docs: fix md formatting (097fd48b) · Commits · to be continuous... / DefectDojo

README.md

+59 −60

Original line number	Diff line number	Diff line
		@@ -22,7 +22,7 @@ All GitLab projects you are developer / maintainer / owner of will be automatica

		Once you have your API v2 key, you may use it :

		- by including the current template in your `.gitlab-ci.yml`. This is the recommended solution, and the reason why the current template exists (see [usage](#usage)). Don't forget to define DEFECTDOJO_ variables listed in [defectdojo job](#defectdojo-job). If needed, you might also update DEFECTDOJO_ variables in [Global variables](#global-variables).
		- by including the current template in your `.gitlab-ci.yml`. This is the recommended solution, and the reason why the current template exists (see [usage](#usage)). Don't forget to define DEFECTDOJO* variables listed in [defectdojo job](#defectdojo-job). If needed, you might also update DEFECTDOJO* variables in [Global variables](#global-variables).
		- through DefectDojo API, making your own calls to the API

		### Check you use at least one security tool
		@@ -63,9 +63,9 @@ Add the following to your `gitlab-ci.yml`:
		```yaml
		include:
		# 1: include the template
		- project: 'to-be-continuous/defectdojo'
		ref: '2.6.4'
		file: '/templates/gitlab-ci-defectdojo.yml'
		- project: "to-be-continuous/defectdojo"
		ref: "2.6.4"
		file: "/templates/gitlab-ci-defectdojo.yml"

		variables:
		# 2: set/override template variables
		@@ -79,7 +79,7 @@ This job uploads security reports found in the artifacts to a DefectDojo server.
		It is bound to the `.post` stage, and uses the following variables:

		\| Input / Variable \| Description \| Default value \|
		\| ----------------------------- \| -------------------------------------- \| ----------------- \|
		\| -------------------------------------- \| -------------------------------------------------------------------------------------------- \| ------------- \|
		\| `dir` / `DEFECTDOJO_DIR` \| DefectDojo working directory \| `.` \|
		\| `server-url` / `DEFECTDOJO_SERVER_URL` \| URL of DefectDojo server \| _none_ \|
		\| :lock: `DEFECTDOJO_API_KEY` \| Your DefectDojo API v2 Key (see [below](#first-connection-to-defectdojo) how to retrieve it) \| _none_ \|
		@@ -89,11 +89,12 @@ It is bound to the `.post` stage, and uses the following variables:
		Depending on the security tools you launch, and their configuration, you may have to redefine some of the following variables in your `gitlab-ci.yml`:

		\| Input / Variable \| Description \| Default value \|
		\|------------------------------------------\|----------------------------------------------------------------------------------------------------------------------------------------\| ----------------------------------------- \|
		\| ------------------------------------------------------------------------ \| -------------------------------------------------------------------------------------------------------------------------------------- \| ------------------------------------------------------------------------------------------ \|
		\| `bandit-reports` / `DEFECTDOJO_BANDIT_REPORTS` \| path to Bandit JSON reports \| `bandit*.json reports/py-bandit.bandit.json` \|
		\| `dc-gradle-reports` / `DEFECTDOJO_DC_GRADLE_REPORTS` \| path to Dependency Check XML reports (Gradle template) \| `dependency-check*.xml` \|
		\| `dc-reports` / `DEFECTDOJO_DC_REPORTS` \| path to Dependency Check XML reports (Maven template) \| `dependency-check*.xml` \|
		\| `gitleaks-reports` / `DEFECTDOJO_GITLEAKS_REPORTS` \| path to Gitleaks JSON reports \| `gitleaks/gitleaks-report.json reports/gitleaks.native.json` \|\| `hadolint-reports` / `DEFECTDOJO_HADOLINT_REPORTS` \| path to Hadolint JSON reports \| `hadolint-json-.json reports/docker-hadolint-.native.json` \|
		\| `gitleaks-reports` / `DEFECTDOJO_GITLEAKS_REPORTS` \| path to Gitleaks JSON reports \| `gitleaks/gitleaks-report.json reports/gitleaks.native.json` \|
		\| `hadolint-reports` / `DEFECTDOJO_HADOLINT_REPORTS` \| path to Hadolint JSON reports \| `hadolint-json-.json reports/docker-hadolint-.native.json` \|
		\| `mobsf-reports` / `DEFECTDOJO_MOBSF_REPORTS` \| path to MobSF JSON reports \| `mobsf*.json` \|
		\| `nodejsscan-reports` / `DEFECTDOJO_NODEJSSCAN_REPORTS` \| path to NodeJSScan SARIF reports \| `nodejsscan-report-sarif.json` \|
		\| `npmaudit-reports` / `DEFECTDOJO_NPMAUDIT_REPORTS` \| path to NPM Audit JSON reports \| `npm-audit*.json` \|
		@@ -104,7 +105,7 @@ Depending on the security tools you launch, and their configuration, you may hav
