Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / 12.5 Release Kickoff / 17 Oct 2019
GitLab / 12.5 Release Kickoff / 17 Oct 2019
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: GitLab 12.5 Kickoff - Secure:Software Composition Analysis

Description

Please take our survey about the Kickoff process at GitLab
https://docs.google.com/forms/d/e/1FAIpQLSdNyIB_Rk3rn2-PI-5dWhb7rUfBLmGziTlbmeKYP-mFQEESQQ/viewform?usp=sf_link

12.5 Kickoff for Secure:Software Composition Analysis

Board: https://gitlab.com/groups/gitlab-org/-/boards/364216?scope=all&utf8=✓&state=opened&milestone_title=12.5&label_name[]=direction&label_name[]=group%3A%3Acomposition%20analysis

New Kickoff Page: https://about.gitlab.com/direction/kickoff/#secure-section

See all the Kickoff Calls in this Playlist https://www.youtube.com/playlist?list=PL05JrBw4t0Krv9MyOPkGOkbi9kc1cgMvl

A

Hi everyone I'm Nicole, Schwartz and I'm the product manager for the secure composition, analysis, team and I wanted to go over what we're looking at doing for 12.5 right now. We have two deliverables. The first one is part of a long-standing goal where we would like to get rid of the doctrine docker requirement for all of our scanners in this release, we're going to be working specifically on dependency scanning.

A

This is enabling you to not use privileged runners and have retention of parameters they're being passed around. So a lot of people have been asking for this and we're happy to keep making progress on this each release. The next item that we have is a deliverable is we're going to be enabling container scanning to be run offline.

A

So there are some people who like to run their instances in an environment that doesn't have internet, sometimes called air-gapped, and at this point they cannot use a lot of our scanners, so we've been working to make each one of our scanners across all of these secure groups work in these environments, so hopefully, by the end of the release, we will have that for container scanning. Specifically, we have to stretch items and I'm hopeful that we'll get to them. If not, they will go into 12.6. The first one is.

A

We would like to make a policy tab on the license compliance list. What this will enable is that any person with the correct access, developer and above will be able to see what license specific policies are in place for the project. So you can see if there's a specific set of allows or denies already configured, so you can avoid including third-party libraries with those specific licenses right now.

A

That list is only visible to the person configuring the allow list and design list for to developer once they have added a specific license, and then they can see that it's allowed or denied, so that will hopefully make everybody's life a little bit easier and the last one we have that's also a stretch is when you are interacting with a container scanning finding.

A

We tell you that there's an issue, but we don't necessarily provide you a fix here, we'd like to where possible, if the fix is a newer version of the specific container, give you that, mr so you can just click it to run it and test it out immediately without having to hunt down if there is a newer version available. So we're hoping to make this save time and go a little bit faster for remediation of issues found for our container scanning solution and those are our major items for 12.5.

A

You have any issues or questions.

A

No, it's all very clear already.