You must have access to a DefectDojo server and set `DEFECTDOJO_SERVER_URL` variable according to this server's URL. This server must be configured to allow "Login with GitLab" for the GitLab which hosts your projects.
You must have access to a DefectDojo server and set `DEFECTDOJO_SERVER_URL` variable according to this server's URL.
### Login with GitLab, include template and define variables in your project
### Define variables in your project
The initial mandatory step for a developer is to click on "Login with GitLab" button on login page (see [dedicated section](#first-connection-to-defectdojo)) in order to retrieve his DefectDojo API v2 key.
The name of the DefectDojo product will be set to the `CI_PROJECT_PATH` variable of the GitLab project.
All GitLab projects you are developer / maintainer / owner of will be automatically imported into DefectDojo dashboard. The name of the DefectDojo product will be set to the `CI_PROJECT_PATH` variable of the GitLab project.
Once you have your API v2 key, you may use it :
- by including the current template in your `.gitlab-ci.yml`. This is the recommended solution, and the reason why the current template exists (see [usage](#usage)). Don't forget to define DEFECTDOJO* variables listed in [defectdojo job](#defectdojo-job). If needed, you might also update DEFECTDOJO* variables in [Global variables](#global-variables).
- through DefectDojo API, making your own calls to the API
The initial mandatory step for a developer is to retrieve his DefectDojo API v2 key.
Once logged into DefectDojo, retrieve your API v2 key by clicking on the user logo in the top-right corner.
Store this API key into a variable named `DEFECTDOJO_API_KEY`.
### Check you use at least one security tool
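Review bot: the rewritten API-key step (from "The initial mandatory step for a developer is to retrieve his DefectDojo API v2 key." through "Store this API key into a variable named `DEFECTDOJO_API_KEY`.") no longer says where that variable must live; since the key acts on the user's behalf against the DefectDojo API, state explicitly that it goes into a masked (and ideally protected) GitLab CI/CD project or group variable, never into `.gitlab-ci.yml`. Also, "retrieve his DefectDojo API v2 key" should read "their", and "set `DEFECTDOJO_SERVER_URL` variable" needs "the". Finally, the dropped bullet pointed readers to the other DEFECTDOJO* variables in the [defectdojo job](#defectdojo-job) and [Global variables](#global-variables) sections, while the new wording mentions only `DEFECTDOJO_API_KEY`; keep a pointer to the remaining mandatory variables so the setup instructions stay complete.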
@@ -115,14 +112,6 @@ Depending on the security tools you launch, and their configuration, you may hav
| `timezone` / `DEFECTDOJO_TIMEZONE` | timezone used for naming engagements and setting engagements start and end | `Europe/Paris` |
| `noprod-enabled` / `DEFECTDOJO_NOPROD_ENABLED` | determines if defectdojo job is launched on non production branches | false |
## First connection to DefectDojo
Connect to the DefectDojo server and click on "Login with GitLab". You will be redirected to the GitLab login screen. Once logged in, you will be presented with a consent screen where you can accept to share your information with DefectDojo. DefectDojo will then automatically create a DefectDojo Product for each GitLab project in which you have either owner or maintainer role.
:warning: Synchronization between your GitLab projects and your DefectDojo products occurs only each time you "login with GitLab". Therefore, if you have a new GitLab project, or if you leave a GitLab project, you need to login to DefectDojo once again.
Once logged into DefectDojo for the first time, retrieve your API v2 key by clicking on the user logo in the top-right corner. Store this API key into a variable named `DEFECTDOJO_API_KEY`.
## Supported security tools
For now, the current template allows to import reports from the following tools:
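Review bot: in the variables table the default for `noprod-enabled` / `DEFECTDOJO_NOPROD_ENABLED` is written as bare `false` while the `timezone` default `Europe/Paris` is in backticks; format both the same way. In the "First connection to DefectDojo" section, the :warning: paragraph is the only place stating that product synchronization happens solely at "Login with GitLab" time and that a new or left project requires logging in again; if that section goes away together with the login flow, make sure the remaining text still explains how a product gets created for a project, otherwise developers will configure the job for a product that does not exist yet. The API-key retrieval sentences in that section duplicate the ones in the earlier section, so dropping them there is fine.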
@@ -179,14 +168,6 @@ Since some security tools (Bandit, Safety...) must be launched manually in the p
- click manually on the corresponding jobs
- when they are all finished, click on defectdojo-publish job to launch it manually
## Security considerations
Every DefectDojo admin is authorized to access all data.
The current instance of DefectDojo is deployed on the Zener K8S cluster, so every Zener admin can technically access all data related to DefectDojo.
The data stored in the database is not encrypted at rest. Intra-platform network flows (including flows towards the database) are not encrypted (but external traffic is encrypted). There is no network segmentation.
## Version history
See [Tags page](https://gitlab.com/to-be-continuous/defectdojo/-/tags)
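Review bot: the "Security considerations" section (the four lines from "Every DefectDojo admin is authorized to access all data." to "There is no network segmentation.") carries facts a user needs before publishing vulnerability reports: every DefectDojo admin and every Zener cluster admin can read all data, the database is not encrypted at rest, and intra-platform flows (including to the database) are cleartext. If this hunk removes that section, keep at least a one-line pointer to where those statements now live (for example the server's own documentation); dropping them silently changes the risk picture for anyone uploading findings. Minor: the manual-launch step says "click on defectdojo-publish job" while the earlier text refers to the "defectdojo job"; use one job name consistently. The "See [Tags page](...)" line is also missing its final period.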