# Dependency Scanning
> 原文:[https://docs.gitlab.com/ee/user/application_security/dependency_scanning/](https://docs.gitlab.com/ee/user/application_security/dependency_scanning/)
* [Overview](#overview)
* [Requirements](#requirements)
* [Supported languages and package managers](#supported-languages-and-package-managers)
* [Contribute your scanner](#contribute-your-scanner)
* [Configuration](#configuration)
* [Customizing the Dependency Scanning settings](#customizing-the-dependency-scanning-settings)
* [Overriding Dependency Scanning jobs](#overriding-dependency-scanning-jobs)
* [Available variables](#available-variables)
* [Configuring Dependency Scanning](#configuring-dependency-scanning)
* [Configuring Docker-in-Docker orchestrator](#configuring-docker-in-docker-orchestrator)
* [Configuring specific analyzers used by Dependency Scanning](#configuring-specific-analyzers-used-by-dependency-scanning)
* [Using private Maven repos](#using-private-maven-repos)
* [Enabling Docker-in-Docker](#enabling-docker-in-docker)
* [Interacting with the vulnerabilities](#interacting-with-the-vulnerabilities)
* [Solutions for vulnerabilities (auto-remediation)](#solutions-for-vulnerabilities-auto-remediation)
* [Security Dashboard](#security-dashboard)
* [Vulnerabilities database update](#vulnerabilities-database-update)
* [Dependency List](#dependency-list)
* [Reports JSON format](#reports-json-format)
* [Versioning and release process](#versioning-and-release-process)
* [Contributing to the vulnerability database](#contributing-to-the-vulnerability-database)
* [Running Dependency Scanning in an offline environment](#running-dependency-scanning-in-an-offline-environment)
* [Requirements for offline Dependency Scanning](#requirements-for-offline-dependency-scanning)
* [Make GitLab Dependency Scanning analyzer images available inside your Docker registry](#make-gitlab-dependency-scanning-analyzer-images-available-inside-your-docker-registry)
* [Set Dependency Scanning CI job variables to use local Dependency Scanning analyzers](#set-dependency-scanning-ci-job-variables-to-use-local-dependency-scanning-analyzers)
* [Specific settings for languages and package managers](#specific-settings-for-languages-and-package-managers)
* [JavaScript (npm and yarn) projects](#javascript-npm-and-yarn-projects)
* [Ruby (gem) projects](#ruby-gem-projects)
* [Python (setuptools)](#python-setuptools)
* [Limitations](#limitations)
* [Referencing local dependencies using a path in JavaScript projects](#referencing-local-dependencies-using-a-path-in-javascript-projects)
* [Troubleshooting](#troubleshooting)
* [`Error response from daemon: error processing tar file: docker-tar: relocation error`](#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error)
# Dependency Scanning[](#dependency-scanning-ultimate "Permalink")
[Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5105) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.7.
在開發和測試應用程序時,例如當應用程序使用已知的易受攻擊的外部(開源)庫時,"依賴關系掃描"有助于自動在依賴項中查找安全漏洞.
## Overview[](#overview "Permalink")
如果您使用的是[GitLab CI / CD](../../../ci/README.html) ,則可以使用"依賴關系掃描"來分析依賴關系中的已知漏洞. 掃描所有依賴項,包括傳遞性依賴項(也稱為嵌套依賴項). 您可以通過在現有`.gitlab-ci.yml`文件中[包括依賴掃描模板](#configuration) ,或通過隱式使用[Auto DevOps](../../../topics/autodevops/index.html)提供的[自動依賴掃描](../../../topics/autodevops/stages.html#auto-dependency-scanning-ultimate)來利用[依賴掃描](../../../topics/autodevops/stages.html#auto-dependency-scanning-ultimate) .
GitLab 檢查"依賴性掃描"報告,比較發現的源分支和目標分支之間的漏洞,并顯示有關合并請求的信息.
[](img/dependency_scanning_v13_2.png)
結果按漏洞的嚴重性排序:
1. Critical
2. High
3. Medium
4. Low
5. Unknown
6. 其他一切
## Requirements[](#requirements "Permalink")
要運行依賴掃描作業,默認情況下,你需要 GitLab 亞軍與[`docker`](https://docs.gitlab.com/runner/executors/docker.html)或[`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html)執行. 如果您在 GitLab.com 上使用共享的 Runners,則默認啟用該功能.
**注意:**如果使用自己的 Runners,請確保已安裝的 Docker 版本**不是** `19.03.0` . 有關詳細[信息](#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error) ,請參見[故障排除信息](#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error) .
從 GitLab 13.0 開始,僅當您已[啟用 Docker-in-Docker 進行依賴項掃描](#enabling-docker-in-docker)時,才需要 Docker 特權模式.
## Supported languages and package managers[](#supported-languages-and-package-managers "Permalink")
GitLab 依賴于[`rules`](../../../ci/yaml/README.html#rules)來啟動相關分析器,具體取決于存儲庫中檢測到的語言. 當前的檢測邏輯將最大搜索深度限制為兩個級別. 例如,如果存儲庫包含`Gemfile`或`api/Gemfile`文件,則啟用`gemnasium-dependency_scanning`作業,但如果唯一受支持的依賴性文件是`api/client/Gemfile` .
支持以下語言和依賴項管理器:
| 語言(程序包管理器) | 支援的檔案 | 掃描工具 |
| --- | --- | --- |
| Java ([Gradle](https://s0gradle0org.icopy.site/), [Maven](https://maven.apache.org/)) | `build.gradle`, `build.gradle.kts`, `pom.xml` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) |
| JavaScript( [npm](https://s0www0npmjs0com.icopy.site/) , [yarn](https://classic.yarnpkg.com/en/) ) | `package-lock.json`, `npm-shrinkwrap.json`, `yarn.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium), [Retire.js](https://retirejs.github.io/retire.js/) |
| 去( [Golang](https://s0golang0org.icopy.site/) ) | `go.sum` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) |
| PHP( [作曲家](https://s0getcomposer0org.icopy.site/) ) | `composer.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) |
| Python( [setuptools](https://setuptools.readthedocs.io/en/latest/) , [pip](https://pip.pypa.io/en/stable/) , [Pipenv](https://pipenv.pypa.io/en/latest/) ) | `setup.py`, `requirements.txt`, `requirements.pip`, `requires.txt`, `Pipfile` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) |
| 紅寶石( [Bundler](https://bundler.io/) ) | `Gemfile.lock`, `gems.locked` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium), [bundler-audit](https://github.com/rubysec/bundler-audit) |
| Scala( [sbt](https://www.scala-sbt.org/) ) | `build.sbt` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) |
正在制定支持以下語言,依賴性管理器和依賴性文件的計劃. 有關詳細信息,請參見每個的問題鏈接.
