From YouTube: GitLab 12.5 Kickoff - Defend and Secure:Static Analysis
Description
Walk through of planned priorities for 12.5 iteration of GitLab, focused on Defend stage and Secure::Static Analysis group.
B
Good, fingers crossed, swear it this time to work. It's yeah, perfect, all right. Well, we are five minutes in, and apologies for getting the late start. So let's go ahead and jump in. So thanks, everyone, for joining today. I really appreciate you making the time. This is going to be the 12.5 group kickoff

B
for Secure and Defend. My name is Sam Kerr. I'm a principal product manager here at GitLab, focused on Secure and Defend, and really what we want to do, and what this meeting is for, is discuss: what are the key Direction items that are going to be deliverable during 12.5 for this release, and go into a little bit more detail than what's gonna be covered in the company kickoff call for 12.5.

B
So if you're coming from watching the company kickoff call recording, you might have seen some of these issue titles, and then we're gonna dive in a little bit deeper on each of them, provide some more context. And so the board that I'm looking at right now, this is the 12.5 iteration. We're filtering based on those deliverable items that we're confident we can deliver during the iteration, as well as Direction items, which are some of the higher-level features and capabilities we want to focus on during the release.

B
So the WAF, the web application firewall, is something that we delivered for the first time as part of the 12.3 release. We offered the ability to install the WAF into newly created clusters in GitLab and log events, log traffic, that the WAF identifies as potentially malicious. But what we want to focus on with this issue is surfacing that information at a little bit higher level, so rather than requiring you to go in, connect to the cluster directly, tail a log file for the WAF to actually be able to see what it's noticing,

B
we want to take that information that's in the log file, do some calculations on it and report some basic statistics about the WAF. And so the things that we're going to be targeting for this issue initially are reporting the amount of traffic that the WAF has seen, reporting how much of that traffic has been blocked versus how much has not been blocked. And so this is gonna be a really great way for you to tell quickly that the WAF is working.

B
It's turned on because it's seeing traffic, and also, secondarily, with the default set of rules that we provide, how much of your traffic is being identified as potentially malicious, and if that's higher or lower than expected, you know, that gives you a great starting-off point to investigate why, what's the reason for that. And so this is one of the things we're focusing on in 12.5: giving you that greater level of visibility, giving you more detailed information about how the WAF is working when it's been deployed.

B
So going back to our list, the next item is what we're calling standalone vulnerability objects, and this is going to be our MVC for this offering. If you've seen this issue before, it might have been referred to as first-class vulnerabilities, but I've updated the title to be standalone vulnerability objects, really to reflect the fact that these are going to be first-class entities inside of GitLab going forward. And so what this issue and this MVC is all about

B
is, we currently, GitLab today, reports vulnerabilities with our various SAST tasks and other scanners in the product. If you do a merge request to run a pipeline, the results of those vulnerabilities are shown in line with the pipeline itself, with the merge request, as well as our security dashboard, which is great. But there are also times when you want to link directly to a vulnerability, potentially. Perhaps you want to share a vulnerability with someone else in your organization, and you might want to do more.

B
The next one on the list is SAST support for the React framework, and so what this is about: we currently support a number of different languages and frameworks with our SAST scanning today, and so we want to continue expanding that coverage for more languages, more frameworks, and React is one that we're targeting in 12.5. If you're not familiar with it, React is a JavaScript framework

B
that's becoming more and more popular in the industry. We're seeing a lot more adoption of it, and so we want to make sure that, if you're developing applications and projects using React, that you can also take advantage of SAST and the benefits it provides. Notably, if you watched our 12.4 kickoff video, this was in our 12.4 plans. We did not complete it during that time, so we're still continuing to prioritize this capability, because we do believe it's important, and it's why I'm also focusing on it in 12.5 as well.

B
And the last on the list is our MVC for performing secret detection on the entire history of your repositories, and so what this issue is all about is: today at GitLab we do secret scanning to be able to identify potentially sensitive credentials, tokens or various other pieces of information in your repo so that they don't, you know, get committed accidentally and then abused later. Today we're able to identify those, notify you as part of our security dashboard and our secrets reporting.

B
But one thing that we wanted to cover is the use case where maybe a secret was committed in the history of your repository, but not necessarily it's in the head commit of master today, and this could happen, perhaps, if someone committed a secret, realized they committed it, and added a new commit to remove that secret file, which may appear that the secret's been removed.

B
There's no issue at that point, but because Git stores everything in the history and you can go back to older commits, those secrets and those tokens are still going to be available if someone has access to your repository history. And so we want to expand our secret detection to not only look at what's the current commit, what's the kind of state of the repository, but with this MVC expand it to be able to look at all the commits through history,

B
look at the entire history of the repository so that, even if something was committed in previous commits, you're able to identify that and you can either rotate, delete or take a next step with any of those secrets that have been found. And so this is another one of our focus areas for the 12.5 release.

B
So, similarly to what we talked about with the 12.3 release of the WAF, it currently lives in listen-only mode, so it will log and record traffic but won't block traffic that it identifies as potentially malicious. Something we started working on in 12.4 and will likely deliver as part of 12.5 is enabling you to actually block potentially malicious traffic that's been identified with the WAF.

B
This is going to be an opt-in capability so that traffic won't start to be blocked until you've decided the WAF is working correctly for how you want it to work and you're ready to make that transition. So I just want to highlight this, as this is likely going to be in 12.5 and it's gonna continue to be one of our focuses coming from 12.4.

B
So if we remove the label filtering, you'll see a number of other different issues, so feel free to take a look through this list offline, engage in the discussion on those issues directly. These are issues we are going to be working on, but these aren't necessarily the key Direction items which you'll see in the release post, or we're not confident that these will definitely be delivered during the iteration. You'll see some issues marked as stretch, which indicates we think we have a good chance of making it but aren't confident.

B
So that's gonna be one of the things we'll need to find out, because there's gonna be a couple different touch forms for... I could see, I, you know, making the most sense. It could be an on-demand approach that we use. I think there's a UX design attached to this, but we're likely gonna put a badge at the top of the project to say you either have or have not done full secret scanning, and then based on that we'll likely offer a way to trigger the full scanning.

A
I'm not super comfy, not about that one, because that part is a bit blurry and that leads to other parts of our [unclear]. If we want to trigger that kind of scan, that means we're able to identify the secret job in the pipe, and that we're not able to do that there. It should listen close, so that that would lead me to more questions, I guess. So that one, my point is it's probably more stretch, and then there's a very, very broad this one.