From YouTube: GitLab Secure Stage Update
Description
Cindy Blake, Senior Product Marketing Manager, and Fernando Diaz, Technical Marketing Manager, present an update on GitLab's Secure Stage. Topics covered include DevSecOps solutions and strategies, how to best manage head-to-head comparison of our OOTB open-source analyzers, followed by a technical workshop.
A: Hi everyone, and thank you so much for joining us for another exciting installment of the Customer Success Skills Exchange. We are so lucky today to have Cindy Blake and Fernando Diaz with us. Today we are going to be talking about security, everybody's favorite topic. Specifically, we'll be talking about DevSecOps solutions and strategies, how to best manage head-to-head comparison of our out-of-the-box open source analyzers, and we'll be doing a little technical workshop, and then questions and answers. So I will put the doc into the chat.

B: All right, well, thank you. So I don't want to go over a lot of the material that was in the pre-work; Fern and I have kind of a rich list of content there. But what I'd like to do is just point out a couple of things that have either changed recently or are, you know, unique or different, just to draw attention to those.

B: So the first is, it's been a while since I've done a talk with the TAMs and the SAs, and our approach on integrations has improved even since earlier this year, and so we've got some integrations that have been done, that partners have done, like WhiteSource. Checkmarx is working on one, and there are others, and we have an integration page you can direct people to. If they say, hey, could you integrate with so-and-so? Absolutely, here's a page on what they need to do and how to do it.

B: The other is vulnerability management, which is somewhat new, and so you may have heard it referred to as standalone vulnerabilities, or vulnerabilities as first-class vulnerabilities. The idea is, it was re-architected a bit so that we could do vulnerability management and treat them more like a security person would, and what we're moving towards is the ability to do more risk management.

B: So we highlight the actual risk, not just the fact that you've got vulnerable code, but what's the likelihood of its exploit. Another key direction we're going is around policy automation, and so being able to set the policy: whatever your risk appetite is, set your policy to reflect that appetite and have GitLab do the automation. So you'll see some improvements coming out around how we do that.

B: If you haven't seen the slides that accompany that fuzzing topic, please look at it. I'm going to be adding this, I think, to the security overview deck. It shows how to position fuzzing; it's really about finding unknown things. Most of the scanning that we do is around known vulnerabilities, so: do you have anything that we know would be a vulnerability in your code? But fuzzing is really about finding things you didn't know to ask, and there's two ways of doing it.

B: The market may refer to these as black box and white box, meaning black box is you can't see inside, it's kind of hidden; it's a testing method where you may not really see the details. White box being more transparent. But we wanted to get rid of those terms, so we're calling them coverage-guided and protocol-based fuzzing, and those things are very complementary to the other types of scanning that we do. They're also proprietary through those acquisitions and will not be moved down to the lower tiers.

B: There's an external DevSecOps page and an internal page. This external page is solution/devsecops. It's going to get a new facelift here in the next few weeks; we're trying to make the pages more actionable and more marketing-ish. There's one already, before you go, you thought about, and then this internal resource page. We just, in fact I just had an activation team meeting, so all of the use cases or solutions, and we kind of use those terms interchangeably, are oriented around: we've got all these great GitLab capabilities.

B: Now, how do you package those in a way that aligns to what people are buying? And so for DevSecOps there's a set of things that people are looking for, and that is in this market requirement. So this resource page begins with an external, outside-in view. What are people looking for in the market when they have a project or a budget to accomplish DevSecOps, and they're trying to do security in a DevOps and agile environment?

B: What are they usually looking for? And this gathered that information together with that outside view, and then looked at: how does GitLab do that? So we take those outside market requirements and we say, how does GitLab deliver those? How does that align to our categories? And Fern has created these fabulous demos that go into a lot more detail on how to set them up, how to use them, what are the benefits. So I want to make sure that you know that those things are there.

B: Another thing I just added in the last couple weeks that I think will be particularly useful for this group are the discovery questions, and the way to read this is: here's like six questions to figure out what's their pain point, because different people do DevSecOps for different reasons. So they might be doing it because they want to remediate faster. They might be doing it for compliance reasons.

B: So this is helpful for you, as well as potential objections, and I want to dig in here for just a minute and make sure that you know things about a couple of the objections that we tend to get and how to respond to those. So the first is: I have an incumbent tool, I have Fortify or Veracode or whatever, and I want to know.