| 語言(程序包管理器) | 支援的檔案 | 掃描工具 | Issue |
| --- | --- | --- | --- |
| Python( [詩歌](https://python-poetry.org/) ) | `poetry.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) | [GitLab#7006](https://gitlab.com/gitlab-org/gitlab/-/issues/7006) |
| Python( [Pipenv](https://pipenv.pypa.io/en/latest/) ) | `Pipfile.lock` | [Gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) | [GitLab#11756](https://gitlab.com/gitlab-org/gitlab/-/issues/11756) |
## Contribute your scanner[](#contribute-your-scanner "Permalink")
[安全掃描程序集成](../../../development/integrations/secure.html)文檔說明了如何將其他安全掃描[程序集成](../../../development/integrations/secure.html)到 GitLab 中.
## Configuration[](#configuration "Permalink")
To enable Dependency Scanning for GitLab 11.9 and later, you must [include](../../../ci/yaml/README.html#includetemplate) the [`Dependency-Scanning.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml) that’s provided as a part of your GitLab installation. For GitLab versions earlier than 11.9, you can copy and use the job as defined that template.
將以下內容添加到您的`.gitlab-ci.yml`文件中:
```
include:
- template: Dependency-Scanning.gitlab-ci.yml
```
隨附的模板將在 CI / CD 管道中創建"依賴關系掃描"作業,并掃描項目的源代碼以查找可能的漏洞. 結果將保存為" [依賴關系掃描"報告工件](../../../ci/pipelines/job_artifacts.html#artifactsreportsdependency_scanning-ultimate) ,您以后可以下載和分析該[工件](../../../ci/pipelines/job_artifacts.html#artifactsreportsdependency_scanning-ultimate) . 由于實施限制,我們始終采用最新的"依賴關系掃描"工件.
### Customizing the Dependency Scanning settings[](#customizing-the-dependency-scanning-settings "Permalink")
可以使用`.gitlab-ci.yml`的[`variables`](../../../ci/yaml/README.html#variables)參數通過[環境變量](#available-variables)來更改"依賴項掃描"設置. 例如:
```
include:
- template: Dependency-Scanning.gitlab-ci.yml
variables:
DS_PYTHON_VERSION: 2
```
因為模板是[在](../../../ci/yaml/README.html#include)管道配置[之前評估](../../../ci/yaml/README.html#include)的,所以最后提到的變量將具有優先權.
### Overriding Dependency Scanning jobs[](#overriding-dependency-scanning-jobs "Permalink")
**棄用:**從 GitLab 13.0 開始,不再支持[`only`和`except`](../../../ci/yaml/README.html#onlyexcept-basic)的使用. 覆蓋模板時,必須使用[`rules`](../../../ci/yaml/README.html#rules) .
要覆蓋作業定義(例如,更改諸如`variables`或`dependencies`類的屬性),請聲明一個與要覆蓋的作業同名的新作業. 將此新作業放置在包含模板之后,并在其下指定其他任何鍵. 例如,這將禁用`DS_REMEDIATE`為`gemnasium`分析器:
```
include:
- template: Dependency-Scanning.gitlab-ci.yml
gemnasium-dependency_scanning:
variables:
DS_REMEDIATE: "false"
```
### Available variables[](#available-variables "Permalink")
可以使用環境變量[配置](#customizing-the-dependency-scanning-settings)依賴性掃描.
#### Configuring Dependency Scanning[](#configuring-dependency-scanning "Permalink")
以下變量允許配置全局依賴項掃描設置.
| 環境變量 | Description |
| --- | --- |
| `SECURE_ANALYZERS_PREFIX` | 覆蓋提供正式默認映像(代理)的 Docker 注冊表名稱. 閱讀有關[自定義分析器的](analyzers.html)更多信息. |
| `DS_DEFAULT_ANALYZERS` | 覆蓋正式默認圖像的名稱. 閱讀有關[自定義分析器的](analyzers.html)更多信息. |
| `DS_DISABLE_DIND` | 禁用 Docker-in-Docker 并[單獨](#enabling-docker-in-docker)運行分析器. 默認情況下,此變量為`true` . |
| `ADDITIONAL_CA_CERT_BUNDLE` | 捆綁的 CA 證書可信任. |
| `DS_EXCLUDED_PATHS` | 根據路徑從輸出中排除漏洞. 以逗號分隔的模式列表. 模式可以是全局變量,也可以是文件或文件夾路徑(例如`doc,spec` ). 父目錄也匹配模式. 默認值: `"spec, test, tests, tmp"` |
| `SECURE_LOG_LEVEL` | 默認日志級別為`info` ,您可以將其設置為以下任意字符串: `fatal` , `error` , `warn` , `info` , `debug` . |
#### Configuring Docker-in-Docker orchestrator[](#configuring-docker-in-docker-orchestrator "Permalink")
以下變量配置 Docker-in-Docker 協調器,因此僅在[啟用](#enabling-docker-in-docker) Docker-in-Docker 模式時才使用.
