A User Role specifies the permissions or privileges associated with a user. Common examples of User Roles include:
Global Administrator (such as a UNIX root user)
Administrator
Group Owner
Workspace Administrator
Full User
Guest
--------------------------------------------------------------------------------
/layouts/shortcodes/attestation-letter.md:
--------------------------------------------------------------------------------
The Attestation Letter is a one-page report that you can share with external stakeholders
such as prospects or customers. We base the letter on our [Executive Summary](/platform-deep-dive/pentests/reports/report-contents/#executive-summary).
You cannot customize an Attestation Letter.
--------------------------------------------------------------------------------
/layouts/_default/_markup/render-link.html:
--------------------------------------------------------------------------------
{{ .Text | safeHTML }}
--------------------------------------------------------------------------------
/styles/Google/Latin.yml:
--------------------------------------------------------------------------------
extends: substitution
message: "Use '%s' instead of '%s'."
link: 'https://developers.google.com/style/abbreviations'
ignorecase: true
level: error
nonword: true
action:
  name: replace
swap:
  '\b(?:eg|e\.g\.)[\s,]': for example
  '\b(?:ie|i\.e\.)[\s,]': that is
--------------------------------------------------------------------------------
/layouts/shortcodes/comprehensive-pentest.md:
--------------------------------------------------------------------------------
A Comprehensive Pentest is performed for [security audit](/getting-started/glossary/#security-audit), [compliance audit](/getting-started/glossary/#compliance-audit), or customer attestation and includes comprehensive [reports](/platform-deep-dive/pentests/reports/) intended for external stakeholders.
--------------------------------------------------------------------------------
/styles/Google/LyHyphens.yml:
--------------------------------------------------------------------------------
extends: existence
message: "'%s' doesn't need a hyphen."
link: 'https://developers.google.com/style/hyphens'
level: error
ignorecase: false
nonword: true
action:
  name: edit
  params:
    - replace
    - '-'
    - ' '
tokens:
  - '\s[^\s-]+ly-'
--------------------------------------------------------------------------------
/styles/Google/OptionalPlurals.yml:
--------------------------------------------------------------------------------
extends: existence
message: "Don't use plurals in parentheses such as in '%s'."
link: 'https://developers.google.com/style/plurals-parentheses'
level: error
nonword: true
action:
  name: edit
  params:
    - remove
    - '(s)'
tokens:
  - '\b\w+\(s\)'
--------------------------------------------------------------------------------
/layouts/shortcodes/pentest-report-types.md:
--------------------------------------------------------------------------------
- For [Agile Pentests](/getting-started/glossary/#agile-pentest):
  - Automated Report
- For [Comprehensive Pentests](/getting-started/glossary/#comprehensive-pentest):
  - Customer Letter
  - Attestation Report
  - Attestation Letter
  - Full Report
  - Full Report + Finding Details
--------------------------------------------------------------------------------
/styles/cobalt/LICENSE.md:
--------------------------------------------------------------------------------
The files in this directory were created by [GitLab](https://about.gitlab.com/), licensed under [CC-BY 4.0](https://creativecommons.org/licenses/by/4.0/). We modified the contents of the files for Cobalt styles.

For the current versions of these files, see https://gitlab.com/gitlab-org/gitlab/-/tree/master/doc/.vale/gitlab.
--------------------------------------------------------------------------------
/netlify.toml:
--------------------------------------------------------------------------------
[build]
publish = "public"
command = "cd themes/docsy && git submodule update -f --init && cd ../.. && hugo"

[build.environment]
HUGO_VERSION = "0.104.2"
HUGO_ENV = "production"

[[redirects]]
from = "https://cobalt-docs.netlify.app"
to = "https://developer.cobalt.io"
status = 301
--------------------------------------------------------------------------------
/styles/cobalt/Repetition.yml:
--------------------------------------------------------------------------------
---
# Error: gitlab.Repetition
#
# Checks for duplicate words, like `the the` or `and and`.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: repetition
message: '"%s" is repeated.'
level: error
alpha: true
tokens:
  - '[^\s]+'
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Pentests/_index.md:
--------------------------------------------------------------------------------
---
title: "Pentests"
linkTitle: "Pentests"
weight: 20
description: >
  Pentests are the cornerstone of our PtaaS platform.
---

{{% pageinfo %}}
Launch a pentest to see the benefits of our offering in action.
{{% /pageinfo %}}

{{% getting-started-steps %}}
--------------------------------------------------------------------------------
/styles/Google/FirstPerson.yml:
--------------------------------------------------------------------------------
extends: existence
message: "Avoid first-person pronouns such as '%s'."
link: 'https://developers.google.com/style/pronouns#personal-pronouns'
ignorecase: true
level: warning
nonword: true
tokens:
  - (?:^|\s)I\s
  - (?:^|\s)I,\s
  - \bI'm\b
  - \bme\b
  - \bmy\b
  - \bmine\b
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Pentests/Pentest Process/_index.md:
--------------------------------------------------------------------------------
---
title: "Pentest Process"
linkTitle: "Pentest Process"
weight: 20
description: >
  Learn how Cobalt tests your assets.
---

{{% pageinfo %}}
Cobalt defines a sequence of events which use specific methodologies based on your asset.
{{% /pageinfo %}}
--------------------------------------------------------------------------------
/layouts/partials/analytics-gtag.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/styles/Google/HeadingPunctuation.yml:
--------------------------------------------------------------------------------
extends: existence
message: "Don't put a period at the end of a heading."
link: 'https://developers.google.com/style/capitalization#capitalization-in-titles-and-headings'
nonword: true
level: warning
scope: heading
action:
  name: edit
  params:
    - remove
    - '.'
tokens:
  - '[a-z0-9][.]\s*$'
--------------------------------------------------------------------------------
/styles/Readability/FleschKincaid.yml:
--------------------------------------------------------------------------------
extends: metric
message: "Make your content readable. Set a Flesch–Kincaid grade level (%s) below 10. To lower the score, use shorter sentences and more common words."
link: https://en.wikipedia.org/wiki/Flesch%E2%80%93Kincaid_readability_tests

formula: |
  (0.39 * (words / sentences)) + (11.8 * (syllables / words)) - 15.59

condition: "> 1"
--------------------------------------------------------------------------------
/layouts/404.html:
--------------------------------------------------------------------------------
{{ define "main"}}

Not found

Oops! This page doesn't exist. Try going back to our home page.

You can learn how to make a 404 page like this in Custom 404 Pages.

{{ end }}
--------------------------------------------------------------------------------
/styles/Google/DateFormat.yml:
--------------------------------------------------------------------------------
extends: existence
message: "Use 'July 31, 2016' format, not '%s'."
link: 'https://developers.google.com/style/dates-times'
ignorecase: true
level: error
nonword: true
tokens:
  - '\d{1,2}(?:\.|/)\d{1,2}(?:\.|/)\d{4}'
  - '\d{1,2} (?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)|May|Jun(?:e)|Jul(?:y)|Aug(?:ust)|Sep(?:tember)?|Oct(?:ober)|Nov(?:ember)?|Dec(?:ember)?) \d{4}'
--------------------------------------------------------------------------------
/styles/cobalt/Wordy.yml:
--------------------------------------------------------------------------------
---
# Suggestion: gitlab.Wordy
#
# Suggests shorter versions of wordy phrases.
#
# For a list of all options, see https://docs.errata.ai/vale/styles
extends: substitution
message: 'Be concise: "%s" is less wordy than "%s".'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html
level: suggestion
ignorecase: true
swap:
  in order to: to
--------------------------------------------------------------------------------
/styles/cobalt/Possessive.yml:
--------------------------------------------------------------------------------
---
# Warning: gitlab.Possessive
#
# The word Cobalt should not be used in the possessive form.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: "Rewrite '%s' to not use 's."
level: error
ignorecase: true
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#trademark
tokens:
  - Cobalt's
--------------------------------------------------------------------------------
/layouts/shortcodes/mermaid.html:
--------------------------------------------------------------------------------
{{.Inner}}
--------------------------------------------------------------------------------
/styles/cobalt/ReferenceLinks.yml:
--------------------------------------------------------------------------------
---
# Error: gitlab.ReferenceLinks
#
# Checks for reference-style links that should be converted to inline links.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: 'Link "%s" must be inline.'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#basic-link-criteria
level: error
scope: raw
raw:
  - '\n\[[^\]]*\]: .*'
--------------------------------------------------------------------------------
/styles/cobalt/MergeConflictMarkers.yml:
--------------------------------------------------------------------------------
---
# Error: gitlab.MergeConflictMarkers
#
# Checks for the presence of merge conflict markers.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: 'Merge conflict marker "%s" found.'
link: https://docs.gitlab.com/ee/development/code_review.html#merging-a-merge-request
level: error
scope: raw
raw:
  - '\n<<<<<<< .+\n|\n=======\n|\n>>>>>>> .+\n'
--------------------------------------------------------------------------------
/styles/cobalt/SentenceLength.yml:
--------------------------------------------------------------------------------
---
# Warning: gitlab.SentenceLength
#
# Counts words in a sentence and alerts if a sentence exceeds 28 words.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: occurrence
message: 'Shorter sentences improve readability (max 28 words).'
scope: sentence
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#language
level: warning
max: 28
token: \b(\w+)\b
--------------------------------------------------------------------------------
/styles/cobalt/E-Prime.yml:
--------------------------------------------------------------------------------
extends: existence
message: "Try to avoid using '%s'."
ignorecase: true
level: suggestion
tokens:
  - am
  - are
  - aren't
  - be
  - been
  - being
  - he's
  - here's
  - here's
  - how's
  - i'm
  - is
  - isn't
  - it's
  - she's
  - that's
  - there's
  - they're
  - was
  - wasn't
  - we're
  - were
  - weren't
  - what's
  - where's
  - who's
--------------------------------------------------------------------------------
/styles/cobalt/RelativeLinksDoubleSlashes.yml:
--------------------------------------------------------------------------------
---
# Error: gitlab.RelativeLinksDoubleSlashes
#
# Checks for the presence of double slashes in relative URLs.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: 'Relative links must not include a double slash.'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
level: error
scope: raw
raw:
  - '\.//'
--------------------------------------------------------------------------------
/styles/cobalt/DefaultBranch.yml:
--------------------------------------------------------------------------------
---
# Warning: gitlab.DefaultBranch
#
# Do not refer to the default branch as the "master" branch, if possible.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: 'Use "default branch" or `main` instead of `master`, when possible.'
level: warning
ignorecase: true
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html
scope: raw
raw:
  - '\`master\`'
--------------------------------------------------------------------------------
/layouts/shortcodes/additional-requirements.html:
--------------------------------------------------------------------------------
Additional Requirements

You’re welcome to define additional test objectives. If you follow best practices other than
OWASP, ASVS, or OSSTMM, let us know. Include a link or other documentation. If it’s a
“well-known” security practice, our pentesters probably already know it!

If you have special instructions for a pentest,
add them later, under Special Instructions.
--------------------------------------------------------------------------------
/layouts/shortcodes/getting-started-steps.md:
--------------------------------------------------------------------------------
Refer to the [Getting Started](/getting-started/) guide to set up a pentest in four stages:

1. Define your [assets](/getting-started/assets/).
1. Set pentest [requirements](/getting-started/pentest-objectives/).
1. Add pentest [details](/getting-started/details/).
1. [Plan and scope](/getting-started/planning/) the pentest.

Once the pentest is complete, you can download a [pentest report](/platform-deep-dive/pentests/reports/) to explore security issues that our pentesters found.
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
      time: "06:00"
      timezone: "US/Pacific"
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"
      time: "06:00"
      timezone: "US/Pacific"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
      time: "06:00"
      timezone: "US/Pacific"
--------------------------------------------------------------------------------
/styles/cobalt/ElementDescriptors.yml:
--------------------------------------------------------------------------------
---
# Suggestion: gitlab.ElementDescriptors
#
# Suggests the correct way to describe elements in a form.
#
# For a list of all options, see https://errata-ai.github.io/vale/styles/
extends: substitution
message: 'When describing elements, %s "%s".'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#language
level: suggestion
ignorecase: true
swap:
  button: 'if possible, rewrite to not use'
  area: 'use "section" instead of'
--------------------------------------------------------------------------------
/styles/cobalt/InternalLinkExtension.yml:
--------------------------------------------------------------------------------
---
# Error: gitlab.InternalLinkExtension
#
# Checks that internal links have .md extension and not .html extension.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: 'Link "%s" must use the .md file extension.'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
level: error
scope: raw
raw:
  - '\[.+\]\([\w\/\.-]+\.html[^)]*\)'
--------------------------------------------------------------------------------
/styles/cobalt/NonStandardQuotes.yml:
--------------------------------------------------------------------------------
---
# Warning: gitlab.NonStandardQuotes
#
# Use only standard single and double quotes, not left or right quotes.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: 'Use standard single quotes or double quotes only. Do not use left or right quotes.'
level: warning
ignorecase: true
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html
scope: raw
raw:
  - '[‘’“”]'
--------------------------------------------------------------------------------
/styles/cobalt/MeaningfulLinkWords.yml:
--------------------------------------------------------------------------------
---
# Warning: gitlab.MeaningfulLinkWords
#
# Checks for the presence of semantically unhelpful words in link text.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: 'Improve SEO and accessibility by rewriting "%s" in the link text.'
level: warning
scope: link
ignorecase: true
link: https://about.gitlab.com/handbook/communication/#writing-style-guidelines
tokens:
  - here
  - this page
--------------------------------------------------------------------------------
/styles/cobalt/SentenceSpacing.yml:
--------------------------------------------------------------------------------
---
# Error: gitlab.SentenceSpacing
#
# Checks for incorrect spacing (no spaces, or more than one space) around punctuation.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: '"%s" must contain one and only one space.'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#punctuation
level: error
nonword: true
tokens:
  - '[a-z][.?!,][A-Z]'
  - '[\w.?!,\(\)\-":] {2,}[\w.?!,\(\)\-":]'
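The Vale rules in this repo (Latin.yml, MergeConflictMarkers.yml and SentenceSpacing.yml among them) are regexes that the linter applies differently depending on `nonword`, `ignorecase` and `scope: raw`. The following Python script is an added example, not Vale's code and not part of this repo: it re-implements just enough of that evaluation to show what the three patterns match on a constructed snippet. The rule names used here, the sample text, and the simplified handling of `raw` rules (pattern applied verbatim to the whole text) are assumptions of this example.

```python
import re
from dataclasses import dataclass, field


def build_pattern(tokens, ignorecase=False, nonword=False):
    """Combine a rule's tokens the way Vale does for existence/substitution
    rules: alternatives are OR-ed, wrapped in word boundaries unless
    `nonword: true`, and `ignorecase: true` turns on re.IGNORECASE."""
    alternation = "|".join(f"(?:{t})" for t in tokens)
    if not nonword:
        alternation = rf"\b(?:{alternation})\b"
    return re.compile(alternation, re.IGNORECASE if ignorecase else 0)


@dataclass
class Rule:
    name: str
    message: str                # "%s" placeholders as in the YAML files
    pattern: re.Pattern
    swap: dict = field(default_factory=dict)   # substitution rules only

    def findings(self, text):
        """Return (rule name, matched text, rendered message) per match."""
        out = []
        for m in self.pattern.finditer(text):
            hit = m.group(0)
            if self.swap:
                # Substitution: find the swap key that produced this hit so the
                # message can name the replacement, e.g. 'for example'.
                replacement = next(v for k, v in self.swap.items()
                                   if re.fullmatch(k, hit, self.pattern.flags))
                msg = self.message % (replacement, hit.strip())
            else:
                msg = self.message % hit.strip()
            out.append((self.name, hit, msg))
        return out


# Patterns copied from the YAML files on this page; rule names are assumed.
LATIN_SWAP = {
    r"\b(?:eg|e\.g\.)[\s,]": "for example",
    r"\b(?:ie|i\.e\.)[\s,]": "that is",
}

RULES = [
    Rule("Google.Latin", "Use '%s' instead of '%s'.",
         build_pattern(list(LATIN_SWAP), ignorecase=True, nonword=True),
         swap=LATIN_SWAP),
    # scope: raw rules run their pattern verbatim over the whole file, so the
    # newlines in the pattern are what anchor it to conflict-marker lines.
    Rule("cobalt.MergeConflictMarkers", 'Merge conflict marker "%s" found.',
         re.compile(r"\n<<<<<<< .+\n|\n=======\n|\n>>>>>>> .+\n")),
    Rule("cobalt.SentenceSpacing", '"%s" must contain one and only one space.',
         build_pattern([r"[a-z][.?!,][A-Z]",
                        r'[\w.?!,\(\)\-":] {2,}[\w.?!,\(\)\-":]'], nonword=True)),
]


def lint(text, rules=RULES):
    """Apply every rule to `text`; returns a list of (name, hit, message)."""
    return [finding for rule in rules for finding in rule.findings(text)]


def count_by_rule(text, rules=RULES):
    """Number of findings per rule name, handy for asserting on results."""
    counts = {}
    for name, _, _ in lint(text, rules):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: a stray "e.g.", a missing space after a period,
# a double space, and an unresolved merge conflict.
SAMPLE = (
    "Set the objective, e.g. an OWASP top-ten review.Then add details.\n"
    "<<<<<<< HEAD\n"
    "The pentest  runs for two weeks.\n"
    "=======\n"
)

if __name__ == "__main__":
    for name, _, msg in lint(SAMPLE):
        print(f"{name}: {msg}")
```

Running the script reports one Latin substitution, two merge-conflict markers and two spacing errors for the sample. The point to notice is `nonword: true`: without it, Vale would wrap the alternation in `\b...\b`, and patterns that start or end on punctuation or whitespace (such as the SentenceSpacing tokens) would silently stop matching.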
--------------------------------------------------------------------------------
/assets/scss/_variables_project.scss:
--------------------------------------------------------------------------------
/*

Add styles or override variables from the theme here.

*/
nav ul li a {
  padding-left: 0.5rem;
}

$td-enable-google-fonts: false;

$google_font_name: "Lato";
$google_font_family: "Lato:300,300i,400,400i,700,700i";

$primary: #0047AB !default;

$link-col: #248BD2 !default;
$link-color: darken($link-col, 15%) !default;
$link-decoration: none !default;
$link-hover-color: darken($link-color, 15%) !default;
$link-hover-decoration: none !default;
--------------------------------------------------------------------------------
/styles/cobalt/Headings.yml:
--------------------------------------------------------------------------------
extends: capitalization
message: "'%s' should use title-style capitalization."
link: 'https://capitalizemytitle.com/style/Chicago/'
level: warning
scope: heading
match: $title
indicators:
  - ':'
exceptions:
  - Azure
  - CLI
  - Code
  - Cosmos
  - Docker
  - Emmet
  - gRPC
  - I
  - Kubernetes
  - Linux
  - macOS
  - Marketplace
  - MongoDB
  - REPL
  - Studio
  - TypeScript
  - URLs
  - Visual
  - VS
  - Windows
--------------------------------------------------------------------------------
/styles/cobalt/LatinTerms.yml:
--------------------------------------------------------------------------------
---
# Warning: gitlab.LatinTerms
#
# Checks for use of Latin terms.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: substitution
message: 'Use "%s" instead of "%s", but consider rewriting the sentence.'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#usage-list
level: warning
nonword: true
ignorecase: true
swap:
  e\.g\.: for example
  e\. g\.: for example
  i\.e\.: that is
  i\. e\.: that is
--------------------------------------------------------------------------------
/layouts/shortcodes/alpha-status.html:
--------------------------------------------------------------------------------
Alpha
This Kubeflow component has alpha status with limited support. See the
Kubeflow versioning policies.
The Kubeflow team is interested in your {{ if .Get "feedbacklink"}} {{ with .Get "feedbacklink" }}
feedback{{ end }} {{ else }}feedback{{ end }}
about the usability of the feature.
--------------------------------------------------------------------------------
/styles/cobalt/ToDo.yml:
--------------------------------------------------------------------------------
---
# Warning: gitlab.ToDo
#
# You should not use "To Do", unless it refers to the UI element.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: substitution
message: 'Use "to-do item" in most cases, or "Add a to do" if referring to the UI button.'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#feature-names
level: warning
ignorecase: false
swap:
  '[Tt]o [Dd]o [Ii]tems?': to-do item
  '\w* [Aa] [Tt]o [Dd]o': Add a to do
--------------------------------------------------------------------------------
/layouts/partials/feedback.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/styles/cobalt/CurrentStatus.yml:
--------------------------------------------------------------------------------
---
# Suggestion: gitlab.CurrentStatus
#
# Checks for words that indicate a product or feature may change in the future.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: 'Avoid words like "%s" that promise future changes, because documentation is about the current state of the product.'
level: suggestion
ignorecase: true
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#usage-list
tokens:
  - currently
--------------------------------------------------------------------------------
/styles/cobalt/FirstPerson.yml:
--------------------------------------------------------------------------------
---
# Warning: gitlab.FirstPerson
#
# Checks for use of first person pronouns.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: '"%s" is a first-person pronoun. Use second- or third-person pronouns (like we, you, us, one) instead.'
level: warning
ignorecase: true
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#usage-list
tokens:
  - '\bI[ ,;:?!"]|\bI\x27.{1,2}'
  - me
  - myself
  - mine
--------------------------------------------------------------------------------
/styles/cobalt/InclusionAbleism.yml:
--------------------------------------------------------------------------------
---
# Suggestion: gitlab.InclusionAbleism
#
# Suggests alternatives for words that foster ableism.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: substitution
message: 'Use inclusive language. Consider "%s" instead of "%s".'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#inclusive-language
level: suggestion
ignorecase: true
swap:
  sanity (?:check|test): check for completeness
  dummy: placeholder, sample, fake
--------------------------------------------------------------------------------
/styles/cobalt/OxfordComma.yml:
--------------------------------------------------------------------------------
---
# Warning: gitlab.OxfordComma
#
# Checks for the lack of an Oxford comma. In some cases, will catch overly complex sentence structures with lots of commas.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: 'Use a comma before the last "and" or "or" in a list of three or more items.'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#punctuation
level: warning
raw:
  - '(?:[\w-_` ]+,){2,}(?:[\w-_` ]+) (and |or )'
--------------------------------------------------------------------------------
/layouts/_default/content.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/styles/cobalt/BadgeCapitalization.yml:
--------------------------------------------------------------------------------
---
# Error: gitlab.BadgeCapitalization
#
# Verifies that badges are not mixed case, which won't render properly.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: 'Badge "%s" must be capitalized.'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#product-tier-badges
level: error
scope: raw
raw:
  - '(?!\*\*\((FREE|PREMIUM|ULTIMATE)( (SELF|SAAS))?\)\*\*)'
  - '(?i)\*\*\((free|premium|ultimate)( (self|saas))?\)\*\*'
--------------------------------------------------------------------------------
/layouts/shortcodes/invite-help.md:
--------------------------------------------------------------------------------
### Invite Help

You may not have all the information that you need. To invite others to help define your pentest,
look for the Add Collaborator icon:



If you select the icon, we save the current pentest, in draft format. We then prompt you for an
email address of a coworker who could have more information about your pentest needs.

Next, your coworker receives an email to sign up for Cobalt, with a link directly to the pentest
that you're working on.
--------------------------------------------------------------------------------
/styles/cobalt/InclusionGender.yml:
--------------------------------------------------------------------------------
---
# Suggestion: gitlab.InclusionGender
#
# Suggests alternatives for words that are gender-specific.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: substitution
message: 'Use inclusive language. Consider "%s" instead of "%s".'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#inclusive-language
level: suggestion
ignorecase: true
swap:
  mankind: humanity, people
  manpower: Cobalt team members
  he: they
  his: their
  she: they
  hers: their
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/_index.md:
--------------------------------------------------------------------------------
---
title: "Platform Deep Dive"
linkTitle: "Platform Deep Dive"
weight: 10
description: >
  Explore the features of the Cobalt platform.
---

{{% pageinfo %}}
We're working to expand this section of our Product Documentation. Stay tuned.
{{% /pageinfo %}}

You've [signed in](/getting-started/sign-in/) and purchased {{% cobalt-credits %}}. Now it's time to explore the functionality of the [PtaaS](/getting-started/glossary/#pentest-as-a-service-ptaas) platform.

In this section, you'll learn about the features that we offer in the Cobalt app.
--------------------------------------------------------------------------------
/styles/cobalt/InclusionCultural.yml:
--------------------------------------------------------------------------------
---
# Warning: gitlab.InclusionCultural
#
# Suggests alternatives for words that are culturally inappropriate.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: substitution
message: 'Use inclusive language. Consider "%s" instead of "%s".'
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#inclusive-language
level: warning
ignorecase: true
swap:
  blacklist(?:ed|ing|s)?: denylist
  whitelist(?:ed|ing|s)?: allowlist
  master: primary, main
  slave: secondary
--------------------------------------------------------------------------------
/styles/cobalt/Simplicity.yml:
--------------------------------------------------------------------------------
---
# Suggestion: gitlab.Simplicity
#
# Checks for words implying ease of use, to avoid cognitive dissonance for frustrated users.
#
# For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
extends: existence
message: 'Avoid words like "%s" that imply ease of use, because the user may find this action hard.'
level: suggestion
ignorecase: true
link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#usage-list
tokens:
  - easy
  - easily
  - handy
  - simple
  - simply
  - useful
--------------------------------------------------------------------------------
/content/en/Getting started/Assets/asset-type.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Specify Asset Type"
3 | linkTitle: "Specify Asset Type"
4 | weight: 20
5 | description: >
6 | What kind of asset do you have?
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Help us find the right pentesters for your asset.
11 | {{% /pageinfo %}}
12 |
13 | For each asset, we provide guidance for each of the following asset types:
14 |
15 | {{% asset-types-table %}}
16 |
17 | Once you've classified your asset, select an Asset Type:
18 |
19 | 
20 |
21 | The next step is to [Describe Your Assets](../asset-description).
22 |
--------------------------------------------------------------------------------
/styles/cobalt/Admin.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Warning: gitlab.Admin
3 | #
4 | # Checks for "admin" and recommends using the full word instead. "Admin Area" is OK.
5 | #
6 | # For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
7 | extends: substitution
8 | message: 'Verify this use of the word "admin". Can it be updated to "administration", "administrator", "administer", or "Admin Area"?'
9 | link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html
10 | level: suggestion
11 | ignorecase: false
12 | swap:
13 | '[Aa]dmin ?\w*': '(?:Admin( Area| Mode)?|[Aa]dminist(ration|rator|rators|er|rative))'
14 |
--------------------------------------------------------------------------------
/layouts/_default/search.html:
--------------------------------------------------------------------------------
1 | {{ define "main" }}
2 |
3 |
4 |
{{ .Title }}
5 | {{ with .Site.Params.gcs_engine_id }}
6 |
17 |
18 | {{ end }}
19 |
17 | {{ end }}
18 |
--------------------------------------------------------------------------------
/styles/cobalt/UnclearAntecedent.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Warning: gitlab.UnclearAntecedent
3 | #
4 | # Checks for words that need a noun for clarity.
5 | #
6 | # For a list of all options, see https://docs.errata.ai/vale/styles
7 | extends: existence
8 | message: "'%s' is not precise. Try rewriting with a specific subject and verb."
9 | link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#this-these-that-those
10 | level: warning
11 | ignorecase: false
12 | tokens:
13 | - 'That is'
14 | - 'That was'
15 | - 'These are'
16 | - 'These were'
17 | - 'There are'
18 | - 'There were'
19 | - 'This is'
20 | - 'This was'
21 | - 'Those are'
22 | - 'Those were'
23 |
--------------------------------------------------------------------------------
/styles/Spelling.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Warning: gitlab.Spelling
3 | #
4 | # Checks for possible spelling mistakes in content, not code. Results from links using angle brackets (<>) should be corrected.
5 | #
6 | # If a word is flagged as a spelling mistake incorrectly, such as a product name,
7 | # you can submit an MR to update `spelling-exceptions.txt` with the missing word.
8 | # Commands, like `git clone` must use backticks, and must not be added to the
9 | # exceptions.
10 | #
11 | # For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
12 | extends: spelling
13 | message: 'Spelling check: "%s"?'
14 | level: warning
15 | ignore:
16 | - cobalt/spelling-exceptions.txt
17 |
--------------------------------------------------------------------------------
/styles/cobalt/Spelling.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Warning: gitlab.Spelling
3 | #
4 | # Checks for possible spelling mistakes in content, not code. Results from links using angle brackets (<>) should be corrected.
5 | #
6 | # If a word is flagged as a spelling mistake incorrectly, such as a product name,
7 | # you can submit an MR to update `spelling-exceptions.txt` with the missing word.
8 | # Commands, like `git clone` must use backticks, and must not be added to the
9 | # exceptions.
10 | #
11 | # For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
12 | extends: spelling
13 | message: 'Spelling check: "%s"?'
14 | level: warning
15 | ignore:
16 | - cobalt/spelling-exceptions.txt
17 |
--------------------------------------------------------------------------------
/styles/cobalt/Contractions.yml:
--------------------------------------------------------------------------------
1 | extends: substitution
2 | message: "Feel free to use '%s' instead of '%s'."
3 | link: 'https://developers.google.com/style/contractions'
4 | level: suggestion
5 | ignorecase: true
6 | action:
7 | name: replace
8 | swap:
9 | are not: aren't
10 | cannot: can't
11 | could not: couldn't
12 | did not: didn't
13 | do not: don't
14 | does not: doesn't
15 | has not: hasn't
16 | have not: haven't
17 | how is: how's
18 | is not: isn't
19 | it is: it's
20 | should not: shouldn't
21 | that is: that's
22 | they are: they're
23 | was not: wasn't
24 | we are: we're
25 | were not: weren't
26 | what is: what's
27 | when is: when's
28 | where is: where's
29 | will not: won't
30 |
--------------------------------------------------------------------------------
/content/en/Getting started/Assets/coverage.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Understand Pentest Scoping"
3 | linkTitle: "Understand Pentest Scoping"
4 | weight: 40
5 | toc_hide: true
6 | hide_summary: true
7 | description: >
8 | The pentest scope determines the number of credits required for a pentest.
9 | ---
10 |
11 | {{% pageinfo %}}
12 | Refer to [Plan and Scope the Pentest](/getting-started/planning/) for details.
13 | {{% /pageinfo %}}
14 |
15 |
16 |
17 | ## Pentest Reports
18 |
19 | See [Pentest Reports](/platform-deep-dive/pentests/reports/) for more information about reports.
20 |
--------------------------------------------------------------------------------
/deploy.sh:
--------------------------------------------------------------------------------
1 | #Copyright 2018 Google LLC
2 | #
3 | #Licensed under the Apache License, Version 2.0 (the "License");
4 | #you may not use this file except in compliance with the License.
5 | #You may obtain a copy of the License at
6 | #
7 | # https://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | #Unless required by applicable law or agreed to in writing, software
10 | #distributed under the License is distributed on an "AS IS" BASIS,
11 | #WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | #See the License for the specific language governing permissions and
13 | #limitations under the License.
14 | #
15 | rm -rf public/
16 | HUGO_ENV="production" hugo --gc || exit 1
17 | s3deploy -source=public/ -region=eu-west-1 -bucket=bep.is -distribution-id=E8OKNT7W9ZYZ2 -path temp/td
18 |
--------------------------------------------------------------------------------
/layouts/shortcodes/expand.html:
--------------------------------------------------------------------------------
1 | {{ $_hugo_config := `{ "version": 1 }` }}
2 |
--------------------------------------------------------------------------------
/styles/cobalt/AlertBoxStyle.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Error: gitlab.AlertBoxStyle
3 | #
4 | # Makes sure alert boxes are used with block quotes. Checks for 3 formatting issues:
5 | #
6 | # - Alert boxes inside a block quote (">")
7 | # - Alert boxes with the note text on the same line
8 | # - Alert boxes using words other than "NOTE" or "WARNING"
9 | #
10 | # For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
11 | extends: existence
12 | message: 'Alert box "%s" must use the formatting in the style guide.'
13 | link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#alert-boxes
14 | level: error
15 | nonword: true
16 | scope: raw
17 | raw:
18 | - '(\n *\> *(?:NOTE|WARNING)|'
19 | - '\n\n(NOTE|WARNING):[^\n]|'
20 | - '\n\n *(?:> )?\**(Note|note|TIP|Tip|tip|CAUTION|Caution|caution|DANGER|Danger|danger|Warning|warning):.*)'
21 |
--------------------------------------------------------------------------------
/styles/cobalt/SubstitutionWarning.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Warning: gitlab.SubstitutionWarning
3 | #
4 | # Checks for misused terms or common shorthand that should never be used at GitLab, but can't be flagged as errors.
5 | # Substitutions.yml and SubstitutionSuggestions.yml also exist.
6 | #
7 | # For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
8 | extends: substitution
9 | message: 'If possible, use "%s" instead of "%s".'
10 | link: https://about.gitlab.com/handbook/communication/#top-misused-terms
11 | level: warning
12 | ignorecase: true
13 | swap:
14 | code base: codebase
15 | distro: distribution
16 | file name: filename
17 | filesystem: file system
18 | info: information
19 | repo: repository
20 | timezone: time zone
21 | utilize: use
22 | administrator access: the Administrator role
23 | administrator permission: the Administrator role
24 | administrator permissions: the Administrator role
25 |
--------------------------------------------------------------------------------
/styles/cobalt/SubstitutionSuggestions.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Suggestion: gitlab.SubstitutionSuggestions
3 | #
4 | # Suggests better options for frequently misused terms that are often - but not always - incorrect.
5 | # SubstitutionWarning.yml and Substitutions.yml also exist.
6 | #
7 | # For a list of all options, see https://errata-ai.github.io/vale/styles/
8 | extends: substitution
9 | message: 'Consider %s instead of "%s".'
10 | link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#language
11 | level: suggestion
12 | ignorecase: true
13 | swap:
14 | active user: '"billable user"'
15 | active users: '"billable users"'
16 | docs: '"documentation"'
17 | e-mail: '"email"'
18 | GFM: '"GitLab Flavored Markdown"'
19 | it is recommended: '"we recommend"'
20 | OAuth2: '"OAuth 2.0"'
21 | once that: '"after that"'
22 | once the: '"after the"'
23 | once you: '"after you"'
24 | since: '"because" or "after"'
25 | sub-group: '"subgroup"'
26 | sub-groups: '"subgroups"'
27 | within: '"in"'
28 |
--------------------------------------------------------------------------------
/styles/cobalt/VersionText.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Error: gitlab.VersionText
3 | #
4 | # Checks that version text is formatted correctly.
5 | #
6 | # Specifically looks for either of the following that is immediately followed on the next line
7 | # by content, which will break rendering:
8 | #
9 | # - `> Introduced` (version text without a link)
10 | # - `> [Introduced` (version text with a link)
11 | #
12 | # Because it excludes the prefix `> - `, it doesn't look for multi-line version text, for which
13 | # content immediately on the next line is ok. However, this will often highlight where multi-line
14 | # version text is attempted without `-` characters.
15 | #
16 | # For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
17 | extends: existence
18 | message: 'This introduced-in line is not formatted correctly.'
19 | link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#version-text-in-the-version-history
20 | level: error
21 | scope: raw
22 | raw:
23 | - '> \[?Introduced.+\n[^\n]'
24 |
--------------------------------------------------------------------------------
/layouts/_default/sitemap.xml:
--------------------------------------------------------------------------------
1 | {{ printf "" | safeHTML }}
2 |
4 | {{ range .Data.Pages }}
5 |
6 | https://developer.cobalt.io{{ .Permalink }}{{ if not .Lastmod.IsZero }}
7 | {{ safeHTML ( .Lastmod.Format "2006-01-02T15:04:05-07:00" ) }}{{ end }}{{ with .Sitemap.ChangeFreq }}
8 | {{ . }}{{ end }}{{ if ge .Sitemap.Priority 0.0 }}
9 | {{ .Sitemap.Priority }}{{ end }}{{ if .IsTranslated }}{{ range .Translations }}
10 | {{ end }}
15 | {{ end }}
20 |
21 | {{ end }}
22 |
23 |
--------------------------------------------------------------------------------
/.github/workflows/auto_merge.yml:
--------------------------------------------------------------------------------
1 | name: auto_merge
2 |
3 | on: pull_request
4 |
5 | permissions:
6 | pull-requests: write
7 | contents: write
8 |
9 | jobs:
10 | dependabot:
11 | runs-on: ubuntu-latest
12 | if: ${{ github.actor == 'dependabot[bot]' }}
13 | steps:
14 | - name: Dependabot metadata
15 | id: metadata
16 | uses: dependabot/fetch-metadata@v1.3.4
17 | with:
18 | github-token: "${{ secrets.GITHUB_TOKEN }}"
19 | - name: Approve a PR
20 | run: gh pr review --approve "$PR_URL"
21 | env:
22 | PR_URL: ${{github.event.pull_request.html_url}}
23 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
24 | - name: Enable auto-merge for Dependabot PRs
25 | if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'}}
26 | run: gh pr merge --auto --squash "$PR_URL"
27 | env:
28 | PR_URL: ${{github.event.pull_request.html_url}}
29 | GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
30 |
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | ## Changelog
2 |
3 | ### Added
4 |
5 | | Page | Deploy Preview | Comment |
6 | | ----- | ----- | ----- |
7 | | [Name] | [Link] | [Comment] |
8 |
9 | ### Updated
10 |
11 | | Page | Deploy Preview | Comment |
12 | | ----- | ----- | ----- |
13 | | [Name] | [Link] | [Comment] |
14 |
15 | ## Preview This Change
16 |
17 | To see how this change looks in production, scroll down to **Deploy Preview**. Select the link that looks like `https://deploy-preview---cobalt-docs.netlify.app/`
18 |
19 | ## Variables
20 |
21 | Help us support a “Write once, publish everywhere” single source of truth. If you see a line that looks like:
22 |
23 | `{{ % asset-categories % }}`
24 |
25 | You’ve found a [shortcode](https://gohugo.io/content-management/shortcodes/) that we include in multiple documents.
26 |
27 | You’ll find the content of the shortcode in the following directory:
28 |
29 | https://github.com/cobalthq/cobalt-product-public-docs/tree/main/layouts/shortcodes
30 |
31 | That shortcode has the same base name as what you see in the PR, such as `asset-categories.html`.
32 |
--------------------------------------------------------------------------------
/layouts/shortcodes/asset-details.md:
--------------------------------------------------------------------------------
1 | The **Asset** screen prompts you for the following information:
2 |
3 | - **Asset Title**: Set up a descriptive name to attract attention from the best pentesters.
4 | - **Asset Image**: Use it to help identify what you need from a list of assets.
5 | - [Asset Type](/getting-started/assets/asset-type/): Select one of the options described in the linked page.
6 | - [Technology Stack](/platform-deep-dive/assets/risk-advisories/#add-a-technology-stack-for-your-asset) (for Web, Mobile, API, and combined [asset types](/platform-deep-dive/assets/#asset-types)): Add a technology stack for your asset. You can preview [potential vulnerabilities](/platform-deep-dive/assets/risk-advisories/) based on the [Common Vulnerabilities and Exposures (CVE)](https://www.cve.org/) standard for this stack.
7 | - [Asset Description](/getting-started/assets/asset-description/): Add information that can help your pentesters fully analyze your asset.
8 | - [Attachment(s)](/getting-started/assets/asset-description/#attachments): Upload documentation, architecture diagrams, images, spreadsheets, or videos related to your asset.
--------------------------------------------------------------------------------
/styles/Google/Acronyms.yml:
--------------------------------------------------------------------------------
1 | extends: conditional
2 | message: "Spell out '%s', if it's unfamiliar to the audience."
3 | link: 'https://developers.google.com/style/abbreviations'
4 | level: suggestion
5 | ignorecase: false
6 | # Ensures that the existence of 'first' implies the existence of 'second'.
7 | first: '\b([A-Z]{3,5})\b'
8 | second: '(?:\b[A-Z][a-z]+ )+\(([A-Z]{3,5})\)'
9 | # ... with the exception of these:
10 | exceptions:
11 | - API
12 | - ASP
13 | - CLI
14 | - CPU
15 | - CSS
16 | - CSV
17 | - DEBUG
18 | - DOM
19 | - DPI
20 | - FAQ
21 | - GCC
22 | - GDB
23 | - GET
24 | - GPU
25 | - GTK
26 | - GUI
27 | - HTML
28 | - HTTP
29 | - HTTPS
30 | - IDE
31 | - JAR
32 | - JSON
33 | - JSX
34 | - LESS
35 | - LLDB
36 | - NET
37 | - NOTE
38 | - NVDA
39 | - OSS
40 | - PATH
41 | - PDF
42 | - PHP
43 | - POST
44 | - RAM
45 | - REPL
46 | - RSA
47 | - SCM
48 | - SCSS
49 | - SDK
50 | - SQL
51 | - SSH
52 | - SSL
53 | - SVG
54 | - TBD
55 | - TCP
56 | - TODO
57 | - URI
58 | - URL
59 | - USB
60 | - UTF
61 | - XML
62 | - XSS
63 | - YAML
64 | - ZIP
65 |
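Acronyms.yml above is an `extends: conditional` rule: the `first` pattern finds every 3-5 letter all-caps token, the `second` pattern finds a spelled-out definition such as "Fully Qualified Domain Name (FQDN)", and a token is flagged only when it occurs without a matching definition and is not in `exceptions`. The following Python script is an added example, not code from the repository or from Vale; it copies the two patterns and a subset of the exceptions list from the rule and runs them over a constructed sample. Treating the whole text as one scope is this example's simplification of Vale's scoping.

```python
import re

# Patterns copied from the Acronyms.yml rule on this page: FIRST finds every
# 3-5 letter all-caps token, SECOND finds a definition such as
# "Fully Qualified Domain Name (FQDN)" and captures the acronym in parentheses.
FIRST = re.compile(r"\b([A-Z]{3,5})\b")
SECOND = re.compile(r"(?:\b[A-Z][a-z]+ )+\(([A-Z]{3,5})\)")

# Subset of the rule's exceptions list (the full list is in the YAML above).
EXCEPTIONS = {"API", "CLI", "HTML", "HTTP", "HTTPS", "JSON", "SSH", "SSL", "URL", "XSS"}


def defined_acronyms(text):
    """Acronyms that are spelled out somewhere in the text, per the SECOND pattern."""
    return {m.group(1) for m in SECOND.finditer(text)}


def undefined_acronyms(text, exceptions=EXCEPTIONS):
    """Return (line_no, acronym) for every acronym occurrence that is neither
    defined in the text nor listed in exceptions.

    Assumption of this example: the whole text is one scope, so a definition
    anywhere (even after the first use) satisfies every use. Vale's own
    scoping rules are not reproduced here.
    """
    defined = defined_acronyms(text)
    alerts = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in FIRST.finditer(line):
            acronym = m.group(1)
            if acronym not in defined and acronym not in exceptions:
                alerts.append((line_no, acronym))
    return alerts


# Constructed sample document, not from the page.
SAMPLE_DOC = """The Open Web Application Security Project (OWASP) publishes a Top 10 list.
Each OWASP category maps to a CWE entry, and pentesters report an HTTP finding
with a CVSS score. The JSON export includes the CVSS vector and the CWE id.
"""

if __name__ == "__main__":
    print("defined:", sorted(defined_acronyms(SAMPLE_DOC)))
    for line_no, acronym in undefined_acronyms(SAMPLE_DOC):
        print(f"line {line_no}: spell out '{acronym}' if it's unfamiliar to the audience.")
```

On the sample, OWASP is defined on line 1, HTTP and JSON are exceptions, and every use of CWE and CVSS is flagged because neither is spelled out anywhere in the text.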
--------------------------------------------------------------------------------
/assets/js/feedback.js:
--------------------------------------------------------------------------------
1 | const yesButton = document.querySelector('.feedback-yes');
2 | const noButton = document.querySelector('.feedback-no');
3 |
4 | const disableButtons = () => {
5 | yesButton.disabled = true;
6 | noButton.disabled = true;
7 | };
8 |
9 | function thanksFeedback(button){
10 | button.blur();
11 | const buttonText = button.innerText; // scoped with const: the original assigned an implicit global
12 | button.innerText = 'Thanks for the feedback!';
13 | setTimeout(function () {
14 | button.innerText = buttonText;
15 | }, 2000);
16 | }
17 |
18 | const sendFeedback = (value) => {
19 | if (typeof ga !== 'function') return;
20 | const args = {
21 | command: 'send',
22 | hitType: 'event',
23 | category: 'Feedback Buttons',
24 | action: 'click',
25 | label: window.location.pathname,
26 | value: value
27 | };
28 | ga(args.command, args.hitType, args.category, args.action, args.label, args.value);
29 | };
30 |
31 | if (yesButton !== null ) {
32 | yesButton.addEventListener('click', () => {
33 | thanksFeedback(yesButton);
34 | disableButtons();
35 | sendFeedback(1);
36 | });
37 | }
38 |
39 | if (noButton !== null ) {
40 | noButton.addEventListener('click', () => {
41 | thanksFeedback(noButton);
42 | disableButtons();
43 | sendFeedback(0);
44 | });
45 | }
--------------------------------------------------------------------------------
/layouts/shortcodes/asset-types-table.md:
--------------------------------------------------------------------------------
1 | | Asset Type | Description |
2 | |------------------|---------------------------------------------------------------------------------------------------|
3 | | Web | An online application (app). **Includes APIs that supply data to the (Web) app**. |
4 | | Mobile | Any application intended for mobile phones or tablets. |
5 | | API | API is an Application Programming Interface. Use for APIs independent of a Web app. |
6 | | External Network | Any network that's directly exposed to the internet. |
7 | | Internal Network | Any network with either a limited or no interface to the internet. |
8 | | Cloud Config | For systems on "the Cloud," using services such as Amazon AWS, Microsoft Azure, or Google GCP. |
9 |
10 | We also support tests that span two categories, including:
11 |
12 | - Web + API
13 | - If the only APIs you use supply information to your web app, select the
14 | **Web** asset type. We test those APIs as part of web-only tests.
15 | - Web + External Network
16 | - Web + Mobile
--------------------------------------------------------------------------------
/layouts/partials/section-index.html:
--------------------------------------------------------------------------------
1 |
2 | {{ $pages := (where .Site.Pages "Section" .Section).ByWeight }}
3 | {{ if .IsHome }}
4 | {{ $pages = .Site.Pages.ByWeight }}
5 | {{ end }}
6 | {{ $parent := .Page }}
7 | {{ if $parent.Params.no_list }}
8 | {{/* If no_list is true we don't show a list of subpages */}}
9 | {{ else if $parent.Params.simple_list }}
10 | {{/* If simple_list is true we show a bulleted list of subpages */}}
11 |
12 | {{ range $pages }}
13 | {{ if eq .Parent $parent }}
14 |
18 | {{ else }}
19 | {{/* Otherwise we show a nice formatted list of subpages with page descriptions */}}
20 |
21 | {{ range $pages }}
22 | {{ if eq .Parent $parent }}
23 |
33 |
--------------------------------------------------------------------------------
/BestPracticesSecurityGuide.md:
--------------------------------------------------------------------------------
1 | ## Best Practices for Security
2 |
3 | We're writing a [Best Practices for Security](./content/en/BestPractices/_index.md) guide. In
4 | this guide, we feature content from our [Cobalt Core](https://cobalt.io/our-pentesters) pentesters.
5 |
6 | We'll work towards content that's more readable than most security documentation. We want
7 | content that's readable by people at US Grade Level 10, using criteria developed
8 | for the US Navy ([Flesch-Kincaid](https://en.wikipedia.org/wiki/Flesch%E2%80%93Kincaid_readability_tests)).
9 |
10 |
11 |
12 | We're focusing our efforts on the [OWASP Top 10](https://owasp.org/Top10/) from 2021.
13 |
14 | To help our pentesters, we've set up a grammar linter known as
15 | [Vale](https://errata.ai/vale-server/), based on the [Google Developer Style
16 | Guide](https://developers.google.com/style/), modified for Cobalt requirements. For
17 | installation instructions, see our [Grammar Linter](./GrammarLinter.md) page.
18 |
19 | We use the [Creative Commons CC-BY-4.0](https://creativecommons.org/licenses/by/4.0/) license.
20 |
21 | We ask our selected Cobalt Core authors to sign a freelance [contract](./static/bestprac/Content_Contributor_Agreement_Template.pdf).
--------------------------------------------------------------------------------
/layouts/_default/baseof.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | {{ if .Site.Params.GoogleAnalyticsID }}
5 | {{ partial "analytics-gtag.html" . }}
6 | {{ end }}
7 | {{ partial "head.html" . }}
8 | {{ if .IsHome }}{{ .Site.Title }}{{ else }}{{ with .Title }}{{ . }} | {{ end }}{{ .Site.Title }}{{ end }}
9 |
10 |
11 |
12 | {{ partial "navbar.html" . }}
13 |
14 |
15 |
16 |
17 |
20 |
23 |
24 | {{ if not .Site.Params.ui.breadcrumb_disable }}{{ partial "breadcrumb.html" . }}{{ end }}
25 | {{ block "main" . }}{{ end }}
26 |
27 |
28 |
29 | {{ partial "footer.html" . }}
30 |
31 | {{ partial "scripts.html" . }}
32 |
33 |
34 |
--------------------------------------------------------------------------------
/content/en/Getting started/track-credits.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Track Your Credits"
3 | linkTitle: "Track Your Credits"
4 | weight: 380
5 | description: >
6 | View and track your credits in the dashboard.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Navigate to the **Credits** tab to analyze how your company uses Cobalt [credits](https://www.cobalt.io/pentest-pricing#cobaltcredits).
11 | {{% /pageinfo %}}
12 |
13 | Here, you can see the following:
14 |
15 | - Current credit balance
16 | - Contract end date showing when your credits expire
17 | - History of pending and completed credit transactions
18 | - You may also see your {{% ptaas-tier %}} shown as "Subscription Plan."
19 |
20 | Whenever the credit balance changes, the transaction history updates with the following details:
21 |
22 | - Transaction date
23 | - Category: Contract or Pentest
24 | - Description:
25 | - Contract: Shows credit changes related to your subscription.
26 | - Pentest: Displays the title and ID of the pentest for which credits were used.
27 | - Transaction amount showing the number of added or subtracted credits
28 | - Number of credits remaining on the account balance once the transaction is completed
29 |
30 | To download the history of completed transactions in CSV format, select **Download CSV**. You can import the file into the spreadsheet software of your choice.
31 |
--------------------------------------------------------------------------------
/styles/write-good/README.md:
--------------------------------------------------------------------------------
1 | Based on [write-good](https://github.com/btford/write-good).
2 |
3 | > Naive linter for English prose for developers who can't write good and wanna learn to do other stuff good too.
4 |
5 | ```
6 | The MIT License (MIT)
7 |
8 | Copyright (c) 2014 Brian Ford
9 |
10 | Permission is hereby granted, free of charge, to any person obtaining a copy
11 | of this software and associated documentation files (the "Software"), to deal
12 | in the Software without restriction, including without limitation the rights
13 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
14 | copies of the Software, and to permit persons to whom the Software is
15 | furnished to do so, subject to the following conditions:
16 |
17 | The above copyright notice and this permission notice shall be included in all
18 | copies or substantial portions of the Software.
19 |
20 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
21 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
22 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
23 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
24 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
25 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
26 | SOFTWARE.
27 | ```
28 |
--------------------------------------------------------------------------------
/.github/workflows/check-branch-name.yml:
--------------------------------------------------------------------------------
1 | name: "Check the branch name"
2 | on:
3 | push:
4 | branches:
5 | # All branches.
6 | - '**' # Matches all branches.
7 | - '!master' # Excludes master.
8 | jobs:
9 | build:
10 | runs-on: ubuntu-latest
11 | steps:
12 | - uses: actions/checkout@v3
13 | - name: Check if the branch uses standardized naming scheme.
14 | shell: bash
15 | run: |
16 | # Make the match case insensitive
17 | shopt -s nocasematch
18 |
19 | BRANCH_NAME=$(git rev-parse --abbrev-ref HEAD)
20 | # Regex to match the Jira ticket naming convention.
21 | REGEX="(revert|hotfix|no-ticket|dependabot)|([A-Z]|[a-z])+-[0-9]+"
22 |
23 | if [[ "${BRANCH_NAME}" =~ ${REGEX} ]]; then
24 | exit 0
25 | fi
26 |
27 | cat <<\EOF
28 | ========================================================================
29 | Error: Invalid branch name.
30 |
31 | The branch name should contain the name of the corresponding ticket in Jira e.g.
32 |
33 | INFRA-123, CIT-51, EX-2, OFFICE-43, etc...
34 |
35 | This is a requirement from our SOC2 auditors.
36 |
37 | If you for any reason cannot connect this PR to a ticket, add the string "HOTFIX"
38 | anywhere in the name of the pull request and GitHub Actions build will pass.
39 |
40 | Please contact secops@cobalt.io or infra@cobalt.io for more details.
41 | ========================================================================
42 | EOF
43 |
44 | exit 1
45 |
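The workflow above enforces the branch-name policy with a single unanchored ERE: a branch passes when it contains one of the keywords or any run of letters followed by a hyphen and digits, matched case-insensitively because of `shopt -s nocasematch`. (Note that the check inspects the branch name, while the error text tells the author to add "HOTFIX" to the pull request name.) The following Python script is an added example, not part of the workflow; it copies the workflow's `REGEX` so you can see which constructed branch names it accepts, and sets an anchored variant of this example's own design beside it to show why the unanchored form also accepts names such as `my-branch-2`.

```python
import re

# Regex copied from the workflow's REGEX variable. The script runs it under
# "shopt -s nocasematch", which re.IGNORECASE reproduces.
PAGE_REGEX = re.compile(
    r"(revert|hotfix|no-ticket|dependabot)|([A-Z]|[a-z])+-[0-9]+", re.IGNORECASE
)

# Anchored variant, this example's own suggestion rather than the workflow's
# code: the keyword or ticket key must start the branch name or a "/"-separated
# segment, and the ticket number must not run straight into more letters/digits.
STRICT_REGEX = re.compile(
    r"(?:^|/)(?:revert|hotfix|no-ticket|dependabot|[A-Z]+-[0-9]+)(?![A-Z0-9])",
    re.IGNORECASE,
)


def check_branch(name, strict=False):
    """True when the branch name satisfies the policy (workflow regex or strict)."""
    regex = STRICT_REGEX if strict else PAGE_REGEX
    return regex.search(name) is not None


def compare(names):
    """Evaluate each name under both regexes; returns {name: (workflow, strict)}."""
    return {n: (check_branch(n), check_branch(n, strict=True)) for n in names}


# Constructed branch names, not from the page.
SAMPLE_BRANCHES = [
    "INFRA-123-fix-login",
    "feature/cit-51",
    "dependabot/npm_and_yarn/lodash-4.17.21",
    "my-branch-2",  # the unanchored regex accepts this: "branch-2" looks like a ticket key
    "cleanup",
]

if __name__ == "__main__":
    for name, (workflow_ok, strict_ok) in compare(SAMPLE_BRANCHES).items():
        print(f"{name:45} workflow={workflow_ok!s:5} strict={strict_ok}")
```

`my-branch-2` is the interesting row: the workflow's regex finds `branch-2` inside it and passes the push, whereas the anchored variant requires the ticket key at the start of the name or of a path segment and rejects it.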
--------------------------------------------------------------------------------
/content/en/Getting started/Pentest objectives/pentest-target.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Pentest Target"
3 | linkTitle: "Pentest Target"
4 | weight: 10
5 | description: >
6 | Define where our pentesters can find your asset.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Typically, all you need is a URL, IP address, or link.
11 | {{% /pageinfo %}}
12 |
13 | To set up a pentest, you need to define the location of your asset.
14 | Because all the pentests that we support are "online," the pentest target is the
15 | asset's location on the internet.
16 |
17 | | Asset Type | Typical Target |
18 | |------------------|-------------------------------------------------------------------------------------------|
19 | | Web | Fully-Qualified Domain Name (FQDN) such as www.example.com. May also specify an IP or network address. |
20 | | Mobile | URL where anyone can download a mobile app, such as on Google Play or the Apple App Store. |
21 | | API | Base URL of the API. You can define the endpoints / queries in the Instructions text box. |
22 | | External Network | IP addresses or the IP network address. |
23 | | Internal Network | IP network address. External IP address for the [Jump Box](../../glossary/#jump-box). |
24 | | Cloud Config | IP address(es) and FQDNs of your cloud components. |
25 |
26 | After you've defined the target, proceed with the [Pentest Methodology](../methodologies).
27 |
--------------------------------------------------------------------------------
/content/en/Getting started/Pentest objectives/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Set Pentest Requirements"
3 | linkTitle: "Set Pentest Requirements"
4 | weight: 50
5 | description: >
6 | Now that you've defined an asset, it's time to define requirements for the pentest.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Define what you want our pentesters to test.
11 | {{% /pageinfo %}}
12 |
13 |
14 | {{% big-pic-UI-steps %}}
15 |
16 | This section can help you set pentest requirements. In the Cobalt UI, you can
17 | define pentest requirements in the following screen:
18 |
19 | 
20 |
21 | On this page of the UI, you can:
22 |
23 | - Specify a [Pentest Target](./pentest-target).
24 | - Define a [Pentest Methodology](./methodologies), with detailed objectives. You can
25 | read about the objectives associated with each [asset](../glossary#asset) type.
26 | - Include [Test Credentials](./test-credentials).
27 | - Add special [Instructions](./special-instructions).
28 | - Define the [Technology Stack](./stack).
29 |
30 | If you're not sure what to include in the UI, follow the links associated with each
31 | bullet. If you're experienced with defining pentests, fill out the page, and continue
32 | to [Pentest Detail Requirements](../details).
33 |
34 | We use the penetration testing methodologies listed on the page. If you want to know more
35 | about each methodology, navigate to the page associated with your asset.
36 |
37 | If you start at the top of the pentest requirements page, your next step is to specify a [target](./pentest-target).
38 |
--------------------------------------------------------------------------------
/styles/cobalt/Substitutions.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Error: gitlab.Substitutions
3 | #
4 | # Checks for misused terms that should never be used at GitLab.
5 | # SubstitutionWarning.yml and SubstitutionSuggestions.yml also exist.
6 | #
7 | # For a list of all options, see https://docs.errata.ai/vale/styles
8 | extends: substitution
9 | message: 'Use "%s" instead of "%s".'
10 | link: https://about.gitlab.com/handbook/communication/#top-misused-terms
11 | level: error
12 | ignorecase: true
13 | swap:
14 | Agile pentest: Agile Pentest
15 | Comprehensive pentest: Comprehensive Pentest
16 | Cobalt App: Cobalt app
17 | codequality: code quality
18 | Customer [Pp]ortal: Customers Portal
19 | frontmatter: front matter
20 | GitLabber: GitLab team member
21 | GitLabbers: GitLab team members
22 | GitLab-shell: GitLab Shell
23 | gitlab omnibus: Omnibus GitLab
24 | param: parameter
25 | params: parameters
26 | pg: PostgreSQL
27 | 'postgres$': PostgreSQL
28 | raketask: Rake task
29 | raketasks: Rake tasks
30 | rspec: RSpec
31 | self hosted: self-managed
32 | self-hosted: self-managed
33 | styleguide: style guide
34 | to login: to log in
35 | can login: can log in
36 | to log-in: to log in
37 | can log-in: can log in
38 | to signin: to sign in
39 | can signin: can sign in
40 | to sign-in: to sign in
41 | can sign-in: can sign in
42 | x509: X.509
43 | yaml: YAML
44 | developer access: the Developer role
45 | developer permission: the Developer role
46 | developer permissions: the Developer role
47 | maintainer access: the Maintainer role
48 | maintainer permission: the Maintainer role
49 | maintainer permissions: the Maintainer role
50 | owner access: the Owner role
51 | owner permission: the Owner role
52 | owner permissions: the Owner role
53 |
--------------------------------------------------------------------------------
/content/en/APIUseCases/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "API Use Cases"
3 | linkTitle: "API Use Cases"
4 | weight: 100
5 | description: >
6 | Includes practical uses for our API.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | The pages in this book describe how you can work with the Cobalt platform using
11 | our API.
12 | {{% /pageinfo %}}
13 |
14 | This document assumes that you can run `curl` in a command line on your system.
15 | You can also set up the REST calls in this book in other API clients such as:
16 |
17 | - [Postman](https://learning.postman.com/docs/getting-started/introduction/)
18 | - [Insomnia](https://docs.insomnia.rest/)
19 |
20 | If you run `curl` from the command line, we recommend that you use the
21 | [`jq`](https://stedolan.github.io/jq/) command line JSON processor to format output.
22 |
23 | ## Format JSON Responses
24 |
25 | Without the `| jq .`, you may have output that looks like:
26 |
27 | ```json
28 | {"pagination":{"next_page":null,"prev_page":null},"data":[{"resource":{"id":"YOUR-ORG-ID","name":"ORG-NAME","token":"YOUR-V2-ORGANIZATION-TOKEN"},"links":{"ui":{"url":"URL-WITH-YOUR-PENTESTS"}}}]}
29 | ```
30 |
31 | If you add a `| jq .` to the end of your REST call, you may find it easier to
32 | read the output:
33 |
34 | ```json
35 | {
36 | "pagination": {
37 | "next_page": null,
38 | "prev_page": null
39 | },
40 | "data": [
41 | {
42 | "resource": {
43 | "id": "YOUR-ORG-ID",
44 | "name": "ORG-NAME",
45 | "token": "YOUR-V2-ORGANIZATION-TOKEN"
46 | },
47 | "links": {
48 | "ui": {
49 | "url": "URL-WITH-YOUR-PENTESTS"
50 | }
51 | }
52 | }
53 | ]
54 | }
55 |
56 | ```
57 |
58 | For your convenience, we include `| jq .` in all of our sample REST calls that
59 | provide actual output.
60 |
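The same response can be handled in a script instead of in a terminal. The following Python is an added example for this page (not Cobalt's own client code or part of its API documentation): it re-indents a compact response the way `| jq .` does, pulls the organization records out of the `data` array shown above, and masks the organization `token` before anything is printed, because that value is a credential and does not belong in shell history or logs. The sample response is constructed from the placeholder values on this page, and the meaning of a non-null `next_page` value is an assumption, since this page does not document the cursor format.

```python
import json

# Constructed sample of the response shape shown above; the placeholder values
# are the ones from the page, not real identifiers.
SAMPLE_RESPONSE = (
    '{"pagination":{"next_page":null,"prev_page":null},'
    '"data":[{"resource":{"id":"YOUR-ORG-ID","name":"ORG-NAME",'
    '"token":"YOUR-V2-ORGANIZATION-TOKEN"},'
    '"links":{"ui":{"url":"URL-WITH-YOUR-PENTESTS"}}}]}'
)


def pretty(raw: str) -> str:
    """Re-indent a compact JSON document, the same effect as `| jq .`."""
    return json.dumps(json.loads(raw), indent=2)


def redact(secret: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters so a token can be shown safely."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def parse_orgs(raw: str) -> list:
    """Extract organization records from an organizations response.

    The organization token is a credential, so it never leaves this function
    in the clear; only a redacted form is returned for display.
    """
    body = json.loads(raw)
    orgs = []
    for item in body.get("data", []):
        resource = item.get("resource", {})
        orgs.append({
            "id": resource.get("id"),
            "name": resource.get("name"),
            "token": redact(resource.get("token", "")),
            "ui_url": item.get("links", {}).get("ui", {}).get("url"),
        })
    return orgs


def next_page(raw: str):
    """Return the `next_page` value, or None on the last page.

    Assumption for this example: a non-null value identifies the next page to
    request; the page does not document the exact format.
    """
    return json.loads(raw).get("pagination", {}).get("next_page")


if __name__ == "__main__":
    print(pretty(SAMPLE_RESPONSE))
    for org in parse_orgs(SAMPLE_RESPONSE):
        print(org["id"], org["name"], org["token"], org["ui_url"])
    print("next page:", next_page(SAMPLE_RESPONSE))
```

Feed the script the body captured from `curl` (for example with `curl -s ... | python3 orgs.py` reading `sys.stdin`) rather than pasting a token-bearing response into a shell command line.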
--------------------------------------------------------------------------------
/content/en/BestPractices/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Best Practices for Security"
3 | linkTitle: "Best Practices"
4 | weight: 600
5 | description: >
6 | Recommendations for developers focused on security.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | This document collects content from [our pentesters](https://cobalt.io/our-pentesters) to
11 | help you secure your systems.
12 | {{% /pageinfo %}}
13 |
14 | You want to start an [application security](../getting-started/glossary/#application-security-appsec)
15 | program. You've read through the 2021 version of the [OWASP Top 10](https://owasp.org/Top10/).
16 | We'll provide practical examples that you can use as patterns to secure your
17 | [assets](../getting-started/glossary/#asset).
18 |
19 |
23 | ## Available Articles
24 |
25 | As we merge articles into this guide, we list them in the following table with the
26 | release date and author.
27 |
28 | | Article | Release Date | Author |
29 | |----------------------------------------------------------------------|--------------|-----------------------|
30 | | [Validate User Input](./input-validation) | 2022-08-19 | {{% payloadartist %}} |
31 | | [Prevent Security Misconfiguration](./prevent-security-misconfig) | 2022-08-19 | {{% shashank %}} |
32 | | [Protect Against Server-Side Request Forgery](./protect-against-ssrf) | 2022-08-19 | {{% harsh-bothra %}} |
33 |
34 |
--------------------------------------------------------------------------------
/content/en/Getting started/Assets/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Define Your Assets"
3 | linkTitle: "Define Your Assets"
4 | weight: 10
5 | description: >
6 | Security professionals perform pentests on your assets. Collect the info they need.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Help our pentesters test your [assets](/getting-started/glossary/#asset) faster.
11 | {{% /pageinfo %}}
12 |
13 | Once you select **Create a Pentest**, you land on the **Let's Get Started** screen.
14 |
15 | 
16 |
17 | Before you start defining your assets, select the [pentest type](/platform-deep-dive/pentests/pentest-types/) that you want to launch.
18 |
19 | - {{% agile-pentest %}}
20 | - {{% comprehensive-pentest %}}
21 |
22 | Select how you want to proceed with your asset:
23 |
24 | - **Create a new asset**:
25 | - On the **Asset** page, specify the [asset details](#asset-details). Once you select **Create Asset**, you land on the **Assets** page.
26 | - To set up a pentest for this asset, select the three-dot icon under **Action**, and then select **Create a Pentest**.
27 | - **Use an existing asset**:
28 | - Select an asset from the list. Once you select **Continue**, you can see asset details on the **Review Asset** screen. To update asset information, select **Edit Asset**.
29 | 
30 |
31 | ## Asset Details
32 |
33 | {{% asset-details %}}
34 |
35 | 
36 |
37 | The UI provides the information that you need to add an **Asset Title** and **Image**. Now take the next step and define your [Asset Type](/getting-started/assets/asset-type/).
38 |
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Pentests/Pentest Process/Methodologies/mobile.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Mobile Pentest Methodologies"
3 | linkTitle: "Mobile Methodologies"
4 | weight: 110
5 | description: >
6 | Review methodologies for Mobile Apps.
7 | aliases:
8 | - /getting-started/pentest-objectives/methodologies/mobile/
9 | ---
10 |
11 | {{% pageinfo %}}
12 | Overview of test methodologies for mobile assets.
13 | {{% /pageinfo %}}
14 |
15 | We use the penetration testing objectives listed on this page. If you want to know more
16 | about each methodology, navigate to the [Pentest Methodologies](..) page associated with your asset.
17 |
18 | ## Mobile
19 |
20 | The Cobalt team of pentesters does not need access to the underlying mobile application source code,
21 | unless you specify it as a requirement.
22 |
23 | When you set up a pentest for a mobile asset in the UI, you'll see the following in the
24 | Objectives text box:
25 |
26 | ```
27 | Coverage of OWASP top 10, ASVS and application logic.
28 | ```
29 |
30 | Learn more about these objectives from OWASP:
31 |
32 | - [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10)
33 | - [OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard)
34 |
35 | We look at application logic by working with your app.
36 |
37 | We follow an industry standard methodology primarily based on the OWASP Application Security
38 | Verification Standard (ASVS) and Testing Guide. Our team takes the following steps to ensure
39 | full coverage:
40 |
41 | - Reconnaissance
42 | - Share the mobile application files
43 | - Android: .apk
44 | - iOS: .ipa
45 | - Automated and Manual Testing
46 | - Exploit Discovered Vulnerabilities
47 | - Report, triage, and retest
48 |
49 | 
50 |
51 | {{% additional-requirements %}}
52 |
--------------------------------------------------------------------------------
/content/en/Getting started/Pentest objectives/special-instructions.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Special Instructions"
3 | linkTitle: "Instructions for Each Pentest"
4 | weight: 170
5 | description: >
6 | Every asset is unique. What do your pentesters need to know about it?
7 | ---
8 |
9 | {{% pageinfo %}}
10 | You may have unique requirements and concerns about assets in production use.
11 | {{% /pageinfo %}}
12 |
13 | 
14 |
15 | You've already shared [details about your asset](../../assets/asset-description), ideally
16 | including its architecture. Beyond the standards, you should share any or all special
17 | concerns about the asset. The following checklist includes examples to help you decide
18 | what to share with your pentesters. While you're not required to include any such
19 | details, we encourage you to include concerns that affect your production systems.
20 |
21 | - Highlight areas for special attention, such as:
22 | - Recent releases
23 | - Specific functionality
24 | - Vulnerabilities that you're concerned about
25 | - Be specific. Include CVE numbers (or equivalent) if available.
26 | - Requirements to access the target environment:
27 | - For example, if you're looking for a test on the internal network, include instructions on
28 | how to access the [Jump Box](../../glossary#jump-box) on that network.
29 | - Production concerns. If you're setting up a test on production systems, share details that could affect
30 | your network.
31 | - Out-of-scope subjects. Highlight any features or workflows that are out of scope for this test.
32 | - **We discourage "out of scope" lists.**
33 |
34 | {{% alert title="Note" color="note" %}}
35 | Denial of Service (DoS) tests, by default, are out of scope. If allowed by the
36 | desired standard or regulation, you can explicitly request DoS tests.
37 | {{% /alert %}}
38 |
39 | Proceed to the next step, the [Technology Stack](../stack).
40 |
--------------------------------------------------------------------------------
/content/en/Getting started/Pentest objectives/test-credentials.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Test Credentials"
3 | linkTitle: "Test Credentials"
4 | weight: 160
5 | description: >
6 | Your pentesters need dedicated accounts to test your systems.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Be sure to delete these pentester accounts after the process is complete.
11 | {{% /pageinfo %}}
12 |
13 | In our journey through **Pentest Requirements**, we now discuss **Test Credentials**.
14 | When you see that title, select from the following options:
15 |
16 | - `You will provide credentials for each pentester`
17 | - `You need pentester email addresses`
18 | - We'll share email addresses once your pentest is in the [Planned](../../../penteststates/) state.
19 | - `Pentesters can create their own credentials / No authentication required`
20 |
21 | Explain the process in the special [Instructions](../special-instructions), based on the
22 | following use cases:
23 | - If our pentesters can create their own accounts on your system
24 | - If our pentesters can test your system without credentials
25 |
26 |
27 | If you've set up dedicated accounts:
28 |
29 | - Remember to create one (1) account per pentester.
30 | - Make sure each test account works.
31 | - Share documentation on how your pentesters can set their own passwords.
32 | - If necessary, share username/password (or other credential) information using the _secure_ channel of your choice.
33 | - Describe the user role along with associated permissions and/or privileges.
34 | - Include other authentication requirements such as [multi-factor authentication (MFA)](../../glossary/#multi-factor-authentication).
35 | Once the pentest, including any retests, is complete, delete the dedicated accounts.
36 |
37 | Depending on the methodology, we may also perform
38 | [black-box](../../glossary/#black-box-testing) and
39 | [gray-box](../../glossary/#gray-box-testing) tests.
40 |
41 | Now proceed to the next step, special [Instructions](../special-instructions).
42 |
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Pentests/Pentest Process/Methodologies/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Pentest Methodologies"
3 | linkTitle: "Pentest Methodologies"
4 | weight: 10
5 | description: >
6 | An overview of available pentest methodologies.
7 | aliases:
8 | - /getting-started/pentest-objectives/methodologies/
9 | ---
10 |
11 | {{% pageinfo %}}
12 | Our pentesters follow specific methodologies for different types of assets.
13 | {{% /pageinfo %}}
14 |
15 | By default, our pentesters test for industry standard vulnerabilities from:
16 |
17 | - [Open Web Application Security Project (OWASP)](https://owasp.org).
18 | - Includes different "Top 10" lists for web, API, mobile, and cloud systems.
19 | - [Open Source Security Testing Methodology Manual (OSSTMM)](https://www.isecom.org/OSSTMM.3.pdf) (PDF).
20 | - Used for internal and external networks.
21 |
22 | For more information on how we pentest, refer to the detailed pages associated with your
23 | asset.
24 |
25 | - [Web](./web-methodologies)
26 | - [API](./api-methodologies)
27 | - [Mobile](./mobile)
28 | - [Internal Network](./internal-network)
29 | - [External Network](./external-network)
30 | - [Cloud](./cloud)
31 |
32 | In most cases, the Methodology is fixed, based on the [Asset Type](../../assets/asset-type)
33 | you defined earlier. However, if you selected a combined asset type, such as Web + API, you
34 | can limit the test to either of the individual methodologies:
35 |
36 | 
37 |
38 | Review the methodology for your asset, from the links shown earlier. Each methodology
39 | includes default requirements based on standards such as:
40 |
41 | - [OWASP](../../glossary/#open-web-application-security-project-owasp)
42 | - [OSSTMM](../../glossary/#open-source-security-testing-methodology-manual-osstmm)
43 |
44 | You're welcome to include additional requirements.
45 |
46 | Next, you'll want to set up and share [Test Credentials](../test-credentials) for your
47 | pentesters.
48 |
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Pentests/Pentest Process/Methodologies/api-methodologies.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "API Pentest Methodologies"
3 | linkTitle: "API Methodologies"
4 | weight: 120
5 | description: >
6 | Review methodologies for APIs.
7 | aliases:
8 | - /getting-started/pentest-objectives/methodologies/api/
9 | ---
10 |
11 | {{% pageinfo %}}
12 | Overview of test methodologies for API assets. Includes microservices.
13 | {{% /pageinfo %}}
14 |
15 | We use the penetration testing methodologies listed on the page. If you want to know more
16 | about each methodology, navigate to the page associated with your asset.
17 |
18 | ## API
19 |
20 | The Cobalt team of pentesters does not need access to the underlying application source code,
21 | unless you specify it as a requirement.
22 |
23 | When you set up a pentest for an API asset in the UI, you'll see the following in the
24 | Objectives text box:
25 |
26 | ```
27 | Coverage of OWASP top 10, ASVS and application logic.
28 | ```
29 |
30 | Learn more about these objectives from OWASP:
31 |
32 | - [OWASP API Security Top 10](https://owasp.org/www-project-api-security)
33 | - [OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard)
34 |
35 | We look at application logic by working with your app.
36 |
37 | We base our methodology primarily on the OWASP Application Security Verification Standard (ASVS)
38 | and Testing Guide. Our team takes the following steps to ensure full coverage:
39 |
40 | - Target scope reconnaissance
41 | - Business and application logic mapping
42 | - Automated web crawling and web scanner configuration tweaking
43 | - Authenticated vulnerability scanning
44 | - Manual crawling to ensure better coverage
45 | - Manual API vulnerability tests and exploit reviews
46 | - Also covers microservices
47 | - Ongoing assessments
48 | - Report results to clients through the platform
49 | - Report, triage, and retest
50 |
51 | 
52 |
53 | {{% additional-requirements %}}
54 |
--------------------------------------------------------------------------------
/styles/Google/GenderBias.yml:
--------------------------------------------------------------------------------
1 | extends: substitution
2 | message: "Consider using '%s' instead of '%s'."
3 | link: 'https://developers.google.com/style/inclusive-documentation'
4 | ignorecase: true
5 | level: error
6 | swap:
7 | (?:alumna|alumnus): graduate
8 | (?:alumnae|alumni): graduates
9 | air(?:m[ae]n|wom[ae]n): pilot(s)
10 | anchor(?:m[ae]n|wom[ae]n): anchor(s)
11 | authoress: author
12 | camera(?:m[ae]n|wom[ae]n): camera operator(s)
13 | chair(?:m[ae]n|wom[ae]n): chair(s)
14 | congress(?:m[ae]n|wom[ae]n): member(s) of congress
15 | door(?:m[ae]n|wom[ae]n): concierge(s)
16 | draft(?:m[ae]n|wom[ae]n): drafter(s)
17 | fire(?:m[ae]n|wom[ae]n): firefighter(s)
18 | fisher(?:m[ae]n|wom[ae]n): fisher(s)
19 | fresh(?:m[ae]n|wom[ae]n): first-year student(s)
20 | garbage(?:m[ae]n|wom[ae]n): waste collector(s)
21 | lady lawyer: lawyer
22 | ladylike: courteous
23 | landlord: building manager
24 | mail(?:m[ae]n|wom[ae]n): mail carriers
25 | man and wife: husband and wife
26 | man enough: strong enough
27 | mankind: human kind
28 | manmade: manufactured
29 | manpower: personnel
30 | men and girls: men and women
31 | middle(?:m[ae]n|wom[ae]n): intermediary
32 | news(?:m[ae]n|wom[ae]n): journalist(s)
33 | ombuds(?:man|woman): ombuds
34 | oneupmanship: upstaging
35 | poetess: poet
36 | police(?:m[ae]n|wom[ae]n): police officer(s)
37 | repair(?:m[ae]n|wom[ae]n): technician(s)
38 | sales(?:m[ae]n|wom[ae]n): salesperson or sales people
39 | service(?:m[ae]n|wom[ae]n): soldier(s)
40 | steward(?:ess)?: flight attendant
41 | tribes(?:m[ae]n|wom[ae]n): tribe member(s)
42 | waitress: waiter
43 | woman doctor: doctor
44 | woman scientist[s]?: scientist(s)
45 | work(?:m[ae]n|wom[ae]n): worker(s)
46 |
--------------------------------------------------------------------------------
/layouts/partials/head.html:
--------------------------------------------------------------------------------
1 |
2 |
3 | {{ hugo.Generator }}
4 | {{- $outputFormat := partial "outputformat.html" . -}}
5 |
6 | {{ range .AlternativeOutputFormats -}}
7 |
8 | {{ end -}}
9 |
10 | {{ if and (eq (getenv "HUGO_ENV") "production") (ne $outputFormat "print") -}}
11 |
12 | {{ else -}}
13 |
14 | {{ end -}}
15 |
16 | {{ partialCached "favicons.html" . }}
17 | {{ if .IsHome -}}
18 | {{ .Site.Title }} | {{ "Cobalt" }}
19 | {{- else -}}
20 | {{ .Title }} – {{ .Site.Title }} | {{ "Cobalt" }}
21 | {{- end }}
22 |
26 | {{- template "_internal/opengraph.html" . -}}
27 | {{- template "_internal/google_news.html" . -}}
28 | {{- template "_internal/schema.html" . -}}
29 | {{- template "_internal/twitter_cards.html" . -}}
30 |
31 | {{ partialCached "head-css.html" . "asdf" }}
32 |
36 | {{ if .Site.Params.offlineSearch }}
37 |
41 | {{end}}
42 | {{ if .Site.Params.prism_syntax_highlighting }}
43 |
44 |
45 | {{ end }}
46 | {{ partial "hooks/head-end.html" . }}
47 |
48 | {{ if eq (getenv "HUGO_ENV") "production" }}
49 | {{ template "_internal/google_analytics.html" . }}
50 | {{ end }}
51 |
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Pentests/Pentest Process/Methodologies/external-network.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "External Network Pentests"
3 | linkTitle: "External Network Methodologies"
4 | weight: 130
5 | description: >
6 | Review methodologies for External Networks.
7 | aliases:
8 | - /getting-started/pentest-objectives/methodologies/external-network/
9 | ---
10 |
11 | {{% pageinfo %}}
12 | Overview of test methodologies for external networks. Includes instances of
13 | Microsoft Office 365.
14 | {{% /pageinfo %}}
15 |
16 | We use the penetration testing methodologies listed on the page. If you want to know more
17 | about each methodology, navigate to the page associated with your asset.
18 |
19 | ## External Networks
20 |
21 | The Cobalt team of pentesters can proceed with a minimum of information, such as the IP addresses
22 | in question. However, you can include the following details in the scope of your desired pentest:
23 |
24 | - Network diagrams
25 | - Infrastructure diagrams
26 | - Accounts (even temporary accounts for pentests)
27 | - User information
28 |
29 | When you set up a pentest for an external network asset in the UI, you'll see the following in the
30 | Objectives text box:
31 |
32 | ```
33 | Coverage of OSSTMM and SANS top 20 security controls.
34 | ```
35 |
36 | Learn more about these objectives:
37 |
38 | - [Open Source Security Testing Methodology Manual (OSSTMM)](https://www.isecom.org/OSSTMM.3.pdf) (PDF).
39 | - SANS Top 20 Security Controls, now maintained by the Center for Internet Security as the [CIS Controls v8](https://www.sans.org/blog/cis-controls-v8/)
40 |
41 | We follow an industry standard methodology primarily based on the OSSTMM standard for
42 | penetration testing.
43 |
44 | - Reconnaissance
45 | - Corporate website
46 | - Related websites, databases
47 | - DNS
48 | - Public records (such as WHOIS information)
49 | - Service discovery
50 | - Port scans on specific IP ranges
51 | - Focus on public-facing services
52 | - Follow-up with further tests
53 | - Vulnerability scans
54 | - Test for penetration of the internal network
55 | - Manual assessment
56 | - Public-facing services (Web, FTP, Email, Firewalls, Routers, DNS, VPNs, and more)
57 | - Report, triage, and retest
58 |
59 | 
60 |
61 | {{% additional-requirements %}}
62 |
--------------------------------------------------------------------------------
/content/en/BestPractices/style_suggestions.md:
--------------------------------------------------------------------------------
1 | # Style Guidance for Pentester Writers
2 |
3 | We're looking for product documentation. What you write here is not a pentest
4 | report, but a guide primarily for developers who want to improve the security of
5 | their products.
6 |
7 | When you write your article, remember your readers. They need your help learning
8 | what to do (and what not to do) to secure their systems.
9 |
10 | ## Readability
11 |
12 | Our readers are typically not English majors. Our concepts are already complex.
13 | It helps our readers if you use the simplest possible language.
14 |
15 | While you don't need to define common technical concepts like _domain name_ and
16 | _IP address_, we recommend that you use links to help define more complex terms
17 | like [Server Side Request Forgery](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/).
18 |
19 | To promote readability, use the following checklist:
20 |
21 | - Write in plain English. Provide brief descriptions for technical terms that
22 | our audience of developers may not know.
23 | - Stay positive. Avoid words like `don't` or `can't`. Readers frequently miss
24 | the `not` in a sentence.
25 | - Consider using our implementation of [Vale](https://github.com/cobalthq/cobalt-product-public-docs/blob/main/GrammarLinter.md). When
26 | integrated with your IDE, it highlights writing styles that we want you to
27 | follow.
28 |
29 | - Keep your sentences relatively short. Our implementation of
30 | [Vale](https://github.com/cobalthq/cobalt-product-public-docs/blob/main/GrammarLinter.md) discourages the use of sentences of more than 28 words.
31 | - Use active voice and the present tense. Examples:
32 | - Run the _ps_ command.
33 | - Include a second factor for authentication.
34 | - Sign the release with an ECDSA key.
35 |
36 | - Exception: it is OK to use passive voice for definitions. Example:
37 | - A [Pentest Team Member](https://developer.cobalt.io/getting-started/glossary/#pentest-team-member) is a customer (organization) representative during a specific pentest.
38 |
39 | - In lists, use the serial comma (also known as the Oxford comma).
40 |
41 | For more information, see the Google Developer Style Guide discussion on
42 | [voice and tone](https://developers.google.com/style/tone).
43 |
--------------------------------------------------------------------------------
/layouts/_default/list.rss.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | {{ .Site.Title }} – {{ .Title }}
4 | {{ .Permalink }}
5 | Recent content {{ if ne .Title .Site.Title }}{{ with .Title }}in {{.}} {{ end }}{{ end }}on {{ .Site.Title }}
6 | Hugo -- gohugo.io{{ with .Site.LanguageCode }}
7 | {{.}}{{end}}{{ with .Site.Author.email }}
8 | {{.}}{{ with $.Site.Author.name }} ({{.}}){{end}}{{end}}{{ with .Site.Author.email }}
9 | {{.}}{{ with $.Site.Author.name }} ({{.}}){{end}}{{end}}{{ with .Site.Copyright }}
10 | {{.}}{{end}}{{ if not .Date.IsZero }}
11 | {{ .Date.Format "Mon, 02 Jan 2006 15:04:05 -0700" | safeHTML }}{{ end }}
12 | {{ with .OutputFormats.Get "RSS" }}
13 | {{ printf "" .Permalink .MediaType | safeHTML }}
14 | {{ end }}
15 | {{ if not $.Section }}
16 | {{ $sections := .Site.Params.rss_sections | default (slice "blog") }}
17 | {{ .Scratch.Set "rss_pages" (first 50 (where $.Site.RegularPages "Type" "in" $sections )) }}
18 | {{ else }}
19 | {{ if $.Parent.IsHome }}
20 | {{ .Scratch.Set "rss_pages" (first 50 (where $.Site.RegularPages "Type" $.Section )) }}
21 | {{ else }}
22 | {{ .Scratch.Set "rss_pages" (first 50 $.Pages) }}
23 | {{ end }}
24 | {{ end }}
25 | {{ range (.Scratch.Get "rss_pages") }}
26 |
27 | {{ .Section | title }}: {{ .Title }}
28 | {{ .Permalink }}
29 | {{ .Date.Format "Mon, 02 Jan 2006 15:04:05 -0700" | safeHTML }}
30 | {{ with .Site.Author.email }}{{.}}{{ with $.Site.Author.name }} ({{.}}){{end}}{{end}}
31 | {{ .Permalink }}
32 |
33 | {{ $img := (.Resources.ByType "image").GetMatch "*featured*" }}
34 | {{ with $img }}
35 | {{ $img := .Resize "640x" }}
36 | {{ printf "]]>" $img.Permalink $img.Width $img.Height | safeHTML }}
37 | {{ end }}
38 | {{ .Content | html }}
39 |
40 |
41 | {{ end }}
42 |
43 |
44 |
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Pentests/pentest-types.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Pentest Types"
3 | linkTitle: "Pentest Types"
4 | weight: 10
5 | description: >
6 | Select the pentest type based on your scope and goals.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Learn about the pentest types that we offer.
11 | {{% /pageinfo %}}
12 |
13 | Before creating a pentest, determine why you want to perform it and what results you expect.
14 |
15 | We offer Agile and Comprehensive Pentests. Refer to the table below to learn the difference between them.
16 |
17 | | | Agile Pentest | Comprehensive Pentest |
18 | | --- | --- | --- |
19 | | **Definition** | {{% agile-pentest %}} | {{% comprehensive-pentest %}} |
20 | | **Credit Requirements**<sup>1</sup> | {{% agile-credits %}} | {{% comprehensive-credits %}} |
21 | | **Pentest Scope** | Specific part of an [asset](/getting-started/glossary/#asset) | Broad area of an [asset](/getting-started/glossary/#asset) |
22 | | **Use Cases** | New release testing<br>Delta testing<br>Single [OWASP](https://owasp.org/) category testing | [Compliance audit](/getting-started/glossary/#compliance-audit) testing based on frameworks such as [SOC 2](https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html), [ISO 27001](https://www.iso.org/isoiec-27001-information-security.html), [PCI-DSS](https://www.pcisecuritystandards.org/), [CREST](https://www.crest-approved.org/), or [HIPAA](https://www.hhs.gov/hipaa/index.html) |
25 | | **Report Target Audience** | Internal stakeholders | External stakeholders |
26 |
27 | <sup>1</sup> _{{% pentest-big-scope %}}_
28 |
29 | You can change the type of your pentest before we move it to the [Planned](/penteststates/) state. Select **Edit** on the pentest brief, and then select the **Pentest Type**.
30 |
31 | ## Next Steps
32 |
33 | {{% getting-started-steps %}}
34 |
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Pentests/Reports/customize-report.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Customize Your Pentest Report"
3 | linkTitle: "Customize Your Report"
4 | weight: 30
5 | description: >
6 | You may be able to create a customized pentest report.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | This feature may be limited to subscribers with a specific {{% ptaas-tier %}}.
11 | {{% /pageinfo %}}
12 |
13 | You can modify what's included in your pentest reports. You cannot customize [Automated Reports](/getting-started/glossary/#automated-report) and [Attestation Letters](/getting-started/glossary/#attestation-letter).
14 |
15 | In our application, we make pentest reports available when they're ready for
16 | [Remediation](/penteststates/), or when they're [Closed](/penteststates/).
17 | To find and customize what you see in a report, take the following steps:
18 |
19 | 1. Select **Pentests**, select the **State** list, and select **Remediation**.
20 |
21 | 1. Now select your pentest, and select the **Report** tab. You'll see report sections,
22 | along with the **Report** list that allows you to select from the [Pentest Report
23 | Types](/platform-deep-dive/pentests/reports/#pentest-report-types) shown in the linked table.
24 |
25 |
27 |
28 | 1. You can now customize the selected report type. Select **Customize**, and scroll to a
29 | report section.
30 |
31 | - You can start from any of the other report templates, except the Attestation Letter.
32 |
33 | 1. If you want to leave out a report section, select the eye icon next to the section title.
34 | As we report all findings, we do not allow you to leave out any finding details.
35 |
36 | 
37 |
38 | 1. When you've finished customizing your report, scroll to the top of the page and select **Apply**.
39 |
40 | 1. Now you can select **Download** to download your pentest report, as a PDF file, with the
41 | changes you configured.
42 |
43 | {{% alert title="Note" color="note" %}}
44 | Unless you've customized a report, you won't see a **Customized Report** option in the list of report types. If you repeat the process, you'll overwrite any existing Customized Report.
45 | {{% /alert %}}
46 |
--------------------------------------------------------------------------------
/styles/Google/WordList.yml:
--------------------------------------------------------------------------------
1 | extends: substitution
2 | message: "Use '%s' instead of '%s'."
3 | link: 'https://developers.google.com/style/word-list'
4 | level: warning
5 | ignorecase: false
6 | action:
7 |   name: replace
8 | swap:
9 |   '(?:API Console|dev|developer) key': API key
10 |   '(?:cell ?phone|smart ?phone)': phone|mobile phone
11 |   '(?:dev|developer|APIs) console': API console
12 |   '(?:e-mail|Email|E-mail)': email
13 |   '(?:file ?path|path ?name)': path
14 |   '(?:kill|terminate|abort)': stop|exit|cancel|end
15 |   '(?:OAuth ?2|Oauth)': OAuth 2.0
16 |   '(?:ok|Okay)': OK|okay
17 |   '(?:WiFi|wifi)': Wi-Fi
18 |   '[\.]+apk': APK
19 |   '3\-D': 3D
20 |   'Google (?:I\-O|IO)': Google I/O
21 |   'tap (?:&|and) hold': touch & hold
22 |   'un(?:check|select)': clear
23 |   above: preceding
24 |   account name: username
25 |   action bar: app bar
26 |   admin: administrator
27 |   Ajax: AJAX
28 |   Android device: Android-powered device
29 |   android: Android
30 |   API explorer: APIs Explorer
31 |   approx\.: approximately
32 |   authN: authentication
33 |   authZ: authorization
34 |   autoupdate: automatically update
35 |   cellular data: mobile data
36 |   cellular network: mobile network
37 |   chapter: documents|pages|sections
38 |   check box: checkbox
39 |   check: select
40 |   CLI: command-line tool
41 |   click on: click|click in
42 |   Container Engine: Kubernetes Engine
43 |   content type: media type
44 |   curated roles: predefined roles
45 |   data are: data is
46 |   Developers Console: Google API Console|API Console
47 |   disabled?: turn off|off
48 |   ephemeral IP address: ephemeral external IP address
49 |   fewer data: less data
50 |   file name: filename
51 |   firewalls: firewall rules
52 |   Google account: Google Account
53 |   Google accounts: Google Accounts
54 |   Googling: search with Google
55 |   grayed-out: unavailable
56 |   HTTPs: HTTPS
57 |   in order to: to
58 |   ingest: import|load
59 |   k8s: Kubernetes
60 |   long press: touch & hold
61 |   network IP address: internal IP address
62 |   omnibox: address bar
63 |   open-source: open source
64 |   overview screen: recents screen
65 |   regex: regular expression
66 |   SHA1: SHA-1|HAS-SHA1
67 |   sign into: sign in to
68 |   sign-?on: single sign-on
69 |   static IP address: static external IP address
70 |   stylesheet: style sheet
71 |   synch: sync
72 |   tablename: table name
73 |   tablet: device
74 |   touch: tap
75 |   url: URL
76 |   vs\.: versus
77 |   World Wide Web: web
78 |
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Assets/risk-advisories.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Explore Risk Advisories"
3 | linkTitle: "Risk Advisories"
4 | weight: 20
5 | description: >
6 | Preview potential vulnerabilities for your assets.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Add a technology stack for your software asset, and we’ll show you a preview of risk advisories based on the [Common Vulnerabilities and Exposures (CVE)](https://www.cve.org/) standard for that stack.
11 | {{% /pageinfo %}}
12 |
13 | This integration supports the following [asset types](/platform-deep-dive/assets/#asset-types):
14 |
15 | - Web
16 | - Mobile
17 | - API
18 | - Combined assets that include the listed types
19 |
20 | ## Add a Technology Stack for Your Asset
21 |
22 | When you [create](/platform-deep-dive/assets/#create-an-asset) or update an asset in the Cobalt app, add a technology stack for it:
23 |
24 | 1. Once you’ve specified the [asset type](/platform-deep-dive/assets/#asset-types), select **Add Technology**, and start typing the technology name. We’ll show you a list of technologies that match your input.
25 | 1. Select a technology with the exact version number.
26 | 1. Add more technologies to the stack.
27 |
28 | 
29 |
30 | When you create a pentest for this asset, the technologies that you added populate in the [Technology Stack](/getting-started/pentest-objectives/stack/) field on the **Set Requirements** page.
31 |
32 | ## Preview Risk Advisories
33 |
34 | Now you can preview potential vulnerabilities for your asset on the **Risk Advisory** tab. Here, you can see the following details for each vulnerability:
35 |
36 | - Vulnerability ID in the [CVE](https://www.cve.org/) system
37 | - Severity level in the [Common Vulnerability Scoring System (CVSS)](https://nvd.nist.gov/vuln-metrics/cvss)
38 | - Technology with the version number that you added
39 |
40 | Select a vulnerability to view detailed information on the [National Vulnerability Database (NVD)](https://nvd.nist.gov/) website. Learn how to remediate potential issues with your asset, and take the required action.
41 |
42 | 
43 |
44 | {{% alert title="Note" color="note" %}}
45 | Potential vulnerabilities on the **Risk Advisory** tab don’t belong to your pentests. These are potential risks based on the Common Vulnerabilities and Exposures (CVE) standard that we show for your reference.
46 | {{% /alert %}}
47 |
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Pentests/Reports/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Pentest Reports"
3 | linkTitle: "Reports"
4 | weight: 50
5 | description: >
6 | Get a summary of vulnerabilities in your software.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Download a pentest report to view security issues that our pentesters found.
11 | {{% /pageinfo %}}
12 |
13 | You can download a report for a pentest once we move it to the _Remediation_ [state](/penteststates/). Report types and their [contents](/platform-deep-dive/pentests/reports/report-contents/) differ for each [pentest type](/platform-deep-dive/pentests/pentest-types/).
14 |
15 | ## Pentest Report Types
16 |
17 | | Report Type | Available for [Pentest Type](/platform-deep-dive/pentests/pentest-types/) | Description | [Customizable](/platform-deep-dive/pentests/reports/customize-report/) |
18 | |-----|-----|-----|-----|
19 | | Automated Report | Agile Pentest | A system-generated report for an [Agile Pentest](/getting-started/glossary/#agile-pentest) intended for internal use. Includes the following sections: Pentester user information, Executive Summary, Methodology, Post-Test Remediation, Finding Details | No |
20 | | Customer Letter | Comprehensive Pentest | An executive summary of the pentest. May be used as a certificate of completion. Great for external stakeholders. Includes: Executive Summary, Methodology | Yes |
21 | | Attestation Report | Comprehensive Pentest | Adds the following information to the customer letter: Pentester user information, An overall list of findings | Yes |
22 | | Attestation Letter | Comprehensive Pentest | Includes the [executive summary](./report-contents/#executive-summary) as a formal letter, suitable for external stakeholders or customers | No |
23 | | Full Report | Comprehensive Pentest | Includes the following report sections, beyond attestation: Executive Summary, Scope of Work, Methodology, Summary of Findings, Recommendations, Post-Test Remediation | Yes |
24 | | Full Report + Finding Details | Comprehensive Pentest | Adds details of every test finding to the full report. Details include: Vulnerability Type, Description, Proof of Concept, Severity, Suggested Fix | Yes |
25 |
26 | {{% alert title="Note" color="note" %}}
27 | We do not create multiple pentest reports for large assets. For example, if you want separate pentest reports for different APIs, set up different pentests for each API.
28 | {{% /alert %}}
29 |
--------------------------------------------------------------------------------
/content/en/BestPractices/template.md:
--------------------------------------------------------------------------------
1 | ---
2 | Title: ""
3 | linkTitle: ""
4 | # Change this weight, based on where it should go in the "Best Practices"
5 | # section
6 | weight: 600
7 | # The `toc_hide` entry hides the link from the menu. The content is still available
8 | # at /bestpractices/. We'll remove the entry when we publish your work.
9 | toc_hide: true
10 | description: >
11 |
12 | ---
13 |
14 | We include this template for your convenience. You're welcome to copy this file
15 | (and change the filename) to help you write your article. Examine the source
16 | code for this article, as you'll see some help text in comments.
17 |
18 |
23 |
24 | {{% pageinfo %}}
25 |
27 | {{% /pageinfo %}}
28 |
29 | If you're confident in your ability to organize written information, you're welcome to ignore this template. Otherwise, we present this template as one way to organize your work.
30 |
31 | ## Description
32 |
33 | Introduce your topic to our audience of developers. While they'll certainly understand concepts like hostnames and IP addresses, you may need to explain security-specific concepts like ABAC and SELinux.
34 |
35 | ## Examples
36 |
37 | Describe how problems might happen. Include consequences. When possible, incorporate code samples and commands. Developers are known to focus on code samples and commands as patterns (and anti-patterns).
38 |
39 | ## Prevention
40 |
41 | Address each example. If you've included code samples and commands earlier, include related samples to illustrate "good" patterns.
42 |
43 | You could also set up a table of "bad" and "good" patterns.
44 |
45 | ## Alternatives
46 |
47 | You could combine Examples and Prevention in different scenarios; some authors have organized articles with the following outline:
48 |
49 | - Description
50 | - Scenarios
51 | - Scenario 1 (with some descriptive title)
52 | - Example (with code sample)
53 | - Prevention (with code sample)
54 | - Scenario 2
55 | - ...
56 | - Commentary
57 |
58 | ## References
59 |
60 | Many readers want to read more about security. You're welcome to add references to other articles related to what you've written, such as those you've used to research your work. To avoid plagiarism, do reference and quote content that you use from others.
61 |
--------------------------------------------------------------------------------
/content/en/Getting started/Sign In/account-recovery.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Account Recovery"
3 | linkTitle: "Account Recovery"
4 | weight: 10
5 | description: >
6 | Learn how to recover your Cobalt account.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Refer to this page if you lose access to your authenticator app or forget your password. If you have problems signing in through [SAML SSO](../#saml-sso), contact your administrator for help.
11 | {{% /pageinfo %}}
12 |
13 | ## Lost Access to Your Authenticator
14 |
15 | Users in the following roles can ask an [_Organization Owner_](../../glossary/#organization-owner) to turn off [two-factor authentication](../#two-factor-authentication) (2FA) for their account:
16 |
17 | - [_Organization Owner_](../../glossary/#organization-owner)
18 | - [_Organization Member_](../../glossary/#organization-member)
19 | - [_Pentest Team Member_](../../glossary/#pentest-team-member)
20 |
21 | Follow these steps:
22 |
23 | 1. Sign in to Cobalt from the {{% sign-in %}} page in one of the following ways:
24 |    - With your username and password
25 |    - By selecting **Sign in with Google**
26 |
27 | 1. On the page prompting you to enter a one-time code, select **Start account recovery process**.
28 |
29 | 1. Once you get an email with a one-time verification code, enter the code, and select **Verify**.
30 |
31 | 1. Your _Organization Owner_ gets notified and turns off 2FA for your account.
32 |    - If you are the only _Organization Owner_, we'll turn off 2FA for you.
33 |
34 | 1. You get an email notification confirming that your 2FA settings were updated.
35 |
36 | 1. You can now sign in without a second authentication factor.
37 |    - If your organization enforces 2FA, enable it upon signing in.
38 |
39 | Once you've set up a new authenticator, you can turn on 2FA again.
40 |
41 | ### Turn Off 2FA for a User
42 |
43 | As an [_Organization Owner_](../../glossary/#organization-owner), you can turn off two-factor authentication for a user following their request.
44 |
45 | 1. Once you get an email notification requesting you to turn off 2FA, select **Recover Account** in the email.
46 |
47 | 1. On the **People** page of your dashboard, locate the user who submitted the request.
48 |
49 | 1. Select the three-dot icon on the right, and then select **Turn Off 2FA**.
50 |    - We verified the user's identity with a one-time verification code. However, we recommend that you verify their identity again before turning off 2FA.
51 |
52 | 1. Select **Confirm** in the overlay that appears.
53 |
54 | ## Forgot Your Password
55 |
56 | To reset your password:
57 |
58 | 1. On the {{% sign-in %}} page, select **Forgot password?**.
59 |
60 | 1. Enter your email address, and select **Reset Password**.
61 |
62 | 1. Follow the instructions in the email you receive.
63 |
--------------------------------------------------------------------------------
/content/en/SeverityLevels/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Severity Levels"
3 | linkTitle: "Severity Levels"
4 | weight: 400
5 | description: >
6 | Pentest report severity levels.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | When our pentesters find vulnerabilities, they also identify severity
11 | levels.
12 | {{% /pageinfo %}}
13 |
14 | As noted by [OWASP](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology),
15 | while you need to find vulnerabilities, you should also understand
16 | the associated risk to the business.
17 |
18 | We follow the standard risk model described by OWASP, where:
19 |
20 | ```
21 | Risk = Likelihood * Impact
22 | ```
23 |
24 | In this case, the risk rating is based on the following factors:
25 |
26 | - Likelihood: Specifies the probability of exploiting the [finding](../getting-started/glossary/#finding).
27 |   May include factors such as:
28 |
29 |   - Skill required for an attacker to exploit a [vulnerability](../getting-started/glossary/#vulnerability)
30 |   - Availability of documented exploits
31 |   - Ease of exploiting the vulnerability
32 |
35 | - Impact: Depends on the effect on technical and business operations. May include:
36 |
37 |   - Loss of confidentiality
38 |   - Problems with data integrity
39 |   - Reduced availability of data or systems
40 |   - Potential losses of money or reputation
41 |
42 | The OWASP Risk Rating Methodology specifies High, Medium, and Low levels. We've
43 | added Critical and Informational levels to help you prioritize our findings.
44 |
45 | When our pentesters find vulnerabilities, they use the standard OWASP risk model
46 | and then classify them into one of the following levels:
47 |
48 | | Category | Score | Description |
49 | |:-------------|:------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
50 | | Critical | 25 | Includes vulnerabilities that require immediate attention. |
51 | | High | 16-24 | Impacts the security of your application/platform/hardware, including supported systems. Includes high probability vulnerabilities with a high business impact. |
52 | | Medium | 5-15 | Includes vulnerabilities that are: medium risk, medium impact; low risk, high impact; high risk, low impact. |
53 | | Low | 2-4 | Specifies common vulnerabilities with minimal impact. |
54 | | Informational | 1 | Notes vulnerabilities of minimal risk to your business. |
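As an added example (not Cobalt's own code), the following turns factor ratings into the levels in the table above. It assumes each factor is rated 1-5 (higher meaning more likely to be exploited, or more damaging) and that Likelihood and Impact are the rounded mean of their factor ratings; neither assumption is stated on this page, only the formula and the score bands are.

```python
"""Classify a finding with the Risk = Likelihood * Impact model and the
severity bands above. Added example; the 1-5 factor scale and the mean
used to combine factors are assumptions, not Cobalt's documented method."""
from statistics import mean

# Score bands copied from the severity table on this page.
SEVERITY_BANDS = (
    ("Critical", 25, 25),
    ("High", 16, 24),
    ("Medium", 5, 15),
    ("Low", 2, 4),
    ("Informational", 1, 1),
)

# Factor names are illustrative; they follow the bullet lists above.
LIKELIHOOD_FACTORS = ("skill_required", "exploit_availability", "ease_of_exploitation")
IMPACT_FACTORS = ("confidentiality", "integrity", "availability", "financial_reputation")


def rate(factors, ratings):
    """Combine 1-5 factor ratings into one 1-5 rating (assumed: rounded mean).

    Every factor must be rated; an unrated factor is an error rather than a
    silent zero, so an incomplete triage cannot produce a low score by accident.
    """
    missing = set(factors) - ratings.keys()
    if missing:
        raise ValueError(f"missing ratings for {sorted(missing)}")
    values = [ratings[f] for f in factors]
    if any(not 1 <= v <= 5 for v in values):
        raise ValueError("each factor must be rated 1-5")
    return int(round(mean(values)))


def risk_score(likelihood, impact):
    """The OWASP model quoted on this page: Risk = Likelihood * Impact (1..25)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1-5")
    return likelihood * impact


def severity(score):
    """Map a 1..25 score to a Cobalt severity level."""
    for name, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside 1-25")


def classify(likelihood_ratings, impact_ratings):
    """Full pipeline: factor ratings -> likelihood, impact, score, severity."""
    likelihood = rate(LIKELIHOOD_FACTORS, likelihood_ratings)
    impact = rate(IMPACT_FACTORS, impact_ratings)
    score = risk_score(likelihood, impact)
    return {"likelihood": likelihood, "impact": impact,
            "score": score, "severity": severity(score)}


if __name__ == "__main__":
    # Constructed ratings: easy, well-documented exploit with a serious data impact.
    print(classify(
        {"skill_required": 5, "exploit_availability": 5, "ease_of_exploitation": 4},
        {"confidentiality": 5, "integrity": 4, "availability": 3, "financial_reputation": 4},
    ))
```

Note that the bands cover every product from 1 to 25 exactly once, and that "low likelihood, high impact" (1 x 5) and "high likelihood, low impact" (5 x 1) both land in Medium, as the table states.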
55 |
--------------------------------------------------------------------------------
/content/en/Getting started/Sign In/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Sign In to Cobalt"
3 | linkTitle: "Sign In"
4 | weight: 9
5 | description: >
6 | Start the pentest process. Sign in to the Cobalt app.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | This page assumes that you've received a welcome email from Cobalt.
11 | {{% /pageinfo %}}
12 |
13 | Even if you haven't yet purchased Cobalt credits, this page (and document)
14 | can help you visualize how you can set up a pentest with the Cobalt UI.
15 |
16 | You've just received an email with the following title:
17 |
18 | ```
19 | Welcome to the Cobalt Platform: Let's Get Started
20 | ```
21 |
22 | Open the email. It should include a link to Get Started:
23 |
24 | 
25 |
26 | Now you can:
27 |
28 | 1. Select the link in your email.
29 |
30 | 1. From the webpage that appears, create a password. Follow the complexity
31 |    requirements on the screen. We require passwords with at least:
32 |    - Eight (8) characters
33 |    - One (1) uppercase letter
34 |    - One (1) lowercase letter
35 |    - One (1) digit
36 |
37 |    We also include a link to our [Terms and Conditions](https://cobalt.io/terms/general).
38 |
39 | 1. Once you've set a password, you should see the Cobalt app.
40 |
41 | 1. Next time you can sign in to Cobalt in the following ways:
42 |    - From the {{% sign-in %}} page, with:
43 |      - A username and password. Your username is your email address.
44 |      - A Google account that you used to sign in to Cobalt
45 |    
46 |    - Through [SAML SSO](#saml-sso), if configured
47 |
48 | ## SAML SSO
49 |
50 | We support single sign-on (SSO) based on [Security Assertion Markup Language](../glossary/#security-assertion-markup-language) 2.0 (SAML 2.0). Once enabled, you can sign in to the Cobalt app through a third-party identity provider selected by your company.
51 |
52 | {{% alert title="Note" color="note" %}}
53 | SAML-based single sign-on (SSO) is available to all PtaaS tiers.
54 | {{% /alert %}}
55 |
56 | Once your [_Organization Owner_](../glossary/#organization-owner) has configured SAML SSO, you need to sign in to the Cobalt app through the identity provider instead of the Cobalt {{% sign-in %}} page. Procedures differ for each identity provider.
57 |
58 | Learn more about [configuring SAML SSO](https://cobaltio.zendesk.com/hc/en-us/sections/360012774052--SAML-SSO-).
59 |
60 | ## Two-Factor Authentication
61 |
62 | We support two-factor authentication (2FA). After you sign in, select the profile icon in the upper-right corner, and then select **Security Settings**.
63 |
64 | If you’re using [SAML SSO](#saml-sso) to sign in, you don’t need to turn on 2FA.
65 |
66 | ## Next Step
67 |
68 | You can now start setting up a Pentest. Select **Create a Pentest**, and proceed to the next step to [define your assets](../assets).
69 |
--------------------------------------------------------------------------------
/styles/write-good/Passive.yml:
--------------------------------------------------------------------------------
1 | extends: existence
2 | message: "'%s' may be passive voice. Use active voice if you can. Exception: definitions"
3 | ignorecase: true
4 | level: suggestion
5 | raw:
6 | - \b(am|are|were|being|is|been|was|be)\b\s*
7 | tokens:
8 | - '[\w]+ed'
9 | - awoken
10 | - beat
11 | - become
12 | - been
13 | - begun
14 | - bent
15 | - beset
16 | - bet
17 | - bid
18 | - bidden
19 | - bitten
20 | - bled
21 | - blown
22 | - born
23 | - bought
24 | - bound
25 | - bred
26 | - broadcast
27 | - broken
28 | - brought
29 | - built
30 | - burnt
31 | - burst
32 | - cast
33 | - caught
34 | - chosen
35 | - clung
36 | - come
37 | - cost
38 | - crept
39 | - cut
40 | - dealt
41 | - dived
42 | - done
43 | - drawn
44 | - dreamt
45 | - driven
46 | - drunk
47 | - dug
48 | - eaten
49 | - fallen
50 | - fed
51 | - felt
52 | - fit
53 | - fled
54 | - flown
55 | - flung
56 | - forbidden
57 | - foregone
58 | - forgiven
59 | - forgotten
60 | - forsaken
61 | - fought
62 | - found
63 | - frozen
64 | - given
65 | - gone
66 | - gotten
67 | - ground
68 | - grown
69 | - heard
70 | - held
71 | - hidden
72 | - hit
73 | - hung
74 | - hurt
75 | - kept
76 | - knelt
77 | - knit
78 | - known
79 | - laid
80 | - lain
81 | - leapt
82 | - learnt
83 | - led
84 | - left
85 | - lent
86 | - let
87 | - lighted
88 | - lost
89 | - made
90 | - meant
91 | - met
92 | - misspelt
93 | - mistaken
94 | - mown
95 | - overcome
96 | - overdone
97 | - overtaken
98 | - overthrown
99 | - paid
100 | - pled
101 | - proven
102 | - put
103 | - quit
104 | - read
105 | - rid
106 | - ridden
107 | - risen
108 | - run
109 | - rung
110 | - said
111 | - sat
112 | - sawn
113 | - seen
114 | - sent
115 | - set
116 | - sewn
117 | - shaken
118 | - shaven
119 | - shed
120 | - shod
121 | - shone
122 | - shorn
123 | - shot
124 | - shown
125 | - shrunk
126 | - shut
127 | - slain
128 | - slept
129 | - slid
130 | - slit
131 | - slung
132 | - smitten
133 | - sold
134 | - sought
135 | - sown
136 | - sped
137 | - spent
138 | - spilt
139 | - spit
140 | - split
141 | - spoken
142 | - spread
143 | - sprung
144 | - spun
145 | - stolen
146 | - stood
147 | - stridden
148 | - striven
149 | - struck
150 | - strung
151 | - stuck
152 | - stung
153 | - stunk
154 | - sung
155 | - sunk
156 | - swept
157 | - swollen
158 | - sworn
159 | - swum
160 | - swung
161 | - taken
162 | - taught
163 | - thought
164 | - thrived
165 | - thrown
166 | - thrust
167 | - told
168 | - torn
169 | - trodden
170 | - understood
171 | - upheld
172 | - upset
173 | - wed
174 | - wept
175 | - withheld
176 | - withstood
177 | - woken
178 | - won
179 | - worn
180 | - wound
181 | - woven
182 | - written
183 | - wrung
184 |
--------------------------------------------------------------------------------
/styles/Google/Passive.yml:
--------------------------------------------------------------------------------
1 | extends: existence
2 | link: 'https://developers.google.com/style/voice'
3 | message: "In general, use active voice instead of passive voice ('%s')."
4 | ignorecase: true
5 | level: suggestion
6 | raw:
7 | - \b(am|are|were|being|is|been|was|be)\b\s*
8 | tokens:
9 | - '[\w]+ed'
10 | - awoken
11 | - beat
12 | - become
13 | - been
14 | - begun
15 | - bent
16 | - beset
17 | - bet
18 | - bid
19 | - bidden
20 | - bitten
21 | - bled
22 | - blown
23 | - born
24 | - bought
25 | - bound
26 | - bred
27 | - broadcast
28 | - broken
29 | - brought
30 | - built
31 | - burnt
32 | - burst
33 | - cast
34 | - caught
35 | - chosen
36 | - clung
37 | - come
38 | - cost
39 | - crept
40 | - cut
41 | - dealt
42 | - dived
43 | - done
44 | - drawn
45 | - dreamt
46 | - driven
47 | - drunk
48 | - dug
49 | - eaten
50 | - fallen
51 | - fed
52 | - felt
53 | - fit
54 | - fled
55 | - flown
56 | - flung
57 | - forbidden
58 | - foregone
59 | - forgiven
60 | - forgotten
61 | - forsaken
62 | - fought
63 | - found
64 | - frozen
65 | - given
66 | - gone
67 | - gotten
68 | - ground
69 | - grown
70 | - heard
71 | - held
72 | - hidden
73 | - hit
74 | - hung
75 | - hurt
76 | - kept
77 | - knelt
78 | - knit
79 | - known
80 | - laid
81 | - lain
82 | - leapt
83 | - learnt
84 | - led
85 | - left
86 | - lent
87 | - let
88 | - lighted
89 | - lost
90 | - made
91 | - meant
92 | - met
93 | - misspelt
94 | - mistaken
95 | - mown
96 | - overcome
97 | - overdone
98 | - overtaken
99 | - overthrown
100 | - paid
101 | - pled
102 | - proven
103 | - put
104 | - quit
105 | - read
106 | - rid
107 | - ridden
108 | - risen
109 | - run
110 | - rung
111 | - said
112 | - sat
113 | - sawn
114 | - seen
115 | - sent
116 | - set
117 | - sewn
118 | - shaken
119 | - shaven
120 | - shed
121 | - shod
122 | - shone
123 | - shorn
124 | - shot
125 | - shown
126 | - shrunk
127 | - shut
128 | - slain
129 | - slept
130 | - slid
131 | - slit
132 | - slung
133 | - smitten
134 | - sold
135 | - sought
136 | - sown
137 | - sped
138 | - spent
139 | - spilt
140 | - spit
141 | - split
142 | - spoken
143 | - spread
144 | - sprung
145 | - spun
146 | - stolen
147 | - stood
148 | - stridden
149 | - striven
150 | - struck
151 | - strung
152 | - stuck
153 | - stung
154 | - stunk
155 | - sung
156 | - sunk
157 | - swept
158 | - swollen
159 | - sworn
160 | - swum
161 | - swung
162 | - taken
163 | - taught
164 | - thought
165 | - thrived
166 | - thrown
167 | - thrust
168 | - told
169 | - torn
170 | - trodden
171 | - understood
172 | - upheld
173 | - upset
174 | - wed
175 | - wept
176 | - withheld
177 | - withstood
178 | - woken
179 | - won
180 | - worn
181 | - wound
182 | - woven
183 | - written
184 | - wrung
185 |
--------------------------------------------------------------------------------
/content/en/_index.md:
--------------------------------------------------------------------------------
1 |
2 | ---
3 | title: "Overview of Cobalt Documentation"
4 | linkTitle: "Overview"
5 | no_list: true
6 | type: "docs"
7 | weight: 20
8 |
9 | cascade:
10 |   - type: "blog"
11 |     # set to false to include a blog section in the section nav along with docs
12 |     toc_root: false
13 |     _target:
14 |       path: "/blog/**"
15 |   - type: "docs"
16 |     _target:
17 |       path: "/**"
18 | menu:
19 |   main:
20 |     weight: 20
21 | ---
22 |
23 | This page includes links to other Cobalt literature, including our
24 | [Getting Started](./getting-started) guide.
25 |
26 |
27 |
38 |
39 | ## Support Articles
40 |
41 | When customers need help with the Cobalt app, they frequently rely on support articles, available through the [Cobalt Zendesk](https://cobaltio.zendesk.com/hc/en-us/categories/360005476672-Cobalt-Platform) interface.
42 |
43 | If you're a Cobalt customer, connect to Zendesk and select the **Sign in** link.
44 | Once connected, you'll have access to more support articles.
45 |
46 | ## API Documentation
47 |
48 | Cobalt has a [RESTful API](https://docs.cobalt.io)
49 | that allows you to retrieve the following data related to your pentests:
50 |
51 | - Organizations
52 | - Assets
53 | - Pentests
54 | - Findings
55 | - Events
56 | - Tokens
57 |
58 | To use our REST calls, you'll need an API Token from your
59 | [Cobalt profile](https://app.cobalt.io/settings/api-token).
60 |
61 |
62 | ## Blog Posts
63 |
64 | Cobalt has an extensive library of [blog posts](https://cobalt.io/blog),
65 | designed to help and inform you about:
66 |
67 | - Cobalt and our product
68 | - Profiles for our pentesters
69 | - Advice for our customers
70 | - Standards and how you can meet them
71 | - Life at Cobalt
72 |
73 |
78 |
79 | {{% pageinfo %}}
80 | Cobalt is creating product documentation. As we build it, we hope to help you
81 | visualize how our product can help you simplify the pentest process.
82 |
83 | We hope that future docs can help you make best use of Cobalt software.
84 | {{% /pageinfo %}}
85 |
86 | This documentation is a product of Cobalt Labs, Inc. As noted in our
87 | [Terms of use](https://cobalt.io/terms/general), when we use "Us", "We", "Our", "Cobalt.io",
88 | or "Cobalt", we're referring to Cobalt Labs, Inc., a Delaware Corporation.
89 |
90 |
--------------------------------------------------------------------------------
/styles/cobalt/British.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Error: gitlab.British
3 | #
4 | # Checks that US spelling is used instead of British spelling.
5 | #
6 | # For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
7 | extends: substitution
8 | message: 'Use the US spelling "%s" instead of the British "%s", except for verified formal names.'
9 | link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#language
10 | level: warning
11 | ignorecase: true
12 | swap:
13 |   aeon: eon
14 |   aeroplane: airplane
15 |   ageing: aging
16 |   aluminium: aluminum
17 |   anaemia: anemia
18 |   anaesthesia: anesthesia
19 |   analyse: analyze
20 |   annexe: annex
21 |   apologise: apologize
22 |   behaviour: behavior
23 |   busses: buses
24 |   calibre: caliber
25 |   categorise: categorize
26 |   categorised: categorized
27 |   categorises: categorizes
28 |   categorising: categorizing
29 |   centre: center
30 |   cheque: check
31 |   civilisation: civilization
32 |   civilise: civilize
33 |   colour: color
34 |   cosy: cozy
35 |   cypher: cipher
36 |   dependant: dependent
37 |   defence: defense
38 |   distil: distill
39 |   draught: draft
40 |   encyclopaedia: encyclopedia
41 |   enquiry: inquiry
42 |   enrol: enroll
43 |   enrolment: enrollment
44 |   enthral: enthrall
45 |   # equalled: equaled // Under discussion
46 |   # equalling: equaling // Under discussion
47 |   favourite: favorite
48 |   fibre: fiber
49 |   fillet: filet
50 |   flavour: flavor
51 |   furore: furor
52 |   fulfil: fulfill
53 |   gaol: jail
54 |   grey: gray
55 |   humour: humor
56 |   honour: honor
57 |   initialled: initialed
58 |   initialling: initialing
59 |   instil: instill
60 |   jewellery: jewelry
61 |   labelling: labeling
62 |   labelled: labeled
63 |   labour: labor
64 |   libellous: libelous
65 |   licence: license
66 |   likeable: likable
67 |   liveable: livable
68 |   lustre: luster
69 |   manoeuvre: maneuver
70 |   marvellous: marvelous
71 |   matt: matte
72 |   meagre: meager
73 |   metre: meter
74 |   modelling: modeling
75 |   moustache: mustache
76 |   neighbour: neighbor
77 |   normalise: normalize
78 |   offence: offense
79 |   organise: organize
80 |   orientated: oriented
81 |   paralyse: paralyze
82 |   plough: plow
83 |   pretence: pretense
84 |   programme: program
85 |   pyjamas: pajamas
86 |   rateable: ratable
87 |   realise: realize
88 |   recognise: recognize
89 |   reconnoitre: reconnoiter
90 |   rumour: rumor
91 |   sabre: saber
92 |   saleable: salable
93 |   saltpetre: saltpeter
94 |   sceptic: skeptic
95 |   sepulchre: sepulcher
96 |   signalling: signaling
97 |   sizeable: sizable
98 |   skilful: skillful
99 |   sombre: somber
100 |   smoulder: smolder
101 |   speciality: specialty
102 |   spectre: specter
103 |   splendour: splendor
104 |   standardise: standardize
105 |   standardised: standardized
106 |   sulphur: sulfur
107 |   theatre: theater
108 |   travelled: traveled
109 |   traveller: traveler
110 |   travelling: traveling
111 |   unshakeable: unshakable
112 |   wilful: willful
113 |   yoghurt: yogurt
114 |
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Pentests/Pentest Process/Methodologies/internal-network.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Internal Network Pentests"
3 | linkTitle: "Internal Network Methodologies"
4 | weight: 150
5 | description: >
6 | Review methodologies for Internal Networks.
7 | aliases:
8 | - /getting-started/pentest-objectives/methodologies/internal-network/
9 | ---
10 |
11 | {{% pageinfo %}}
12 | Overview of test methodologies for Internal networks.
13 | {{% /pageinfo %}}
14 |
15 | We use the penetration testing methodologies listed on this page, based in large part on the
16 | [OSSTMM](../../../glossary#open-source-security-testing-methodology-manual-osstmm).
17 |
18 | ## Special Pentester Needs
19 |
20 | Our pentests of internal networks are all performed remotely. To support this access, our
21 | pentesters need:
22 |
23 | - Access to your internal network through a stable VPN.
24 | - A lightweight Linux server inside the network, used as a [jump box](../../../glossary#jump-box).
25 |   - If you use AWS for your internal network, you can use
26 |     [this link](https://aws.amazon.com/marketplace/pp/prodview-fznsw3f7mq7to) to set up a virtual machine.
27 |   - You can also download a [Kali VM Image](https://www.kali.org/get-kali).
28 |   - You'll need to set up [key-based SSH access](https://docs.gitlab.com/ee/ssh) for each pentester.
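To set up the per-pentester key-based SSH access listed above, this added example (not Cobalt's own tooling) builds an `authorized_keys` entry for each pentester that is limited to the VPN source range and the engagement window, and audits a key file for entries that lack those limits. It assumes an OpenSSH `sshd` that supports the `restrict`, `from=` and `expiry-time=` key options; the VPN range `10.8.0.0/24`, the dates and the key material are constructed placeholders.

```shell
#!/bin/sh
# Restricted authorized_keys entries for pentesters on an internal-network jump box.
# Added example; assumes OpenSSH with the restrict, from= and expiry-time= options.

# Build one authorized_keys line.
# Usage: jumpbox_key_entry <vpn-cidr> <expiry YYYYMMDD> "<key-type> <key> [comment]"
jumpbox_key_entry() {
  vpn_cidr="$1"; expiry="$2"; pubkey="$3"
  case "$expiry" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "expiry must be YYYYMMDD, got '$expiry'" >&2; return 1 ;;
  esac
  case "$pubkey" in
    "ssh-ed25519 "*|"ecdsa-sha2-"*" "*|"ssh-rsa "*) ;;
    *) echo "unrecognized public key type" >&2; return 1 ;;
  esac
  # "restrict" turns off every forwarding, agent, X11 and pty option; only the
  # pty and port forwarding a pentester needs to work from the box are re-enabled.
  # from= limits accepted source addresses to the VPN; expiry-time= ends the key
  # with the engagement, so stale keys cannot linger after the test.
  printf 'restrict,pty,port-forwarding,from="%s",expiry-time="%s" %s\n' \
    "$vpn_cidr" "$expiry" "$pubkey"
}

# Report entries without a from= or expiry-time= restriction.
# Prints one line per problem; returns 1 if any problem was found, else 0.
audit_authorized_keys() {
  file="$1"; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in *from=*) ;; *) echo "no source restriction: $line"; bad=1 ;; esac
    case "$line" in *expiry-time=*) ;; *) echo "no expiry: $line"; bad=1 ;; esac
  done < "$file"
  return "$bad"
}

# Constructed sample file: two restricted pentester entries and one unrestricted
# legacy key. The key material is a placeholder, not a real public key.
write_sample_keys() {
  placeholder='AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
  {
    jumpbox_key_entry 10.8.0.0/24 20240630 "ssh-ed25519 $placeholder pentester1@example.test"
    jumpbox_key_entry 10.8.0.0/24 20240630 "ssh-ed25519 $placeholder pentester2@example.test"
    echo "ssh-ed25519 $placeholder old-admin@example.test"
  } > "$1"
}
```

Pair this with `PasswordAuthentication no` in `sshd_config` so the keys are the only way onto the box, and re-run the audit whenever a key is added.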
29 |
30 | ## Internal Networks
31 |
32 | The Cobalt team of pentesters can proceed with a minimum of information, such as the IP addresses
33 | in question. However, you can include the following details in the scope of your desired pentest:
34 |
35 | - Network diagrams
36 | - Infrastructure diagrams
37 | - Accounts (even temporary accounts for pentests)
38 | - User information
39 |
40 | When you set up a pentest for an internal network asset in the UI, you'll see the following in the
41 | Objectives text box:
42 |
43 | ```
44 | Coverage of OSSTMM and SANS top 20 security controls.
45 | ```
46 |
47 | Learn more about these objectives:
48 |
49 | - [Open Source Security Testing Methodology Manual (OSSTMM)](https://www.isecom.org/OSSTMM.3.pdf) (PDF).
50 | - SANS Top 20 Security Controls [CIS Controls v8](https://www.sans.org/blog/cis-controls-v8)
51 |
52 | We follow an industry standard methodology primarily based on the OSSTMM standard for
53 | penetration testing.
54 |
55 | - Reconnaissance
56 |   - Corporate website
57 |   - Related websites, databases
58 |   - DNS
59 |   - Public records (such as WHOIS information)
60 | - Service Discovery
61 |   - Port scans on specific IP ranges
62 |   - Focus on public-facing services
63 |   - Follow-up with further tests
64 | - Vulnerability scans
65 |   - Test for penetration of the internal network
66 | - Manual assessment
67 |   - Public-facing services (Web, FTP, email, firewalls, routers, DNS, VPNs, and more)
68 |   - Access control systems such as Microsoft Active Directory
69 |   - Less secure email protocols (SMTP, POP3, IMAP)
70 |   - Printers
71 | - Report, triage, and retest
72 |
73 | 
74 |
75 |
76 |
77 | {{% additional-requirements %}}
78 |
--------------------------------------------------------------------------------
/content/en/Integrations/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Cobalt Integrations"
3 | linkTitle: "Integrations"
4 | weight: 110
5 | toc_hide: true
6 | hide_summary: true
7 | description: >
8 | Integrate third-party apps and configure webhooks.
9 | ---
10 |
11 | {{% pageinfo %}}
12 | Streamline your pentesting and development workflows with Cobalt integrations.
13 | {{% /pageinfo %}}
14 |
15 | {{% alert title="Note" color="note" %}}
16 | The availability of this feature is based on your PtaaS tier.
17 | {{% /alert %}}
18 |
19 | To get started, navigate to the **Integrations** page in the Cobalt app.
20 |
21 | - Set up **Native** integrations in the Cobalt app to push Cobalt data to external apps. Here, you can also create [webhooks](/integrations/webhooks/) to get real-time pentest updates.
22 | - Enable **Partner** integrations in third-party apps. You need an [API token](/apiusecases/create_asset/#create-an-api-token-in-the-cobalt-ui) to pull Cobalt data to external apps.
23 |
24 |
25 | | Integration | Type | Use |
26 | |:---|:---|:---|
27 | | [Jira](https://cobaltio.zendesk.com/hc/en-us/sections/4407694113044-Integration-Guides) | Native | Push Cobalt findings as issues to Jira Cloud, Server, or Data Center; synchronize Cobalt findings with Jira tickets bi-directionally |
28 | | [GitHub](https://cobaltio.zendesk.com/hc/en-us/articles/360058712591-How-do-I-set-up-GitHub-Integration-) | Native | Push Cobalt findings as issues to GitHub |
29 | | [Webhooks](/integrations/webhooks/) | Native | Subscribe to real-time notifications for pentest events using API-based webhooks |
30 | | [JupiterOne](https://community.askj1.com/kb/articles/994-cobalt-integration-with-jupiterone) | Partner | Analyze pentest data with JupiterOne tools |
31 | | [Tugboat Logic](https://tugboatlogic.com/integrations/cobalt/) | Partner | Pull Cobalt pentest information into a Tugboat Logic-based InfoSec program |
32 | | [DefectDojo](https://defectdojo.github.io/django-DefectDojo/integrations/parsers/#cobaltio-api-import) | Partner | Import your Cobalt pentest findings into DefectDojo with the Cobalt API |
33 | | [Kenna Security](https://github.com/KennaSecurity/toolkit/tree/main/tasks/connectors/cobaltio#readme) | Partner | Import Cobalt pentest findings |
34 |
35 | ## Build Your Own Integration
36 |
37 | Use our API to build your own integrations. You need a Cobalt [API token](/apiusecases/create_asset/#create-an-api-token-in-the-cobalt-ui) to make REST calls.
38 |
39 | Refer to the [API documentation](https://docs.cobalt.io/) for details.
40 |
41 | ## Suggest an Integration
42 |
43 | We're working to integrate more solutions with the Cobalt platform. You can suggest a tool that would support your workflows:
44 |
45 | - On the **Integrations** page under **Suggest an Integration**
46 | - By sending an email to [integrations@cobalt.io](mailto:integrations@cobalt.io)
47 |
--------------------------------------------------------------------------------
/styles/cobalt/Acronyms.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Warning: cobalt.Acronyms
3 | #
4 | # Checks for unexpanded acronyms.
5 | #
6 | # For a list of all options, see https://errata-ai.gitbook.io/vale/getting-started/styles
7 | extends: conditional
8 | message: '"%s" has no definition.'
9 | link: https://about.gitlab.com/handbook/marketing/growth-marketing/content/editorial-team/#acronyms
10 | level: warning
11 | ignorecase: false
12 | # Ensures that the existence of 'first' implies the existence of 'second'.
13 | first: '\b([A-Z]{3,5})\b'
14 | second: '(?:\b[A-Z][a-z]+ )+\(([A-Z]{3,5})\)'
15 | # ... with the exception of these:
16 | exceptions:
17 | - AJAX
18 | - ANSI
19 | - API
20 | - APM
21 | - ARM
22 | - ARN
23 | - ASCII
24 | - AWS
25 | - BSD
26 | - CAS
27 | - CDN
29 | - CHD
30 | - CIDR
31 | - CIS
32 | - CLI
33 | - CNA
34 | - CNAME
35 | - CORE
36 | - CPU
37 | - CRIME
38 | - CSRF
39 | - CSM
40 | - CSS
41 | - CSV
42 | - CVE
43 | - CVS
44 | - DAG
45 | - DAST
46 | - DHCP
47 | - DMZ
48 | - DNS
49 | - DOM
50 | - DSA
51 | - DSL
52 | - DVCS
53 | - ECDSA
54 | - ECS
55 | - EFS
56 | - EKS
57 | - ELB
58 | - EOL
59 | - EXIF
60 | - FAQ
61 | - FIFO
62 | - FIPS
63 | - FOSS
64 | - FQDN
65 | - FREE
66 | - FTP
67 | - GCP
68 | - GDK
69 | - GDPR
70 | - GET
71 | - GID
72 | - GIF
73 | - GKE
74 | - GNU
75 | - GPG
76 | - GPL
77 | - GPU
78 | - GUI
79 | - HAML
80 | - HDD
81 | - HEAD
82 | - HIPAA
83 | - HLL
84 | - HTML
85 | - HTTP
86 | - HTTPS
87 | - IAM
88 | - IANA
89 | - IBM
90 | - ICMP
91 | - IDE
92 | - IEC
93 | - IID
94 | - IMAP
95 | - IOPS
96 | - IRC
97 | - ISO
98 | - JPEG
99 | - JPG
100 | - JSON
101 | - JVM
102 | - JWT
103 | - LAN
104 | - LDAP
105 | - LDAPS
106 | - LESS
107 | - LFS
108 | - LRU
109 | - LTM
110 | - LTS
111 | - MIME
112 | - MIT
113 | - MITRE
114 | - MVC
115 | - NAT
116 | - NDA
117 | - NFS
118 | - NGINX
119 | - NIST
120 | - NOTE
121 | - NPM
122 | - NTP
123 | - ONLY
124 | - OSS
125 | - OTP
126 | - OWASP
127 | - PAT
128 | - PCI-DSS
129 | - PDF
130 | - PEM
131 | - PEP
132 | - PGP
133 | - PID
134 | - PHP
135 | - PKCS
136 | - PNG
137 | - POSIX
138 | - POST
139 | - PUT
140 | - RAID
141 | - RAM
142 | - RBAC
143 | - RDMS
144 | - RDP
145 | - RDS
146 | - REST
147 | - RFC
148 | - RHEL
149 | - RPC
150 | - RPM
151 | - RPS
152 | - RSA
153 | - RSS
154 | - RVM
155 | - SAAS
156 | - SAML
157 | - SAN
158 | - SANS
159 | - SAST
160 | - SATA
161 | - SCIM
162 | - SCP
163 | - SCSS
164 | - SDK
165 | - SELF
166 | - SEO
167 | - SFTP
168 | - SHA
169 | - SLA
170 | - SMS
171 | - SMTP
172 | - SOC
173 | - SOX
174 | - SPDX
175 | - SPF
176 | - SQL
177 | - SSD
178 | - SSG
179 | - SSH
180 | - SSL
181 | - SSO
182 | - SVG
183 | - SVN
184 | - TCP
185 | - TIFF
186 | - TIP
187 | - TLD
188 | - TLS
189 | - TODO
190 | - TOML
191 | - TTL
193 | - UDP
194 | - UID
195 | - UNIX
196 | - URI
197 | - URL
198 | - USB
199 | - UTC
200 | - UTF
201 | - UUID
202 | - VCS
203 | - VPC
204 | - VPN
205 | - WHOIS
206 | - WIP
207 | - WSL
208 | - XML
209 | - XSS
210 | - YAML
211 | - ZAP
212 | - ZIP
213 |
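To make the `conditional` mechanics of this rule concrete, here is a small Python re-implementation (an added example for this page, not part of the repository or of Vale). It copies the two regexes above, runs them over a constructed sample text with a subset of the exceptions list, and assumes that a definition anywhere in the file satisfies the condition.

```python
"""Plain-Python re-implementation of the cobalt.Acronyms Vale rule.

Added example for this page; not part of the repository or of Vale.
It copies the rule's two regexes and a subset of its exceptions, and assumes
that a definition anywhere in the file satisfies the condition.
"""
import re
from typing import List, Set, Tuple

# Patterns copied from styles/cobalt/Acronyms.yml (ignorecase: false).
FIRST = re.compile(r"\b([A-Z]{3,5})\b")
SECOND = re.compile(r"(?:\b[A-Z][a-z]+ )+\(([A-Z]{3,5})\)")
MESSAGE = '"%s" has no definition.'

# Subset of the rule's `exceptions` list, enough for the sample text below.
EXCEPTIONS: Set[str] = {"API", "AWS", "OWASP", "PCI-DSS", "PDF", "SSH"}

# Constructed sample document (not from the repository).
SAMPLE = """\
We run Dynamic Application Security Testing (DAST) before each release.
DAST findings are triaged in the Cobalt UI and exported over the API.
Rotate the JWT signing key if the SSH host is rebuilt.
Store cardholder data as required by PCI-DSS.
"""


def find_definitions(text: str) -> Set[str]:
    """Acronyms that `second` introduces, e.g. 'Secure Shell (SSH)' -> {'SSH'}."""
    return set(SECOND.findall(text))


def lint(text: str, exceptions: Set[str] = EXCEPTIONS) -> List[Tuple[int, str, str]]:
    """Return (line_number, acronym, message) for every `first` match that is
    neither defined by a `second` match nor listed in `exceptions`.

    Assumption: definitions are collected over the whole text, so a definition
    on a later line still satisfies an earlier use.
    """
    defined = find_definitions(text)
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in FIRST.finditer(line):
            acronym = match.group(1)
            if acronym in defined or acronym in exceptions:
                continue
            hits.append((lineno, acronym, MESSAGE % acronym))
    return hits


if __name__ == "__main__":
    for lineno, acronym, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
    # Expected:
    # line 3: "JWT" has no definition.
    # line 4: "PCI" has no definition.   <- `first` splits PCI-DSS at the hyphen,
    # line 4: "DSS" has no definition.   <- so the PCI-DSS exception never applies
```

Running it on the sample shows two consequences of the patterns as written: `first` matches `PCI` and `DSS` separately, so the `PCI-DSS` exception never covers them, and six-letter acronyms such as `OSSTMM` are never checked at all because `[A-Z]{3,5}` cannot match them on a word boundary.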
--------------------------------------------------------------------------------
/content/en/Platform Deep Dive/Assets/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Assets"
3 | linkTitle: "Assets"
4 | weight: 10
5 | description: >
6 | Assets are _what_ we pentest.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Our security professionals perform pentests on different types of assets. Learn how to set up your assets for our pentests.
11 | {{% /pageinfo %}}
12 |
13 | {{% asset-definition %}} Once you've created an asset, you can launch pentests for it.
14 |
15 | ## Asset Types
16 |
17 | We can perform pentests on assets in the following categories:
18 |
19 | {{% asset-types-table %}}
20 |
21 | For assets of multiple types, you may want to set up one or more pentests, depending on the characteristics of your software.
22 |
23 | {{%expand "Learn more." %}}
24 |
25 | For example, if your asset combines a web and mobile application, you may want us to test them together, in one pentest, if:
26 |
27 | - The two applications share some of the same code and functionalities.
28 | - One pentest report is sufficient for your purposes.
29 | - One team is responsible for both applications.
30 |
31 | Otherwise, you may need to set up two pentests to get more granular results.
32 | {{% /expand%}}
33 |
34 | ## Create an Asset
35 |
36 | You can create assets in the following ways:
37 | - On the **Assets** page:
38 |   - To add a single asset, select **New Asset**.
39 |   - To upload assets in bulk in CSV or XLSX format, select **Bulk Assets**. Once uploaded, you can select an asset to add an image, [technology stack](/platform-deep-dive/assets/risk-advisories/#add-a-technology-stack-for-your-asset), and [attachments](/getting-started/assets/asset-description/#attachments).
40 |     - If the upload is successful, all assets from the file are added. Otherwise, no assets are created; the upload is all-or-nothing and is never processed partially.
41 |     - We don't prevent you from creating duplicate assets.
42 | - When setting up a pentest, on the [Let's Get Started](/getting-started/assets/) screen, select **Create a new asset**.
43 |
44 | You can also use the [Cobalt API](/apiusecases/create_asset/#create-an-asset) to create assets.
45 |
46 | ### Asset Details
47 |
48 | {{% asset-details %}}
49 |
50 | ## View and Modify Assets
51 |
52 | Once you've [created](#create-an-asset) assets, you can view and manage them on the **Assets** page.
53 |
54 | Select the three-dot icon under **Action**, and then select the desired option:
55 |
56 | - **Create a Pentest** for this asset
57 | - **Edit Asset** to modify [asset details](#asset-details)
58 | - **Delete Asset**, if it doesn't have associated pentests
59 |
60 | To preview a summary of [potential vulnerabilities](/platform-deep-dive/assets/risk-advisories/) based on the [Common Vulnerabilities and Exposures (CVE)](https://www.cve.org/) standard, hold the pointer over the number under **Risk Advisory**. To navigate to the detailed list, select the number.
61 |
62 | 
63 |
64 | To view asset details, select an asset. From here, you can:
65 |
66 | - Create a pentest for this asset
67 | - Edit asset details
68 | - Delete the asset, if it doesn't have associated pentests
69 | - View associated pentests
70 | - Preview [risk advisories](/platform-deep-dive/assets/risk-advisories/) for this asset
71 |
72 |
73 |
--------------------------------------------------------------------------------
/content/en/PentestStates/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Pentest States"
3 | linkTitle: "Pentest States"
4 | weight: 500
5 | description: >
6 | Describes the status of your pentest.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Learn the meaning of the labels associated with your pentests.
11 | {{% /pageinfo %}}
12 |
13 | From the moment you've started saving a draft of a pentest, we assign a label
14 | for that pentest. We've set up these definitions as if you've set up the pentest
15 | through our user interface. Here's the meaning of each label:
16 |
17 | | Label | Description |
18 | |-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
19 | | Draft | You've started the **Create a Pentest** process. However, you may not have added the information that we need to start work on your pentest. |
20 | | In Review | You've submitted the pentest. We're reviewing your submission. We may have questions for you. |
21 | | Planned | We've accepted your proposed pentest. We'll assign pentesters based on your technology stacks and methodology. You should also have access to a Slack channel dedicated to your pentest. |
22 | | Live | We've started working on your pentest. Use the pentest chat channel to communicate directly with your pentesters. When we have questions and discover [findings](../getting-started/glossary#finding), we'll share them in the channel. |
23 | | Paused | We're unable to continue the pentest. You should see a reason in the Slack channel associated with your pentest. |
24 | | Remediation | We've completed and shared the results of our pentest, including our vulnerability findings. You can either accept or [remediate](../getting-started/glossary#remediate) each vulnerability. Once complete, resubmit your request. We'll retest your asset. |
25 | | Closed | You've accepted all our findings, or we've retested each finding and can no longer reproduce it. This state also applies when we found no vulnerabilities at all. |
26 | | Cancelled | If you no longer need a pentest, you're always welcome to cancel it. We'll keep the pentest in our records in case you change your mind. |
27 |
28 | {{% alert title="Note" color="note" %}}
29 | Pentests remain in _Remediation_ until you've addressed all findings. You can address each finding by either:
30 |
31 | - Remediating the finding.
32 | - Accepting the finding, and any associated security risk.
33 | {{% /alert %}}
34 |
35 |
--------------------------------------------------------------------------------
/content/en/Getting started/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Getting Started"
3 | linkTitle: "Getting Started"
4 | weight: 2
5 | description: >
6 | How to get started with Cobalt software.
7 | menu:
8 |   main:
9 |     weight: 2
10 | ---
11 |
12 | {{% pageinfo %}}
13 | Use this document to visualize your journey through Cobalt to secure your systems.
14 | {{% /pageinfo %}}
15 |
16 | You want to enhance the security of your software. You're ready to set up
17 | penetration tests (pentests) to elevate your security posture. With
18 | pentest-driven solutions, you can comply with regulations and enhance
19 | the confidence of your customers. You want results as soon as possible.
20 |
21 | You've come to the right place.
22 |
23 | {{%expand "Learn more." %}}
24 |
25 | If you're considering Cobalt, use this document to help you visualize the process.
26 | If you've already purchased Cobalt credits, use this document to start your journey.
27 |
28 | While it's helpful if you have a background in security, it's not required
29 | to understand the pentest process. If the language of software security confuses
30 | you, refer to our [Glossary](./glossary).
31 |
32 | In this Getting Started Guide, we take you through the process to create a pentest,
33 | step by step, and set [expectations](./what-to-expect).
34 |
35 | 
36 |
37 | When you've finished this Getting Started Guide, you'll have a plan and scope that
38 | our pentesters can use to test your assets. When you purchase credits from Cobalt,
39 | we send you an email invitation, which you can use to [Sign in to Cobalt](./sign-in).
40 | {{% /expand%}}
41 |
42 | ## Overview
43 |
44 | Our journey takes you through the steps required to create a pentest:
45 |
46 | 1. Select the [pentest type](/platform-deep-dive/pentests/pentest-types/). We offer [Agile](/getting-started/glossary/#agile-pentest) and [Comprehensive Pentests](/getting-started/glossary/#comprehensive-pentest).
47 | 1. Define your [assets](/getting-started/assets/). Our pentesters analyze all kinds of
48 |    assets, from web apps to internal networks.
49 | 1. Set [requirements](./pentest-objectives) for your pentest.
50 |    - By default, our pentesters use standards defined by the
51 |      [Open Web Application Security
52 |      Project (OWASP)](./glossary#open-web-application-security-project-owasp) and in
53 |      the [Open Source Security Testing Methodology
54 |      Manual](./glossary/#open-source-security-testing-methodology-manual-osstmm).
55 |    - Add and modify the objectives of your choice.
56 |    - To help our penetration testers, include more information about your asset,
57 |      such as architecture and coding language. You'll see more details about
58 |      what to include when you [define your assets](/getting-started/assets/).
59 | 1. Define [details](/getting-started/details/) of your environment.
60 |    Is your asset in production or in development? Is part of your system
61 |    on a cloud platform?
62 | 1. [Plan and scope](/getting-started/planning/) the test. Define your desired pentest start
63 |    date, and specify the pentest scope. We need time to find the best available pentesters for your assets.
64 | 1. Review your pentest request. Use our [Pentest Checklist](/getting-started/checklist/) to make
65 |    sure you've included _all_ information that our pentesters need.
66 |
67 | Once you've set up a pentest, we start analyzing your asset. When
68 | possible, we share results even before we create your report. Here's what
69 | you can [expect](./what-to-expect).
70 |
71 | Assuming you've received an email invitation, take the next step.
72 | [Sign in to Cobalt](./sign-in).
73 |
--------------------------------------------------------------------------------
/GrammarLinter.md:
--------------------------------------------------------------------------------
1 | # English Grammar Linter (Vale)
2 |
3 | This repository includes `beta` rules based on the [Vale grammar linter](https://docs.errata.ai/#vale). To install Vale on a Mac, run:
4 |
5 | ```
6 | brew install vale
7 | ```
8 |
9 | You can set up Vale with several different IDEs. For this repository,
10 | we've tested the integration between Vale and VSCode, and described some tips and tricks
11 | in [Use Vale in Your IDE](#use-vale-in-your-ide).
12 |
13 | Vale pulls rules from YAML files in the `styles/` subdirectory. They include grammar rules in the following subdirectories:
14 |
15 | - Modified rules from GitLab in the `styles/cobalt/` subdirectory
16 | - [Google Developer Style Guide](https://github.com/errata-ai/Google) rules, customized for Vale, in the `styles/Google` subdirectory
17 | - Rules associated with the [write-good](https://github.com/btford/write-good) grammar linter
18 |
19 | These rules are a "Work in Progress"; we may overrule/modify them as we use them to review Cobalt content. For example, if you find a common word / acronym that we use, you're
20 | welcome to add it (with a PR) to our `styles/cobalt/spelling-exceptions.txt` file.
21 |
22 | For more information, see the [Vale documentation](https://docs.errata.ai/).
23 |
24 | ## Vale Configuration
25 |
26 | The Vale configuration file is `.vale.ini`. In this file, we see:
27 |
28 | - The `StylesPath` parameter points to rules in the `styles/` subdirectory.
29 | - The `BasedOnStyles` parameter specifies which style subdirectories to apply.
30 | - The `IgnoredScopes` parameter tells Vale to ignore content such as code samples, as described in the [Vale documentation](https://docs.errata.ai/vale/config#ignoredscopes).
31 |
32 | ## Use Vale in Your Repository
33 |
34 | If you want to use this Vale configuration in your repository, copy:
35 |
36 | - `.vale.ini`
37 | - The `styles/` subdirectory
38 |
39 | If you copy Vale configuration files to your repository, and want to "change the rules,"
40 | open a PR against this cobalt-product-public-docs repository.
41 |
42 | ## Use Vale in Your IDE
43 |
44 | You can set up Vale with several different IDEs. For more information, see the
45 | [Integrations](https://docs.errata.ai) section of the Vale documentation.
46 |
47 | For example, you can set up a Vale plugin with the VSCode IDE, per
48 | [vale-vscode](https://github.com/errata-ai/vale-vscode#using-vale).
49 |
50 | **_Note:_** If you're working with Markdown or text files, you don't need Vale Server.
51 |
52 | If you have problems with Vale in VSCode, you may need to:
53 |
54 | - Restart VSCode
55 | - Disable / re-enable the Vale plugin
56 | - Save changes to the Markdown file that you're analyzing
57 |
58 | If you're successful, you'll see linting messages similar to what's shown in the following screenshot:
59 |
60 |
75 | Once we've processed your request, you get access to specific functionality as a Cobalt Partner, which you can verify on the **People** tab next to your name.
76 |
77 | To enable co-branded reports for an organization you manage:
78 | 1. Select the organization in the upper-left corner.
79 | 1. Navigate to the **Settings** tab, and scroll down to the **Report Branding** section.
80 | 1. Upload the logo image, and select **Apply**.
81 |
82 | To verify that co-branding is enabled:
83 | 1. Go to the **Pentests** tab, and select a pentest in the _Remediation_ or _Closed_ state.
84 | 1. On the **Report** tab, download a report, and verify that it has your company logo.
85 |
86 |
87 | As a _Cobalt Partner_, you can edit your company logo or turn off co-branded reports for a client organization on the **Settings** tab under **Report Branding**.
88 | {{% /expand%}}
89 |
90 | ## When You're Ready
91 |
92 | When your pentest request is ready, select **Submit for Review**.
93 |
94 | Once you do so, learn [what to expect after you create a
95 | pentest](../what-to-expect).
96 |
--------------------------------------------------------------------------------
/styles/write-good/TooWordy.yml:
--------------------------------------------------------------------------------
1 | extends: existence
2 | message: "'%s' is too wordy."
3 | ignorecase: true
4 | level: suggestion
5 | tokens:
6 | - a number of
7 | - abundance
8 | - accede to
9 | - accelerate
10 | - accentuate
11 | - accompany
12 | - accomplish
13 | - accorded
14 | - accrue
15 | - acquiesce
16 | - acquire
17 | - adjacent to
18 | - adjustment
19 | - admissible
20 | - advantageous
21 | - adversely impact
22 | - advise
23 | - aforementioned
24 | - aggregate
25 | - aircraft
26 | - all of
27 | - all things considered
28 | - alleviate
29 | - allocate
30 | - along the lines of
31 | - already existing
32 | - alternatively
33 | - amazing
34 | - ameliorate
35 | - anticipate
36 | - apparent
37 | - appreciable
38 | - as a matter of fact
39 | - as a means of
40 | - as far as I'm concerned
41 | - as of yet
42 | - as to
43 | - as yet
44 | - ascertain
45 | - assistance
46 | - at the present time
47 | - at this time
48 | - attain
49 | - attributable to
50 | - authorize
51 | - because of the fact that
52 | - belated
53 | - benefit from
54 | - bestow
55 | - by means of
56 | - by virtue of
57 | - by virtue of the fact that
58 | - cease
59 | - close proximity
60 | - commence
61 | - comply with
62 | - concerning
63 | - consequently
64 | - consolidate
65 | - constitutes
66 | - demonstrate
67 | - depart
68 | - designate
69 | - discontinue
70 | - due to the fact that
71 | - each and every
72 | - economical
73 | - eliminate
74 | - elucidate
75 | - employ
76 | - endeavor
77 | - enumerate
78 | - equitable
79 | - equivalent
80 | - evaluate
81 | - evidenced
82 | - exclusively
83 | - expedite
84 | - expend
85 | - expiration
86 | - facilitate
87 | - factual evidence
88 | - feasible
89 | - finalize
90 | - first and foremost
91 | - for all intents and purposes
92 | - for the most part
93 | - for the purpose of
94 | - forfeit
95 | - formulate
96 | - have a tendency to
97 | - honest truth
98 | - if and when
99 | - impacted
100 | - implement
101 | - in a manner of speaking
102 | - in a timely manner
103 | - in a very real sense
104 | - in accordance with
105 | - in addition
106 | - in all likelihood
107 | - in an effort to
108 | - in between
109 | - in excess of
110 | - in lieu of
111 | - in light of the fact that
112 | - in many cases
113 | - in my opinion
114 | - in order to
115 | - in regard to
116 | - in some instances
117 | - in terms of
118 | - in the case of
119 | - in the event that
120 | - in the final analysis
121 | - in the nature of
122 | - in the near future
123 | - in the process of
124 | - inception
125 | - incumbent upon
126 | - indicate
127 | - indication
128 | - initiate
129 | - irregardless
130 | - is applicable to
131 | - is authorized to
132 | - is responsible for
133 | - it is
134 | - it is essential
135 | - it seems that
136 | - it was
137 | - magnitude
138 | - maximum
139 | - minimize
140 | - minimum
141 | - modify
142 | - monitor
143 | - multiple
144 | - necessitate
145 | - nevertheless
146 | - not certain
147 | - not many
148 | - not often
149 | - not unless
150 | - not unlike
151 | - notwithstanding
152 | - null and void
153 | - numerous
154 | - objective
155 | - obligate
156 | - obtain
157 | - on the contrary
158 | - on the other hand
159 | - one particular
160 | - optimum
161 | - overall
162 | - owing to the fact that
163 | - participate
164 | - particulars
165 | - pass away
166 | - pertaining to
167 | - point in time
168 | - portion
169 | - possess
170 | - preclude
171 | - previously
172 | - prior to
173 | - prioritize
174 | - procure
175 | - proficiency
176 | - provided that
177 | - purchase
178 | - put simply
179 | - readily apparent
180 | - refer back
181 | - regarding
182 | - relocate
183 | - remainder
184 | - remuneration
185 | - requirement
186 | - reside
187 | - residence
188 | - retain
189 | - satisfy
190 | - shall
191 | - should you wish
192 | - similar to
193 | - solicit
194 | - span across
195 | - strategize
196 | - subsequent
197 | - substantial
198 | - successfully complete
199 | - sufficient
200 | - terminate
201 | - the month of
202 | - the point I am trying to make
203 | - therefore
204 | - time period
205 | - took advantage of
206 | - transmit
207 | - transpire
208 | - until such time as
209 | - utilization
210 | - utilize
211 | - various different
212 | - what I mean to say is
213 | - whether or not
214 | - with respect to
215 | - with the exception of
216 | - witnessed
217 |
--------------------------------------------------------------------------------
/content/en/Getting started/Assets/asset-description.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Describe Your Assets"
3 | linkTitle: "Describe Your Assets"
4 | weight: 50
5 | description: >
6 | Better descriptions help our pentesters test your assets properly.
7 | ---
8 |
9 | {{% pageinfo %}}
10 | Help our pentesters test your assets faster.
11 | {{% /pageinfo %}}
12 |
13 |
15 |
16 | Our pentesters need all relevant information about your asset. To help
17 | you understand what to share, we include a description template.
18 |
19 | For all assets, we'd appreciate a:
20 |
21 | - High-level overview
22 | - Description of important functions or features
23 | - Business risks associated with each function and feature
24 |
25 | Include links to published documentation related to the
26 | asset. You can upload documentation, diagrams, and more in various
27 | file formats under [Attachment(s)](#attachments).
28 |
29 | The following sections detail additional needs for different kinds of assets:
30 |
31 | ### Web, API, Mobile
32 |
33 | Web, API, and Mobile assets frequently include user roles in different
34 | categories such as:
35 |
36 | - Administrator
37 | - Service user
38 | - Regular user
39 |
40 | Each of these roles typically has a different set of rights, privileges,
41 | or permissions. We can verify whether each role is appropriately limited.
42 |
43 | For web assets, define the application type. For example, some web assets may be a:
44 |
45 | - Page-driven website
46 | - [Single-page application](https://developer.mozilla.org/en-US/docs/Glossary/SPA)
47 |
48 | Web and API assets frequently include dedicated reference documentation. For example,
49 | RESTful API assets frequently include OpenAPI-based documents that describe the
50 | properties associated with each endpoint.
51 |
52 | ### Web Asset Description
53 |
54 | Help us find the right pentesters for your asset. Include a high-level overview
55 | of the application. Add details such as:
56 |
57 | - Coding language.
58 | - Functions or features central to the capability of your asset.
59 | - Business risks associated with specific functions or features.
60 | - Special endpoints associated with your dynamic pages.
61 |   - While our pentesters can find the API endpoints used by your web app with
62 |     browser "Developer Tools," let us know if you have special concerns with
63 |     one or more endpoints.
64 |
65 | ### Network Assets (External and Internal)
66 |
67 | Our pentesters need network diagrams to know what to test on a network.
68 | If you've set up a [jump box](../../glossary#jump-box) for our pentesters on your
69 | network, include the location in the diagram.
70 |
71 | Add network information, including the IP address / hostname of the
72 | jump box.
73 |
74 | ### Cloud Configuration Assets
75 |
76 | Our pentesters need to know how you've set up and use your cloud assets.
77 | Even when your cloud assets stand alone, they may share features with
78 | other types of assets.
79 |
80 | For example, if you have dedicated roles to maintain cloud assets, describe
81 | them as you would describe a web app asset.
82 |
83 | Make sure to include the:
84 |
85 | - Cloud provider
86 | - Service
87 | - Unique users / roles
88 | - Applicable network / architecture diagrams
89 |
90 | ## Attachments
91 |
92 | To share more about your assets, you can upload the documentation of your choice under **Attachment(s)**. Our app accepts files
93 | in the following categories and formats:
94 |
95 | - Archives (.gz, .rar, .tar, .zip)
96 | - Documents (.doc, .docx, .pdf, .txt)
97 | - Images (.gif, .jpg, .jpeg, .png)
98 | - Spreadsheets (.csv, .xls, .xlsx)
99 | - Videos (.mov, .mp4)
100 |
101 | Our app limits uploads to 100 MB.
102 |
103 | 
104 |
105 | If you'd like to upload files in a different format, you can try to:
106 |
107 | - Compress or archive the files into one of the noted formats.
108 |   - For example, you can use a "Zip" tool built for your operating system to
109 |     save your file with a **.zip** file extension.
110 | - {{% contact-csm-support %}} for guidance.
111 |
112 | For complex assets, we encourage spreadsheets. The UI includes links to the following
113 | templates:
114 |
115 | - Workflow/Priority Target
116 | - User role matrix
117 |
118 | We've included suggested data in the downloadable Excel (.xlsx) files.
119 | We encourage you to replace this information with other data, and upload it
120 | with any other documentation for your asset.
121 |
122 | At this point, you've completed all entries in the **Review Assets** section of the pentest wizard.
123 | You can now select **Next** to move to the next part of the wizard and set the pentest [requirements](/getting-started/pentest-objectives/).
124 |
--------------------------------------------------------------------------------