The Security configuration page lists the following for the security testing and compliance tools:

• Name, description, and a documentation link.
• Whether or not it is available.
• A configuration button or a link to its configuration guide.

To determine the status of each security control, GitLab checks for a CI/CD pipeline in the most recent commit on the default branch.

If GitLab finds a CI/CD pipeline, then it inspects each job in the .gitlab-ci.yml file.

• If a job defines an artifacts:reports keyword for a security scanner, then GitLab considers the security scanner enabled and shows the Enabled status.
• If no jobs define an artifacts:reports keyword for a security scanner, then GitLab considers the security scanner disabled and shows the Not enabled status.

If GitLab does not find a CI/CD pipeline, then it considers all security scanners disabled and shows the Not enabled status.

Failed pipelines and jobs are included in this process. If a scanner is configured but the job fails, that scanner is still considered enabled. This process also determines the scanners and statuses returned through the API .

If the latest pipeline uses Auto DevOps , all security features are configured by default.

To view a project’s security configuration:

1. On the left sidebar, at the top, select Search GitLab ( ) to find your project.
2. Select Secure > Security configuration .

Select Configuration history to see the .gitlab-ci.yml file’s history.

Security testing

You can configure the following security controls:

Static Application Security Testing (SAST)
• Select Enable SAST to configure SAST for the current project. For more details, read Configure SAST in the UI .

Compliance

You can configure the following security controls:

License Compliance
• Can be configured with .gitlab-ci.yml . For more details, read License Compliance .