| 環境變量 | Default | Description |
| --- | --- | --- |
| `DS_ANALYZER_IMAGES` | ? | 以逗號分隔的自定義圖像列表. 官方默認圖像仍處于啟用狀態. 閱讀有關[自定義分析器的](analyzers.html)更多信息. |
| `DS_ANALYZER_IMAGE_TAG` | ? | 覆蓋官方默認映像的 Docker 標簽. 閱讀有關[自定義分析器的](analyzers.html)更多信息. |
| `DS_PULL_ANALYZER_IMAGES` | ? | 從 Docker 注冊表中提取映像(設置為`0`以禁用). |
| `DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT` | 2m | Docker 客戶端協商的時間限制. 使用 Go 的[`ParseDuration`](https://s0golang0org.icopy.site/pkg/time/)解析超時. 有效時間單位為`ns` , `us` (或`μs` ), `ms` , `s` , `m`或`h` . 例如`300ms` , `1.5h`或`2h45m` . |
| `DS_PULL_ANALYZER_IMAGE_TIMEOUT` | 5m | 拉取分析儀圖像的時間限制. 使用 Go 的[`ParseDuration`](https://s0golang0org.icopy.site/pkg/time/)解析超時. 有效時間單位為`ns` , `us` (或`μs` ), `ms` , `s` , `m`或`h` . 例如`300ms` , `1.5h`或`2h45m` . |
| `DS_RUN_ANALYZER_TIMEOUT` | 20m | 運行分析儀的時間限制. 使用 Go 的[`ParseDuration`](https://s0golang0org.icopy.site/pkg/time/)解析超時. 有效時間單位為`ns` , `us` (或`μs` ), `ms` , `s` , `m`或`h` . 例如`300ms` , `1.5h`或`2h45m` . |
#### Configuring specific analyzers used by Dependency Scanning[](#configuring-specific-analyzers-used-by-dependency-scanning "Permalink")
以下變量用于配置特定的分析器(用于特定的語言/框架).
| Environment variable | Analyzer | Default | Description |
| --- | --- | --- | --- |
| `GEMNASIUM_DB_LOCAL_PATH` | `gemnasium` | `/gemnasium-db` | 本地 Gemnasium 數據庫的路徑. |
| `GEMNASIUM_DB_REMOTE_URL` | `gemnasium` | `https://gitlab.com/gitlab-org/security-products/gemnasium-db.git` | 用于獲取 Gemnasium 數據庫的存儲庫 URL. |
| `GEMNASIUM_DB_REF_NAME` | `gemnasium` | `master` | 遠程存儲庫數據庫的分支名稱. 需要`GEMNASIUM_DB_REMOTE_URL` . |
| `DS_REMEDIATE` | `gemnasium` | `"true"` | 啟用對弱勢依賴項的自動修復. |
| `PIP_INDEX_URL` | `gemnasium-python` | `https://pypi.org/simple` | Python 軟件包索引的基本 URL. |
| `PIP_EXTRA_INDEX_URL` | `gemnasium-python` | ? | 除`PIP_INDEX_URL`之外, `PIP_INDEX_URL`使用包索引的其他[URL](https://pip.pypa.io/en/stable/reference/pip_install/#cmdoption-extra-index-url)數組. 以逗號分隔. |
| `PIP_REQUIREMENTS_FILE` | `gemnasium-python` | ? | 要掃描的點子要求文件. |
| `DS_PIP_VERSION` | `gemnasium-python` | ? | 強制安裝特定的 pip 版本(例如: `"19.3"` ),否則將使用 Docker 映像中安裝的 pip. (在 GitLab 12.7 中[引入](https://gitlab.com/gitlab-org/gitlab/-/issues/12811) ) |
| `DS_PIP_DEPENDENCY_PATH` | `gemnasium-python` | ? | 從中加載 Python pip 依賴項的路徑. (在 GitLab 12.2 中[引入](https://gitlab.com/gitlab-org/gitlab/-/issues/12412) ) |
| `DS_PYTHON_VERSION` | `retire.js` | ? | Python 版本. 如果設置為 2,則將使用 Python 2.7 而非 Python 3.6 安裝依賴項. (在 GitLab 12.1 中[引入](https://gitlab.com/gitlab-org/gitlab/-/issues/12296) ) |
| `DS_JAVA_VERSION` | `gemnasium-maven` | `11` | Java 版本. 可用版本: `8` , `11` , `13` , `14` . Maven 和 Gradle 將使用此值指定的 Java 版本. |
| `MAVEN_CLI_OPTS` | `gemnasium-maven` | `"-DskipTests --batch-mode"` | 分析器將傳遞給`maven`的命令行參數列表. 請參閱[使用私有存儲庫](../index.html#using-private-maven-repos)的示例. |
| `GRADLE_CLI_OPTS` | `gemnasium-maven` | ? | 分析器將傳遞給`gradle`的命令行參數列表. |
| `SBT_CLI_OPTS` | `gemnasium-maven` | ? | 分析器將傳遞給`sbt`的命令行參數列表. |
| `BUNDLER_AUDIT_UPDATE_DISABLED` | `bundler-audit` | `"false"` | 禁用`bundler-audit`分析器的自動更新. 如果您在脫機的空白環境中運行"依賴性掃描",則很有用. |
| `BUNDLER_AUDIT_ADVISORY_DB_URL` | `bundler-audit` | `https://github.com/rubysec/ruby-advisory-db` | bundler-audit 使用的咨詢數據庫的 URL. |
| `BUNDLER_AUDIT_ADVISORY_DB_REF_NAME` | `bundler-audit` | `master` | `BUNDLER_AUDIT_ADVISORY_DB_URL`指定的咨詢數據庫的 Git ref. |
| `RETIREJS_JS_ADVISORY_DB` | `retire.js` | `https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json` | `retire.js` JS 漏洞數據文件的路徑或 URL. 請注意,如果托管數據文件的 URL 使用自定義 SSL 證書(例如在脫機安裝中),則可以在`ADDITIONAL_CA_CERT_BUNDLE`環境變量中傳遞證書. |
| `RETIREJS_NODE_ADVISORY_DB` | `retire.js` | `https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json` | `retire.js`節點漏洞數據文件的路徑或 URL. 請注意,如果托管數據文件的 URL 使用自定義 SSL 證書(例如在脫機安裝中),則可以在`ADDITIONAL_CA_CERT_BUNDLE`環境變量中傳遞證書. |
| `RETIREJS_ADVISORY_DB_INSECURE` | `retire.js` | `false` | 啟用使用不安全或自簽名 SSL(TLS)證書從主機獲取遠程 JS 和 Node 漏洞數據文件(由`RETIREJS_JS_ADVISORY_DB`和`RETIREJS_NODE_ADVISORY_DB`變量定義)的功能. |
### Using private Maven repos[](#using-private-maven-repos "Permalink")
如果您的私有 Maven 存儲庫需要登錄憑據,則可以使用`MAVEN_CLI_OPTS`環境變量.