B: We do have one scan study that compares our Java static analyzer with that of Coverity, which is Synopsys, and Fortify, which belongs to Micro Focus, and so we've added that to those comparison pages, just kind of FYI. And I'm running over time here, so I'm going to wrap up real quick. The other thing is, we get into trouble, and have lately, with some misunderstandings around why we're a niche player in that Gartner Magic Quadrant, so I would encourage you to please, please, please read that blog.

B: We are a niche player not because our scanners are subpar, but because of our market. So you've got to remember that analysts look at our business strategy and our market in addition to the product capabilities. They put us as a niche because we're really intended for GitLab users. If you're not using GitLab for source code management, nor for CI, or maybe for anything else, it really wouldn't make sense to use GitLab's Secure capabilities as a standalone.

B: That's why we're in it. So, a couple of key points that I wanted to make sure I pointed out, and now I'm going to stop sharing. I need to turn it over to Fern here, because he's got some great technical demos and things that he wants to point out, and the first part I'm real excited about, because this is the first time we've really shown what we're doing around the Defend category. So Defend is starting to mature, starting to get some really cool products out there.
B
C
Thank
You
sandy,
we
have
a
chance
for
a
couple
questions
sure
so,
Cindy
really
good
to
see
you
DT
really
quick
and
sorry
fern.
You've
done
some
amazing
work.
I
love
your
videos
so
start
interrupt.
Two
quick
questions.
One
is:
do
we
have
on
any
other
languages
doing
that
like
comparison
of
our
scanners,
you
mentioned
Java
other
others
like
in
the
queue.
B
There
are
I'm,
not
sure
exactly
which
ones,
because
it's
kind
of
the
security
research
team
is
research.
Team
is
doing
it
and
it's
kind
of
taken
as
they
can
work
stuff
in
so
I.
Don't
I
don't
want
to
set
up
any
expectations
there.
What
the
way
I
positioned
it
on
those
comparison
pages
is
you
know
you
should
expect
that
other
scanners
would
be
similarly
compared.
So
you
know
we're
we're
pulling
in
open
source
scanners
that
are
have
been
proven
and
it
lots
of
people
are
using
them
and
working
on
them.
Yeah.
C
And
I
love
it
I
love
the
graph.
It's
it's
a
great
first
example.
If
there's
more
to
come,
I'm
looking
forward
to
it,
the
second
one
is
regarding
fuzz
testing.
When
we
think
about
guest
Earth's
are
fast
so
starts
fast.
We
have
been
evolving
over
the
quarters
of
language
support
for
different
languages
when
talking
about
asses
just
for
web
portals
through.
Oh,
oh,
what's
that
for
fuzz
testing.
Quick
question
is:
do
we
have
what
kind
of
constraints
do
we
have
for
what
fuss
testing
can
provide?
Is
it
like?
C
B
B
Do
we
want
to
do
the
API
question?
Fern
you've
got
an
answer
here.
D
Let
me
see
so
for
the
API
question
it
says:
is
there
an
API
that
allows
people
to
programmatically
export
the
report
into
the
for
dashboarding
tool
so
right
now
you
only
be
able
to
export
it
as
a
CSV
with
the
endpoint,
and
that
right
now
is
not
documented.
But
there
is
a
merge
request
that
shows
that
that
API
endpoint
is
available
and
you
can
make
requests
to
it
and
and
grab
the
CSV
file.
D: So, just to start the two topics: I'm going to start with our part of Defend, as Cindy mentioned, which means exactly how we protect the system and how we secure the system after the code has already made its way to production. So instead of catching the vulnerabilities, you know, before they go into the code and before they're in production machines: how do we defend the system after everything has already been merged?

D: Well, there's three things we have in place: one is the Web Application Firewall, one is the container network security, and the third piece is the container host security. So I'm going to go over a short demo that I've put together just to showcase how to install these tools and how to actually get some results from them. So let me go ahead and share my screen.

D: So, okay, can everyone see? Okay, so I've created this project, just so you're aware of it. It's called Simple Notes. It's a simple note-taking application that I created just to demo off all the different Secure features, so it's there in the pre-work. If you ever want to use it for customer engagement, or just to show off some of the capabilities or make demos, you're more than welcome to use this project. It's already been set up with, you know, a couple of different vulnerabilities within it, and really showcases our tools.

