From YouTube: DevSecOps con GitLab
Description
GitLab lets developers and security work together in a single tool, which enables proactive security, or "shift left". This session will cover what GitLab offers, how scan results integrate seamlessly with Merge Requests, and how to use the security dashboard to manage the detected vulnerabilities.
It is being recorded, and the presentation that you can see on your screens will be shared by email in the coming days. Also, if you have any questions during the presentation, you can use the question and answer button so that we can answer them at the end of the presentation. We will have about 10 minutes to answer the questions, and I will also try to answer them as we go along in the presentation. Thank you very much.
So many software teams have been formed, and the number of software products, and also of teams that manage all these new products, has increased in practically all industries. At the same time, the number of tools that we are using on a day-to-day basis for the software development cycle has also been increasing, and there are many offers on the market. In a study from 2021 that you can access,
they came to the conclusion that this increase in the number of teams that develop software in companies, and in the number of applications within the development cycle, has generated an exponential increase in the integrations between all these tools of the development cycle. So, as we create a product, we have more tools, and we need to integrate these tools into our development cycle. This complexity is increasing, and the trend towards DevOps is also mentioned in the same report.
Then they go a little further into the past. Historically, there are basically two ways to deal with this problem of complexity and still achieve the business objectives. In the first example here on the left, we are showing what we call the dirt road, and there are still many dirt roads in Latin America. In this model the organizations have isolated tools and processes.
Each team that develops an application, each software team, defines its own rules of how to work. There is often a lot of manual handoff. There is a lot of redundancy in what each of the applications within the development cycle does and, as a result, there is very little collaboration, consistency and compliance between the teams. Each one goes its own way.
But these integrations are very fragile and the tools themselves are not very compatible, and what we do, as you can see here, is use digital duct tape: each one of them is integrated, and it becomes a big responsibility of the team to manage these integrations. A team that could be generating value in the main applications becomes a team that manages the integrations of the tools within the software development cycle. So what we believe at GitLab is that there is a third way, which is practically to replace
custom toolchains, with very fragile integrations between them, with a single DevOps platform, what we call the DevOps platform. This platform is a single end-to-end collaboration solution throughout the development cycle that allows all teams to contribute, and we believe, and it is proven, that it removes a lot of the burden of managing DevOps toolchains.
People and teams looking for DevSecOps implementations seek each other out and make an effort to shift left everything that is execution and detection of security vulnerabilities, with a lot of automation in mind. Here we see some of the common objectives of organizations as an example. For example, CISOs have to provide more simplified processes that are very transparent to developers and, above all, consistent. And a very, very obvious objective is to reduce the attack surface
that we have in our applications, to reduce security breaches by detecting vulnerabilities as early as possible in the cycle. Also, something very important that organizations want is to be consistent across all the multidisciplinary teams: with microservices, many teams are managing only a part of the applications. We need to apply both compliance and security policies, as well as consistent audits, throughout the entire organization and all the teams, and we have to achieve all this with predictable costs.
We cannot accept that every time we analyze an application, or part of the application, we are incurring costs without control, since many solutions charge for each analysis executed, or even per line of code. So these are the requirements that let us shift, as you will see below, all the automated security tests to the left, as close as possible to the developer, which is what GitLab is about.
So what do we need to do to shift security testing automation left, to the beginning of the development cycle? We need to automate the security tests, the same tests that security teams are doing manually today at the end of the process. They need to be carried out in an automated way, and that is what empowers developers to have visibility of what their changes are when adding new functionality to the applications, and what impact these have on security.
We also need to identify the vulnerabilities in the cloud-native environments where the applications are going to be deployed, and deploy them after the end of the process, and we must also do what we call continuous compliance, which I was talking about: creating a uniform policy throughout the entire company.
Those are some of the things we are going to look at today as an introduction. Security is something continuous; it cannot end in the same way as in the software development cycle we deployed before. Software was launched on a CD, for example, and the software lasted several years; that no longer happens. Today software changes very quickly. We are talking about new versions of code; for example, at GitLab, on the 22nd of each month a new version is released,
the launch of a new version of GitLab, and even on gitlab.com, functionality that is released in a new release on the 22nd is available on a daily basis for customers. So we are talking about multiple deployments per day, multiple updates to the version of our software on a daily basis. So why do organizations want to shift security to the beginning of the development cycle, to the left? It is a matter of cost.
There is a study here on the impact of how improper handling of application security scanners can impact the cost of remediation. We are saying that if, in the development stage here, the coding stage, we detect vulnerabilities that are added by the very changes that a developer is making, and we resolve them before they reach production environments, it is much cheaper than doing it in a testing environment, or even in a production environment, where there could be immeasurable impacts if a security breach is exposed
in a production environment and can be exploited by bad actors; then the cost of remediation is totally exponential. At every stage where we remediate the vulnerabilities that are detected in our applications earlier in the software development cycle, we are saving a significant amount of money, and we are also taking care of the image of the companies and their applications, since vulnerabilities that reach a production environment can be exploited through security gaps and have much more harmful consequences than those in the previous stages and the traditional model.
When we talk about security already being part of a DevOps platform, such as GitLab, when the shift to the left is done correctly and consistently across everything, we can develop and scan the code on each change, on each commit, or on each merge request, rather than doing a daily analysis, and in a transparent, automated way for developers, in the same context in which the developer is making the changes.
On a DevOps platform, all teams work on a single source of information and collaboration. We are even talking about happy compliance auditors, because we all have one place. Reporting is much easier by having everything in one place, and with that we are putting together a knowledge center and an information center on both vulnerabilities and audit events on the DevOps platform in our development cycle.
We already have a DevOps platform, but what does the DevOps platform have to include to be able to meet our clients' requirements regarding security and shift left? The results of the scans have to be automated and available to the developer at the moment they are writing the code, making changes, adding new functionality, solving a bug, creating value in every change, in every commit that they push to the source code. We have to make that possible.
We also have to have centralized management of all the policies, of all the security thresholds, of all the approval policies, so that when new code is added, changes that can introduce new vulnerabilities are covered. The platform must also be capable of integrating scanners that you already have, that companies have already standardized on, whether for pen testing or another type of security analysis.
It must be possible to integrate them within GitLab, but we are talking about a stronger and more consistent integration, where no distinction is made between GitLab's own standard scanners and third-party ones in terms of reporting and handling. It cannot be that third-party scanners report in a different way. We are talking about consistency, integration of third-party scanners into a policy, with the results shown in the same way as the scanners of my platform. And the most important thing to say, lastly, is that we always talk about cost.
The cost has to be independent of the number of applications, the number of teams that we have, the lines of code of our applications. So we cannot incur, and we cannot have, a lack of control, and it has to comply with all of that. So these are the requirements that our clients have. Now we are going to talk a little bit about what it means to shift left in the development cycle, to the beginning of the development cycle. Security, then, with traditional application security tools:
once the developer makes changes to the repository, it triggers some continuous integration tests, with unit tests, for example. A merge is done, and once the merge request is complete, they take the changes to the next environment and automatically trigger continuous delivery or continuous deployment, and once a deployment is made in an environment, tests are executed, either pen testing, fuzzing, dynamic tests, etc.,
on the application in production by the security team, and the security team can take several days to execute the tests, or even weeks, to give feedback to the developer. So this application will go through other changes; the application in a production environment will go through the security reports, and that takes days or even weeks. But why? Because it is done at the end of the development cycle. Developers
usually also have some automated tests, either in their local development environment, that can generate a report of some vulnerabilities in the source code of the application in general, but in particular they do not have the intelligence to know whether the detected vulnerabilities are really associated with the changes that the developer is proposing to the source code or not, which complicates determining the developer's responsibilities.
What GitLab does is automate the software factory with automatic scanners that empower the developer to determine that some vulnerabilities are being introduced by them directly due to their changes, and give them the tools to resolve them before taking the changes to production environments, with the necessary policies to focus on exceptions and not on vulnerabilities en masse, because the developer can already resolve many of them before they reach production environments.
What we call the workflow: I want to clarify that it is not a pre-established recipe or a mandatory branching strategy, but rather a recommended end-to-end process where everything begins with an idea, a planning stage, well before the developer is making code changes. We are generating an idea of a new functionality.
I am taking changes to the repository, and that is where we create, after the issue is associated with the work, a development branch, a feature branch or a bugfix branch, and with each change, with each commit that the developer pushes to these branches, the automated processes of continuous integration run, which can be unit tests. And here we also do what is already the shift left, the movement to the left of the automatic security scans, directly in the developer's work context, which is the merge request.
Automated unit and security tests generate a report that is available in the merge request, so the developer, in the work context, has access to them and can already take action and make new changes to correct any problem that is detected, be it a functional problem or a security problem. And you are not only working alone, but you can
start working with other developers right from here, with the security team, with the operations team, to review code and collaborate to improve the code in the merge request. Then it generates all the data from the security reports. The threads of all the collaboration between the teams also keep records of how certain problems have been resolved, so it's like a library that developers will be able to use to solve the same problems as other teams.
So with that you are left with a knowledge base, and we move on. Once we have the collaboration and review and it is ready, you can do automatic deployments in a review environment for the execution of specific security tests that require a running application, and with all these reports we can also proceed with the approvals. These approvals can be dynamic, and by dynamic I mean certain
approval thresholds, so to speak. If, say, the scanners detect critical vulnerabilities, I need ten or fifteen approvals before moving on to the next step. If you do not detect any new vulnerability incrementally, I do not need the approval of the security department, but I do need the normal approval.
We are going to explain more details from now on. We have the context of the security reports in the merge request for the developers, and the security reports and flows already in the context of my default branch, so the security team can follow up on all the remaining ones by exception.
With integrated security scanning, the developer has access to the reports directly in the merge request, since the results of the scanner, and the vulnerabilities in them, are directly related to the work he did. For example, a new library was added in those changes and that library has security vulnerabilities; in the merge request, well, I will have access to those reports.
The vulnerabilities are shown directly in the flow, in the developer's context, in the natural workplace, which is the merge request. So the developer has access there to make everything that happened visible, and also has detailed information on how to solve the vulnerability, and also, by having a review environment, the tests can be run there. It's shifting to the left.
The security team sees the vulnerabilities that the developer is already detecting here in the changes, because she is resolving them as the one who has access to the reports, and I am going to show you what that looks like. The security team is already going to have visibility of the security vulnerabilities that the development team is not able to solve.
So we are talking about development teams and security teams. How is it that security and development teams work on the same page, really work as a single team? It is by addressing the security vulnerabilities found in the same way as bugs in the code: when a bug is in a branch, in a development branch, I solve it before taking it to the production branch.
All working in the same context of the merge request, then, to scale the security function to developers, enabling them, empowering them, to solve a vulnerability at the moment it is introduced. Vulnerabilities that cannot be resolved can be treated as exceptions, but that does not mean that they will not be followed up. I have a bug, I have an application failure, and I have to start the planning process to solve it; with a vulnerability, exactly
the same thing is done, and this level of integration that I am talking about is possible on GitLab, because we are talking about a DevOps platform for the entire development cycle, and also with the tools that developers already use to deliver more secure applications, since we're not reinventing the wheel either. Many of the security features that I am going to show you are already tested and provided by the industry. Which are these?
Security scanners are, for example, static security scanners to detect vulnerabilities in the source code; dependency scanners to detect vulnerabilities in the dependencies of our software, not only in our source code but also in its dependencies; detecting secrets that for some reason were introduced in the source code and are there and can be exploited by bad actors; and license compliance.
For example, we are talking about needing a running application for dynamic tests to be possible. It is possible to do it with GitLab, and we even add an authentication layer to access applications, for applications that require user authentication, so the tools are quite complete. And here you can see a type of fuzz testing.
There are two, with a small difference between the two: one is done through the API, and the other is done in a controlled test environment of the application. Fuzz testing scanners are the only scanners that require configuration in the source code, by which I mean that they are like unit tests, but for security, which I can detect with fuzz testing, or even detect zero-day vulnerabilities. I will explain this a little more in detail. So this is what an automated pipeline looks like.
The review application in this pipeline that is running is deploying an application in a review environment with some code changes that are introduced by a developer, and the tests run against it. Our fully functional deployed application is tested before the code leaves the developer's workbench. I don't need to go to the end of the process flow, since the process deploys an environment that I am already testing with each commit.
That reports to me directly in the merge request. It shows me the vulnerabilities in this way, then, in each piece of code that is tested at the time of the commit, and there is no incremental cost. The developer can right now take action on each of these vulnerabilities: create an issue for a follow-up, dismiss it and comment why. And I want to clarify that by dismissing it, the developer does not... It does not mean that it will pass the approval group.
It is only to communicate that I, as a developer, think this detected vulnerability is a false positive, for example, or I think that it is being remediated at another level, at the network level, for example. Leave a comment so that the tester can decide whether or not it passes, whether there is an exception or not. So the developer dismissing it in the merge request does not mean that it will go to the next step, but that I am leaving everything documented.
Here is an example of a vulnerability that I am detecting, and I also have here the ones crossed out, or those that are marked with a green check: those are vulnerabilities that, with these changes, are resolved; that is, they were previously in the source code and, thanks to these changes, I am solving them. So, as a developer, if my job was to solve a vulnerability in a production environment, I will have a merge request to be able to detect, and have a report, that those changes that I am producing are really resolving that vulnerability.
Going a little deeper into the detail of the vulnerabilities, how is it that the developer can resolve them? It is because, by directly clicking on one of them, I can have additional information and even help for the solution. Here what I can do is, as I told you, dismiss it, leave a comment, which does not mean that it will go to a later environment without approval; it means that I am giving information about why I think it is not a vulnerability, or create the bug to start the dev cycle.
I am creating an issue in the same way as I would create a bug, and I can directly go to change the code that I am introducing in the merge request, and I have all the information about where it is receiving these vulnerabilities from, where they are being generated: what the project is, what the identifier is, etc. I have all the information on how to resolve the vulnerability that I am introducing.
These are shown, for example, in the security dashboard, where you can see here that I am not only seeing the vulnerabilities of a project, but I am seeing a level designed for security directors, for the CISO, or for a security team that manages multiple projects. Here I can see aggregated metrics at the group level of all the projects, and I can prioritize with a rating, and we have a rating from A to F. I have two projects with F; what does it mean? They have critical vulnerabilities, which helps me a lot as a security director to prioritize projects that have an attack surface because they have critical vulnerabilities, and this helps me plan and prioritize. And then I have the vulnerability report, where I also have reports of multiple projects: the vulnerability report from the execution of the scanners on the default branches. So we are talking about security vulnerabilities that, for some reason, have already
been merged. Then, scheduling the execution of the scanners on the main branch, I can always have updated data, and here I have all the data to prioritize, to assign and to plan, and determine which are the detected vulnerabilities, as well as the file and the line of code where they were detected, which I have to work on to solve it.
A real vulnerability is real and I'm going to remediate it, and I can also mark it as resolved for some reason: remediated in the network layer and not in the application layer can be an example. But everything is recorded and becomes a knowledge center, so that in case the same vulnerability is detected in other projects, we know how it was resolved in the other one. Then we have the tools to move faster, so that all the necessary measures can be taken within each vulnerability, even starting the development flow.
Samuel al recto Enríquez asks me: how can you control when a project, a codebase, is more than 10 years old, with those errors and vulnerabilities? What strategies can be used, or what if the team does not want to be responsible for those errors and vulnerabilities? Well, if the team does not want to be responsible for those errors and vulnerabilities, I think we are, as we say here in Paraguay, fried. Someone has to take responsibility for those vulnerabilities, and I am just going to go to what is
in the reports. First, we have to have visibility. We cannot sweep security vulnerabilities under the rug and pretend that they are not there; if they were detected, they are there, and even if we do not know that they are there, if some breach happens, for the development team, the security team, or the entire company, there is a very big security risk. So the issue is the same as with errors in the software: detect as many as possible, plan, prioritize and solve them step by step.
Everything cannot be solved in one day. Hopefully it could be. So then I look at what the site shows me here, and it gives me, for example, the rating, which helps me to prioritize. I have certain vulnerabilities and I am going to focus on the most critical ones in the projects that have a rating of
F. If I have hundreds of projects here with an F rating, I am going to go a little more in detail and focus on critical vulnerabilities. Well, then, in each sprint of rapid iteration, I have to treat these vulnerabilities like a bug in the software, so I hope that with that I can answer: they are incremental improvement processes, step by step, depending on the amount of resources that I have. But I cannot answer about the vulnerabilities below; I have to enable the right tooling, and that is what we have
for the entire cycle, a single DevOps platform. Once you include the security scanners in the pipeline in an automated way, the security reports that I am showing you here are automatically available. I only have to send... and that is just one very interesting question. So I usually run a security test and send it to the team by email or by some internal tool. With GitLab, you no longer need to send them.
The security team already has access to the repository, to the same place where the code is, and has access to the vulnerability reports. They have access to the history of the vulnerability response, so I am no longer sending the security vulnerabilities to the security team, but we are all working in the same place with the same visibility. And when I say the same visibility, it depends a lot on the role they have, because a developer can see a vulnerability, perhaps depending on the configuration of a project, but not at the
group level. If I am a member as a developer of a project, I can see the vulnerabilities of a project, but not of the entire group, while security people, having higher privileges, can have access to reports of multiple projects at the same time. Then, automatically summarizing: the security reports are automatically updated with the scheduling of the security scanners in the pipelines, and those of the security team working on the same DevOps platform have access to these reports automatically. They have to access the project, access the group, and follow up on vulnerability reports.
There are other webinars that explain how to configure a pipeline. In this case, I assume that you already know how to configure it: it is configured in a YAML file, `.gitlab-ci.yml`, in the root of the repository, and, for example, to add analysis, all you have to do is include a template, and the security side is managed by GitLab; that is, it is managed by GitLab, not by you.
What I am going to share: these are the tools that are recommended to integrate. When I say integrate in this case, I am saying enable, and in GitLab it is integrated by default; you have to add it to your pipelines in a simple way, as I showed you before, and you already have these security tests in the pipeline. Some other recommendations would be, for example, to configure approval policies depending on whether vulnerabilities were detected and their criticality within a development branch.
One context is in the ephemeral branches, which can be a feature branch or a branch to resolve a bug. The checks in the report on the main branch, or rather the report on all the branches that are not the main branch, you have access to in the merge request. Why? Because before, I am running a pipeline in the branch, the feature branch, so the results of the security scanners that are executed in branches that are not the default one, I have them in the merge, well, directly in the merge request.
I recommend you use the built-in scanners as much as you can. They are very good in that we integrate many open-source tools, but we don't integrate them directly and leave you to manage them; GitLab is in charge of managing those integrations by default, transparently for all of you, and we take care that with each version the integrations don't break. So there are open-source tools inside our scanners.
So if there are no more questions, the time has come to finish the webinar, but there I was reading one last question that says: can you install GitLab locally having a subscription? If we differentiate between subscriptions and licenses, when we talk about subscriptions, we are talking about having a gitlab.com account in the cloud, on a managed instance run by GitLab, and there you can have a Premium, an Ultimate, or a free version.
You don't need to install anything, and the same subscriptions apply to the licensing when we have it in our own installation, either at your cloud providers or in your own infrastructure, on a Raspberry Pi; I think that is a bit of a stretch. So yes, you can have a local installation of GitLab having a subscription, either Premium, Ultimate or free; there are those options, either with a SaaS subscription or with licensing in your infrastructure, managed by you. So that's all for today. I hope it has been helpful, and we'll see you next time.
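As an added example (not GitLab's code, and not part of the webinar), the script below models what the merge request view described in the talk does: it diffs the security report of the default branch against the report from the merge request branch, so the developer sees only the findings their own changes introduced (and the ones they fixed), and it gates security approval on new findings at or above a severity threshold, while pre-existing findings stay with the default branch to be handled by exception. The report shape is a simplified version of the GitLab security report JSON (a `vulnerabilities` list with category, name, severity, location and identifiers); the fingerprint scheme, the threshold values, the widget wording and the sample findings are this example's own assumptions, not GitLab's implementation. Note that, as the speaker says, a developer's dismissal is recorded as a comment for the reviewer and does not bypass the approval rule, so this gate deliberately ignores dismissals.

```python
"""Merge-request security gate: diff two simplified GitLab-style security reports.

Added example, not GitLab's own code. The report layout is modelled loosely on
GitLab's Secure report JSON; the fingerprint scheme, thresholds and sample data
below are assumptions made for this example.
"""
import hashlib

# GitLab's severity labels; the numeric ranks are ours, used only for thresholds.
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1, "Unknown": 0}


def finding(category, name, severity, file, line, cwe):
    """Build one finding in the simplified report shape (constructed data)."""
    return {
        "category": category,
        "name": name,
        "severity": severity,
        "location": {"file": file, "start_line": line},
        "identifiers": [{"type": "cwe", "name": f"CWE-{cwe}", "value": str(cwe)}],
    }


# Constructed sample reports; not the output of a real scanner run.
BASE_REPORT = {  # scanners run on the default branch
    "vulnerabilities": [
        finding("sast", "SQL injection", "Critical", "app/db.py", 42, 89),
        finding("secret_detection", "Hard-coded credential", "High", "config/settings.py", 7, 798),
    ]
}
HEAD_REPORT = {  # scanners run on the merge request branch
    "vulnerabilities": [
        # Same secret as before, but an edit above it moved it down two lines.
        finding("secret_detection", "Hard-coded credential", "High", "config/settings.py", 9, 798),
        finding("sast", "Cross-site scripting", "Medium", "app/views.py", 88, 79),
        finding("dependency_scanning", "Vulnerable dependency", "Critical", "requirements.txt", 12, 1395),
    ]
}


def fingerprint(v):
    """Hypothetical identity of a finding: category, primary identifier and file.

    The line number is left out on purpose, so that unrelated edits that shift a
    finding down the file do not make it look "new" in the MR (or "fixed").
    """
    ident = v["identifiers"][0]
    key = f'{v["category"]}|{ident["type"]}:{ident["value"]}|{v["location"]["file"]}'
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def _ordered(findings):
    # Most severe first, then by name, so results are deterministic.
    return sorted(findings, key=lambda v: (-SEVERITY_RANK.get(v["severity"], 0), v["name"]))


def diff_reports(base_report, head_report):
    """Split findings into new (only in head), fixed (only in base) and existing (in both)."""
    base = {fingerprint(v): v for v in base_report["vulnerabilities"]}
    head = {fingerprint(v): v for v in head_report["vulnerabilities"]}
    return {
        "new": _ordered(head[k] for k in head.keys() - base.keys()),
        "fixed": _ordered(base[k] for k in base.keys() - head.keys()),
        "existing": _ordered(head[k] for k in head.keys() & base.keys()),
    }


def approval_decision(diff, min_severity="High"):
    """Return (needs_security_approval, blocking_findings).

    Only findings that are new in this MR and at or above min_severity block.
    Pre-existing findings are tracked on the default branch by exception.
    Dismissals are not consulted: a dismissal is a comment for the reviewer,
    not a bypass of the approval rule.
    """
    threshold = SEVERITY_RANK[min_severity]
    blocking = [v for v in diff["new"] if SEVERITY_RANK.get(v["severity"], 0) >= threshold]
    return bool(blocking), blocking


def mr_summary(diff, min_severity="High"):
    """Text a merge-request widget could show (structure only; wording is ours)."""
    needs, _ = approval_decision(diff, min_severity)
    lines = [f"Security scanning: {len(diff['new'])} new, {len(diff['fixed'])} fixed, "
             f"{len(diff['existing'])} pre-existing"]
    lines += [f"  + {v['severity']:<8} {v['name']} ({v['location']['file']})" for v in diff["new"]]
    lines += [f"  - {v['severity']:<8} {v['name']} ({v['location']['file']})" for v in diff["fixed"]]
    verdict = ("Security approval required" if needs
               else f"No new findings at or above {min_severity}: normal approval only")
    lines.append(verdict)
    return "\n".join(lines)


if __name__ == "__main__":
    print(mr_summary(diff_reports(BASE_REPORT, HEAD_REPORT)))
```

Running the script shows the merge request introducing one Critical dependency finding and one Medium XSS finding, fixing the SQL injection that lived on the default branch, and carrying the hard-coded credential over unchanged even though its line number moved; with the default `High` threshold, only the new Critical finding triggers the security approval requirement.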