{"id":49539,"date":"2025-05-28T08:15:38","date_gmt":"2025-05-28T08:15:38","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=49539"},"modified":"2026-02-21T07:29:01","modified_gmt":"2026-02-21T07:29:01","slug":"gitlab-secure-experience-guide-sast-dast-sca-etc","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/gitlab-secure-experience-guide-sast-dast-sca-etc\/","title":{"rendered":"GitLab Secure Experience Guide SAST, DAST, SCA etc"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"620\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-26-1024x620.png\" alt=\"\" class=\"wp-image-49548\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-26-1024x620.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-26-300x182.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-26-768x465.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-26.png 1109w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-24-1024x576.png\" alt=\"\" class=\"wp-image-49540\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-24-1024x576.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-24-300x169.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-24-768x432.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-24-1536x864.png 1536w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-24-355x199.png 355w, 
https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-24.png 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Here&#8217;s a <strong>comprehensive, hands-on tutorial<\/strong> to help you explore and experience all the features listed under the <strong>Secure section<\/strong> of GitLab using a sample project. The scanner jobs that run on the Free tier (SAST, Secret Detection, Container Scanning) only leave JSON report artifacts there; the pages under the Secure menu that aggregate findings are Ultimate features, so use an Ultimate project or trial to follow every step.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-25-1024x576.png\" alt=\"\" class=\"wp-image-49542\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-25-1024x576.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-25-300x169.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-25-768x432.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-25-1536x864.png 1536w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-25-355x199.png 355w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/05\/image-25.png 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd10 Full GitLab Secure Experience Guide (GitLab.com &#8211; Ultimate tier; Free runs only a few of the scanner jobs)<\/h2>\n\n\n\n<p><strong>\ud83e\uddea Sections Covered:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Security Dashboard<\/li>\n\n\n\n<li>Vulnerability Report<\/li>\n\n\n\n<li>Dependency List<\/li>\n\n\n\n<li>Audit Events<\/li>\n\n\n\n<li>Compliance Center<\/li>\n\n\n\n<li>Policies<\/li>\n\n\n\n<li>On-Demand Scans<\/li>\n\n\n\n<li>Security Configuration<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udce6 Sample Repo: 
<\/h3>\n\n\n\n<p><a href=\"https:\/\/gitlab.com\/gitlab-examples\/security-reports\" target=\"_blank\" rel=\"noopener\">gitlab-examples\/security-reports<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/gitlab.com\/gitlab-examples\/security\" target=\"_blank\" rel=\"noopener\">https:\/\/gitlab.com\/gitlab-examples\/security<\/a><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u2705 You\u2019ll fork this project and run security pipelines on it to explore all Secure features. Read its <code>.gitlab-ci.yml<\/code> first so you know which jobs produce which report artifacts.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udee0\ufe0f Prerequisites<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GitLab account. SAST, Secret Detection and Container Scanning jobs run on the Free tier but only leave JSON report artifacts; Dependency Scanning, DAST, fuzzing and every page under the Secure menu need Ultimate (an Ultimate trial on GitLab.com is enough for this guide)<\/li>\n\n\n\n<li>Fork access to <a href=\"https:\/\/gitlab.com\/gitlab-examples\/security-reports\" target=\"_blank\" rel=\"noopener\">gitlab-examples\/security-reports<\/a><\/li>\n\n\n\n<li>CI\/CD runners enabled (shared runners on GitLab.com are fine)<\/li>\n\n\n\n<li>Container registry enabled, plus a job that builds and pushes an image (if testing Container Scanning)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">\u2705 Step-by-Step Walkthrough<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd01 STEP 1: Fork the Repo<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Visit <a href=\"https:\/\/gitlab.com\/gitlab-examples\/security-reports\" target=\"_blank\" rel=\"noopener\">gitlab-examples\/security-reports<\/a><\/li>\n\n\n\n<li>Click <strong>Fork<\/strong><\/li>\n\n\n\n<li>Choose your namespace or group<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\u2699\ufe0f STEP 2: Enable Security Features<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Secure \u2192 Security Configuration<\/strong><\/li>\n\n\n\n<li>Enable each of the following. For SAST, Secret Detection and Dependency Scanning the page opens a merge request that adds the scanner&#8217;s template <code>include<\/code> to <code>.gitlab-ci.yml<\/code>; the others you add to <code>.gitlab-ci.yml<\/code> yourself:\n<ul class=\"wp-block-list\">\n<li>\u2705 SAST<\/li>\n\n\n\n<li>\u2705 Dependency Scanning<\/li>\n\n\n\n<li>\u2705 Secret Detection<\/li>\n\n\n\n<li>\u2705 DAST (needs a running copy of the application to attack: set <code>DAST_WEBSITE<\/code> or deploy to an environment with a URL, and only scan targets you are authorised to test)<\/li>\n\n\n\n<li>\u2705 Container Scanning (needs an image in a registry: a build job that pushes it, then <code>CS_IMAGE<\/code> pointing at it; the template defaults to <code>$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG<\/code>)<\/li>\n\n\n\n<li>\u2705 License Compliance (no separate job on current GitLab: license data comes from the Dependency Scanning SBOM and is enforced with a license approval policy under Secure \u2192 Policies)<\/li>\n\n\n\n<li>\u2705 Coverage Fuzzing (needs a fuzz target built against a supported engine such as libFuzzer)<\/li>\n\n\n\n<li>\u2705 API Fuzzing (needs a running API plus an OpenAPI spec, HAR file or Postman collection describing it)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>\ud83d\udca1 Tip<\/strong>: Auto DevOps is only used when a project has no <code>.gitlab-ci.yml<\/code>, so it cannot conflict with yours; still, turn it off under <code>Settings<\/code> \u2192 <code>CI\/CD<\/code> \u2192 <code>Auto DevOps<\/code> so every pipeline comes from the file you are editing.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\u25b6\ufe0f STEP 3: Trigger the Pipeline<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Push a commit or go to <strong>Build &gt; Pipelines<\/strong> and click <strong>Run pipeline<\/strong><\/li>\n\n\n\n<li>Wait for the full security pipeline to complete<\/li>\n\n\n\n<li>Each scanner job writes a JSON report (<code>gl-sast-report.json<\/code>, <code>gl-secret-detection-report.json<\/code>, <code>gl-dependency-scanning-report.json<\/code>, and so on) declared under <code>artifacts:reports<\/code>; GitLab ingests those reports into the Secure pages<\/li>\n\n\n\n<li>Only pipelines on the default branch feed the Vulnerability Report and Security Dashboard. A merge request pipeline shows its findings in the MR security widget, as a diff against the target branch<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udee1\ufe0f STEP 4: Explore Secure Menu Options<\/h3>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 1. <strong>Security Dashboard<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Navigate:<\/strong> <code>Secure &gt; Security Dashboard<\/code><\/li>\n\n\n\n<li>See:\n<ul class=\"wp-block-list\">\n<li>Project level: a trend chart of open vulnerabilities by severity over time, built from default-branch pipelines<\/li>\n\n\n\n<li>Group level (and the instance-wide Security Center): every project in the group with its open counts per severity, so you can rank projects by posture<\/li>\n\n\n\n<li>Merge request findings are not shown here; they live in the MR security widget<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 2. 
<strong>Vulnerability Report<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Navigate:<\/strong> <code>Secure &gt; Vulnerability Report<\/code><\/li>\n\n\n\n<li>View all findings from the latest default-branch pipeline:\n<ul class=\"wp-block-list\">\n<li>SAST, DAST, Container Scanning, Dependency Scanning, Secret Detection and fuzzing results in one list<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Use the filters to narrow by:\n<ul class=\"wp-block-list\">\n<li>Severity<\/li>\n\n\n\n<li>Tool (which scanner reported it)<\/li>\n\n\n\n<li>Status (Needs triage, Confirmed, Dismissed, Resolved)<\/li>\n\n\n\n<li>Activity (for example findings that already have an issue, or are no longer detected)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Open a finding to see its file location or URL, the evidence the scanner captured and its identifiers (CWE, CVE), and to change its status or create an issue from it<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 3. <strong>Dependency List<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Navigate:<\/strong> <code>Secure &gt; Dependency List<\/code><\/li>\n\n\n\n<li>Shows the project&#8217;s resolved dependencies, transitive ones included, built from the CycloneDX SBOM that Dependency Scanning produces; it therefore appears only after that job has run on the default branch<\/li>\n\n\n\n<li>The scanner reads lockfiles and resolved graphs (<code>package-lock.json<\/code>, <code>yarn.lock<\/code>, <code>Gemfile.lock<\/code>, <code>Pipfile.lock<\/code>, <code>poetry.lock<\/code>, <code>go.sum<\/code>; Maven and Gradle projects are resolved with a build), not just <code>package.json<\/code> or <code>pom.xml<\/code><\/li>\n\n\n\n<li>Any library with known vulnerabilities is flagged, with a link to the matching finding in the Vulnerability Report<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 4. <strong>Audit Events<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Navigate:<\/strong> <code>Secure &gt; Audit Events<\/code><\/li>\n\n\n\n<li>Shows:\n<ul class=\"wp-block-list\">\n<li>Group\/project-level permission changes (members added, removed or given a new role)<\/li>\n\n\n\n<li>Settings changes, including protected branches, deploy keys, CI\/CD variables and access tokens<\/li>\n\n\n\n<li>Sign-in attempts are not recorded here: find them in your user profile&#8217;s authentication log, or in instance-level audit events on self-managed GitLab<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Premium and Ultimate feature<\/strong> (project and group audit events start at the Premium tier)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 5. 
<strong>Compliance Center<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Navigate:<\/strong> <code>Secure &gt; Compliance Center<\/code> (a group-level page; open it from the group, not the project)<\/li>\n\n\n\n<li>Frameworks: label projects with a compliance framework. A framework can carry a compliance pipeline configuration that runs ahead of the project&#8217;s own pipeline; on recent releases this is deprecated in favour of pipeline execution policies under Secure \u2192 Policies<\/li>\n\n\n\n<li>Violations: flags merge requests that broke separation of duties, such as an author approving their own MR, a committer approving it, or fewer than two approvers<\/li>\n\n\n\n<li>Standards adherence: checks each project against a fixed checklist (at least two approvals, no author or committer approval, SAST and DAST running)<\/li>\n\n\n\n<li>Projects: see which framework each project carries and apply or remove frameworks in bulk<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 6. <strong>Policies<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Navigate:<\/strong> <code>Secure &gt; Policies<\/code><\/li>\n\n\n\n<li>Types of policies:\n<ul class=\"wp-block-list\">\n<li>Scan execution policies (e.g., always run secret detection, or run a scheduled scan, even if a developer removes the job from <code>.gitlab-ci.yml<\/code>)<\/li>\n\n\n\n<li>Merge request approval policies, formerly called scan result policies (e.g., require an AppSec approval when an MR introduces high or critical findings)<\/li>\n\n\n\n<li>Pipeline execution policies on recent releases (inject a CI configuration into every pipeline of the scoped projects)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Click \u201cNew policy\u201d and pick the type<\/li>\n\n\n\n<li>Use the editor, in Rule mode or .yaml mode, to define:\n<ul class=\"wp-block-list\">\n<li>Trigger condition (branches, pipeline or schedule, which scanners, severities and vulnerability states count)<\/li>\n\n\n\n<li>Actions (which scan to run, or how many approvals from which users, groups or roles are required)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Saving opens a merge request in the linked security policy project (created for you if none exists) that stores the policy as YAML in <code>.gitlab\/security-policies\/policy.yml<\/code>; the policy takes effect once that MR is merged<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 7. <strong>On-Demand Scans<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Navigate:<\/strong> <code>Secure &gt; On-Demand Scans<\/code><\/li>\n\n\n\n<li>Great for ad hoc DAST scans of a web application or an API, run now or on a schedule<\/li>\n\n\n\n<li>Choose:\n<ul class=\"wp-block-list\">\n<li>A site profile: the target URL (or, for an API target, its OpenAPI spec, HAR file or Postman collection), plus authentication and excluded URLs<\/li>\n\n\n\n<li>A scanner profile: passive or active scan, spider timeout and target timeout<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>No change to <code>.gitlab-ci.yml<\/code> is required, but the scan still runs as a pipeline job on your runners, and its findings land in the Vulnerability Report like any other DAST result<\/li>\n\n\n\n<li>An active scan sends attack payloads, so GitLab requires the site profile to be validated (proving you control the target) before it will run one<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 8. 
<strong>Security Configuration<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Navigate:<\/strong> <code>Secure &gt; Security Configuration<\/code><\/li>\n\n\n\n<li>Lists every scanner with an Enabled or Not enabled status, judged from whether its job ran in the latest default-branch pipeline<\/li>\n\n\n\n<li>Per-scanner buttons either open a merge request that adds the template include (SAST, Secret Detection, Dependency Scanning), open the SAST configuration form for analyzer variables, or manage DAST site and scanner profiles<\/li>\n\n\n\n<li>It does not schedule scans or set timeouts: scan behaviour is controlled by CI\/CD variables in <code>.gitlab-ci.yml<\/code> (such as <code>SAST_EXCLUDED_PATHS<\/code>, <code>DAST_WEBSITE<\/code>, <code>CS_IMAGE<\/code>), by DAST profiles, or by a scan execution policy<\/li>\n\n\n\n<li>The Vulnerability Management tab turns on security training links (for example from Secure Code Warrior) on each finding<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd04 OPTIONAL: Enable Advanced Features<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>License compliance: the standalone License Scanning job has been removed from current GitLab. Run Dependency Scanning, then add a <strong>license approval policy<\/strong> under Secure \u2192 Policies that lists the licenses you deny<\/li>\n\n\n\n<li>Build &amp; scan Docker images: add a <code>build<\/code> job that pushes to the project&#8217;s container registry, include the Container Scanning template, and set <code>CS_IMAGE<\/code> to that image \u2192 View <strong>Container Scanning<\/strong> results<\/li>\n\n\n\n<li>Add intentionally vulnerable code or old, pinned library versions on a branch, open a merge request, and compare the MR security widget with the Vulnerability Report after merging; keep such fixtures out of the default branch of any real project<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udcca STEP 5: Automate Reporting (Optional)<\/h2>\n\n\n\n<p>GitLab does not email vulnerability reports on its own; you can <strong>export results<\/strong> from the UI or pull them via the API on a schedule:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Vulnerability Report \u2192 <strong>Export<\/strong> downloads the current list as CSV<\/li>\n\n\n\n<li><a href=\"https:\/\/docs.gitlab.com\/ee\/api\/vulnerabilities.html\" target=\"_blank\" rel=\"noopener\">GitLab Vulnerability API<\/a> (the REST endpoint is deprecated; use the paginated GraphQL <code>project.vulnerabilities<\/code> query with a project access token that has the <code>read_api<\/code> scope)<\/li>\n\n\n\n<li>Export JSON \u2192 Use in dashboards like Grafana or Google Sheets<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udcda Learning Summary<\/h2>\n\n\n\n<p>By the end of this guide, you\u2019ve:<\/p>\n\n\n\n<p>\u2714\ufe0f Enabled the full suite of GitLab Secure features<br>\u2714\ufe0f Explored each report and dashboard<br>\u2714\ufe0f Configured On-Demand Scans and Policies<br>\u2714\ufe0f Seen real security results and remediation guidance<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here&#8217;s a comprehensive, hands-on tutorial to help you explore and experience all the features listed under the 
Secure section of GitLab using a sample project. \ud83d\udd10 Full GitLab Secure Experience Guide (GitLab SaaS &#8211; Free or Ultimate Tier) \ud83e\uddea Sections Covered: \ud83d\udce6 Sample Repo: gitlab-examples\/security-reports https:\/\/gitlab.com\/gitlab-examples\/security \u2705 You\u2019ll fork and run security pipelines on this&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-49539","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=49539"}],"version-history":[{"count":6,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49539\/revisions"}],"predecessor-version":[{"id":58993,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49539\/revisions\/58993"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=49539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=49539"},{"taxonomy":"post_
tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=49539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
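Added example for Steps 2 and 3 of the guide: the .gitlab-ci.yml you end up with once the scanners are wired in. This is not the sample repository's own pipeline file. It assumes the application is built into an image by the build job shown, that a staging copy is reachable at https://staging.example.com (a placeholder; scan only targets you are authorised to test), and that the API description is committed as openapi.json (also a placeholder). The template names are GitLab's own, and the stage names are the ones those templates expect.

```yaml
# Added example: the .gitlab-ci.yml that Steps 2 and 3 leave you with.
# Not the sample repository's own pipeline file.
# Assumptions: the app is built into an image by the `build` job below,
# a staging deployment is reachable at https://staging.example.com
# (placeholder: scan only targets you are authorised to test), and the
# API description is committed as openapi.json (placeholder file name).

stages:
  - build
  - test   # SAST, Secret Detection, Dependency Scanning, Container Scanning
  - dast   # the DAST job, after the application is deployed
  - fuzz   # API Fuzzing (Coverage Fuzzing would run here too)

include:
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/Container-Scanning.gitlab-ci.yml
  - template: DAST.gitlab-ci.yml
  - template: API-Fuzzing.gitlab-ci.yml

variables:
  # Container Scanning: scan exactly the tag the build job pushed.
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  # DAST: passive scan of the staging site. DAST_FULL_SCAN_ENABLED: 'true'
  # turns on active attacks; only do that against systems you own.
  DAST_WEBSITE: https://staging.example.com
  # API Fuzzing: where the API lives and which spec describes it.
  FUZZAPI_TARGET_URL: https://staging.example.com
  FUZZAPI_OPENAPI: openapi.json
  FUZZAPI_PROFILE: Quick-10
  # Secret Detection: scan the whole git history once (slow on large
  # repositories; run it on a manual pipeline, then drop the variable).
  SECRET_DETECTION_HISTORIC_SCAN: 'true'
  # SAST: skip test fixtures and vendored code to cut noise.
  SAST_EXCLUDED_PATHS: spec, test, tests, tmp, vendor

build:
  stage: build
  image: docker:27
  services:
    - docker:27-dind
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker build -t $CS_IMAGE .
    - docker push $CS_IMAGE
```

Push this to a branch and open a merge request to see the MR security widget; merge it so the default-branch pipeline populates the Vulnerability Report and Dependency List. The Dependency Scanning, DAST and API Fuzzing jobs need Ultimate; the templates' own rules skip them when the feature is not licensed.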
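Added example for section 6 (Policies): the policy-as-code file that the Secure > Policies editor writes for you, with one scan execution policy per trigger type and one merge request approval policy. This is not the sample project's policy. It lives in the linked security policy project at .gitlab/security-policies/policy.yml; the editor's .yaml mode validates against the schema of your GitLab version, so paste it there rather than committing it blind. The group appsec-reviewers and the image tag used by the nightly scan are assumed placeholders.

```yaml
# Added example of the policy file behind Secure > Policies.
# Not the sample project's policy. Stored in the security policy project as
# .gitlab/security-policies/policy.yml. 'appsec-reviewers' and the
# CS_IMAGE tag are assumed placeholders; validate in the editor's .yaml mode.

scan_execution_policy:
  - name: Secret detection and SAST on every pipeline
    description: Runs even if someone removes the jobs from .gitlab-ci.yml
    enabled: true
    rules:
      - type: pipeline
        branch_type: all
    actions:
      - scan: secret_detection
      - scan: sast

  - name: Nightly dependency and container scan of the default branch
    description: Catches advisories published after the last commit
    enabled: true
    rules:
      - type: schedule
        cadence: '0 2 * * *'   # 02:00 UTC every day
        branches:
          - main
    actions:
      - scan: dependency_scanning
      - scan: container_scanning
        variables:
          CS_IMAGE: $CI_REGISTRY_IMAGE:latest   # assumed tag of the deployed image

approval_policy:   # this key was scan_result_policy before GitLab 16.9
  - name: AppSec approval for new high or critical findings
    description: MRs into main that introduce high or critical findings need one AppSec approval
    enabled: true
    rules:
      - type: scan_finding
        branches:
          - main
        scanners:
          - sast
          - secret_detection
          - dependency_scanning
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
        vulnerability_states:   # only findings the MR introduces, not the existing backlog
          - new_needs_triage
          - new_dismissed
    actions:
      - type: require_approval
        approvals_required: 1
        group_approvers:
          - appsec-reviewers
```

The approval policy counts new_dismissed as well as new_needs_triage so a developer cannot satisfy it by dismissing the finding in the MR widget; only a member of the approver group can let the change through. The scan execution policies run alongside whatever .gitlab-ci.yml declares, so a project that drops its SAST job still gets scanned.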
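Added example for Step 5 (Automate Reporting): a scheduled CI job that pulls every open vulnerability of the project through the GraphQL API, the supported replacement for the deprecated REST endpoint linked above, and keeps the result as a pipeline artifact for Grafana, a spreadsheet or a ticketing sync. This is not code from the original post. It assumes a project access token with the read_api scope stored as the masked, protected CI/CD variable VULN_EXPORT_TOKEN (an assumed name); CI_API_GRAPHQL_URL and CI_PROJECT_PATH are GitLab's predefined variables.

```yaml
# Added example, not from the original post: scheduled export of open
# vulnerabilities over GraphQL. Assumes a project access token (read_api)
# in the masked, protected variable VULN_EXPORT_TOKEN (assumed name).
export_vulnerabilities:
  stage: test
  image: alpine:3.20
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"   # run from Build > Pipeline schedules
  before_script:
    - apk add --no-cache curl jq
  script:
    - |
      # Cursor-paginated query: GraphQL returns at most 100 nodes per page,
      # so the loop walks pageInfo.endCursor until hasNextPage is false.
      QUERY='query($path: ID!, $after: String) {
        project(fullPath: $path) {
          vulnerabilities(first: 100, after: $after, state: [DETECTED, CONFIRMED]) {
            pageInfo { hasNextPage endCursor }
            nodes {
              id title severity state reportType detectedAt
              location { ... on VulnerabilityLocationSast { file startLine } }
            }
          }
        }
      }'
      after=null
      : > vulnerabilities.ndjson
      while :; do
        body=$(jq -n --arg q "$QUERY" --arg p "$CI_PROJECT_PATH" --argjson a "$after" \
               '{query: $q, variables: {path: $p, after: $a}}')
        page=$(curl -sS --fail -H "Authorization: Bearer $VULN_EXPORT_TOKEN" \
               -H 'Content-Type: application/json' -d "$body" "$CI_API_GRAPHQL_URL")
        # GraphQL reports bad tokens or paths as HTTP 200 with an errors array.
        echo "$page" | jq -e '.errors == null' > /dev/null || { echo "$page"; exit 1; }
        echo "$page" | jq -c '.data.project.vulnerabilities.nodes[]' >> vulnerabilities.ndjson
        [ "$(echo "$page" | jq -r '.data.project.vulnerabilities.pageInfo.hasNextPage')" = true ] || break
        after=$(echo "$page" | jq '.data.project.vulnerabilities.pageInfo.endCursor')
      done
      # Severity histogram in the job log; the full list is the artifact.
      jq -s 'group_by(.severity) | map({severity: .[0].severity, count: length})' vulnerabilities.ndjson
  artifacts:
    paths:
      - vulnerabilities.ndjson
    expire_in: 30 days
```

Create the schedule under Build > Pipeline schedules on the default branch; because the job is gated on $CI_PIPELINE_SOURCE it stays out of ordinary commit and merge request pipelines. The token should belong to the project, not to a person, so the export keeps working when people leave.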