閱讀有關[如何使用私有 Maven 存儲庫的](../index.html#using-private-maven-repos)更多[信息](../index.html#using-private-maven-repos) .
### Enabling Docker-in-Docker[](#enabling-docker-in-docker "Permalink")
在 GitLab Ultimate 12.5 中[引入](https://gitlab.com/gitlab-org/gitlab/-/issues/12487) .
如果需要,可以啟用 Docker-in-Docker 來還原 GitLab 13.0 之前存在的 Dependency Scanning 行為. 請按照以下步驟操作:
1. 在[特權模式下](https://docs.gitlab.com/runner/executors/docker.html)使用 Docker-in-Docker 配置 GitLab Runner.
2. Set the `DS_DISABLE_DIND` variable to `false`:
```
include:
- template: Dependency-Scanning.gitlab-ci.yml
variables:
DS_DISABLE_DIND: "false"
```
這將在您的 CI / CD 管道中創建一個`dependency_scanning`作業,而不是多個`<analyzer-name>-dependency_scanning`作業.
## Interacting with the vulnerabilities[](#interacting-with-the-vulnerabilities "Permalink")
一旦發現漏洞,便可以與其進行交互. 閱讀有關如何[與漏洞](../index.html#interacting-with-the-vulnerabilities)進行[交互的](../index.html#interacting-with-the-vulnerabilities)更多信息.
## Solutions for vulnerabilities (auto-remediation)[](#solutions-for-vulnerabilities-auto-remediation "Permalink")
可以通過應用 GitLab 自動生成的解決方案來修復某些漏洞. 閱讀有關[漏洞解決方案的](../index.html#solutions-for-vulnerabilities-auto-remediation)更多信息.
## Security Dashboard[](#security-dashboard "Permalink")
在"安全儀表板"中,您可以概覽您的組,項目和管道中的所有安全漏洞. 閱讀有關[安全儀表板的](../security_dashboard/index.html)更多[信息](../security_dashboard/index.html) .
## Vulnerabilities database update[](#vulnerabilities-database-update "Permalink")
有關漏洞數據庫更新的更多信息,請查看[維護表](../index.html#maintenance-and-update-of-the-vulnerabilities-database) .
## Dependency List[](#dependency-list "Permalink")
依賴項掃描的另一個好處是能夠查看項目的依賴項及其已知漏洞. 閱讀有關[依賴列表的](../dependency_list/index.html)更多信息.
## Reports JSON format[](#reports-json-format "Permalink")
依賴關系掃描工具將發出 JSON 報告文件. 有關更多信息,請參見此[報告](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/dependency-scanning-report-format.json)的[架構](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/dependency-scanning-report-format.json) .
這是一個示例依賴性掃描報告:
```
{ "version": "2.0", "vulnerabilities": [ { "id": "51e83874-0ff6-4677-a4c5-249060554eae", "category": "dependency_scanning", "name": "Regular Expression Denial of Service", "message": "Regular Expression Denial of Service in debug", "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.", "severity": "Unknown", "solution": "Upgrade to latest versions.", "scanner": { "id": "gemnasium", "name": "Gemnasium" }, "location": { "file": "yarn.lock", "dependency": { "package": { "name": "debug" }, "version": "1.0.5" } }, "identifiers": [ { "type": "gemnasium", "name": "Gemnasium-37283ed4-0380-40d7-ada7-2d994afcc62a", "value": "37283ed4-0380-40d7-ada7-2d994afcc62a", "url": "https://deps.sec.gitlab.com/packages/npm/debug/versions/1.0.5/advisories" } ], "links": [ { "url": "https://nodesecurity.io/advisories/534" }, { "url": "https://github.com/visionmedia/debug/issues/501" }, { "url": "https://github.com/visionmedia/debug/pull/504" } ] }, { "id": "5d681b13-e8fa-4668-957e-8d88f932ddc7", "category": "dependency_scanning", "name": "Authentication bypass via incorrect DOM traversal and canonicalization", "message": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js", "description": "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.\r\n\r\nA remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.", "severity": "Unknown", "solution": "Upgrade to fixed version.\r\n", "scanner": { "id": "gemnasium", "name": "Gemnasium" }, "location": { "file": "yarn.lock", "dependency": { "package": { "name": "saml2-js" }, "version": "1.5.0" } }, "identifiers": [ { "type": "gemnasium", "name": "Gemnasium-9952e574-7b5b-46fa-a270-aeb694198a98", "value": "9952e574-7b5b-46fa-a270-aeb694198a98", "url": "https://deps.sec.gitlab.com/packages/npm/saml2-js/versions/1.5.0/advisories" }, { "type": "cve", "name": "CVE-2017-11429", "value": "CVE-2017-11429", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429" } ], "links": [ { "url": "https://github.com/Clever/saml2/commit/3546cb61fd541f219abda364c5b919633609ef3d#diff-af730f9f738de1c9ad87596df3f6de84R279" }, { "url": "https://github.com/Clever/saml2/issues/127" }, { "url": "https://www.kb.cert.org/vuls/id/475445" } ] } ], "remediations": [ { "fixes": [ { "id": "5d681b13-e8fa-4668-957e-8d88f932ddc7", } ], "summary": "Upgrade saml2-js", "diff": "ZGlmZiAtLWdpdCBhL...OR0d1ZUc2THh3UT09Cg==" // some content is omitted for brevity } ] }
```
## Versioning and release process[](#versioning-and-release-process "Permalink")
請檢查[發布過程文檔](https://gitlab.com/gitlab-org/security-products/release/blob/master/docs/release_process.md) .
## Contributing to the vulnerability database[](#contributing-to-the-vulnerability-database "Permalink")
您可以搜索[gemnasium-db](https://gitlab.com/gitlab-org/security-products/gemnasium-db)項目,以在 Gemnasium 數據庫中找到漏洞. 您還可以[提交新漏洞](https://gitlab.com/gitlab-org/security-products/gemnasium-db/blob/master/CONTRIBUTING.md) .
