From YouTube: DevSecOps / Compliance with GitLab - GitLab Webinar
Description
GitLab enables developers and security to work together in a single tool, allowing for proactive security or “shifting left”. This session covers what GitLab offers, how scan results integrate seamlessly with merge requests, and how to use the Security Dashboard to manage vulnerabilities.
A
All right, let's jump in. Thanks again for joining us today. Today we're focusing on DevSecOps and GitLab. I am joined by my colleague, Mary Grace Waida. We're excited to have her on with us. First off, just a couple of housekeeping items. This webinar is being recorded, so you can look for that recording to come through in your inbox here in the next couple of days. The deck will be included with that as well.

A
If you have any questions throughout, please put those in the Q&A portion of your Zoom window. We have folks on that are excited to help answer those, and Mary Grace will be able to answer a couple towards the end as well. And with that, I will pass it over to Mary Grace.
B
Thank you, Taylor. So hi, everyone. So, as Taylor mentioned, our session today will be focused around DevSecOps and compliance within GitLab.
B
So we're going to discuss how development and security teams can work together in a single tool, allowing for a proactive approach to security, sometimes referred to as shifting left. And the aim of this session is really to provide you with an overview of what GitLab offers from a security and compliance perspective.
B
All right, so we're going to start with an overview of GitLab's security and compliance capabilities and how application security fits into the software development life cycle. From there we'll go through how developers, security teams and compliance professionals can take advantage of these tools and create a DevSecOps workflow that fits the requirements of your organization. And so along the way, as I'm presenting, as Taylor mentioned before, please feel free to drop your questions into the chat and one of my awesome colleagues will respond. And so with that, let's go ahead and get started. So before we jump into the security and compliance capabilities that are available in GitLab, I just want to take a step back and kind of talk through why so many organizations are using GitLab in the first place and what problems we're solving for our customers. So really, here we are helping teams move from sequential DevOps, which you can see over on the left-hand side of the screen here, to concurrent DevSecOps, which is implemented by leveraging all of the features that are available to you within GitLab.
B
With this workflow, both development and security are going to be able to work more efficiently and more effectively, leading to cost savings and less risk. So to illustrate this, let's talk about the traditional approach to application security for a moment. So in a traditional process, as a developer, you might push code to your repository. Maybe you run your CI. You even use a merge request to kick off a deployment pipeline, which then might hit a test environment, and at that point you might be saying to your QA or security teams...
B
Now, when security is integrated into the software development lifecycle from the very beginning, you're treating security like any other code flaw and enabling better collaboration between developers and security teams. So you have a single source of truth between development and security, because you're integrating security into the normal development workflow. And so with this approach, we can scan before the code is committed to the stable branch, and also maintain a list of approvers to ensure the security of the main branch, and security vulnerabilities are reported directly to the accountable developer.
B
They're able to be viewed within the same pipeline workflow, and the vulnerability can be either dismissed or an issue can be created in the same place, which makes tracking much easier for both developers and the security team. And we've found that the best way to scale application security is really by enabling development with continuous security, and this level of integration is only possible because GitLab is a single application for the entire software development life cycle.
B
So as you're all aware, when you develop software, most of the time you are building upon your previous work. So the longer that you're waiting to fix bugs or vulnerabilities, the more code is affected, and so then it takes much longer to resolve, and that in turn equates to a much higher cost to remediate. And so having to context switch, trying to remember what exactly was done weeks or sometimes even months ago, can take a lot of effort and time, and so by the time an application is released into production...
B
Within the Secure stage we offer functionalities such as static application security testing, container scanning, dependency scanning, license compliance, secrets detection and dynamic application security testing, and you can see all of the different capabilities outlined on this slide. And our scans can be built within your merge request so that, as developers are iterating on their code, they're able to collaborate with one another, they're also collaborating with the application security team, and they're empowered to remediate those vulnerabilities before they make it into production. And then also with GitLab, security teams have agency and insight into the process as well, and can do things like require approvals and enforce scans in line with your organization's security and compliance policies.
B
Additionally, security teams have visibility into organizational risk through our Security Dashboard, where you're able to view summaries of security findings and generated vulnerability reports in one dashboard view. So we'll get into all of this in further detail. But next, let's talk about what this workflow looks like from the perspective of a developer, and then we'll do the same for the security and compliance teams' perspectives as well.
B
And so this visual here on the screen shows what this actually looks like in practice. And so the key to GitLab's approach is scanning the code at the point of code commit, before the code changes ever leave the developer's hands and before their code changes are mingled with others. And this is so powerful because it provides real-time feedback to the developer about vulnerabilities in their code changes while they are still working on the code, and they're enabled to easily fix it.