D: So once you're in this project, there's a few things that you need to do to set up container network security and container host security, and that's create GitLab Managed Apps. So this tells GitLab to install these applications on the Kubernetes cluster, and the ones that we need installed are Cilium, and we're also going to need Falco, and in order to display some of the graphs we need Prometheus, and we'll need Ingress to be able to, you know, just have a way to access our applications from the external world.

D: Template to the .gitlab-ci.yml, which is Managed-Cluster-Applications, and that'll tell GitLab to use that previous file that I showed you to go ahead and install these applications on a pipeline build. So once you have those two things in place, as well as a Kubernetes cluster that's linked to the project, and making sure that in the Advanced Settings, under cluster management project, you have your GitLab project selected. So once you have those three things in place, what's going to happen is the pipeline is going to run, and this is...

D: This is a pipeline which I created, which will build the container and run all these different static scans. It will deploy it to a staging environment and then run DAST on it. So I have a full security configuration, and what happens is everything that I showed you is going to be part of this apply phase, which will go ahead and install all the components and all the GitLab Managed Apps to my cluster. So now let me show you kind of what that looks like.

D: So if I do a kubectl get pods in gitlab-managed-apps, which is the namespace that GitLab creates, then I'll go ahead and see that Cilium was installed. I'll go ahead and see that Falco was installed, which is the container host security. Cilium is the container network security; Hubble is part of Cilium. And then we see the Ingress controller, Prometheus, and Vault, which I also installed, which is not part of this demo.

D: But you can see that all these applications were installed, and now what I'm going to do is go ahead and show you a little bit about container network security. So in the pre-work I did create a demo, so you should have access to this in case you want to see it. So what I'm doing here is I'm creating a network policy, which I have applied to the cluster, which says that incoming traffic to another pod can only come from a pod that has a label with access equals true. So, container network security.

D: Basically what it is is a Kubernetes firewall, and what it does is you can restrict traffic from different pods to different pods, or different containers to different containers. So you can make sure that containers that shouldn't be communicating out to the wrong containers don't do that, because that can cause a system to break or it can degrade performance, and also, if someone were to intrude and get access to one container, you don't want them to be able to have access to other containers within the namespace. So this is one reason why you apply

D: a network policy, and network policies have a variety of different rules. You can control egress, you can control ingress, and you can configure it via a whole variety of ways. So now we're automatically installing this, and we're giving the user the power to be able to configure their firewall however they wish and secure Kubernetes, which isn't secure off the bat.

D: So I've already applied this network policy to my Kubernetes cluster, and what I'm going to do is go ahead and get my service. So this is a service called notes-svc, and what it does is, yeah, it's a simple note service that just takes notes and responds with what the notes are. When I created the service, it was assigned a cluster IP, and that's the way that pods communicate internally within the namespace.

D: When I try to connect, you'll see that I'm not able to access that endpoint and it times out, and this is because in this container I don't have the label called access equals true. So I'm going to go ahead and exit, and now what I'm going to do is the same exact thing, but now you can see that I'm creating it with the label access equals true.

D: Now, it will involve some research into how best to configure an infrastructure, and that is up to the customer and their architecture. But we just need to let them be aware that it is a feature that we do provide off the bat, and it is a feature that we do automatically install in the cluster with the right, you know, templates added to the pipeline. So I just want to see: is there any questions so far on this topic?
D: Okay, so what this supports currently is, if I go to Security & Compliance and Threat Monitoring, and let's move this to staging.

D: Policies. You can see the policy here, but it won't actually show here, and we won't actually be able to edit it unless it's been applied through the CLI on the Kubernetes cluster. So yeah, I'll mark that. So it's a Kubernetes thing, and users will have to be familiar with Kubernetes in order to use this. Thanks.

D: So the GitLab feature is that we manage and install Cilium, which manages the network policies. That's one GitLab feature, and then the second GitLab feature is that you can see your policies via the GUI, but everything else has to be done via Kubernetes.

D: The main problem that this is solving, so there's two problems. The first problem is that, in the Kubernetes ecosystem, there's a lot of containers that can possibly communicate with other containers, right, and that can cause some unexpected behavior. So what you're doing is you're providing a firewall that locks down the communication between the different containers, so that way you don't have any unexpected behavior. So that would be one point.

