Commit 35162da3, authored by JH_SYNC_TOKEN

Merge remote-tracking branch 'origin/master' into pre-main-jh

......@@ -278,11 +278,15 @@ The method used to mask variables [limits what can be included in a masked varia
The value of the variable must:
- Be a single line.
- Be 8 characters or longer, consisting only of:
- Characters from the Base64 alphabet (RFC4648).
- The `@`, `:`, `.`, or `~` characters.
- Be 8 characters or longer.
- Not match the name of an existing predefined or custom CI/CD variable.
Additionally, if [variable expansion](#prevent-cicd-variable-expansion) is enabled,
the value can contain only:
- Characters from the Base64 alphabet (RFC4648).
- The `@`, `:`, `.`, or `~` characters.
Different versions of [GitLab Runner](../runners/index.md) have different masking limitations:
| Version | Limitations |
......
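Review bot: The "Additionally, if [variable expansion](#prevent-cicd-variable-expansion) is enabled" sentence covers only the enabled case and links to an anchor named for preventing expansion, so the reader has to infer what a masked value may contain when expansion is off. State the disabled case explicitly, and say whether the per-version GitLab Runner masking limitations in the table that follows still apply to values outside the Base64 alphabet and `@`, `:`, `.`, `~`, because a value accepted by this rule but not masked by the runner would appear unmasked in job output.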
......@@ -11,7 +11,8 @@ The Vulnerability Report provides information about vulnerabilities from scans o
cumulative results of all successful jobs, regardless of whether the pipeline was successful. The scan results from a
pipeline are only ingested after all the jobs in the pipeline complete.
The report is available for users with the [correct role](../../permissions.md) on projects, groups, and the Security Center.
<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
For an overview, see [Vulnerability Management](https://www.youtube.com/watch?v=8SJHz6BCgXM).
At all levels, the Vulnerability Report contains:
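Review bot: The access sentence "The report is available for users with the [correct role](../../permissions.md) on projects, groups, and the Security Center" does not name a role, and it is the only line in this patch that mentions the Security Center. If it is being dropped in favour of the Prerequisites text later in the patch ("You must have at least the Developer role for the project or group"), the Security Center case loses its access statement; if it is being kept, replace "correct role" with the minimum role so the two statements agree.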
......@@ -19,8 +20,11 @@ At all levels, the Vulnerability Report contains:
- Filters for common vulnerability attributes.
- Details of each vulnerability, presented in tabular layout.
<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
For an overview, see [Vulnerability Management](https://www.youtube.com/watch?v=8SJHz6BCgXM).
At the project level, the Vulnerability Report also contains:
- A time stamp showing when it was updated, including a link to the latest pipeline.
- The number of failures that occurred in the most recent pipeline. Select the failure
notification to view the **Failed jobs** tab of the pipeline's page.
The **Activity** column contains icons to indicate the activity, if any, taken on the vulnerability
in that row:
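Review bot: With the "At the project level, the Vulnerability Report also contains:" list sitting directly above it, the "The **Activity** column contains icons ..." paragraph reads as if it applied to the project level only. Move the project-level list below the Activity column description, or open that paragraph with "At all levels,". The same project-level list and the two YouTube overview lines also appear in the neighbouring hunks, so check that the rendered page ends up with exactly one copy of each.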
......@@ -38,54 +42,38 @@ status of a Jira issue is not shown in the GitLab UI.
![Example project-level Vulnerability Report](img/project_level_vulnerability_report_v14_5.png)
## Project-level Vulnerability Report
At the project level, the Vulnerability Report also contains:
- A time stamp showing when it was updated, including a link to the latest pipeline.
- The number of failures that occurred in the most recent pipeline. Select the failure
notification to view the **Failed jobs** tab of the pipeline's page.
When vulnerabilities originate from a multi-project pipeline setup,
this page displays the vulnerabilities that originate from the selected project.
### View the project-level vulnerability report
## View the vulnerability report
To view the project-level vulnerability report:
View the vulnerability report to list all vulnerabilities in the project or group.
1. On the left sidebar, select **Search or go to** and find your project.
1. Select **Secure > Vulnerability report**.
Prerequisites:
## Vulnerability Report actions
- You must have at least the Developer role for the project or group.
From the Vulnerability Report you can:
To view the vulnerability report:
- [Filter the list of vulnerabilities](#filter-the-list-of-vulnerabilities).
- [View more details about a vulnerability](#view-details-of-a-vulnerability).
- [View vulnerable source location](#view-vulnerable-source-location) (if available).
- [Change the status of vulnerabilities](#change-status-of-vulnerabilities).
- [Export details of vulnerabilities](#export-vulnerability-details).
- [Sort vulnerabilities by date](#sort-vulnerabilities-by-date-detected).
- [Manually add a vulnerability finding](#manually-add-a-vulnerability-finding).
- [Grouping vulnerability report](#group-vulnerabilities)
1. On the left sidebar, select **Search or go to** and find your project or group.
1. Select **Secure > Vulnerability report**.
## Vulnerability Report filters
You can filter the Vulnerability Report to narrow focus on only vulnerabilities matching specific
criteria.
The available filters are:
The filters available at all levels are:
<!-- vale gitlab.SubstitutionWarning = NO -->
- **Status**: Detected, Confirmed, Dismissed, Resolved. For details on what each status means, see
- **Status**: Detected, confirmed, dismissed, resolved. For details on what each status means, see
[vulnerability status values](../vulnerabilities/index.md#vulnerability-status-values).
- **Severity**: Critical, High, Medium, Low, Info, Unknown.
- **Severity**: Critical, high, medium, low, info, unknown.
- **Tool**: For more details, see [Tool filter](#tool-filter).
- **Project**: For more details, see [Project filter](#project-filter).
- **Activity**: For more details, see [Activity filter](#activity-filter).
The filters' criteria are combined to show only vulnerabilities matching all criteria.
Additionally, the [project filter](#project-filter) is available at the group level.
<!-- vale gitlab.SubstitutionWarning = YES -->
......
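Review bot: The list introduced by "The filters available at all levels are:" sits next to a "**Project**: For more details, see [Project filter](#project-filter)." bullet, while the closing sentence says the project filter is available at the group level in addition to those. Make sure the Project bullet is not left in the all-levels list, and keep "The filters' criteria are combined to show only vulnerabilities matching all criteria", since that is the only statement of how multiple filters interact. Separately, replacing "### View the project-level vulnerability report" with "## View the vulnerability report" changes the generated anchor, and the "Vulnerability Report actions" list carries eight in-page links, so check inbound links to any heading removed here.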