From YouTube: Hands-On GitLab DevSecOps Workshop
Description
In this workshop we focus on how you can secure your application with GitLab. We will first take a look at how to apply scanners to your CI/CD pipelines in a hands-on exercise so that any vulnerabilities are caught as soon as the code is committed. Next, we will look at compliance frameworks and pipelines to show how you can ensure no one within your development teams is cutting corners and exposing your application.
All right, welcome everybody, thanks for joining us today for our hands-on workshop focused on DevSecOps with GitLab security and compliance. We'll give folks at least another minute or so to trickle in here and get joined in, and while folks are joining in, I wanted to share some of the pre-work setup instructions that we'll also be walking everyone through this morning. I've got a QR code as well as the short link there.
If you want to go ahead and scan that or take a screenshot and grab the link, I'll also put it here in the chat for everyone to take a look at. These are the lab setup instructions for today's hands-on workshop, so let me go ahead and drop that here in the chat. So, like I said, thank you again for joining our workshop today. It's a hands-on workshop and we're going to be focused on security and compliance.
Ready? Let's go ahead and get started. Welcome everyone, we're here today for the GitLab Security and Compliance Adoption Workshop, focused on DevSecOps within GitLab.
Before we get started, I'm going to go over a few housekeeping items. If you're experiencing any technical difficulties, please submit your issues through the Q&A, and my colleagues on the customer success team here, Steve and Rasheed, are moderating the Q&A for any issues as well as any questions that you have throughout the presentation. You may also utilize the Q&A feature at the bottom of your screen. We do have a chat functionality; that's mainly for me to share information with you.
I know that there's a few more people that have joined since I just started talking here. I've got the lab setup instructions, the invitation code, everything that you'll need to get set up with your lab environment for the hands-on exercises later on in today's workshop; I just pasted that in there. But for full visibility, for everyone here to get the benefit of the questions that you're asking, or maybe get some insight on the responses to your issues,
you can utilize the Q&A function there. All righty, so my name is Chris Guitarte, I'm a senior customer success engineer here at GitLab, and after today's session please feel free to connect with me on LinkedIn. I usually take the time to share a post once or twice every week to highlight some of the key topics I'm discussing with my customers, as well as some of the key features and functionality that my colleagues are sharing, or key parts of our monthly releases
that I think our customers will find value in. I'm also sharing my GitLab profile, so you can see some of my latest contributions, and feel free to scan that QR code if you want to connect with me on LinkedIn to get quickly connected.
So before we get started, I wanted to introduce you to today's fictional scenario for our workshop. I want to welcome you to the team: today you're officially a part of a brand new startup that's creating a public leaderboard for the hit new racing game, Tanuki Racing. This groundbreaking new application has been developed and deployed in a beta release. However, developers are lost on how to make it secure.
For today's hands-on workshop I've got the lab setup instructions, the link and the QR code, so if you're just joining in, feel free to take a screenshot and scan that QR code or grab that link. I have had it present throughout the presentation as well, if you need it. All right, so let's go over to today's agenda. First, we're going to go ahead and get you set up with your environment with the lab setup. Then we'll talk about shifting left and how to configure our demo project within the sandbox environment to improve our security posture.
Next, we'll introduce compliance frameworks and compliance pipelines. We'll go over the configuration of how that works so that we can ensure good governance of our projects' pipelines. Next we'll be going through parsing the results; we'll be making sense of all the vulnerability findings from introducing all of the security scan tools by shifting left. Then in the next section we'll go through the SBOM and license compliance; we'll go through the software bill of materials, that's what SBOM stands for, and the license compliance information.
Finally, I won't go through this hands-on, but I just wanted to highlight that we'll provide instructions for you all to transfer all of the workshop course material back to your own gitlab.com account, so that you can continue to play with the content that you've started to explore in today's hands-on workshop.
So, to get set up we'll need two things. First, we'll need your gitlab.com account. You might have an existing account if you're a SaaS customer already, but if you're a self-managed customer, this is something you'll need to create before you get started. So if you have an on-prem instance of GitLab that you use within your organization, you'll want to go ahead and follow the lab setup instructions that are linked there in the top right corner to go ahead and create that account.
With that account, you will go ahead and access our GitLab demo provisioning system to utilize the invitation code that I'll be providing, to create a subgroup on gitlab.com, which is our SaaS platform. On that subgroup you'll be added as an owner; we'll give your SaaS account owner-level access to that subgroup, so you'll have full access to the Ultimate subscription for the next two days and for the duration of our hands-on workshop, so that you can take advantage of the DevSecOps, or security and compliance, functionality that I'll be showing you today.
So, first, to get set up, and this is kind of mirroring the lab setup instructions that I shared with you.
Those are the instructions that, if you've scanned that QR code or copied that link, will open up in a different browser. I'm walking through these instructions pretty much through the slides here, so I just want to give everyone the chance to either work through it at your own pace through the document, or you can follow along in these slides, whatever you're most comfortable with. So first, we want to go ahead and go to www.gitlabdemo.com.
The invitation code is the one that Steve has just repasted into the chat. I know there's quite a few folks that have just joined in, and you can find the lab setup instructions here. I can also repaste the instructions in the chat if you've joined in a little bit later. So the invitation code is there in the chat; we'll go ahead and copy that and go back to www.gitlabdemo.com. Again, we're clicking Redeem Invitation Code, and I'm pasting in that invitation code there.
That starts with the letter D. Go ahead and hit Provision Training Environment, and we're going to need our gitlab.com username. So to find that, we're actually going to go ahead and go to our gitlab.com SaaS platform. So again, if you haven't created a gitlab.com account, you'll need to do that first. I'm not going to walk through the sign-up process, but you can find those instructions on how to sign up within the lab setup instructions. If you're logged in already... oops, one second here.
I'm going to go ahead and just drop that in there and click Provision Training Environment. Great. So if you've gotten to the screen here, you should have a new subgroup provisioned for you. So I'll just walk you through this, and if you are just catching up with us, you can find the lab setup instructions here again. You'll want to drop the invitation code into www.gitlabdemo.com, click Provision Training Environment, and you'll get another screen with the two fields here, for the invitation code, already pre-filled out, and then the gate...
Just an example here in the screenshot. Okay folks, just another minute there to get set up with the lab environment, and if you don't have that SaaS account, please go ahead and create the gitlab.com account per the lab setup instructions. Then you'll be able to redeem your invitation code and provision your subgroup on our SaaS platform through gitlabdemo.com.
You should be somewhere similar to this. You'll have a different, unique identifier for your test group, but you'll have this uniquely assigned for yourself. I see that somebody has had a question there: if you have a 404 when clicking My Group, you may not be logged in on gitlab.com, so you may want to log in on gitlab.com first with the username that you provided within the provisioning process, and my colleague can also help you through the chat as needed.
So yeah, [unclear], you may want to go ahead and make sure that you've logged in on gitlab.com first and verify that. If you need to get back to your group, you could always go back to gitlabdemo.com.
Click Redeem Invitation Code, paste in your invitation code one more time, hit Provision Training Environment and type in your gitlab.com username, and that will get you back to the same group. It won't provision multiple subgroups for that unique username that you've provided there. So my unique username is he guitarte, and I'll always have this subgroup for today's workshop. So you could always go through that process again to get back to your subgroup if you've lost it somehow.
All right, so with that walkthrough of our setup process, hopefully everyone's got their GitLab environment set up for a workshop group. If you came in a little bit later, I've got the lab setup instructions in the upper right-hand corner of these slides for the initial sections of our workshop today, so you can always just reference that, pull that up on a separate tab and work through that at your own leisure.
Don't worry about trying to follow along with everything; we're going to be sending along the recording as well as the slide deck after today's live session, so you could work through this at your leisure, because you'll have access to the sandbox environment for up to two days after today's workshop. I see somebody's raised their hand; please feel free to drop your question in the Q&A, and we'll allow you to get your questions answered with help from my customer success
colleagues alongside me on the call. Thank you so much. All right, so now that we have our GitLab environment set up, we'll need to get ourselves set up with the workshop content. So for this we'll be forking the content from our workshop repository, and we'll be needing the fork of that workshop repository project for the coming hands-on exercises. So I'm gonna walk you through the forking process now. We want to navigate to this URL; I'll go ahead and provide this again in the chat.
It's that very last link there, the hands-on workshop instructions. You can navigate to that URL there, and what we want to do is open both of these projects in side-by-side tabs, as the issues themselves will not be forked. We're going to be forking the project into our sandbox group, but we still want to keep the instructions.
The source issues from the workshop project stay open in the separate tab as well. So first, to fork this cohort project, the security and compliance project, we'll go ahead and click that link to the issues listing page for this security and compliance project.
And then we're going to rename the project Workshop Project so we can clearly differentiate that among our tabs. In the namespace, we can select the namespace here if we click the dropdown and type in the unique identifier to quickly find the subgroup that was provisioned. So you can see I copied that unique identifier there, put that in the dropdown search box, and it automatically selected that. We'll leave the project slug at the default, leave the visibility level at private, and click Fork project.
So that should redirect us, in this current window or tab, to the forked project within our subgroup. Since I have it here open in a separate tab, this subgroup view, if I refresh it, you should see that project created there now, so you can click into it there. I'm going to go ahead and go back to my navigation here a couple of steps, just to make sure I get back to the issues for the GitLab security and compliance project, which are not going to get transferred over when we fork the project.
There, hit Confirm, and we'll see that the fork relationship has been removed. So hopefully you can follow along here. It's also in the lab setup instructions if you're just joining us; we've got it here in the upper right-hand corner as well as in the chat that I've provided to everyone. So that should complete the setup of our sandbox project within our sandbox group that you'll be getting hands-on with as part of our workshop today. So we can go ahead and go back to the workshop project overview.
Hopefully I'm going at the right pace; feel free to let me know either in the chat or in the Q&A. If you have any questions or have any issues that you've run into, my customer success colleagues will be able to help you out. And the issue list is contained in the source project that you've forked.
I believe one of my colleagues will be able to respond to you on sharing that exact location, and I'll put it here in the chat as well. It's the gitlab.com GitLab Learning Labs, onboarding, cohort projects, security and compliance project, and the issues list. I've put that link there in the chat, and hopefully somebody is able to help answer that question there.
And if you need to get back to the issues list from the source workshop project, it's going to be within Plan, Issues, within that URL that I pasted there. Right, awesome. Well, we're done setting up for our workshop. Hopefully that was just enough time; again, you do have the lab setup instructions to allow you to continue on at your own pace to get set up. I'm going to be going through some introductory material first.
So if you're still catching up with everything, just feel free to listen along and get the lab environment set up, and we'll hopefully get everyone caught up by the time we're getting started with the first set of exercises. So for this first lab, we're going to be shifting left.
So, let's talk about shifting left. Shifting left is a fundamental DevSecOps practice and helps discover issues within code much earlier on in the delivery value stream. This is rather than finding problems that are coming up much later on, after code has been deployed to your target environments or after your code is shared with your customers, where it can be much harder or more costly to correct.
Shifting left can take a lot of the unnecessary and often stressful heroics of those endeavors away and allow you to more efficiently utilize your time. So I'm sure many of you can relate to this and have probably heard this term a lot by now, but I just wanted to level set with everyone and give everybody a good foundation for what we're talking about today. Yeah, so here I've got some results from our GitLab DevSecOps survey that we ran in 2022.
We see that 57% of team members that responded to the survey had already shifted left with security or were planning to, and then 43% of security professionals indicated that they actually felt very unprepared for the future. And the stats on the left side here (oops, sorry about that) indicate that development teams are starting to utilize the shift-left mentality and starting to increase their security scanning tools within the development process. If you're interested, please feel free to check out that report.
Using that link, you can take a screenshot of this slide, or you can wait for the slides to come out after today's session, or scan that QR code. We've also got some more insight here on the right-hand side around some of the specific tools that our customers had started to implement.
So when you shift left, you're performing those security scans right within the developer workflow. So this is an example of the GitLab flow, where everything starts with an issue and a merge request is created whenever there's code that's being created on a feature branch and is being proposed to be merged into your main or default branch. So those changes are committed to that feature branch, and within your CI pipeline we're going to be introducing some security scan tools such as SAST scanning, dependency scanning and license compliance checks.
All of that will be happening within the CI/CD pipeline that's occurring in that merge request on the feature branch, before the merge happens to your main or default branch. You also have things like the review app and the discussion, the code review, that will also happen in the merge request, and if everything looks good, no critical or high vulnerabilities are found.
Approval may not be required, but with things like the scan result policies that we'll be showing you today, you may require that approval is required, or you block the merge if a critical vulnerability is found. If none of that is an issue, you can merge the feature branch, the issue is closed, and you've got
a new feature or a new development that's been applied to your main branch that should have all of those vulnerabilities tracked earlier on in your development life cycle, where you've shifted left by performing that activity earlier on. And this is an example of the GitLab flow that we're going to be going through today, so that rapid feedback is a key DevSecOps principle, and it's something that we'll be highlighting for you all today in the hands-on workshop. All right, so that's a brief...
I've got the original source project here, GitLab security and compliance, the issue tracker within that project, on the left-hand side window, and then on the right-hand side window I've got my sandbox project that I was able to fork, and remove the fork relationship from this source project, and that was forked into the provisioned subgroup as part of the lab setup instructions.
So do let us know if you have any issues or questions. I'm going to be walking you through these exercises, and feel free to follow along at your own pace. Again, as a reminder, we'll be providing you access to this sandbox environment for up to two days after today's workshop, so don't worry if you're falling behind. I want you to get the most out of today's workshop just by following along and then asking questions as we go through it. So go ahead and click issue
one, Shifting Left. We're going to go ahead, and the point of this workshop exercise is to... merge request to add these security scans and shift left within our CI/CD pipeline in this workshop project.
If you have this issue open in a separate window, either side by side or on a different monitor, once we're ready we'll go ahead, and in the workshop project in our sandbox environment we're going to go ahead and open up the main navigation and go to Build and Pipeline Editor. Here you're going to see the current setup of our CI/CD pipeline within our workshop project. It's
only a build stage defined, and the build job here. What we want to do is go and add in some security scanning to this pipeline. So let's go ahead and create a new branch to add these changes; we're not going to make these changes directly on main just yet. So we're going to go back into the main navigation in our workshop project and go to Code, then Branches, and we're going to go ahead and click New Branch.
So once that new branch is created, we'll see that reflected here in the repository view, and we've got the completed-pipeline branch selected. We want to go ahead and go back to the pipeline editor to edit the .gitlab-ci.yml file within the pipeline editor on the GitLab user interface. So we can go ahead and go to Build, Pipeline Editor in the main navigation.
On the page, at the top left of the editor view, you can do a couple of things here. You can open up or collapse this tree view of all the files that could be referenced in this file; so right now we're only working off of the .gitlab-ci.yml file, but as you'll see when I work through this, you'll see some other files referenced here. You can also see the branches that we're switching between in this editor for the .gitlab-ci.yml file that we want to edit.
There, but for the most part, we're actually just removing all of this and replacing it with what we have here in the issue walkthrough from our source issue tracker on the workshop hands-on exercise. So we're gonna use this handy copy tool to copy the entire contents here, select all of the pipeline here on the completed-pipeline branch and remove it, and paste in the updated pipeline. So you can see we've added a few different things here. I wanted to copy and paste it just to speed up the implementation of shifting left.
Quality is actually something that you can leverage in the Premium tier, or, I'm sorry, container scanning, code quality and dependency scanning are also in the Ultimate tier; SAST scanning is available in the Premium tier but is enhanced in the Ultimate tier; secret detection is something that's provided in the Premium tier but enhanced in the Ultimate tier; and then also SAST for infrastructure as code, which is provided in Premium but enhanced in Ultimate. So we're including all these templates to automatically add in the security scan tools that I just described here to our pipeline, and you can also see that, with those include templates, within this kind of preview we've got links out to those included templates.
If you click one of those templates that's included in, you can see the source code for that within the GitLab project, and if you want to, you could see the fully merged configuration in this Full configuration tab as well. So this is the full pipeline output, or .gitlab-ci.yml, that's merged in from all those template files once the GitLab platform has interpreted those include files. We can go back to the Edit screen.
We also have the additional jobs that we've defined here, or further elaborated on. So the build, we won't go into too much detail, but just showing you that we've added additional jobs here for the purposes of our workshop: we've got the build job, the unit test job, and some job definitions to override some of the variables or add some before_script
actions to the security scan tool jobs that are added automatically through these templates. Again, I won't be going through too much detail on these, but I just wanted to highlight that these are the things that we've been adding as we prepare to shift left. So now that we've copied and pasted that template in there from the source project, I'll go ahead and verify that everything looks good. Looks like everything matches with that copy-paste, and I'll go ahead and click Commit changes, but I like to update the commit message:
"Shifting left by adding security scan tools". It's not mandatory, it's optional, but it gives you more visibility into what you're changing here. Go ahead and commit changes, and commit that to the completed-pipeline branch. Right, so we should get a notification here that our changes have been successfully committed, and we want to go ahead and create that merge request, to actually merge in the shift-left approach, the code that we've introduced in this pipeline.
We're going to go ahead; it doesn't say Merge requests here, it actually says New, alongside the completed-pipeline branch in this row. Go ahead and click that button to create that new merge request. It takes the commit message as the title, so that's great; it makes that a little bit easier to understand what we're trying to do here, shifting left by adding those security scan tools. And then we want to make sure that we don't delete the source branch.
So you shouldn't see any merge conflicts, since we've simply just replaced that code there. You should see a pipeline kicking off if you click this hyperlink for the pipeline ID.
In this merge request, you can see the actual additional security scan tools that we've introduced within the test stage: code quality, container scanning, dependency scanning, infrastructure as code SAST scanning, secret detection and SAST scanning. So we're going to let this run, and we're going to move forward to set up our compliance framework pipeline in the next lab section, but we'll check back in a little bit to see the results of these scanners that have run in this merge request.
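The speaker pastes the completed pipeline from the issue rather than reading it out. As an added example, not the workshop project's own .gitlab-ci.yml, here is a project pipeline of the kind just described: a build stage, a test stage with a unit-test job, the GitLab scanner templates pulled in with include:template (which puts every scanner job into the test stage, as seen in the merge request), plus the two override patterns the speaker mentions, a variable override and a before_script added to a template job. The template paths are the ones documented for current GitLab releases; the Node image, the build and test commands, the SAST_EXCLUDED_PATHS value and the CS_IMAGE tag scheme are assumptions.

```yaml
# Added example, not the workshop project's own .gitlab-ci.yml.
# Assumptions: a Node project built with npm; image, commands and the
# SAST_EXCLUDED_PATHS / CS_IMAGE values are illustrative.
stages:
  - build
  - test          # the included scanner jobs all default to this stage

build:
  stage: build
  image: node:18
  script:
    - npm ci
    - npm run build
  artifacts:
    paths:
      - dist/

unit-test:
  stage: test
  image: node:18
  script:
    - npm ci
    - npm test

# Shift left: pull in GitLab's maintained scanner templates. Each template
# adds its own job(s) to the test stage and reports findings on the merge request.
include:
  - template: Jobs/Code-Quality.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/Container-Scanning.gitlab-ci.yml
  - template: Jobs/SAST-IaC.gitlab-ci.yml

# Tune a template through the variables it documents instead of editing
# the template itself.
variables:
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"   # keep test fixtures out of SAST results

# Extending a template job: reuse the job name and the extra keys are merged in.
# CS_IMAGE tells container scanning which image to analyse (assumed tag scheme).
container_scanning:
  variables:
    CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  before_script:
    - echo "Container scanning will analyse $CS_IMAGE"
```

Because the scanner jobs come from templates, the project file never has to name the analyser images or commands; when GitLab updates a template, the next pipeline picks the change up. Overriding `container_scanning` by job name is the same mechanism the speaker points at in the workshop pipeline: the template defines the job, the project file layers its own variables and before_script on top.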
If, for some reason, you don't see that pipeline kicked off directly in the merge request, you could always go back into the main navigation, go to Build, Pipelines, hit Run pipeline, switch the branch to completed-pipeline and hit Run pipeline again. So
we'll go back to that main screen for my workshop project and we'll let those pipelines run. And as a reminder: we've just gone through shifting left, creating a merge request to introduce those changes into the main or default branch, and we'll let those pipelines run for the merge request branch to show us some of the results of the vulnerability findings. Right, let me switch back to our slides here and I'll introduce you to our next topic within the second lab, compliance frameworks.
All right, so let's review. In shifting left, we were able to set up that security scanning by updating our CI/CD pipeline associated with our workshop project. You started that merge request, bringing the new shift-left security scan tools into the main branch with the merge request, and we'll leave that pipeline running in the background so that we can move on with this workshop.
So now that we've started to define a new pipeline for the security tests, we decide that we want all the developers to abide by security best practices as well. We'll be enabling a compliance framework on our project to ensure that the right jobs are run in the correct order, and also ensure that our developers can't skip a few steps just to push out a new feature when they're in a time crunch, so just to make sure that all of our developers are following security.
So what this means is, you can keep compliance alongside any type of compliance that your organization needs to align itself to. We've got a grid here of different compliance frameworks that you may be familiar with; I'm not going to go through all of them here, but I want to highlight that with a compliant workflow, and creating automation with that, you can enforce defined rules, policies and separation of duties and reduce overall business risk, utilizing some of these features that we've got in GitLab.
The compliance features can be applied to many different projects, making it really easy to maintain as well. You can think of it as like including a template, but instead of a template that can be overwritten, whatever's defined in the compliance pipeline and applied to a project through the compliance framework
can't necessarily be overwritten if it's clearly defined in that compliance pipeline that it's inheriting from. You can prevent developers from skipping necessary scans when they're trying to push out code. I mentioned that earlier on, but it's very important that you define the stage for all of the security jobs to run in, and then you've started to outline the security jobs that need to be included.
It's really customizable, as much as you want it to be; it's just a .gitlab-ci.yml file that you have essentially full access to and control over who has access to modify it, in that separate project that the compliance framework is assigned to and that the projects' pipelines will be inheriting from. So I'll go ahead and dive into that a little bit more in our hands-on workshop that we're going to be going into today, in hands-on exercise two.
So let's switch back into my secondary desktop here. I'm going to go into our issue tracker for the GitLab security and compliance workshop, or the project here, GitLab security and compliance, go to the compliance framework issue, and we'll go through these instructions together.
So we're going to be assigning, I'm going to actually be creating a compliance framework, going to be finding a compliance framework that's been already pre-created within our group structure that will ensure our pipeline runs the correct jobs in the right order. This is going to ensure our dev team won't be able to skip a few steps in the pipeline and potentially introduce a vulnerability to our main or default branch.
So, first, defining our framework: we're going to go ahead and navigate, in a new tab, I'm going to show you the compliance pipeline that's associated with the compliance framework that we'll be assigning. Open that in a new tab.
So it's a project called security and compliance CF, and in this we've got the .compliance-gitlab-ci.yml file, and this is essentially the .gitlab-ci.yml file that all of our projects will inherit. To understand that, we've got these default stages that can't be overwritten or removed: we've got a .pre stage, build, unit test and cleanup stages, and then we've also got a compliance job.
We can add default jobs that are always run for every single pipeline. So we just call this compliance job and it's running in the .pre stage, and it's just going to echo a message, just to let the team know in the job logs that the compliance framework has been assigned to that project. Nothing too complicated right now for the purposes of our workshop, but just something to show you how the inheritance works.
We've also got this section here to make sure that we still allow our developers to create custom configuration within their .gitlab-ci.yml file on each project. So this is mandatory to make sure that happens; you don't need to modify this, you can include this. This is part of our documentation on how to create the compliance pipeline.
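The speaker scrolls through the compliance pipeline file but the transcript does not reproduce it. As an added example, not the file from the workshop's security and compliance CF project, this is what a compliance pipeline of the kind just described looks like, following GitLab's documented compliance-pipeline pattern: fixed stages, a compliance job in .pre that echoes a message, and the mandatory include that pulls in each labeled project's own .gitlab-ci.yml so developers keep their custom jobs. The stage names follow the ones the speaker lists; the image, the echo text and the project path in the rules clause are assumptions.

```yaml
# Added example, not the workshop's own .compliance-gitlab-ci.yml.
# Stage names follow the transcript; the image, echo text and the project
# path in the rule below are assumptions.

# Stages are fixed by the compliance project. A labeled project's own
# .gitlab-ci.yml can place jobs in these stages but cannot reorder or
# remove them. (.pre is built in and needs no declaration.)
stages:
  - build
  - unit-test
  - cleanup

# Default job that runs at the start of every pipeline in every project the
# framework is applied to. Because this file is the root configuration, a
# project cannot override or drop this job from its own .gitlab-ci.yml.
compliance-job:
  stage: .pre
  image: alpine:3.19
  script:
    - echo "Compliance framework 'Security and Compliance Workshop' is applied to $CI_PROJECT_PATH"

# Mandatory section from the GitLab compliance-pipeline docs: include the
# labeled project's own CI configuration at the commit being built, so
# developers keep their build, unit-test and custom jobs. The rule stops the
# compliance project from including itself when its own pipeline runs.
include:
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_SHA'
    rules:
      - if: $CI_PROJECT_PATH != "example-group/security-and-compliance-cf"  # assumed path
```

When the framework is assigned to a project, this file becomes the pipeline's root configuration and the project's own .gitlab-ci.yml is only reached through the include at the bottom. That is why the speaker calls that section mandatory: leave it out and the project's build and unit-test jobs never run. Because the root configuration takes precedence over included files, a job in the project file that reuses the name `compliance-job` does not replace the one defined here.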
I just wanted to show you this, how this is created. Again, it's out of scope for us to create something custom for today's workshop, but if you want to explore after today's workshop, you're more than welcome to in your own sandbox group for the duration of your access to it. All right, so we want to go ahead and apply that pipeline through a compliance framework. So we close that tab and we're going to navigate back, not to the GitLab security and compliance project, but we're going to go to our workshop project.
That's a typo there in the instructions; I'm going to edit that real quick here.
Oh, you know what, I changed the compliance framework, and we needed a change here. Sorry about that. The compliance framework is called Security and Compliance Workshop; that hasn't changed, but the name of the project that you're working in should be Workshop Project.
So actually, that is a great way to highlight that you can apply the same compliance framework across many individual projects as you see fit within your organization; they need to align to a certain
compliance framework that you define, so that compliance framework could align to a specific compliance framework that you're working towards, such as SOC 2, FedRAMP, whatever you need, and apply it to that project. To ensure that things can be overwritten, you've got the appropriate stages defined in the right order.
A
You've
got
the
default
jobs
defined
as
well,
so
that
that
essentially
allows
you
to
assign
those
things,
but
for
today's
purposes
we're
just
calling
it
security
and
compliance
Workshop
compliance
framework,
and
it
has
that
compliance
pipeline.
That
I
was
showing
you
earlier.
So
that's
it
for
lab
exercise
too.
We've
just
gone
through
the
walkthrough
of
web
Appliance
pipeline
looks
like
and
apply
the
compliance
framework
to
our
Workshop
project.
A
So,
just
as
a
quick
recap,
we've
just
gone
through
putting
together
the
compliance
framework
or
reviewing
it
and
applying
it
to
our
Workshop
project.
A
So
that's
how
you
extend
the
default
or
the
the
project
gitlabci.aml
file,
the
CI
CD
configuration
with
the
compliance
framework
and
the
compliance
pipeline
that
gets
applied
to
that
project,
so
that
should
ensure
the
relevant
guardrails
are
applied
for
a
development
team
now
on
our
Workshop
project,
all
right
so
on
to
lab
three.
So
now
that
our
mergerquest
pipeline
is
completed
and
we
know
that
it
works,
we
want
to
merge
it
to
me
now.
A: You know, certain levels of vulnerabilities that are caught by our security scan tools, blocking a merge and assigning the appropriate approver to kind of validate whether or not that is a true vulnerability or a false positive.

A: So I just want to recap some of the security scan tools that we introduced. First, we've got static application security testing, or the SAST scan tool, so that SAST scanner analyzes the source code for known vulnerabilities that are included as part of the development process, as part of that source code.

A: Next we've got DAST scanning, dynamic application security testing, which analyzes your running application on an environment for known vulnerabilities by looking to kind of imitate the, you know, hacks or vulnerabilities within your live or running application. So that analyzes that copy of your built, deployed and running application. It looks for those known vulnerabilities that are accessible during the execution or running of your application.

A: So, you know, our vulnerabilities may not only come from the source code that we're building to write our application, but could also come from the containers that we're building and all the dependencies within that container. On a related note, we've got dependency scanning, so this scans project dependencies for any known vulnerabilities reported in any open source components that are included as a dependency as part of your software application. So with Python, with JavaScript, you include external project dependencies.

A: Next we've got license scanning. It essentially scans the licenses that are included as part of all those dependencies that you're including within your application, all those open source components: what licenses are defined in those components or dependencies, to help determine if you are compatible with a set policy. Maybe you need to exclude certain types of projects based on a policy that your organization needs to define.

A: We'll go through some of the setup process on how to create a scan or a license compliance policy in today's workshop. Secret detection is exactly what it sounds like: it just simply scans for any secrets that are committed directly to the source code. It makes sure that those secrets aren't there; if one is, you know, found in your source code, it highlights that within the vulnerability results and will allow you to, you know, potentially automatically revoke any GitLab tokens that are found, if it's a GitLab token.

A: All right, so that's just an overview of all the CI/CD scanners that we've introduced in shifting left. I want to also show you the scanners and stages, right, so I kind of went through this at a high level and we're briefly introducing the pipeline and the jobs that we introduced in shifting left, but our GitLab product can trigger the CI/CD pipeline under various conditions.

A: You know, pipelines usually execute when the source code is committed or a merge request is created and approved, but I wanted to show you on today's workshop, you know, essentially all the secure scanners are being executed as jobs during the CI/CD pipeline, and these are all run in the test stage of the pipeline, right after the build process completes and right after unit tests are completed. So what this does?
A: It enables the quickest feedback to the developer, right in the merge request, before a merge happens to the main or default branch and the deployment happens to production. And anytime they continue to commit changes to that feature branch, a new pipeline will kick off and we'll, you know, be able to review any newly introduced vulnerabilities or see if there's vulnerabilities that have been removed as part of that ongoing development process on the feature branch.

A: These are all things that you can review directly on the security tab within the pipeline view if you're an Ultimate customer, and in the sandbox environment you are using an Ultimate subscription, so you'll be able to kind of triage and kind of do that vulnerability management directly within the pipeline view and within the merge request. But if you're a Premium customer, those results will simply be provided in the JSON artifact that you can download or review directly in the GitLab user interface.

A: I just want to have a brief discussion on the policies. So one of the reasons lots of customers move to utilize security and compliance within GitLab is the ability to enforce security and license policies, security and license compliance policies, across all of their software development projects in their organization that are being developed on GitLab. So being in that single platform really gives us that, you know, kind of governance and single point of control over what's happening across our projects, and so with the scan result policy.

A: In other words, that's just a way for us to create merge request approval requirements, you know, make sure that we take action based on the results of our security scan tools. So, for example, we find a critical vulnerability, maybe a secret that's been accidentally disclosed. So, as I mentioned, we can make sure that approval is required.

A: We block the merge and we allow that notification to be sent out to that approver, and they can collaborate with the development team to get that, you know, revoked, removed and rotated accordingly. Scan execution policies are a little bit similar to our compliance frameworks and pipelines, where you can require, you know, certain security scans to run for your pipelines in a project, but it has some additional functionality, such as running on a specified schedule. So, you know, making sure that scans run on a specified schedule within the project pipeline.

A: So there's kind of key differences between the two. We're working on merging those features together to make it more of a unified experience, but we do have documentation that we'll be able to share with you after today's workshop to highlight some of those differences. All right, so enough with kind of the overview of how we're parsing the results and what we've been able to accomplish so far; we're going to go ahead and get into our hands-on exercise number three. I want to take a quick minute here to just poll the audience. How are you all feeling?

A: Do you need a quick break here? You think we're going too fast? Feel free to just let us know in the chat, you know, if you think we need a quick break. And it looks like you might need a quick break. So what I'll do is I'll queue up maybe around seven minutes, for us to meet seven minutes after the hour. Let me go ahead and get a timer set up here and we'll go ahead and jump right back into it.
A: We're just going to jump into our hands-on exercise number three and switch my desktop here. And I know that there's some Q&A here in the Q&A section; I'll allow my colleagues to focus on answering those questions for you all, and that way I can get back into the issues here in the hands-on part of the workshop.

A: We've got quite a bit of content to go through, so apologies, I won't be able to verbalize some of my responses there, but you're in good hands with Steve and Rasheed. All right, so we're going to go through and start parsing the results.

A: And then it looks like my pipeline might have failed here. So if yours had failed, you could always retry the pipeline; there's a retry button here, you can do that. I do have the first pipeline that ran and passed, and yeah, sorry about that. I think that would have been good to catch; I should have checked that while I was on my break here, but we can allow this to run. It should only take a few minutes here, and, you know, once that runs.

A: We should be able to see some of the reports below this approval section, which is still optional. Right now we don't have any approval rules set up through scan result policies yet, but once this pipeline finishes completing we'll be able to see some of the secure reports that are unique to this branch by introducing those security scan tools. I'm going to skip over this for just a few minutes here while this pipeline runs, so that way we can, you know, allow it to run.

A: Get the, you know, vulnerability results showing in the merge request, then I'll go through that step one again. We want to go ahead and skip step two as well, because that merge, you know, will not be able to happen until the pipeline succeeds.

A: So we'll skip step two, in my interface at least, but if you're able to follow along within your Workshop project, you may be able to follow these instructions kind of as it's described here. But I'm going to walk you through creating some of these scan result policies, these preventative security policies, to make sure that, you know, we require approval based on vulnerabilities that are found.

A: But what I want to be able to show you in the meantime, while this pipeline is running, is how you can prevent that from happening. So we'll go directly into step three, since this pipeline is still running, and we're going to go into Secure in the main navigation, and Policies, and we're going to go ahead and click New policy.
A: The description can be left blank, but you can add any additional details there if needed. We want to make sure it's enabled in the policy status, and in the rules section we've got different configuration items to create the scan result policy. For the scan type, we'll make sure it's a security scan; instead of all scanners, we'll clear that selection and select only secret detection, click out of that, and it will make sure that it runs from branches to the default branch. And we're going to say it finds any vulnerabilities that match all of the following criteria, and we're going to add a new criterion here, click that menu here and say severity is.

A: And click select all for all security severity levels, so we don't care what severity it is. We want to make sure that the criteria is all severity levels for any new vulnerability, or any vulnerability that matches this criteria of all severity levels, and the secret detection job within our pipeline.

A: And so what this does is it says that this is ready to merge, so we can go ahead and click merge.

A: We've actually, as part of that security scan result policy editor user interface and that form, created a new merge request in a different project in our subgroup called "Workshop project security policy project".

A: So all that configuration is stored as code here in GitLab security policies, and I won't go through it in too much detail. But I wanted to show you that all of that was stored as code in my test group, that sandbox project that we were provisioned during our lab setup, so that lives alongside our Workshop project, and that is where the scan result policy that we created within the Workshop project is being referenced from.

A: Perfect, so we see that license compliance detected eight licenses for the source branch. You can see the report here. So I'm just going back into step one here; I'm just going through some of the merge request widgets that are defined or created based on the security scan tools that we introduced by shifting left. So we've got a license compliance widget that shows all the licenses that are in use by our software project and some of the packages that reference it. You can click into it.

A: You can see some more details there, a more detailed license compliance interface, or the license and which packages are referencing that license. You've got the security scanning merge request widget, which you can expand here. You can see what SAST scanning detected: 25 critical vulnerabilities. Secret detection detected no new vulnerabilities, which is great. Dependency scanning detected no vulnerabilities, while container scanning found some potential vulnerabilities. You can always click through on any of these vulnerabilities within the merge request widget to get that modal view for the vulnerability finding.
A: If, for example, this is, you know, a false positive, or it doesn't necessarily apply to our implementation, you can add a comment directly in this interface too and just say: oh, not in our implementation, false positive, add comment and dismiss. And that'll dismiss it from the report and make sure it doesn't show up here.

A: So we'll go ahead and just merge this with all the vulnerabilities. We don't have time to, you know, mitigate or remove all those vulnerabilities as part of our workshop today; I just want to show you this process of how things show up and how you can start to review those vulnerabilities within the merge request and maybe even collaborate or, you know, dismiss them directly in the merge request. Let's say all of your work is done: you're ready to merge.

A: You can merge that into the default branch, and that'll kick off our pipeline to run the pipeline and security scan tools on the main or default branch, which should introduce all of the, you know, active vulnerabilities that will need to be reviewed directly from our Secure menu and security dashboard on the project level.

A: I'm going to go back to that main project page for the Workshop project. If you go to the main menu, Secure, and Security dashboard, you'll see all of the security vulnerabilities and their counts over time that have been introduced to the main or default branch. This is something that doesn't happen in real time; this is something that refreshes daily at 01:15 UTC, and so even though we'll have the pipeline run and we'll have all those vulnerabilities introduced to our main or default branch.

A: The security dashboard won't be able to show you all of that information just yet. You know, since you have access to the sandbox environment and project for the next two days, you know, by this time tomorrow you should be able to see those vulnerabilities reflected in the security dashboard. But I've got a link to a live example in the cohort instructions, the workshop instructions, as well as a video demonstration of the security dashboard functionality.

A: So you can view that at your leisure. Also, once our pipeline completes, we have the vulnerability report, which is kind of a great interface for doing triage and creating issues, assigning those issues to the development team members to start remediating those vulnerabilities and start proposing those changes to be merged into the main or default branch through merge requests to get those removed. And this is something that's actively updated for the latest vulnerabilities, the latest pipelines, and those vulnerabilities that are found on the main branch.

A: So once that pipeline completes we'll be able to see the vulnerability report, and we'll go back to that later on once that completes. But we can take a quick look here to see how that's going: go back to the main navigation, Build, Pipelines, see that it's running. So once that passes, I should be able to see, because it's running on the main branch.

A: You click that pipeline ID, you see all the security scan tool jobs there. Once those jobs complete successfully and, you know, identify all the active vulnerabilities in our main, default branch, let me go back to our Workshop project.

A: Go into Secure and Vulnerability report, and we'll be able to see all the active vulnerabilities that are live on our main or default branch in our application. So we'll let that run. All right, so we did step three; I skipped ahead a little bit here for the hands-on exercise to create that secret detection approval policy.
A: So now that we have that secret detection approval policy, let's go ahead and make sure it works. Go ahead and find your Workshop project; you can go back to the main repository landing page here, make sure you're on the main branch for your Workshop project, and we're going to click the Edit dropdown and choose the Web IDE. I'm going to directly edit one of the files here in our Workshop project to add in a simulated secret.

A: So we're going to go ahead and copy this secret here, and we're going to go to the run.py file. You can find that here in the Web IDE, and we're going to drop that in here between lines two and six. And you see the code suggestions functionality, which is part of our GitLab Duo suite of AI functionality, kind of auto-completing some of that.

A: It's enabled here for the sandbox group, but we're not going through that today; you might have seen that suggestion there. So I'm just going to go ahead and have that simulated secret committed to our project in this line four here, between lines one and two, on the previous line four, and we're going to go ahead and commit that to a new branch. So we're going to switch to this source control editor window.

A: So we have just created that simulated secret, accidentally leaked in our source code on a new branch. We're going to create a new merge request just by using this little pop-up to create the merge request here. So you've updated the file run.py in this merge request; we're going to go ahead and make sure "Delete source branch when merge request is accepted" is unchecked, and create the merge request for this change here.

A: And as you can see, because of that scan result policy that we created earlier, this merge request now requires one approval from the secret detection approval policy. Open that widget up, you can see the approvers for that approval rule, "secret detection approval policy", and the approver is Logan, my colleague on the demo team. And it's required that one of the eligible approvers approves that merge, and so right now the merge is blocked. So all the required approvals must be given before this merge can happen.

A: So that's exactly what we want to see, and as soon as we see the scan results, we'll let that run here in the background, and we'll jump right into it after I go through a brief overview of our next exercise. So let that run the pipeline for this next merge request where we've simulated leaking a secret.

A: Skip over that break, I put that at the wrong location there, but we've got this next section that we're going to be going through now. So just as a review, we did go through the scan result policies and, you know, reviewing the vulnerability findings in our merge requests. We didn't get to go through the vulnerability results yet that are showing in the vulnerability report on the main branch. Let me go ahead and just jump back into that right now, real quick. We might be able to see that now.
A: As you might recall, I did skip over the section of reviewing the vulnerability report on the project level because that pipeline on the main branch hadn't completed yet, but now it's completed, and so now it's fully populated here. So you can see the vulnerability report, how we can review these vulnerabilities, see the vulnerability page, the set of statuses for the vulnerability: needs triage, confirm that it's a true positive and we need to fix it, dismiss it, or.

A: Or resolve it, because maybe we know that it's verified as fixed or mitigated otherwise, maybe directly on infrastructure, or something like that. So we can do all that directly within the vulnerability report on the project level, and these are all vulnerabilities that are active based on the findings on the main or default branch.

A: So you can kind of see all that process there, and if you need to kind of customize this vulnerability report based on what needs to be done, you can see that we've got all of the vulnerabilities that need triage, vulnerabilities that are resolved, which are none because we just found all of them just now, filter into all statuses, which is not too helpful if you've got a lot of things going on. But you can kind of filter things as needed through the status dropdown, based on the severity.

A: Okay, so just to kind of give you some context here for why we're introducing the software bill of materials and license compliance: with so many high-level attacks appearing in many headlines, you know, most of the governments where our organizations are based out of have started to require a software bill of materials. You might decide for our organization in our fictional scenario that it's in Tanuki Racing's best interest to have these reports ready to go, so I can quickly check if we're affected by the next breach.

A: You know, heavily influenced by the SolarWinds fallout in 2020, when we saw that major breach when hackers compromised the SolarWinds product Orion. The result of that hack led to the Biden administration requiring software companies working with federal agencies to deliver a software bill of materials from the end of 2021 onwards.
A: The CycloneDX format is used to report on our software bill of materials in a machine-readable JSON format, and CycloneDX was created by the OWASP organization, the Open Worldwide Application Security Project.

A: So we're going to review and explore the GitLab-generated SBOM report, review the software dependency lists, discover which dependencies relate to known vulnerabilities, and download that report in that CycloneDX format to our local machine, allowing you to kind of manipulate that however you want. Let's go ahead and switch back to our hands-on exercise number four in our source project here, GitLab security and compliance. In the issues list, we'll go back to the issue tracker there and go to number four, software bill of materials reports and license compliance.

A: We can click through to see a few of the components, you know, kind of what components were detected, as well as some of the details of the specific vulnerabilities that are discovered related to that component.

A: That'll generate the SBOM report and download that to your browser's default downloads directory, and what we can do here is manipulate that file. I'm just showing an example here using jq. It's just a JSON file, but since it's machine-readable, we can make it even more readable using something like jq on the command line, and kind of see the full contents here and do some searches and, you know, queries directly at the command line. But I just wanted to show you.

A: So that's it for step one. I'm just wanting to show you how you can review the SBOM report directly within the user interface, as well as downloading that machine-readable CycloneDX JSON file to your local machine, and you can manipulate it from there as well and share it with your auditors if needed. So step two, we're going to go through license compliance.
A: So we're going to say status is: select all, either newly detected or pre-existing, because even if it existed previously, we don't want it to be included from here on out, not just the new components that are being introduced, but any components that may have been introduced previously. And let's see here, license is matching, and then select license types; we'll just do, in the search field and autocomplete, just MIT, select that. You can select one or many; for the purpose of our license compliance policy we'll go ahead and just select MIT here.

A: And then, similar to the previous rule or previous policy that we created, we're going to require one approval. And this could be useful if you have maybe a different team member that's more concerned around the, you know, license compliance; you don't have to select the same team member that you have for, like, secret detection or any of the security scan tools that need approval for finding a specific severity of vulnerability.

A: But for today's purposes, we'll still utilize Logan as our approver here. Go ahead and click Configure for the merge request, and I'll utilize the existing security policy project to make the additional changes for another scan policy that we added for the license compliance.

A: So now we're going to run a new pipeline for our merge requests. There will be a new approval rule based on this license compliance policy, and it will be added to prevent any software from being merged into our default branch using the MIT license, for any recent scans that have detected the MIT license.

A: So any future merge requests will flag those components as violating the license compliance policy that we created, and will require those components to be removed and replaced with an equivalent that doesn't use that MIT license before the merge can happen into our default branch. So that's it for software bill of materials and license compliance.

A: So, in the previous section's exercise we explored the SBOM information via GitLab's interface and allowed you to download that directly to your local machine. We were also able to quickly identify those problematic software components that violate our license compliance policy in our application, and we did set up that scan result policy focused on license compliance, to protect against the use of those software components with that MIT license.

A: If that MIT license was utilized, that would carry unwanted legal or business risk with our licensing model.
A: All right, let's go ahead and just jump right into the hands-on exercise, and I'll show you how some of those extra features work with the on-demand scans, audit events, and enabling the security education tools. Go back to the issue tracker within the source security and compliance project, click on number five, "on-demand scans, audit events, extra configurations".

A: You've got a couple different scan modes here, active or passive. Active, which simulates attacks against the target to find potential vulnerabilities, could actually be harmful to the target of the scan. So you may want to consider your options here between active and passive, and I would always recommend that you only run those DAST scans on a non-production environment, to, number one, ensure the stability of your production applications. You could be increasing additional load, and if it's an active attack, you can.

A: Introduce, you know, some vulnerabilities or, you know, take your application down. So definitely always focus on non-production or staging environments. Go ahead and hit Save profile. These are other options that you can configure here for the DAST scanning profile. And then for the site profile, we're essentially defining the target for the DAST scanner: go ahead and hit New site profile, call it "staging environment", say it's a website, and then for the target URL we've got a sample URL here that you can just copy in.

A: You can also include specific paths on that URL that shouldn't be scanned, if there's certain things that you don't want to be a part of that DAST scanning. And then you can control the request headers that are provided as well, to make sure that, you know, caching isn't involved or things of that nature, and you can also enable some basic authentication as needed. Save this profile here for the target site profile, and for today's purposes we're not going to run this scan; this is not an active application.
A: A specific time zone, and repeating either every day, every week, so on and so forth. But you can save those configuration items as a saved scan: disable the scan schedule and hit Save scan. You can see that here in the listing for on-demand scans, and it'll allow you to run it on demand based on the configuration that you provided, to run that DAST scan outside of the pipeline. This is just something that you can run either on demand.

A: Somebody with access to this on-demand scans page, or you can set it up to run on a schedule outside of the pipelines as well.

A: The next thing I want to show you; it looks like there's a question on how to record a login sequence in a passive scan. It's more of an advanced topic that you can customize by including a DAST scan within your pipeline and maybe only running that pipeline through the on-demand kind of user interface, or maybe on a manual pipeline run using the web UI. One of my colleagues would be happy to share some of that documentation.

A: There, I know, allowing you to customize the authentication for your application that might be required for the DAST scan to complete. But yeah, I've spoken to customers that maybe have some SSO mechanism in front of their application; you need to log in via the SSO mechanism. We've got ways to do that within the CI pipeline specifically, and making sure that the pipeline only runs maybe on specific events, such as the scheduled on-demand pipelines, or, you know, through a manual run, maybe with certain variables passed to it. All right, step.

A: Two: we're just going to look at the project audit events. Using the left-hand navigation menu, let's go ahead and go back to Secure and Audit events. While not necessarily directly related to vulnerability findings, this is a way to get a report on all the actions taken on our project for the past month.

A: You can see that there's things like adding the DAST profile, adding the scan result policies to our project, or removing certain things. You can see a full listing of what these audit events are by clicking this link here.

A: So this is maybe very important, to kind of be able to audit some of those activities or actions that have been happening within your project, and provide that to your internal compliance team for auditing purposes, and so on.

A: All right, for the last step here in this exercise five, we're going to configure the security training for our project. So to enable this security training, security education for developers, you can go back. I'm going to close this tab here for documentation, go back to our Workshop project, go to the main navigation, go to Secure, Security configuration, and click on Vulnerability management, and you can see the partners that we have for security training for the GitLab application.
A: You can enable one or many of these, and you can select one as a primary training. And this is when, you know, primary training allows, you know, one security partner to take precedence if there's maybe training for more than one of these.

A: But if there's training that's only available on one, kind of give yourself the option of getting the training provided from all of the available sources on our platform. All right, so just a heads up, you know, reviewing the actual vulnerability training and how that works within our partners is out of scope for today's workshop, but I just wanted to show you how you can enable it. And since you have the sandbox environment for the next day or two, if you don't have an Ultimate subscription, this is something that you can start to explore and see how it works. All right.

A: Now, it says highlight what you have to do next if you want to transfer the project. So congratulations, you've successfully done everything that we've asked of you, if you've been able to follow along in our hands-on workshop today.

A: You can follow the instructions, which are in the issue tracker in that source project where we've been doing all the lab exercises, for transferring the project. And I won't go through all this in too much detail here, but I wanted to share that these are all the instructions on how to transfer the project.

A: Just to recap this last section, we did explore the configuration of DAST scanning as an on-demand tool to scan a non-production environment, and the GitLab audit events viewer to review, you know, important changes that might be happening within our project and potentially share that with our internal compliance team, and also enabling those security education tools within the project. So I'm not going to go through the transfer steps, but I do want to caution.

A: Everybody, only transfer the project when you're done, because if you don't have an Ultimate license on the namespace that you're transferring the project to, you'll lose some of the capabilities that we've been able to show you today: the vulnerability report, the merge request widget showing all the vulnerabilities directly in the merge request, the scan result policies.

A: You know, all those features, the compliance framework, compliance pipelines. Those are all things, our compliance pipeline specifically, that are not included in Premium.

A: And so, as a reminder, you do have the next two days to be able to work within the sandbox group and sandbox project where the Ultimate license is applied, and, you know, once you're ready at the end of it, if you want to transfer your work, feel free to transfer that to your own namespace
on
gitlab.com.
A
All
right,
so,
let's
recap:
we've
got
about
10
minutes
left.
So
during
this
Workshop
we
explored
the
security
and
compliance
capabilities
that
gitlab
offers
to
your
organization.
We
looked
at
shifting
security
compliance
left,
reducing
the
delivery,
friction
and
catching
those
issues.
Earlier
on
in
your
value
stream,
we
set
up
a
compliance
framework
to
assist
with
enforcing
a
specific
order
of
stages,
enforcing
a
default
job
to
be
applied.
I
don't
know
if
I
actually
showed
that,
let's,
let's
go
into
a
workshop
project
here
and
let's
find
one
of
these
recent
pipelines.
A
I
want
to
make
sure
I
highlight
that
build
Pipelines
go
into
this
pipeline
here,
so
we've
got
the
dot
pre
stage
and
the
compliance
job,
which
is
the
default
job.
You
need
to
find
that's
important
to
highlight
because
we
ran
a
pipeline
after
the
compliance
framework
was
applied
to
this
project.
We
saw
that
this
new
job,
this
Default
job
is
not
included
in
our
pipeline.
Definition
is
actually
inherited
from
that
compliance
framework
compliance
pipeline.
You
know
outside
of
this,
this
group
hierarchy.
So
let
me
Echo
that
message
here
from
the
compliance
framework.
A
We
go
into
the
gitlab
ciml
file,
we
don't
have
the
pre-stage
and
we
don't
have
that
that
job
defined
from
our
compliance
framework.
So
that's
showing
that
in
action,
so
we
did
get
to
show
that
compliance
Frameworks
and
compliance
pipelines.
How
that
works.
A
We
learned
how
to
review
scanning
results
and
set
policies
on
them,
so
making
sure
that
you
know
any
critical
vulnerabilities,
such
as
the
secrets
that
it
might
be
accidentally
disclosed
in
our
source
code,
are
not
accidentally
merged
into
our
main
default
branch
and
leaked.
We
can
block
the
merge
and
ask
that
those
Secrets
be
revoked,
rotated
and
removed
from
the
source
code.
A
A
We
talked
about
the
s-bomb
and
license
compliance,
so
we
we
got
to
take
a
look
at
where
to
go
to
see
all
the
dependencies
that
are
pulled
in
you
know
all
of
the
licenses
that
are
associated
with
some
of
those
dependencies
and
setting
up
a
license
compliance
policy
to
block
those.
A
From
being
included
on
future
emerges-
and
you
know
highlighting
you
know,
any
components
that
are
out
of
policy,
we
also
dug
into
the
best,
as
I
mentioned,
and
looked
at
the
audit
events
within
our
project
and
also
enable
that
developer
training
so
a
lot
in
these
past
two
hours
and
thanks
to
all
of
you
for
making
it
this
far.
So
just
as
a
summary,
you
know,
let
me
shift
left.
You
can
scan
all
of
the
code
every
time
you
know
see,
mostly
for
all
of
your
developers
using
fewer
tools.
A
These
security
scan
tools
are
built
into
gitlab.
Some
of
them
are
already
present
in
gitlab
premium,
such
as
secret
detection
and
task
scanning,
or
what
git
love
ultimate?
You
have
the
kind
of
pull
throughout
the
functionality
to
do
the
you
know
blocking
emerges
automatically
if
there's
a
critical
vulnerability
found
or
you
know,
setting
up
the
compliance.
Frameworks,
Appliance
Pipelines
you've
got
the
developer
teams,
security
teams
and
operations
teams
all
on
the
same
page,
and
you
know
we've
got
you
know,
happier
compliance
Auditors
now
that
we've
got
all
the
information
at
our
fingertips.
A
So,
thank
you
all
for
for
joining
today's
Workshop
as
a
reminder
we're
going
to
be
sending
over
the
slide
deck
and
recording
of
today's
Workshop
to
everyone
after
the
session.
So
I
appreciate
you
all
for
joining
and
thank
you
very
much.