: ```yaml @@ -92,7 +95,7 @@ include: template: Dependency-Scanning.gitlab-ci.yml variables: - DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nugget,amy-docker-registry/nalyzers/perl" + DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nuget,amy-docker-registry/analyzers/perl" ``` The values must be the full path to the container registry images, 
@@ -103,6 +106,28 @@ This configuration doesn't benefit from the integrated detection step. Dependenc Scanning has to fetch and spawn each Docker image to establish whether the custom analyzer can scan the source code. +### Custom analyzers without Docker-in-Docker + +When Docker-in-Docker for Dependency Scanning is disabled, you can provide your own analyzers by +defining CI jobs in your CI configuration. For consistency, you should suffix your custom Dependency +Scanning jobs with `-dependency_scanning`. Here's how to add a scanning job that's based on the +Docker image `my-docker-registry/analyzers/nuget` and generates a Dependency Scanning report +`gl-dependency-scanning-report.json` when `/analyzer run` is executed. Define the following in +`.gitlab-ci.yml`: + +```yaml +nuget-dependency_scanning: + image: + name: "my-docker-registry/analyzers/nuget" + script: + - /analyzer run + artifacts: + reports: + dependency_scanning: gl-dependency-scanning-report.json +``` + +The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate custom security scanners into GitLab. + ## Analyzers data The following table lists the data available for each official analyzer. diff --git a/doc/user/application_security/sast/analyzers.md b/doc/user/application_security/sast/analyzers.md index c27c61a52e2c62850c05f423a00f620e23682859..3ce52a024bd6f3a13db538df6cf1054f6105d728 100644 --- a/doc/user/application_security/sast/analyzers.md +++ b/doc/user/application_security/sast/analyzers.md 
@@ -92,7 +92,10 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers). ## Custom Analyzers -You can provide your own analyzers as a comma separated list of Docker images. +### Custom analyzers with Docker-in-Docker + +When Docker-in-Docker for SAST is enabled, +you can provide your own analyzers as a comma-separated list of Docker images. Here's how to add `analyzers/csharp` and `analyzers/perl` to the default images: In `.gitlab-ci.yml` define: @@ -112,8 +115,27 @@ This configuration doesn't benefit from the integrated detection step. SAST has to fetch and spawn each Docker image to establish whether the custom analyzer can scan the source code. -CAUTION: **Caution:** -Custom analyzers are not spawned automatically when [Docker In Docker](index.md#disabling-docker-in-docker-for-sast) is disabled. +### Custom analyzers without Docker-in-Docker + +When Docker-in-Docker for SAST is disabled, you can provide your own analyzers by +defining CI jobs in your CI configuration. For consistency, you should suffix your custom +SAST jobs with `-sast`. Here's how to add a scanning job that's based on the +Docker image `my-docker-registry/analyzers/csharp` and generates a SAST report +`gl-sast-report.json` when `/analyzer run` is executed. Define the following in +`.gitlab-ci.yml`: + +```yaml +csharp-sast: + image: + name: "my-docker-registry/analyzers/csharp" + script: + - /analyzer run + artifacts: + reports: + sast: gl-sast-report.json +``` + +The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate custom security scanners into GitLab. ## Analyzers Data
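Review bot: in the first `dependency_scanning/analyzers.md` hunk (`@@ -83,8 +83,11 @@`), the new opening sentence "When Docker-in-Docker for Dependency Scanning is enabled," names the mode but gives the reader no way to find out how it is enabled or disabled; add a link to the relevant section of the Dependency Scanning `index.md` there, so a reader can decide which of the two new sub-sections ("with" or "without" Docker-in-Docker) applies to their pipeline before reading further.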
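Review bot: in the `@@ -92,7 +95,7 @@` hunk of `dependency_scanning/analyzers.md`, the fixed `DS_ANALYZER_IMAGES` line corrects `nalyzers` but keeps `amy-docker-registry`, which looks like the other half of the same slipped-comma typo; the second image should use the same registry prefix as the first, i.e. `"my-docker-registry/analyzers/nuget,my-docker-registry/analyzers/perl"`. As written, a reader copying the example gets an image path that points at a registry the surrounding text never mentions, and the sentence two lines below ("The values must be the full path to the container registry images") makes the example the reference for that format.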
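Review bot: the `nuget-dependency_scanning` job in the `@@ -103,6 +106,28 @@` hunk declares no `stage`, and the new section never says whether `include: template: Dependency-Scanning.gitlab-ci.yml` (shown earlier in the same file) is still required when Docker-in-Docker is disabled; state that dependency explicitly, or add a `stage:` line to the example, so the reader knows where the job runs relative to the template's jobs. The sentence "For consistency, you should suffix your custom Dependency Scanning jobs with `-dependency_scanning`" should also say whether anything (template rules, report merging, the Security Dashboard) depends on that suffix or whether it is purely a naming convention; "for consistency" alone leaves that open.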
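Review bot: in the `sast/analyzers.md` hunk `@@ -92,7 +92,10 @@`, the retained context line "Here's how to add `analyzers/csharp` and `analyzers/perl` to the default images:" ends in a colon and is followed directly by "In `.gitlab-ci.yml` define:", a double lead-in; since the paragraph is being rewritten anyway, drop the first colon (the Dependency Scanning counterpart in the other file already reads "... to the default images." with a period), and add the same link to the Docker-in-Docker toggle that the Dependency Scanning section needs, so both pages open the "with Docker-in-Docker" sub-section identically.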
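Review bot: the `@@ -112,8 +115,27 @@` hunk in `sast/analyzers.md` deletes the `CAUTION:` block and with it the only link to `index.md#disabling-docker-in-docker-for-sast`, so the new "Custom analyzers without Docker-in-Docker" section never tells the reader how that mode is turned off; reinstate the link in the opening sentence, e.g. "When Docker-in-Docker for SAST is [disabled](index.md#disabling-docker-in-docker-for-sast), you can provide your own analyzers by ...". The `csharp-sast` example job has the same omissions as the Dependency Scanning one (no `stage`, no statement of whether the SAST template must still be included), and the two sections should be kept in lockstep since they are word-for-word parallel.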