B
So they can resolve those flaws before introducing the code into the main branch and before others get involved. And as I mentioned before, security still has agency and awareness of this process, and in fact, for most organizations, we would encourage the idea that security collaborate within the merge request itself as part of a review. And we'll talk a little bit later about how you can enforce these types of reviews dependent upon the severity of the vulnerability that is uncovered.
B
So here is an example showing multiple scanners integrated into a CI pipeline, and all of these scanners are added with a simple include template line to your .gitlab-ci.yml file, which promotes shifting security left, because it makes it really easy to integrate security into your workflows, and that in turn allows you to remediate vulnerabilities earlier. And because GitLab is a single application, we can leverage what's called the Review App, which is a fully functioning app used to test the changes made to the code, and that allows you to run even dynamic application security tests, or DAST, before the code ever leaves the developer's hands and before the code is merged.
B
And so when we talk about enabling developers to address these security findings, what does that actually look like in practice? So we just saw what this scanning looks like in the context of a pipeline, and so now I want to show you what it looks like in the merge request itself. And so here we have a specific CI/CD pipeline that successfully ran on a feature branch that has security and license compliance scanners configured, and so from this view you can see a summary of the specific pipeline that ran.
B
You can also see the Approve button, along with this dropdown here to show you the list of eligible approvers for this merge request. Also shown is a short-version summary of results for each of the scanners. So you can see here the 24 new and four dismissed vulnerabilities for the security scanner, and then you're also able to view the full report or expand the results within the pipeline as well.
B
And so then from there, developers can decide what action to take. So one option is to create an issue for this finding, to either address it right away or in a future release, and the other option would be to dismiss the vulnerability with a comment specifying why, such as for a false positive or any type of accepted risk. And to reiterate, you know, some of the benefits of this approach: again, every piece of code is tested upon commit without incremental cost.
B
The developer is empowered to remediate now, while they're still working in that code, or easily create an issue with one click. And then the dashboard for the security team is a roll-up of the vulnerabilities remaining that the developer did not resolve on their own. And so with this approach, vulnerabilities can be efficiently captured as a byproduct of software development. And finally, having one single tool to handle all of this also reduces your costs over an approach that involves buying and degrading and maintaining different point solutions. And so GitLab provides resources to help guide developers in remediating vulnerabilities. So when available, we will provide a suggested solution as well as links to relevant information. We also offer auto-remediation for dependency and container scanning findings, which you can resolve with a merge request where you can automatically implement the suggested solution.
B
So additionally, developers also have access to integrated training resources to help them resolve vulnerabilities. So this integration capability uses the vulnerability information to get a link to learning resources that educate developers on finding and fixing that particular security problem. And so this provides developers with trusted guidance that they can use to resolve the vulnerability with confidence, and this is also a highly effective way to retain knowledge, for a number of different reasons.
B
So bite-sized coding challenges give developers targeted, hands-on skill building on that vulnerability and how to resolve it. There's also contextual learning, right, so it's presented in manageable chunks, which continuously reinforces good, secure coding patterns from a trusted source, not just enabling a patch.
B
It also reduces the time gap between learning and application of knowledge, which leads to, you know, lasting engagement and retention. Developers also are able to grow their muscle memory to recognize those security issues while they code, leading to the elimination of common vulnerabilities from the very start of software creation.
B
So when it comes to separation of duties, security teams have a number of controls available in GitLab, such as enforcing when scans run, which we'll talk more about in just a moment, as well as the ability to set scan result policies, which create rules that ensure security issues are checked before merging a merge request. And so, for example, you could set a scan result policy that says if any scanner finds a newly detected critical vulnerability in an open merge request that's targeting the master branch, then require two approvals from any member of the application security team. And approvals have a lot of flexibility, so there's a number of different ways that you can kind of configure those. So you can really customize this to meet the needs of your particular organization and your workflow. And then in GitLab, security teams are enabled to participate in the vulnerability management process in a number of different ways. So to illustrate what the vulnerability triage and resolution process can look like, let's walk through an example workflow.
B
So everything in GitLab starts as an issue. From an issue, a developer can open a merge request and commit code. On every commit, the code is then scanned for vulnerabilities. If a new vulnerability is detected, then, due to the scan result policy, security group approval is required to proceed. And if the vulnerability is legitimate, then the security approver leaves a comment on the merge request, requests changes and a resolution.
B
Then the merge request is passed back to the developer to make new commits. If the vulnerability is a false positive, then the security team member can dismiss that vulnerability and approve the MR, allowing for the code to be merged. And if no vulnerability was detected, then the approval process from security is not necessary and the code can be merged. And after the code is merged into main, it is scanned for live vulnerabilities.
