Document how/when security scanning data is updated

Customers sometimes ask about how and when security scanning data is updated. It would be great if this were in the documentation somewhere. Typical questions:

  • How often? How? Who does this?
  • Is it possible there would be a discrepancy between the tool’s list and the latest risks/vulnerabilities?
  • Would our lists match those of Black Duck, Fortify, etc.?

Answers (the following info is third-hand and should definitely be confirmed):

  • For SAST, we rely exclusively on the tool we’re wrapping. We update the analyzers at least once per month.
  • For Dependency Scanning, we have a private database we update weekly.
  • For Container Scanning, we’re using the latest version for each job run: https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L31
  • For DAST, we update the image every week (Sundays); Zaproxy downloads fresh rules at startup as well.

/cc @vehernandez @plafoucriere @bikebilly @mikelewis
