From cacdee955bf1a932104badf07bf19b1fd43fc868 Mon Sep 17 00:00:00 2001 From: Julian Thome <jthome@gitlab.com> Date: Wed, 18 Dec 2024 04:17:50 +0000 Subject: [PATCH] Apply 1 suggestion(s) to 1 file(s) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Thiago Figueiró <tfigueiro@gitlab.com> --- doc/development/integrations/secure.md | 7 +++++++ doc/user/application_security/sast/customize_rulesets.md | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/development/integrations/secure.md b/doc/development/integrations/secure.md index 5ebe321fd07ab..f8baa669b1c7d 100644 --- a/doc/development/integrations/secure.md +++ b/doc/development/integrations/secure.md @@ -178,6 +178,13 @@ As documented in the [Docker Official Images](https://github.com/docker-library/ it is strongly encouraged that version number tags be given aliases which allows the user to easily refer to the "most recent" release of a particular series. See also [Docker Tagging: Best practices for tagging and versioning Docker images](https://learn.microsoft.com/en-us/archive/blogs/stevelasker/docker-tagging-best-practices-for-tagging-and-versioning-docker-images). +### Permissions + +To run a Docker container with non-root privileges the following user and group must be present in the container: + +- User `gitlab` with user ID `1000` +- Group `gitlab` with group ID `1000` + ## Command line A scanner is a command-line tool that takes environment variables as inputs, diff --git a/doc/user/application_security/sast/customize_rulesets.md b/doc/user/application_security/sast/customize_rulesets.md index f5e83464a4f0b..03df1166be435 100644 --- a/doc/user/application_security/sast/customize_rulesets.md +++ b/doc/user/application_security/sast/customize_rulesets.md 
@@ -145,7 +145,7 @@ differ based on the kind of configuration you're making. | `[[$analyzer.ruleset]]` | Predefined rules | Defines modifications to an existing rule. | | `interpolate` | All | If set to `true`, you can use `$VAR` in the configuration to evaluate environment variables. Use this feature with caution, so you don't leak secrets or tokens. (Default: `false`) | | `description` | Passthroughs | Description of the custom ruleset. | -| `targetdir` | Passthroughs | The directory where the final configuration should be persisted. If empty, a directory with a random name is created. The directory can contain up to 100 MB of files. | +| `targetdir` | Passthroughs | The directory where the final configuration should be persisted. If empty, a directory with a random name is created. The directory can contain up to 100 MB of files. In case the SAST job is running with non-root user privileges, ensure that the [active user](../../../development/integrations/secure.md#permissions) has read and write permissions for this directory. | | `validate` | Passthroughs | If set to `true`, the content of each passthrough is validated. The validation works for `yaml`, `xml`, `json` and `toml` content. The proper validator is identified based on the extension used in the `target` parameter of the `[[$analyzer.passthrough]]` section. (Default: `false`) | | `timeout` | Passthroughs | The maximum time to spend to evaluate the passthrough chain, before timing out. The timeout cannot exceed 300 seconds. (Default: 60) | -- GitLab
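Review bot: In the `### Permissions` hunk of `doc/development/integrations/secure.md`, the text only requires that user `gitlab` (UID `1000`) and group `gitlab` (GID `1000`) exist in the image, but the second hunk links to this anchor as the "active user", which implies the scanner process actually runs as that account. Consider stating that explicitly (that the scanner is executed as this user, not just that the account is present) and that any paths the scanner writes to must therefore be writable by UID/GID `1000`; otherwise an integrator who only adds the account but leaves `root` as the image's default user satisfies the letter of this section while the `targetdir` note still fails. A minor wording point: "To run a Docker container with non-root privileges the following user and group must be present" needs a comma after "privileges".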
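Review bot: In the `targetdir` hunk of `doc/user/application_security/sast/customize_rulesets.md`, the new sentence applies only when the user supplies a directory, since the same row says "If empty, a directory with a random name is created" and that directory is created by the job itself; scoping the note ("If you set `targetdir` and the SAST job runs as a non-root user, ensure ...") would keep readers from auditing permissions on a path they never chose. The phrasing "In case the SAST job is running with non-root user privileges" reads better as "If the SAST job runs as a non-root user". Also note that this user-facing page now links into the developer documentation (`../../../development/integrations/secure.md#permissions`); the anchor matches the `### Permissions` heading added in the first hunk, but the link will break silently if that heading is ever renamed, so a cross-reference in the other direction or a short inline statement of the UID/GID would make the row self-contained.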