		\| `zap-tpl-project` / `ZAP_TPL_PROJECT` \| path to Zap template (if any) \| _none_ \|
		\| `trivy-reports` / `DEFECTDOJO_TRIVY_REPORTS` \| path to Trivy JSON reports \| `trivy/.json trivy-.json reports/docker-trivy-*.native.json reports/py-trivy.trivy.json` \|
		\| `DEFECTDOJO_SONARQUBE_APPLICATION` \| your application name in Sonar \| ex: project-name \|
		\| `DEFECTDOJO_SONARQUBE_PROJECT_KEY` \| your project key in Sonar (be careful, the project key might be distinct from project-dir-project-name, sometimes Sonar adds a suffix) \| ex: project-dir-project-name or project-dir-project-name__AXjLJ76cpGZrj3BUYg10 \|
		\| `DEFECTDOJO_SONARQUBE_PROJECT_KEY` \| your project key in Sonar (be careful, the project key might be distinct from project-dir-project-name, sometimes Sonar adds a suffix) \| ex: project-dir-project-name or project-dir-project-name\_\_AXjLJ76cpGZrj3BUYg10 \|
		\| `sonarqube-sinceleakperiod` / `DEFECTDOJO_SONARQUBE_SINCELEAKPERIOD` \| determines if delta analysis is activated \| false \|
		\| `sonarqube-nosecurityhotspot` / `DEFECTDOJO_SONARQUBE_NOSECURITYHOTSPOT` \| if true, disable hotspots processing \| true \|
		\| `DEFECTDOJO_SONARQUBE_ALLBUGS ` \| true if all bugs are returned, false if only vulnerabilities are returned \| false \|
		@@ -114,7 +115,6 @@ Depending on the security tools you launch, and their configuration, you may hav
		\| `timezone` / `DEFECTDOJO_TIMEZONE` \| timezone used for naming engagements and setting engagements start and end \| `Europe/Paris` \|
		\| `noprod-enabled` / `DEFECTDOJO_NOPROD_ENABLED` \| determines if defectdojo job is launched on non production branches \| false \|


		## First connection to DefectDojo

		Connect to the DefectDojo server and click on "Login with GitLab". You will be redirected to the GitLab login screen. Once logged in, you will be presented with a consent screen where you can accept to share your information with DefectDojo. DefectDojo will then automatically create a DefectDojo Product for each GitLab project in which you have either owner or maintainer role.
		@@ -123,7 +123,6 @@ Connect to the DefectDojo server and click on "Login with GitLab". You will be r

		Once logged into DefectDojo for the first time, retrieve your API v2 key by clicking on the user logo in the top-right corner. Store this API key into a variable named `DEFECTDOJO_API_KEY`.


		## Supported security tools

		For now, the current template allows to import reports from the following tools:
		@@ -176,6 +175,7 @@ sonar-report \
		## Manual actions during pipeline

		Since some security tools (Bandit, Safety...) must be launched manually in the pipeline, proceed in two steps:

		- click manually on the corresponding jobs
		- when they are all finished, click on defectdojo-publish job to launch it manually

		@@ -187,7 +187,6 @@ The current instance of DefectDojo is deployed on the Zener K8S cluster, so ever

		The data stored in the database is not encrypted at rest. Intra-platform network flows (including flows towards the database) are not encrypted (but external traffic is encrypted). There is no network segmentation.


		## Version history

		See [Tags page](https://gitlab.com/to-be-continuous/defectdojo/-/tags)
		@@ -205,7 +204,7 @@ This variant allows delegating your secrets management to a [Vault](https://www.
		In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:

		\| Input / Variable \| Description \| Default value \|
		\| ----------------- \| -------------------------------------- \| ----------------- \|
		\| ----------------------------------- \| ------------------------------------------------------------------------------------------------------------------------------- \| -------------------------------------------------------------------------- \|
		\| `TBC_VAULT_IMAGE` \| The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) \| `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` \|
		\| `vault-base-url` / `VAULT_BASE_URL` \| The Vault server base API url \| _none_ \|
		\| `vault-oidc-aud` / `VAULT_OIDC_AUD` \| The `aud` claim for the JWT \| `$CI_SERVER_URL` \|
		@@ -223,7 +222,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta
		With:

		\| Parameter \| Description \|
		\| -------------------------------- \| -------------------------------------- \|
		\| -------------------------------- \| --------------------------------------------------------------------- \|
		\| `secret_path` (_path parameter_) \| this is your secret location in the Vault server \|
		\| `field` (_query parameter_) \| parameter to access a single basic field from the secret JSON payload \|