B
If a vulnerability is detected in production and it is a false positive, then the security team can set the vulnerability record to dismissed. And if it's a legitimate and actionable vulnerability, then the security team could set that status to confirmed and create an issue from that vulnerability. And then the development team can action the issue by creating a merge request and restarting that process. And the security team can also use vulnerability reports.
B
So that's what you see on your screen here now. So the vulnerability reports provide an overview of all the security vulnerabilities from scans of the default branch within groups and projects. And, as you can see here, you can drill down into a vulnerability for detailed information such as the originating project and file, as well as the metadata to help you analyze the risk. And then you're also able to take action on these vulnerabilities, again by creating an issue or dismissing them.
B
And GitLab also offers visibility into your security risk via what we call our Security Dashboard. So this allows either Director of Security or CSO-type roles immediate visibility into a group-level security posture, so they can quickly understand any at-risk projects with security grades. So they are able to see burndown charts of vulnerabilities over time for a given project. They're also able to see grades, A through F, which are based on the number of high or greater severity vulnerabilities per project.
B
So we touched on some of the compliance pieces a bit when we talked about scan result policies earlier and enforcing scans, but now we'll discuss them in further detail.
B
Why was that action compliant? Who authorized that action? Where and how long did it last? And what gaps may exist? So GitLab's audit event capability helps to answer those audit logging requirements within either the UI or our API. And we also offer streaming audit events, so you can actually redirect a webhook-based stream of audit events to an external logging tool like, for example, Splunk.
B
We also have the chain of custody report, which provides a one-month trailing window of all commits to a project under the group, which gives you insight into information such as the commit SHA, the commit author, the date committed, etc. And then finally, the compliance frameworks report shows you the compliance frameworks that are applied to projects in a group, and we'll talk more about that in just a moment.
B
So next I wanted to touch on an important topic that is very much top of mind for many of our customers right now: the software bill of materials, or the SBOM. So as I'm sure you're all aware, an SBOM is a nested inventory or list of ingredients that make up software components. And then, in addition to the components themselves, SBOMs include critical information about the libraries, tools and processes that are used to develop, build and deploy a software artifact. And so in GitLab...
B
You can drill down into the vulnerabilities, see if there's a suggested solution, create an issue, put it right back into the developer's workflow so that they can remediate it and you can move on. And so this isn't just about generating the bill of materials, which is great, but it's really an actionable SBOM.
B
So once you define the rules and policies for your organization, you're going to want to enforce those policies. And so GitLab offers, you know, a number of different compliance controls and automation of compliance workflows, which are really focused on enforcing those policies and separation of duties while reducing overall risk. And so to break this down a little bit further, there are three main components here. So we have the compliance framework project templates, and those allow you to create projects with issues that map to specific audit protocols, you know, such as HIPAA, etc., to help you maintain an audit trail and manage your compliance programs. Compliance framework project labels enable common compliance settings to be applied to projects with specific framework labels. And then compliance pipelines allow you to actually define a pipeline configuration to run for any projects with a given compliance framework. And so what this really does is it allows you to run specific jobs, especially security jobs, on every pipeline run, and the configuration here is managed at the group level in the pipeline.
B
And then another way that you can enforce scans to be run is with scan execution policies. And so with GitLab, security professionals can use a scan execution policy to create rules which enforce security scans for particular branches at a certain time. And so supported types are SAST, DAST, secret detection, container scanning and dependency scanning. And as an example of what this could look like, you could set up a scan execution policy that says to run a DAST scan with scan profile A and site profile A when a pipeline runs against the main branch.
B
And so you might be wondering when you should use compliance frameworks versus when you should use scan execution policies. So there are advantages and disadvantages to each approach. So, as you can see here, we do have some documentation that you can look through in a comparison table, but to kind of sum it up:
B
So compliance framework pipelines are recommended when scan execution enforcement is required for any scanner that uses a GitLab template; scan execution enforcement is required for scanners external to GitLab; or scan execution enforcement is required for custom jobs other than security scans. And then scan execution policies are recommended when scan execution enforcement is required for DAST; scan execution enforcement is required for SAST, secret detection, dependency scanning or container scanning with project-specific variable customizations; or scans are required to run on a regular, scheduled cadence. And so either solution could be used equally well in situations where scan execution enforcement is required for SAST or secret detection when custom rulesets are not used, or scan execution enforcement is required for container scanning with no project-specific variable customizations.
