Description
Please take our survey about the Kickoff process at GitLab
https://docs.google.com/forms/d/e/1FAIpQLSdNyIB_Rk3rn2-PI-5dWhb7rUfBLmGziTlbmeKYP-mFQEESQQ/viewform?usp=sf_link
12.5 Kickoff for Secure:Software Composition Analysis
Board: https://gitlab.com/groups/gitlab-org/-/boards/364216?scope=all&utf8=✓&state=opened&milestone_title=12.5&label_name[]=direction&label_name[]=group%3A%3Acomposition%20analysis
New Kickoff Page: https://about.gitlab.com/direction/kickoff/#secure-section
See all the Kickoff Calls in this Playlist https://www.youtube.com/playlist?list=PL05JrBw4t0Krv9MyOPkGOkbi9kc1cgMvl
Hi everyone, I'm Nicole Schwartz and I'm the product manager for the Secure Composition Analysis team, and I wanted to go over what we're looking at doing for 12.5 right now.

We have two deliverables. The first one is part of a long-standing goal where we would like to get rid of the Docker requirement for all of our scanners. In this release, we're going to be working specifically on dependency scanning. This is enabling you to not use privileged runners and have retention of parameters that are being passed around. So a lot of people have been asking for this, and we're happy to keep making progress on this each release.

The next item that we have as a deliverable is we're going to be enabling container scanning to be run offline. So there are some people who like to run their instances in an environment that doesn't have internet, sometimes called air-gapped, and at this point they cannot use a lot of our scanners, so we've been working to make each one of our scanners across all of these Secure groups work in these environments. So hopefully, by the end of the release, we will have that for container scanning specifically.

We have two stretch items and I'm hopeful that we'll get to them. If not, they will go into 12.6. The first one is: we would like to make a policy tab on the License Compliance list. What this will enable is that any person with the correct access, Developer and above, will be able to see what license-specific policies are in place for the project. So you can see if there's a specific set of allows or denies already configured, so you can avoid including third-party libraries with those specific licenses.

Right now we tell you that there's an issue, but we don't necessarily provide you a fix here. We'd like to, where possible, if the fix is a newer version of the specific container, give you that MR so you can just click it to run it and test it out immediately without having to hunt down if there is a newer version available. So we're hoping to make this save time and go a little bit faster for remediation of issues found for our container scanning solution, and those are our major items for 12.5.