## Running Dependency Scanning in an offline environment[](#running-dependency-scanning-in-an-offline-environment "Permalink")
對于在通過 Internet 限制,限制或間歇性訪問外部資源的環境中進行自我管理的 GitLab 實例,需要進行一些調整才能使"依賴關系掃描"作業成功運行. 有關更多信息,請參閱[脫機環境](../offline_deployments/index.html) .
### Requirements for offline Dependency Scanning[](#requirements-for-offline-dependency-scanning "Permalink")
以下是在脫機環境中使用依賴關系掃描的要求:
* Keep Docker-In-Docker disabled (default).
* GitLab 亞軍與[`docker`或`kubernetes`執行](#requirements) .
* Docker 容器注冊表以及 Dependency Scanning [分析器](https://gitlab.com/gitlab-org/security-products/analyzers)映像的本地可用副本.
* 托管[gemnasium-db 咨詢數據庫](https://gitlab.com/gitlab-org/security-products/gemnasium-db/)的脫機 Git 副本
* *僅在掃描 Ruby 項目時* :托管[咨詢數據庫](https://github.com/rubysec/ruby-advisory-db)的脫機 Git 副本.
* *僅在掃描 npm / yarn 項目時* :托管[retire.js](https://github.com/RetireJS/retire.js/) [節點](https://github.com/RetireJS/retire.js/blob/master/repository/npmrepository.json)和[js](https://github.com/RetireJS/retire.js/blob/master/repository/jsrepository.json)咨詢數據庫的脫機副本.
**注意:** GitLab Runner 的[默認`pull policy`為`always`](https://docs.gitlab.com/runner/executors/docker.html) ,這意味著即使本地副本可用,Runner 也會嘗試從 GitLab 容器注冊表中拉取 Docker 映像. 如果您只喜歡使用本地可用的 Docker 映像,則可以在離線環境[`pull_policy`](https://docs.gitlab.com/runner/executors/docker.html) GitLab Runner 的[`pull_policy`設置為`if-not-present`](https://docs.gitlab.com/runner/executors/docker.html) . 但是,如果不在離線環境中,我們建議將拉取策略設置保持為`always` ,因為這樣可以在 CI / CD 管道中使用更新的掃描儀.
### Make GitLab Dependency Scanning analyzer images available inside your Docker registry[](#make-gitlab-dependency-scanning-analyzer-images-available-inside-your-docker-registry "Permalink")
對于具有所有[受支持的語言和框架的](#supported-languages-and-package-managers)依賴關系掃描,請將以下默認的依賴關系掃描分析器映像從`registry.gitlab.com`導入[本地 Docker 容器注冊表](../../packages/container_registry/index.html) :
```
registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2
registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:2
registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python:2
registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2
```
將 Docker 映像導入本地脫機 Docker 注冊表的過程取決于**您的網絡安全策略** . 請咨詢您的 IT 員工,以找到可以導入或臨時訪問外部資源的已接受和批準的流程. 請注意,這些掃描程序會[定期](../index.html#maintenance-and-update-of-the-vulnerabilities-database)使用新定義進行[更新](../index.html#maintenance-and-update-of-the-vulnerabilities-database) ,因此請考慮是否可以自己進行定期更新.
有關將 Docker 映像保存和傳輸為文件的詳細信息,請參閱 Docker 有關[`docker save`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/save/) , [`docker load`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/load/) , [`docker export`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/export/)和[`docker import`](https://s0docs0docker0com.icopy.site/engine/reference/commandline/import/)的文檔.
### Set Dependency Scanning CI job variables to use local Dependency Scanning analyzers[](#set-dependency-scanning-ci-job-variables-to-use-local-dependency-scanning-analyzers "Permalink")
將以下配置添加到您的`.gitlab-ci.yml`文件. 您必須替換`SECURE_ANALYZERS_PREFIX`才能引用本地 Docker 容器注冊表:
```
include:
- template: Dependency-Scanning.gitlab-ci.yml
variables:
SECURE_ANALYZERS_PREFIX: "docker-registry.example.com/analyzers"
GEMNASIUM_DB_REMOTE_URL: "gitlab.example.com/gemnasium-db.git"
GIT_SSL_NO_VERIFY: "true"
```
請參閱[配置部分中](#configuration)以上變量的說明.
### Specific settings for languages and package managers[](#specific-settings-for-languages-and-package-managers "Permalink")
請參閱以下各節,以配置特定的語言和程序包管理器.
#### JavaScript (npm and yarn) projects[](#javascript-npm-and-yarn-projects "Permalink")
將以下內容添加到`.gitlab-ci.yml`的變量部分:
```
RETIREJS_JS_ADVISORY_DB: "example.com/jsrepository.json"
RETIREJS_NODE_ADVISORY_DB: "example.com/npmrepository.json"
```
#### Ruby (gem) projects[](#ruby-gem-projects "Permalink")
將以下內容添加到`.gitlab-ci.yml`的變量部分:
```
BUNDLER_AUDIT_ADVISORY_DB_REF_NAME: "master"
BUNDLER_AUDIT_ADVISORY_DB_URL: "gitlab.example.com/ruby-advisory-db.git"
```
#### Python (setuptools)[](#python-setuptools "Permalink")
當為私有 PyPi 存儲庫使用自簽名證書時,不需要額外的作業配置(除了上面的模板`.gitlab-ci.yml` ). 但是,您必須更新`setup.py`以確保它可以到達您的私有存儲庫. 這是一個示例配置:
1. 更新`setup.py` ,以為`install_requires`列表中的每個依賴項創建一個指向您的私有存儲庫的`dependency_links`屬性:
```
install_requires=['pyparsing>=2.0.3'],
dependency_links=['https://pypi.example.com/simple/pyparsing'],
```
2. 從存儲庫 URL 中獲取證書并將其添加到項目中:
```
echo -n | openssl s_client -connect pypi.example.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > internal.crt
```
3. 將`setup.py`指向新下載的證書:
```
import setuptools.ssl_support
setuptools.ssl_support.cert_paths = ['internal.crt']
```
## Limitations[](#limitations "Permalink")
### Referencing local dependencies using a path in JavaScript projects[](#referencing-local-dependencies-using-a-path-in-javascript-projects "Permalink")
[Retire.js](https://gitlab.com/gitlab-org/security-products/analyzers/retire.js)分析器不支持使用 JavaScript 項目的`package.json`的[本地路徑](https://s0docs0npmjs0com.icopy.site/files/package.json)進行的依賴項引用. 依賴項掃描針對此類引用輸出以下錯誤:
```
ERROR: Could not find dependencies: <dependency-name>. You may need to run npm install
```
解決方法是,從[DS_DEFAULT_ANALYZERS](#configuring-dependency-scanning)刪除[`retire.js`](analyzers.html#selecting-specific-analyzers)分析器.
