From YouTube: Contributing to GitLab's Container scanning analyzer
Description
This video is part of our Community Office hour calls and highlights how to identify an issue to contribute to, figure out where to apply code changes, and what to keep in mind while contributing, testing, and opening a merge request.
The issue Brian is tackling is: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/merge_requests/2720
For the project: https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning
Start contributing to GitLab: https://about.gitlab.com/community/contribute/
You can check for upcoming Community Office hour calls on our meetup.com group: https://www.meetup.com/gitlab-virtual-meetups/
A
Nice. For the people that are joining the recording: hello, welcome. I'm Christos. I'm here with unschool, Marco, Jamie and Brian. It's one of our regular office hours and we're talking about upcoming campaigns, and my dog is going crazy again because I'm in a meeting. It's like, no, you're not gonna go into a meeting, you need to play with me. Sorry about that. So yeah, we have a light agenda, but here it's all about, you know, bringing questions, analyzing topics.
A
I have some topics to discuss and share with all of you, but yeah, if you have any questions, Marco, anschulo, or anything that you would like to discuss here, yeah, we can start from there. Jamie's asserting the chat, the GitLab release 15 meetup campaign epic. I'm gonna link it in, I'm gonna put it into our agenda. Talk.
B
I do see some familiar names from the people who are here. I do think I've reviewed some of your merge requests, so thank you for contributing.
A
Thank you, thanks for, good, for reviewing, Brian, as well. Hello Donna, welcome. Let me share again with everyone the link to our agenda doc, just in case. So Ryan says that you're here again. If people have any questions, feel free to drop them here into the chat on Zoom. Other, I added some of our names on the agenda doc as well. There are some, like, topics, yeah.
A
I also see some of their names. Something that I would like, Brian, maybe since you're here: we're trying to, from the previous office hour that we had, there was, and we, from the contributor survey that we ran a few months ago, that's still running, actually, we got some feedback from people, like, hey, would like to better understand how to approach, how to solve an issue, how to approach this, how to understand the source code.
A
So the idea is, like, start having more regular office hours, invite for this month back-end engineers to help us address some of this. I mean address, like, find some issues, pick up an issue and just, like, walk us through the thinking of how to solve it, and record this and make, like, a series of videos, like walkthroughs, and we can use them for assisting people who are beginning to contribute to GitLab. So I don't want to, you know, if you're interested to do something like that.
A
That will really help. I would really great, even today.
A
We want to have, to start having, weekly office hours, actually, to be able to achieve that. Last month, in April, we had the April front-end day, which is more focused on front end, and would like to focus the rest of May and June into back end. But you know, back in that. GitLab is like, it's a lot of different, a lot of different stage groups, so the idea is, like, invite different people to just talk about their stage group, yeah.
B
With more of that, yeah, I think that sounds like a pretty cool idea. I think we could do that. We could try it now if you'd like. I'm not prepared at all, but that's great, but you know, I could try it and see what it's like for a contributor.
A
Oh, bro, Mark also has a question. Maybe he has a question. Martha, by the way, Marco cannot verbal, I cannot speak, he's in an office environment, so, but he's typing in a chat. Also Don and Oscar, if you have any questions, feel free to unmute yourself.
B
Yeah, that's not a problem. I'm actually deaf. I don't hear very well, so it's easier for me to read chat than try to listen to somebody. I use the captions on Zoom, usually.
A
Wait, let me do the caption there. Sorry. Can we do the captions here? Thanks for erasing this. Whoop, like captions.
B
Yeah, okay. If you want to try out the issue walkthrough thing, I can go ahead and share my screen and we can try that. Yes, that would be amazing.
B
So you can open up the issues page and, if you're looking to make a contribution, typically you'd want to search for labels. So we have "good for new contributors", which you can use to find issues that should be easier to implement. And I'm a back-end engineer, so I'm also going to want to search for back-end issues, because I don't know how to work on front-end.
B
And I can look at this one. So this is created by Thiago. He's my manager, so this belongs to my team and I'd be pretty familiar with this one. So this is the container scanning feature.
B
We just moved this to free tier in 15.0. It used to be Ultimate only. But this lets you, this runs inside GitLab CI/CD and it lets you search for vulnerabilities inside a container image, and so this is a follow-up for merge requests.
B
And one for enterprise edition and one for feature. The feature is, it uses the same database, but it's delayed by 30 days, and that was, you know, kind of a compromise that we landed on to making our proprietary vulnerability database open source.
B
And we symlink from ee to the cache path, which is where, which is very trivial to database from. If you don't know what Trivy is, it's the vulnerability scanner that we use for container scanning.
B
So the idea here is that there was a suggestion from one of the reviewers that, rather than symlinking these files,
B
we should use a flag to specify which database we should use instead.
B
So, how would we want to contribute to this?