B
So the approach that you take will really depend on your use case and your needs here, but there are lots of different kinds of options and a lot of flexibility with the tool, and we encourage your feedback on this as well, as we are thinking about, you know, ways to unify the user experience for both compliance frameworks and scan execution policies.
B
The approval policies feature allows legal and compliance teams to manage policies which will require approval on merge requests whenever licenses are detected that violate that policy. And so those policies are stored in YAML in a git repository inside of GitLab, in a security policy project. And so those security policy projects can then be linked to one or more development projects, or they can also be linked to groups or subgroups, which will then cause the policy to be applied to all of those projects inside those groups. And so by storing those policies as part of the YAML file, we can provide a full history of any changes that are made to the policy. We can do things like require approvals any time a change is proposed to be made to the policy, and again we can provide separation of duties to allow security, compliance and legal teams to manage those policies separately from the developers.
B
So that was a quick overview of security and compliance within GitLab. So there is a lot more we could cover, so I definitely encourage you to reach out to us with any questions. I also wanted to touch on the support and enablement that is available to you through GitLab Professional Services. So we offer a number of types of Professional Services engagements.
B
So if there is something you are wondering if we can help with, please let us know. But just to provide a quick overview of some of the most relevant services available: so we do offer live training classes which include labs; they're really hands-on. So as an example, we have a Security Essentials training available, as well as GitLab for Project Managers and DevOps Fundamentals training. And these courses can really accelerate your time to value with GitLab and enable your teams quickly, so that they can focus on the high-priority work items that you need them to complete to accomplish your DevOps objectives. So I would really encourage you to take a look at what is available.
B
We know that getting your teams used to a new way of working, or taking your existing DevSecOps workflow to the next level, involves changes not only to process and tools but also culture. And so these trainings can really help to unlock the potential of GitLab so that your teams understand everything that's available, you know, feel excited about the tool and can take full advantage.
A
Great, thanks, Mary Grace. Before we jump into a few questions, I just wanted to let everybody know that I have opened up a feedback poll. We'd love for you to take a quick moment to provide us with a little bit of feedback on today's session. Just a couple of questions there. And with that, I will jump into some of the questions I've seen come through. The first one here: this is all great, but it's a lot of information, so many different things to talk about.
B
Yeah, so that's a great question. So kind of building off what I just said in regards to Professional Services...

B
We advise enabling one or two scanners at a time, so keep things really simple: start with secret detection and dependency scanning. So secret detection only has one analyzer, there's no build requirements, and it's relatively simple findings, you know: is this a secret or not? So that's a good one to start with. And then it's also a good practice to enable dependency scanning early so that you can start identifying, you know, any existing vulnerable packages in your code base. And then from there, you want to really give your team time to get comfortable with the vulnerability reports and establish a vulnerability management workflow in GitLab. I've also seen customers be really successful with identifying a team to pilot the new approach, so that can get you some early wins and provide an example for other teams to follow. And we do also have a guide and a video walkthrough for the steps and kind of order of operations to follow when getting started with GitLab application security as well.
A
Awesome. Next question here: we would like to start using GitLab scanning capabilities, but we have a management mandate to use a certain tool for static application security testing. Does GitLab integrate with other security tools?
B
Yeah, so GitLab does integrate with pretty much any other security tool, and then you'll also see the results from those scanners in your vulnerability reports as well, once you have the integration configured. So we do have documentation on our kind of official security partners, but again GitLab is a very flexible tool, and so if you're wondering if we integrate with a particular tool, I would encourage you to reach out to us so that we can help to guide you accordingly.

B
Of course, we'd love for you to use all of GitLab's scanners, but we understand that's not always possible. Sometimes you'll have to use other tools as well. So our scanners play really nicely with other tools and you can even use them together, so you could use GitLab's, you know, SAST scanning in tandem with your existing tool to augment the capabilities of your existing scanners.
A
Great, and then one more here I'm seeing: does GitLab provide security training for users? How can we get more information about training opportunities available?
B
Yeah, so in addition to kind of the Professional Services offerings that we have, which are going to be the most hands-on and include, like, the lab components and really give you practice with the tool, we do have a number of free resources. So we have YouTube videos. We have the GitLab Learn platform, which we can also link you to as well, which includes things like self-paced certifications and training courses that you can go through.

B
We also have really great documentation, and again, with any kind of questions that you might have, we encourage you to reach out so that we can help to kind of connect you with the appropriate resources.
A
Great, well, thank you, Mary Grace, and thank you, everyone, for joining us today. We appreciate you taking some time out of your day, and as a reminder, we will be sending out the recording and the deck here in the next couple of days. And with that we will wrap up today's session. Have a good day, everybody.