Description
CSM/CSE enablement around the following topics:
- [Docs] Compliance pipelines: https://docs.gitlab.com/ee/user/group/compliance_frameworks.html#compliance-pipelines
- [Docs] Scan execution policies: https://docs.gitlab.com/ee/user/application_security/policies/scan-execution-policies.html
Hi everyone, today we're going to be going over an enablement on compliance pipelines and scan execution policies. On the agenda, we'll be going over, number one, compliance pipelines: we'll be looking at what is a compliance framework and compliance pipeline? Why do you need a compliance pipeline? How do you implement a compliance pipeline? Number two, we'll look at scan execution policies: what are scan execution policies? Why do you need scan execution policies, and how do you implement scan execution policies?
Overall, key goals and guiding principles include: scalability allows organizations with large numbers of projects to essentially manage and enforce when scans are run. Ease of use lowers the knowledge requirement to use GitLab scanners. Appropriate permissions limit who can make policy changes, and support auditing and approvals. Unified experience provides a consistent way to manage policies regardless of scanner or technology type. Flexibility allows users to work in either GUI or code based on their preferences.
Policy enforcement: developers enforce specific policies within pipelines, guaranteeing code undergoes necessary compliance checks before deployment. Compliance pipelines provide clear visibility into code compliance, generating detailed reports to identify and address issues promptly. Collaboration and governance: compliance pipelines centralize compliance management, facilitating collaboration among teams and ensuring governance throughout the development life cycle.
From this point, we'll go ahead and add a compliance pipeline configuration to our newly created project. We'll do that by clicking on Build, Pipeline editor, Configure pipeline, and in the pipeline editor we're going to actually replace this default configuration with a generic compliance job.
As you can see, there are existing frameworks here, so this will give you an idea of how it looks whenever you're actually going through multiple frameworks. But from here we'll actually go ahead and click on Add framework, we'll name our framework, give it a description, and using the URL we'll be able to derive the actual pipeline configuration here. So we'll paste the URL after the .gitlab-ci.yml@, but we'll remove the beginning portion.
That's the part that has the gitlab.com, so it'd be the .gitlab-ci.yml@ and the URL minus gitlab.com, as you'll see here. This actual field will allow you to debug the entry that you put in; after I complete that entry, you'll see that the error is removed, so you can use that as a way to debug. Go ahead and select the color and we'll click on Add framework.
Without any other pipeline configuration defined, the fincalc project can now automatically run the jobs that are defined in the compliance pipeline configuration in the TF compliance project. So go to Build, Pipelines, and we'll click on Run pipeline, and within the Run pipeline page we'll click Run pipeline again.
You'll notice that the pipeline runs a job called compliance job in the test stage, so Tanuki Financial has successfully run its first compliance pipeline. The fincalc application will also have its own pipeline, so we can go ahead and combine the compliance pipeline configuration with the regular pipeline configuration of this project. So we'll go ahead and define a regular pipeline configuration for fincalc and then update the compliance pipeline configuration to refer back to it. We'll do that by going to Build, Pipeline editor.
Now we'll see that the pipeline runs two jobs in the test stage, the compliance job as well as the project job, so we've successfully created and configured a compliance pipeline proof of concept for Tanuki Financial to use on new and existing projects. We can also add that compliance pipeline to existing projects by following similar steps as before. So within Tanuki Financial, we'll go ahead and go to one of the existing applications, the Ledger manager.
We'll go to Settings, General, we'll scroll down to Compliance framework, hit Expand, and we'll select the newly created compliance framework that we made earlier, TF compliance framework, and we'll click on Save changes. And once we go back to Tanuki Financial, you'll see that we have two different projects with compliance frameworks applied: an existing project as well as a newly created project that pulled it by default.
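As an added illustration of what the walkthrough above builds (this is not the configuration shown in the video, and the group and project paths are assumptions), here is what the compliance project's `.gitlab-ci.yml` can look like once it both runs its own compliance job and pulls in the regular pipeline of whichever project the framework is applied to, such as fincalc. The `include` of `$CI_PROJECT_PATH` is the documented compliance-pipeline pattern from the docs linked in the description and is what makes the project job appear in the test stage next to the compliance job.

```yaml
# Added example, not the video's own pipeline.
# Lives at .gitlab-ci.yml in the compliance project; the framework's
# "Compliance pipeline configuration" field would then read
#   .gitlab-ci.yml@tanuki-financial/tf-compliance
# (assumed path, matching the "URL minus gitlab.com" step above).

stages:
  - test

# The job every project with this framework inherits, whether or not
# the project has a pipeline configuration of its own.
compliance-job:
  stage: test
  script:
    - echo "Running compliance checks for $CI_PROJECT_PATH at $CI_COMMIT_SHA"
    # Real checks (license audit, policy lint, signed-commit verification, ...) go here.

# Pull in the regular pipeline of the project that triggered this run,
# so its own jobs (e.g. fincalc's project job) run alongside compliance-job.
include:
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    # Pin to the commit being built. Without ref, the include resolves to the
    # project's default branch, so merge request pipelines would test the wrong code.
    ref: '$CI_COMMIT_SHA'
    rules:
      # Hard-coded path of this compliance project, so it does not include itself.
      - if: $CI_PROJECT_PATH != "tanuki-financial/tf-compliance"
```

Ordering matters, which is why the video first runs the framework without the include and adds it only after fincalc has its own configuration: an `include` of a file that does not exist in the target project is a configuration error that fails the whole pipeline, so roll the include out to projects that already have a `.gitlab-ci.yml` (or give the compliance project a rule that excludes the ones that do not). Keeping `compliance-job` outside any `rules:` that a project could override is what preserves the "code undergoes necessary compliance checks before deployment" guarantee; developers can add jobs through their own file but cannot remove this one.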
Policies in GitLab provide security teams a way to require scans of their choice to be run whenever a project pipeline runs, according to the configuration specified. GitLab supports the following security policies: scan execution policy, which we'll go over here shortly, as well as scan result policy. Scan execution policies: scan execution policies allow owners of groups, subgroups or projects to enforce scheduled or pipeline-based security scans by defining the policy at the group or subgroup level. The required scans are automatically integrated into the CI pipeline as new jobs, ensuring comprehensive security checks across multiple project pipelines.
So, let's go back to Tanuki Financial and take a look at scan execution policies. We'll go ahead and create one at the top-level group for Tanuki Financial that automatically checks for secrets across all branches. We'll click on Secure, Policies, and from here we'll click on New policy. Underneath Scan execution policy, we'll click on Select policy. We'll go ahead and name the policy "check for secrets", check for secrets across the board.
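The policy the video starts building in the GUI is stored as YAML in the group's security policy project, which is the "GUI or code" flexibility mentioned earlier. As an added example (not the video's own policy; the name follows the walkthrough, the description, cron schedule and second policy are assumptions), this is the code form of a scan execution policy that runs secret detection on every pipeline on every branch, plus a scheduled variant covering the "scheduled or pipeline-based" case the transcript describes:

```yaml
# Added example: policy.yml in the security policy project linked to the
# Tanuki Financial top-level group. Not the configuration from the video.
scan_execution_policy:
  - name: check for secrets
    description: Check for secrets across the board
    enabled: true
    rules:
      # Fire on every project pipeline, on any branch, so a secret pushed to a
      # feature branch is caught before it ever reaches a merge request.
      - type: pipeline
        branch_type: all
    actions:
      # Injected into each project's pipeline as a new secret-detection job;
      # projects cannot opt out by editing their own .gitlab-ci.yml.
      - scan: secret_detection

  - name: weekly secret sweep of default branches
    description: Catch secrets committed while the pipeline policy was not yet enforced
    enabled: true
    rules:
      # Schedule rule: runs even if nobody pushes. Cadence is a cron expression
      # (assumed value: Mondays at 02:00 UTC).
      - type: schedule
        cadence: "0 2 * * 1"
        branch_type: default
    actions:
      - scan: secret_detection
```

Because the policy is enforced at the group level, every project under Tanuki Financial, including ones added later, gets the scan job without any per-project change, which is the scalability goal from the start of the session. Changes to this file go through a merge request in the security policy project, so the "appropriate permissions" and auditing goals are met by controlling who can approve there rather than by trusting each project's pipeline file.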