D: The second point would be: since you are limiting what access containers have to one another, then you're also limiting, if anyone were to get onto the container for debugging, or if some malicious user were to get into a container and have access to one, they want to be able to access information from other containers. So, like, let's say I have a container called, like, Secret Bank Data, right, and let's say that there's no network policy towards that container, and then I have another container called Notepad, right.

D: Somehow, if there were no network policy set up, let's say, even though the Bank container was super restrictive, since there's no network policy set up, if I got into the Notepad container and it shares the same namespace, I can also use my access from that container to access the Bank container and then draw information from there. So it provides those two levels of security. It's basically a firewall, but internally.

D: We can see that it reports a bunch of different things that it's detecting within the container runtime, so, like, notice the namespace change, and notice another namespace change. So it has all these different things that it scans for, and what you do is you can set up rules for the alerting, and what will happen is something like Prometheus or Sysdig, or whatever tool that you're using for parsing logs and alerting, it'll send these logs out, and then you can set up different alerts for different things detected within the system.

D: Now this is not something I've had a whole lot of time to play around with. I am expecting to play around with it more in the future and see, like, the value that GitLab adds. Right now all we do is just install it, and within values.yaml, which is how we configure the application, we can add certain rules, and that's all I know about this. And if you look at the Falco documentation, these are a few of the things that it checks for, like privilege

D: escalation, which would be a very important one to see if you're trying to get privileges that you shouldn't have; that would be like a red flag, and that would alert the team and have the security team dive into why this behavior is happening. It could be a system breach. So it detects a lot of things. It outputs them to the syslog, and then from there some type of alerting or log management tool would pick that up and set alerts on it.
D: Make it easier on customers to kind of understand that it's not going to be so crazy or so tedious to migrate, that they can still keep their Jenkins pipelines intact and they can use GitLab for source code management. They can use our security features. They can start with everything, and they can slowly start the migration process, so they'll be able to still, with minimal overhead, use Jenkins to run,

D: you know, their build scripts; they'll use Jenkins to run their deployment scripts, but they'll have everything housed within GitLab. And it'll take some time to migrate, but it won't take as long as migrating all the Jenkins jobs over to GitLab; it'll just be kind of having a Jenkins job trigger a GitLab pipeline, or having a GitLab pipeline trigger a Jenkins job. So I put it in the pre-work, but there is a demo project

D: that's part of the GitLab demo system that shows how you can get Jenkins working. There's a video up, and there's also a blog that's scheduled to be released sometime next week. So a few of the things I want to go over is just kind of how easy it is to do this and how we can show customers. So here we have a pipeline which runs build, runs security scan, SAST checks.

D: If that security scan actually passed, like, if there were actually any vulnerabilities detected; and if there were vulnerabilities detected, then we don't move on, it'll be blocked, but if there weren't vulnerabilities detected, then we'll deploy. And the thing is that this build stage calls a file which calls a Jenkins pipeline. So build is actually coming from Jenkins. It's not really a GitLab job per se; it's a Jenkins job, so build is being called in Jenkins.

D: Then we're running security scans; after the containers have been built, we're running security scans, and then after the security scans complete, right now we're verifying: were there any vulnerabilities detected? So we're checking, hey, were there any vulnerabilities detected? So there was none found. Okay, we passed. Now we're going to call Jenkins again and actually deploy to the staging environment using Jenkins, and this external will show us the Jenkins job. So if I click on it, I should go to Jenkins env.

D: But essentially what this is doing is it's just talking to the Jenkins server, and it's just triggering a job to build with the job name that I pass in, and then from there it's just checking to see what the result of the job that I ran is, and then after a certain amount of time, after checking every two minutes to see if the Jenkins job was okay or not, it'll post the result to GitLab.

D: If Jenkins were to fail, then this pipeline right here would fail. So this would fail, or this would be a red X, and then what you would have to do is you would either have to go to Jenkins, because it could be an issue with the script in Jenkins, or you would have to check the script that calls Jenkins. It would involve a developer to troubleshoot.