B
I was about to mention that, so sorry. If you, you can't assign it to yourself, but what you'd want to do is ask the person who created the issue if you can work on it. If it's an urgent issue that the team wants to get completed really fast, then they might say, they might ask you to pick something else, because they want to make sure that it gets done.
B
So if I was a contributor, I would make sure you tag him, because if you comment without tagging that person, a lot of GitLab team members won't see it, because they get so many notifications that they only look at the ones that they're tagged in. So make sure you tag that person and you ask them if you can contribute to that issue, and if they're okay with you working on it, then I'll assign it to you. I'll go ahead and tell him that I'm working on this.
B
I hope you don't mind that we're not working on, actually, GitLab, it's up, yeah, but I hope this is an interesting enough project to work on. So we have a scan command here that runs Trivy. This runs inside a container in a CI pipeline, so the idea here is, instead of doing this,
B
And that's the easy change, yeah, but now we have to test it. So when we deleted that function, there's a couple things that we don't need anymore. We don't need these, I think. Let's see, we need database path, but we don't need the files. So we can delete this one.
B
So when I, I use VS Code and I like to open files using Command-P, because usually the file tree is really, really huge and it's too hard for me to go search for the file and I'm looking for it in a file tree. So I press Command-P and I type the file name in, and so the file I'm looking for here is triviaspic.ruby, and you can see it's under gcs, which is kind of the same path as where the file is. So these are the tests, and.
B
I think so. I think we're actually inheriting some methods from scanners, because you can see here, Trivy inherits from scanner, so.
B
Assert the command here. These tests do a lot of mocking, so we call a shell. We execute Trivy as a shell command, and in the test we don't want to actually execute a shell. So we mock shell that execute and we assert that it receives the argument that we expected to receive.
B
We want to assert that we're passing the correct database directory to this argument, so we need to test what happens when we're using a, when we're scanning the Ultimate project, and what happens when we're scanning a project that is not Ultimate.
B
Another test for when we do not have enterprise edition.
B
Yeah, let me get this working on one test first, and then we can do that, read vectors. So for this one we'd want to have something like context.
A
And Brian, we don't have to fix it, to solve it, like, during the observable completely. The idea is, like, you know, to walk us through the: how do we approach this? Where is the code that we need to change? Testing, which is really important, as you're mentioning right now. So yeah, we don't have to fully solve the ac right now.
B
Right, right, exactly. So yeah, that's fun. Yeah, the tests are always important. Like, whenever you change a file, you also have to change the text with that file. And on the GitLab project, we actually have a pipeline that runs a tool called undercoverage, and if your change does not have 100 test coverage, the pipeline will fail and you will not be allowed to merge your changes. So on the GitLab project,
B
We don't have that on this project, but on the GitLab project you're required to always have 100 test coverage. And what you would do once you finally get this working, what you would do is run the test, so you do, like, bundle exec rspec and run, you know, spec.
B
Yeah, but that's how you would approach this one. The code is not always necessarily in the GitLab project, you know, as you saw here, but we can.
A
Sure, sure. First I want to make sure whether there are any questions so far. There is one question from monaco which is not relevant to this, I was before, but if there are any questions right now for Brian specifically about this issue, on, wait, what is it, on the three databases, the content, GitLab advisor database, the one that just walk us through.
C
So yeah, there is one. First of all, Brian, thank you so much. It's really helpful, all this thing, the process. So this also happened with me many times. I do some changes and I'm sometimes some test cases to shape and update accordingly, and the reason is, like, I don't have that valid profile, so, like, I need to verify myself using credit card to verify my pipeline, right? So, like, is there a way to bypass that and run my own pipeline?
B
Yeah, I know, that's really unfortunate. So this is a known problem that I'm really hoping that we can get fixed. It's frustrating for us as merge request coaches too, that you can't run your own pipeline, but right now there's not really a solution for that. You either have to verify your credit card or you can ask on a merge request to have a GitLab team member run the pipeline for you.
B
One thing that we're looking at is we're hoping to allow you to verify with SMS, with the text message, instead of using your credit card, so you can put your phone number in and you get a text message and you can use that to verify your account and start using CI/CD instead of a credit card. Would that work for you?
C
B
Okay, great. So yeah, we're hoping to implement that at some point, where you can verify with the text message instead, and hopefully that'll make it more approachable for a lot of people. But right now we don't really have a good solution for that. Yeah, it's unfortunate, but it's something that we had to implement because we had a lot of people abusing the free CI/CD minutes, and there were people who would create a bunch of projects and mine cryptocurrency in the CI pipelines, yeah, and they would.
A
And something to others: like, whenever you need to have your pipelines run, you can also tag me on your merge requests and I'll make sure, like, the moment I see it, that gives you notification, to go and run the pipelines for you.