## Troubleshooting[](#troubleshooting "Permalink")
### `Error response from daemon: error processing tar file: docker-tar: relocation error`[](#error-response-from-daemon-error-processing-tar-file-docker-tar-relocation-error "Permalink")
當運行 Dependency Scanning 作業的 Docker 版本為`19.03.00`時,會發生此錯誤. 考慮更新到 Docker `19.03.1`或更高版本. 舊版本不受影響. 閱讀[本期的](https://gitlab.com/gitlab-org/gitlab/-/issues/13830#note_211354992 "當前的 SAST 容器失敗")更多內容.
- GitLab Docs
- Installation
- Requirements
- GitLab cloud native Helm Chart
- Install GitLab with Docker
- Installation from source
- Install GitLab on Microsoft Azure
- Installing GitLab on Google Cloud Platform
- Installing GitLab on Amazon Web Services (AWS)
- Analytics
- Code Review Analytics
- Productivity Analytics
- Value Stream Analytics
- Kubernetes clusters
- Adding and removing Kubernetes clusters
- Adding EKS clusters
- Adding GKE clusters
- Group-level Kubernetes clusters
- Instance-level Kubernetes clusters
- Canary Deployments
- Cluster Environments
- Deploy Boards
- GitLab Managed Apps
- Crossplane configuration
- Cluster management project (alpha)
- Kubernetes Logs
- Runbooks
- Serverless
- Deploying AWS Lambda function using GitLab CI/CD
- Securing your deployed applications
- Groups
- Contribution Analytics
- Custom group-level project templates
- Epics
- Manage epics
- Group Import/Export
- Insights
- Issues Analytics
- Iterations
- Public access
- SAML SSO for GitLab.com groups
- SCIM provisioning using SAML SSO for GitLab.com groups
- Subgroups
- Roadmap
- Projects
- GitLab Secure
- Security Configuration
- Container Scanning
- Dependency Scanning
- Dependency List
- Static Application Security Testing (SAST)
- Secret Detection
- Dynamic Application Security Testing (DAST)
- GitLab Security Dashboard
- Offline environments
- Standalone Vulnerability pages
- Security scanner integration
- Badges
- Bulk editing issues and merge requests at the project level
- Code Owners
- Compliance
- License Compliance
- Compliance Dashboard
- Create a project
- Description templates
- Deploy Keys
- Deploy Tokens
- File finder
- Project integrations
- Integrations
- Atlassian Bamboo CI Service
- Bugzilla Service
- Custom Issue Tracker service
- Discord Notifications service
- Enabling emails on push
- GitHub project integration
- Hangouts Chat service
- Atlassian HipChat
- Irker IRC Gateway
- GitLab Jira integration
- Mattermost Notifications Service
- Mattermost slash commands
- Microsoft Teams service
- Mock CI Service
- Prometheus integration
- Redmine Service
- Slack Notifications Service
- Slack slash commands
- GitLab Slack application
- Webhooks
- YouTrack Service
- Insights
- Issues
- Crosslinking Issues
- Design Management
- Confidential issues
- Due dates
- Issue Boards
- Issue Data and Actions
- Labels
- Managing issues
- Milestones
- Multiple Assignees for Issues
- Related issues
- Service Desk
- Sorting and ordering issue lists
- Issue weight
- Associate a Zoom meeting with an issue
- Merge requests
- Allow collaboration on merge requests across forks
- Merge Request Approvals
- Browser Performance Testing
- How to create a merge request
- Cherry-pick changes
- Code Quality
- Load Performance Testing
- Merge Request dependencies
- Fast-forward merge requests
- Merge when pipeline succeeds
- Merge request conflict resolution
- Reverting changes
- Reviewing and managing merge requests
- Squash and merge
- Merge requests versions
- Draft merge requests
- Members of a project
- Migrating projects to a GitLab instance
- Import your project from Bitbucket Cloud to GitLab
- Import your project from Bitbucket Server to GitLab
- Migrating from ClearCase
- Migrating from CVS
- Import your project from FogBugz to GitLab
- Gemnasium
- Import your project from GitHub to GitLab
- Project importing from GitLab.com to your private GitLab instance
- Import your project from Gitea to GitLab
- Import your Jira project issues to GitLab
- Migrating from Perforce Helix
- Import Phabricator tasks into a GitLab project
- Import multiple repositories by uploading a manifest file
- Import project from repo by URL
- Migrating from SVN to GitLab
- Migrating from TFVC to Git
- Push Options
- Releases
- Repository
- Branches
- Git Attributes
- File Locking
- Git file blame
- Git file history
- Repository mirroring
- Protected branches
- Protected tags
- Push Rules
- Reduce repository size
- Signing commits with GPG
- Syntax Highlighting
- GitLab Web Editor
- Web IDE
- Requirements Management
- Project settings
- Project import/export
- Project access tokens (Alpha)
- Share Projects with other Groups
- Snippets
- Static Site Editor
- Wiki
- Project operations
- Monitor metrics for your CI/CD environment
- Set up alerts for Prometheus metrics
- Embedding metric charts within GitLab-flavored Markdown
- Embedding Grafana charts
- Using the Metrics Dashboard
- Dashboard YAML properties
- Metrics dashboard settings
- Panel types for dashboards
- Using Variables
- Templating variables for metrics dashboards
- Prometheus Metrics library
- Monitoring AWS Resources
- Monitoring HAProxy
- Monitoring Kubernetes
- Monitoring NGINX
- Monitoring NGINX Ingress Controller
- Monitoring NGINX Ingress Controller with VTS metrics
- Alert Management
- Error Tracking
- Tracing
- Incident Management
- GitLab Status Page
- Feature Flags
- GitLab CI/CD
- GitLab CI/CD pipeline configuration reference
- GitLab CI/CD include examples
- Introduction to CI/CD with GitLab
- Getting started with GitLab CI/CD
- How to enable or disable GitLab CI/CD
- Using SSH keys with GitLab CI/CD
- Migrating from CircleCI
- Migrating from Jenkins
- Auto DevOps
- Getting started with Auto DevOps
- Requirements for Auto DevOps
- Customizing Auto DevOps