D: So when you're in your Jenkins view and your Jenkins pipeline, there is what is a GitLab wrapper, which just tells GitLab to communicate with Jenkins, right. So I'd say, like, it tells, like, when the Jenkins job runs and finishes, it'll send a request to GitLab to notify. So it pretty much does this, where it sends the Jenkins job status to an external job. So that's what the wrapper does, if I'm correct about it being the same thing with, long ago, I was...

D: Do they have to install a plug-in? That's what I think you're referring to, the wrapper. They do have to install a plug-in, which is available under the Jenkins marketplace, and once that's installed, the video that I posted will go over, like, the different ways of actually configuring the server. It's pretty... once you install the plugin, once, you know, it's already applying to your Jenkins jobs, and then you have to add, like, a small configuration on each Jenkins job to connect it to GitLab.

D: Change, yeah, Mark, it'll be a minimal change. They'll have to just make sure that in Jenkins, it'll be like a click: like, you're going to go to their Jenkins job, they'll click a button that says "report to GitLab", you know, once this job has completed, and that's pretty much what they need to change, and maybe, like, another option. But the video highlights the changes that need to be done.

D: So I wrote one per job, but you don't have to write one per job, and it doesn't necessarily need to be a Python script. It could be a bash script, and depending on how you write it, you can pretty much write one script where, like, the job itself will be able to pick up what job needs to run based on what's the agent, so...

M: Sorry, sorry, but then my question is: if I'm a customer and I'm writing the script, then what integration is GitLab offering me? It's me making the script. It's me making the REST call. It's me tracking the result. It's me polling. It's me returning an exit code which fails the pipeline.

D: You're correct on that; there still needs to be some interaction. The benefit that the customer is getting here, and that's a good question, the benefit that the customer is getting here is that they can, even though they... I helped to write, let's say, how to write this Python script for the build job, and they can use the same script for the deploy job, just passing different parameters.

D: It allows them to be able to go back into Jenkins and see what the job status is via this little external endpoint, that's one thing, and it lets security scans be run, but you'll be able to keep calling Jenkins and using it. I mean, it requires some overhead, but it's just kind of to ease the customer in, like, hey, you don't need to move everything to GitLab, because you're already using Jenkins.
C: And, Fernando, I think I recall a video you just put out that, to my surprise and excitement, showed a pipeline where you can heterogeneously pull in Jenkins at different spots, and so you can still use GitLab as the source of truth for your code, but you might have Jenkins doing, like, the builds and maybe, like, the tasks, but you can still use us for the rest of the stuff. Great.

D: Yeah, so just take a look at the pre-work, take a look at the video, and then hopefully that blog comes out next week, and then you'll be able to show that to customers.

D: Let's see how much time. Okay, we got 15 minutes, so I'll make the next two things quick. So, air-gapped environments. What air-gapped environments do is they allow a customer with a very limited environment, and by very limited I mean in terms of network: it's an environment that has very limited connectivity or has no access to the Internet, and these customers typically would be a bank, or they can be different state departments, or whatever it be, and they just do not want any access to the outside world.

D: It's a very restricted system, and what ends up happening here is they still want to make sure that the containers within the system are not vulnerable, or that the application code that's being developed is not vulnerable. So how can that be done? So this is where we came up with air-gapped environments, and what air-gapped environments do

D: is they allow us to actually download the container images for our tools. For example, Bandit is the tool that scans SAST on Python, and what we're able to do is we're able to actually have these in our local container registries. So we'll have to push these images, and have them scanned beforehand, to a container registry with these copies and update it in a certain way. So this would be up to the customer.

D: We just offer the images, and we just offer a way of accessing the images within GitLab to actually scan your code in an offline environment. So that's pretty much the basic idea around that, and it is offered for a whole variety of different scans. So I'm planning on creating a video demo on this before the end of the quarter, so just stay tuned for that; it'll just be more information and more highlights on this.

D: But right now, within this page, you can see exactly what offline environments are and exactly how to set up different scanners using these instructions. So it's available for all five different types of scanning, and then from there I'll move on to the last topic, which is cool new features, just so I can leave some time for questions. One of the features is within the security dashboard, and it's this button here which allows us to export all our vulnerabilities as a CSV file.

D: So you should be able to see an exported file that contains a CSV of all the vulnerabilities and everything, and then from there it's up to the developer to parse this data however they need it, or do whatever it is with the data, or move it into a monitoring tool. But this is one new feature that we offer, and then the next important feature that customers would be interested in would be the merge request approvals.

