Edits per SME review

doc/user/application_security/index.md

@@ -18,22 +18,20 @@ actionable information _before_ changes are merged enables you to be proactive.
 GitLab also provides high-level statistics of vulnerabilities across projects and groups:
 - The [Security Dashboard](security_dashboard/index.md) provides a
-  high-level view of vulnerabilities detected in your projects, pipeline, and groups.
+  high-level view of vulnerabilities detected in individual projects or across groups.
 <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
 For an overview of GitLab application security, see [Shifting Security Left](https://www.youtube.com/watch?v=XnYstHObqlA&t).
 ## Application coverage
-GitLab analyzes various aspects of your application, including:
-- Source code
-- Dependencies
-- Runtime behavior
-- Infrastructure, including:
-  - Containers
-  - Infrastructure as code configuration
-  - Kubernetes clusters
+GitLab analyzes various details of your application, either on a schedule or as part of your CI/CD
+pipeline. Analysis includes:
+- Source code.
+- Dependencies in your projects or container images.
+- Runtime behavior.
+- Infrastructure as code configuration.
 To help with the task of managing and addressing vulnerabilities, GitLab also provides a security
 dashboard, at the project and group levels. For more details, see
@@ -46,32 +44,40 @@ in the MR.
 Source code analysis includes:
-- Analyze source code for vulnerabilities - [Static Application Security Testing (SAST)](sast/index.md)
-- Analyze the Git repository's history for secrets - [Secret Detection](secret_detection/index.md)
+- Analyze source code for vulnerabilities - [Static Application Security Testing (SAST)](sast/index.md).
+- Analyze the Git repository's history for secrets - [Secret Detection](secret_detection/index.md).
 ### Runtime behavior analysis
 Runtime behavior analysis occurs on every code commit. As part of the CI/CD pipeline, your
 application is built, deployed to a test environment, and subjected to the following tests:
-- Known application vectors - [Dynamic Application Security Testing (DAST)](dast/index.md)
-- Analyze APIs for known attack vectors - [DAST API](dast_api/index.md)
-- Find unknown bugs and vulnerabilities in web APIs - [API fuzzing](api_fuzzing/index.md)
+- Known application vectors - [Dynamic Application Security Testing (DAST)](dast/index.md).
+- Analyze APIs for known attack vectors - [DAST API](dast_api/index.md).
+- Find unknown bugs and vulnerabilities in web APIs - [API fuzzing](api_fuzzing/index.md).
 ### Dependency analysis
-Dependency analysis occurs on every merge request. Your application's dependencies are
-collated and checked against a database of known vulnerabilities. For more details, see
-[Dependency Scanning](dependency_scanning/index.md).
+Dependency analysis occurs on every code commit. Your application's dependencies are collated and
+checked against a database of known vulnerabilities.
+
+- Analysis is done at build time - [Dependency Scanning](dependency_scanning/index.md).
+- For projects that use container images, analysis is also done after the final container
+image is built - [Container Scanning](container_scanning/index.md).
+
+For more details, see
+[Dependency Scanning compared to Container Scanning](dependency_scanning/index.md#dependency-scanning-compared-to-container-scanning).
+
+Additionally, dependencies in operational container images can be analyzed for vulnerabilities
+on a regular schedule or cadence. For more details, see [Cluster Image Scanning](cluster_image_scanning/index.md).
 ### Infrastructure analysis
 Your application's infrastructure is a source of potential vulnerabilities. To help defend
 against this, infrastructure analysis occurs on every merge request. Checks are run against:
-- Docker containers required by your application - [Container Scanning](container_scanning/index.md)
-- IaC configuration files that define your application's deployment environment - [Infrastructure as Code (IaC) Scanning](iac_scanning/index.md)
-- Kubernetes clusters to which your application is deployed - [Cluster Image Scanning](cluster_image_scanning/index.md)
+- Infrastructure as Code (IaC) configuration files that define your application's deployment
+  environment - [Infrastructure as Code (IaC) Scanning](iac_scanning/index.md).
 ## Vulnerability scanner maintenance

doc/user/application_security/security_dashboard/index.md

@@ -9,12 +9,12 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 You can use Security Dashboards to view trends about vulnerabilities
 detected by [security scanners](../index.md#application-coverage).
-These details are shown in pipelines, projects, and groups.
+These trends are shown in projects, groups, and the Security Center.
 To use the Security Dashboards, you must:
 - Configure at least one [security scanner](../index.md#application-coverage) in a project.
-        - Configure jobs to use the [`reports` syntax](../../../ci/yaml/index.md#artifactsreports).
+- Configure jobs to use the [`reports` syntax](../../../ci/yaml/index.md#artifactsreports).
 - Use [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 or later. If you use the
   shared runners on GitLab.com, you are using the correct version.
 - Have the [correct role](../../permissions.md) for the project or group.