- Stages of Auto DevOps
- Upgrading PostgreSQL for Auto DevOps
- Cache dependencies in GitLab CI/CD
- GitLab ChatOps
- Cloud deployment
- Docker integration
- Building Docker images with GitLab CI/CD
- Using Docker images
- Building images with kaniko and GitLab CI/CD
- GitLab CI/CD environment variables
- Predefined environment variables reference
- Where variables can be used
- Deprecated GitLab CI/CD variables
- Environments and deployments
- Protected Environments
- GitLab CI/CD Examples
- Test a Clojure application with GitLab CI/CD
- Using Dpl as deployment tool
- Testing a Phoenix application with GitLab CI/CD
- End-to-end testing with GitLab CI/CD and WebdriverIO
- DevOps and Game Dev with GitLab CI/CD
- Deploy a Spring Boot application to Cloud Foundry with GitLab CI/CD
- How to deploy Maven projects to Artifactory with GitLab CI/CD
- Testing PHP projects
- Running Composer and NPM scripts with deployment via SCP in GitLab CI/CD
- Test and deploy Laravel applications with GitLab CI/CD and Envoy
- Test and deploy a Python application with GitLab CI/CD
- Test and deploy a Ruby application with GitLab CI/CD
- Test and deploy a Scala application to Heroku
- GitLab CI/CD for external repositories
- Using GitLab CI/CD with a Bitbucket Cloud repository
- Using GitLab CI/CD with a GitHub repository
- GitLab Pages
- GitLab Pages
- GitLab Pages domain names, URLs, and baseurls
- Create a GitLab Pages website from scratch
- Custom domains and SSL/TLS Certificates
- GitLab Pages integration with Let's Encrypt
- GitLab Pages Access Control
- Exploring GitLab Pages
- Incremental Rollouts with GitLab CI/CD
- Interactive Web Terminals
- Optimizing GitLab for large repositories
- Metrics Reports
- CI/CD pipelines
- Pipeline Architecture
- Directed Acyclic Graph
- Multi-project pipelines
- Parent-child pipelines
- Pipelines for Merge Requests
- Pipelines for Merged Results
- Merge Trains
- Job artifacts
- Pipeline schedules
- Pipeline settings
- Triggering pipelines through the API
- Review Apps
- Configuring GitLab Runners
- GitLab CI services examples
- Using MySQL
- Using PostgreSQL
- Using Redis
- Troubleshooting CI/CD
- GitLab Package Registry
- GitLab Container Registry
- Dependency Proxy
- GitLab Composer Repository
- GitLab Conan Repository
- GitLab Maven Repository
- GitLab NPM Registry
- GitLab NuGet Repository
- GitLab PyPi Repository
- API Docs
- API resources
- .gitignore API
- GitLab CI YMLs API
- Group and project access requests API
- Appearance API
- Applications API
- Audit Events API
- Avatar API
- Award Emoji API
- Project badges API
- Group badges API
- Branches API
- Broadcast Messages API
- Project clusters API
- Group clusters API
- Instance clusters API
- Commits API
- Container Registry API
- Custom Attributes API
- Dashboard annotations API
- Dependencies API
- Deploy Keys API
- Deployments API
- Discussions API
- Dockerfiles API
- Environments API
- Epics API
- Events
- Feature Flags API
- Feature flag user lists API
- Freeze Periods API
- Geo Nodes API
- Group Activity Analytics API
- Groups API
- Import API
- Issue Boards API
- Group Issue Boards API
- Issues API
- Epic Issues API
- Issues Statistics API
- Jobs API
- Keys API
- Labels API
- Group Labels API
- License
- Licenses API
- Issue links API
- Epic Links API
- Managed Licenses API
- Markdown API
- Group and project members API
- Merge request approvals API
- Merge requests API
- Project milestones API
- Group milestones API
- Namespaces API
- Notes API
- Notification settings API
- Packages API
- Pages domains API
- Pipeline schedules API
- Pipeline triggers API
- Pipelines API
- Project Aliases API
- Project import/export API
- Project repository storage moves API
- Project statistics API
- Project templates API
- Projects API
- Protected branches API
- Protected tags API
- Releases API
- Release links API
- Repositories API
- Repository files API
- Repository submodules API
- Resource label events API
- Resource milestone events API
- Resource weight events API
- Runners API
- SCIM API
- Search API
- Services API
- Application settings API
- Sidekiq Metrics API
- Snippets API
- Project snippets
- Application statistics API
- Suggest Changes API
- System hooks API
- Tags API
- Todos API
- Users API
- Project-level Variables API
- Group-level Variables API
- Version API
- Vulnerabilities API
- Vulnerability Findings API
- Wikis API
- GraphQL API
- Getting started with GitLab GraphQL API
- GraphQL API Resources
- API V3 to API V4
- Validate the .gitlab-ci.yml (API)
- User Docs
- Abuse reports
- User account
- Active sessions
- Deleting a User account
- Permissions
- Personal access tokens
- Profile preferences
- Threads
- GitLab and SSH keys
- GitLab integrations
- Git
- GitLab.com settings
- Infrastructure as code with Terraform and GitLab
- GitLab keyboard shortcuts
- GitLab Markdown
- AsciiDoc
- GitLab Notification Emails
- GitLab Quick Actions
- Autocomplete characters
- Reserved project and group names
- Search through GitLab
- Advanced Global Search
- Advanced Syntax Search
- Time Tracking
- GitLab To-Do List
- Administrator Docs
- Reference architectures
- Reference architecture: up to 1,000 users
- Reference architecture: up to 2,000 users
- Reference architecture: up to 3,000 users
- Reference architecture: up to 5,000 users
- Reference architecture: up to 10,000 users
- Reference architecture: up to 25,000 users
- Reference architecture: up to 50,000 users
- Troubleshooting a reference architecture set up
- Working with the bundled Consul service
- Configuring PostgreSQL for scaling
- Configuring GitLab application (Rails)
- Load Balancer for multi-node GitLab
- Configuring a Monitoring node for Scaling and High Availability