D: So if you look at this merge request that I added, because there are vulnerable... merge request approvals for a vulnerability check, you can see, and license check is also applicable. So if there are any licenses which are deemed invalid, or there are any vulnerabilities detected within the system, the merge request cannot be approved unless someone from the appropriate team has approved them. So for license check,

D: if there is a license which has been blocked, then that means that one of these four people, let's say they're part of legal, or they're part of some type of legal security team, would have to make sure that this project can be used and approved. Same goes for vulnerability check: if a certain vulnerability is detected, then what ends up happening is that someone from the security team would need to approve; they're required before this can be merged.

D: So these approvals are set up in Settings, General, and you go to merge request approvals, and here you can set up vulnerability check, you can set up license check, and you can set up exactly who you want to be part of that group. So you'll add them based off of GitLab groups, and there's also a variety of different things that you can add, like the same person who submitted the merge request can't merge it, and it can't be merged by committers or by authors.

D: So there's different rules that you can set, and if you ever need to show anyone, this is highlighted within this video that's shown in the cloning feature section. So, yes, those are the main points I wanted to add in this discussion, and yeah, now I'm open to any questions and anything that y'all want to add and are interested in at all.
D: Let's go back to this. So if you look at the security and you look at License Compliance, this is what I was referring to, where I would add different policies around what licenses are allowed and what licenses are not allowed, and if there are any dependencies or anything within the project that detected any of these licenses, then the license check would block the merge request from being merged.

D: There's a way to make requests through strategic marketing. So you can make a request for a TMM, which is what my role in the company is, a Technical Marketing Manager. So you can make a request and then fill out exactly what you need, and then from there I can help out. Something great, I got an opportunity.

B: You know this in our prescribed way, and so that's kind of where we are with Checkmarx: they've done some things as a POV, and we're helping them redirect to make sure that it's done, because we want a consistent user experience. And so WhiteSource: if you google "WhiteSource GitLab", the actual instructions and details are on their page, not ours; we're asking that the other vendors take the effort of keeping that.

B: It's the same way. So we have an API that we didn't have; I remember, I don't know how long ago, but like a year ago we didn't have it, and Nicole and Sam have created a document on a handbook page that explains more prescriptively what the vendor needs to do. You can link to it, or you can get to it from that overall Alliances link that I've put on the pre-work.

B: Need Ultimate, because you need to be able to have those scan results in the merge request pipeline, and you need to have it in your dashboard. If they don't use Ultimate, what they get is a really ugly JSON file that they have to parse and figure out and do something with. So we are doing that integration level with Ultimate, and in fact, the way that WhiteSource has done it...

B: helps people have greater confidence in their findings, because if they run our open-source scanners and they run whatever existing scanners that they're using, and they can see that side by side, it's the same thing that ThreadFix is doing with the Denim Group. They've created a whole application that they sell to do just that, that compares results of different scanners to improve the confidence in the finding. So there's a side benefit there.

I: So, just going back to the documentation on Secure's integration, and also I'll link to the docs so everybody's got it. We don't make any reference here that this is all Ultimate, or we don't mention at all any type of paid version of GitLab in the docs, and yet in the first paragraph we say these results are then automatically presented in various places, make it last, such as the merge request widget and the security dashboard.

J: I think that value of getting it in front of developers. Cindy, one thing I just noticed recently, which I hadn't picked up before, was that the merge request security reports do not bubble up because they're not in the default branch, and that's a really helpful elimination of noise, so that developers have to deal with this stuff. And if you just dump an artifacts pile in there, the chances they're going to spend the time to wheedle through it and figure out if that's a duplicate report, all that other stuff, is just way low. So I think that the...

B: Gold. That would be wonderful if you could just share that, and, you know, let me raise this as a point. I'm sure y'all are coming up with ways of articulating things to your customers; you're probably doing things with demos and whatever. Please get those back to me so that I can help share those more broadly. You know, if you've got a great slide, I can bake it into the security overview. Well...

A: Hate to cut us off, but we are actually over time, but what I can do is, I think we definitely continue the conversation. So I would love anybody to go in and open an issue and detail exactly what you would like to see covered in a future session. We will be happy to have Cindy and Fern join us again and have another topic to focus on.