- NFS
- Working with the bundled PgBouncer service
- Configuring Redis for scaling
- Configuring Sidekiq
- Admin Area settings
- Continuous Integration and Deployment Admin settings
- Custom instance-level project templates
- Diff limits administration
- Enable and disable GitLab features deployed behind feature flags
- Geo nodes Admin Area
- GitLab Pages administration
- Health Check
- Job logs
- Labels administration
- Log system
- PlantUML & GitLab
- Repository checks
- Repository storage paths
- Repository storage types
- Account and limit settings
- Service templates
- System hooks
- Changing your time zone
- Uploads administration
- Abuse reports
- Activating and deactivating users
- Audit Events
- Blocking and unblocking users
- Broadcast Messages
- Elasticsearch integration
- Gitaly
- Gitaly Cluster
- Gitaly reference
- Monitoring GitLab
- Monitoring GitLab with Prometheus
- Performance Bar
- Usage statistics
- Object Storage
- Performing Operations in GitLab
- Cleaning up stale Redis sessions
- Fast lookup of authorized SSH keys in the database
- Filesystem Performance Benchmarking
- Moving repositories managed by GitLab
- Run multiple Sidekiq processes
- Sidekiq MemoryKiller
- Switching to Puma
- Understanding Unicorn and unicorn-worker-killer
- User lookup via OpenSSH's AuthorizedPrincipalsCommand
- GitLab Package Registry administration
- GitLab Container Registry administration
- Replication (Geo)
- Geo database replication
- Geo with external PostgreSQL instances
- Geo configuration
- Using a Geo Server
- Updating the Geo nodes
- Geo with Object storage
- Docker Registry for a secondary node
- Geo for multiple nodes
- Geo security review (Q&A)
- Location-aware Git remote URL with AWS Route53
- Tuning Geo
- Removing secondary Geo nodes
- Geo data types support
- Geo Frequently Asked Questions
- Geo Troubleshooting
- Geo validation tests
- Disaster Recovery (Geo)
- Disaster recovery for planned failover
- Bring a demoted primary node back online
- Automatic background verification
- Rake tasks
- Back up and restore GitLab
- Clean up
- Namespaces
- Maintenance Rake tasks
- Geo Rake Tasks
- GitHub import
- Import bare repositories
- Integrity check Rake task
- LDAP Rake tasks
- Listing repository directories
- Praefect Rake tasks
- Project import/export administration
- Repository storage Rake tasks
- Generate sample Prometheus data
- Uploads migrate Rake tasks
- Uploads sanitize Rake tasks
- User management
- Webhooks administration
- X.509 signatures
- Server hooks
- Static objects external storage
- Updating GitLab
- GitLab release and maintenance policy
- Security
- Password Storage
- Custom password length limits
- Restrict allowed SSH key technologies and minimum length
- Rate limits
- Webhooks and insecure internal web services
- Information exclusivity
- How to reset your root password
- How to unlock a locked user from the command line
- User File Uploads
- How we manage the TLS protocol CRIME vulnerability
- User email confirmation at sign-up
- Security of running jobs
- Proxying assets
- CI/CD Environment Variables
- Contributor and Development Docs
- Contribute to GitLab
- Community members & roles
- Implement design & UI elements
- Issues workflow
- Merge requests workflow
- Code Review Guidelines
- Style guides
- GitLab Architecture Overview
- CI/CD development documentation
- Database guides
- Database Review Guidelines
- Database Review Guidelines
- Migration Style Guide
- What requires downtime?
- Understanding EXPLAIN plans
- Rake tasks for developers
- Mass inserting Rails models
- GitLab Documentation guidelines
- Documentation Style Guide
- Documentation structure and template
- Documentation process
- Documentation site architecture
- Global navigation
- GitLab Docs monthly release process
- Telemetry Guide
- Usage Ping Guide
- Snowplow Guide
- Experiment Guide
- Feature flags in development of GitLab
- Feature flags process
- Developing with feature flags
- Feature flag controls
- Document features deployed behind feature flags
- Frontend Development Guidelines
- Accessibility & Readability
- Ajax
- Architecture
- Axios
- Design Patterns
- Frontend Development Process
- DropLab
- Emojis
- Filter
- Frontend FAQ
- GraphQL
- Icons and SVG Illustrations
- InputSetter
- Performance
- Principles
- Security
- Tooling
- Vuex
- Vue
- Geo (development)
- Geo self-service framework (alpha)
- Gitaly developers guide
- GitLab development style guides
- API style guide
- Go standards and style guidelines
- GraphQL API style guide
- Guidelines for shell commands in the GitLab codebase
- HTML style guide
- JavaScript style guide
- Migration Style Guide
- Newlines style guide
- Python Development Guidelines
- SCSS style guide
- Shell scripting standards and style guidelines
- Sidekiq debugging
- Sidekiq Style Guide
- SQL Query Guidelines
- Vue.js style guide
- Instrumenting Ruby code
- Testing standards and style guidelines
- Flaky tests
- Frontend testing standards and style guidelines
- GitLab tests in the Continuous Integration (CI) context
- Review Apps
- Smoke Tests
- Testing best practices
- Testing levels
- Testing Rails migrations at GitLab
- Testing Rake tasks
- End-to-end Testing
- Beginner's guide to writing end-to-end tests
- End-to-end testing Best Practices
- Dynamic Element Validation
- Flows in GitLab QA
- Page objects in GitLab QA
- Resource class in GitLab QA
- Style guide for writing end-to-end tests
- Testing with feature flags
- Translate GitLab to your language
- Internationalization for GitLab
- Translating GitLab
- Proofread Translations
- Merging translations from CrowdIn
- Value Stream Analytics development guide
- GitLab subscription
- Activate GitLab EE with a license