From YouTube: DevSecOps with GitLab - EMEA Webinar
Description
GitLab enables developers and security to work together in a single tool, allowing for proactive security or “shifting left”. This session covers what GitLab offers, how scan results integrate seamlessly with merge requests, and how to use the Security Dashboard to manage vulnerabilities.
A
Welcome, everyone. Welcome to DevSecOps with GitLab. I'm glad to have you with us. I think we're going to give it another 30 seconds or one more minute to get everybody joining, and then we'll kick this off.
A
While we're waiting, I have a quick poll for you on shift left, just to know whether your company has, you know, begun the shift-left approach. I'm just interested to know your opinion, whether, you know, it has happened or not. Or are you curious and would like to know more? Okay, I see we're still waiting on others for now.
A
So basically we're almost at a 50/50 split between "yes" and "I'm not sure and I'd like to know more", so I think we are going to start for now. Before we do, let me go through a couple of housekeeping points. I'm going to do my absolute best to run through this, not very quickly, but with enough time that we have enough time for Q&A, where you're welcome to unmute yourself and ask a question, or you can use the Q&A section to ask your questions.
A
We have a really amazing support group here. Stefana, Chloe, they're going to be answering your questions throughout this.
A
In terms of how this is going to be run: the webinar is going to be recorded, and you're going to get a copy of it. It'll be sent to your inbox within the next couple of days. What we're going to be covering today is literally bringing application security closer to developers. I think we have everyone we need.
A
So, let's get started. Just before we do, a little bit about myself. My name is Gregory. I'm a strategic customer success manager based in Dublin, and I work with enterprise clients day-to-day across many industries and kind of help them on their DevOps journey, and in many cases that journey is a shift left. In my free time I love,
A
you know, traveling, going to the theater, doing all those sorts of things, and then recently I've taken up presenting as a hobby, so I'm trying to figure out how that's going to work out for me. Now, today we're going to look at how GitLab's security capabilities will help you find and fix vulnerabilities before deployment, right, the whole shift-left approach that we did the poll on, and how it can help you meet your compliance needs as well. So this is going to be the core of the webinar.
A
What we won't cover, however, is how to monitor your cloud-native production environment for new vulnerabilities and how to secure it. So there won't be anything too technical.
A
It's all going to be high level in terms of what you need to do, what the results are going to be and how to apply this, but we do have many, many other webinars where that is actually something we do, so just ask us, I suppose, if you're interested, and we can put a link up for you. But now, let's first look at why we want to do this in the first place.
A
So what we see here is that after the application is released to production, it costs about 30 times more to fix your flaws than it does in design, and 15 times more than in dev. So the logic is there: the earlier in your software lifecycle you do your security, the cheaper it is to fix.
A
And if you had all the scans in the world, you know, and there's many with GitLab and other tools, what do you do when you find ten thousand vulnerabilities, which is a real scenario, right? Does that create a new liability for you if you can't fix them right away? There's now an even greater liability, because now you know they exist and you can't ignore it, right? And with GitLab you can automate the software factory, which is what we call GitLab, to apply the policies that you require.
A
So it is possible to do that amount of work. A little bit about the background: traditional AppSec tools were built 10 or more years ago, before today's modern software methodologies like DevOps with daily deploys. The industry needs to get beyond the simple shift left of giving developers a light SAST in the IDE, which is still pretty good, but we want to lead a new era where security is baked into your development lifecycle as a whole.
A
You want one application that's purpose-built for the modern software factory, and if organizations want to shift security left, they need to rethink the current tools that target both dev and security teams. DevOps is about kind of breaking the silos between teams, bringing them together to collaboratively solve the business problems they are running into, and with the growing importance of security for organizations as well, you need to scale, because teams scale too, and that can only be done by empowering developers.
A
So it is our vision at GitLab that developers play a huge and major role in finding and solving security vulnerabilities at the very early stage. That means that application security tools are running early enough and automatically triggered in the build pipeline. Unlike this, you know, different security tooling is often usage-based priced, so that organizations are kind of penalized for scanning more and more often, and that results in security teams often owning the application security tools and being responsible for running them, and DevOps doesn't scale like that.
A
So to that point, what would you say if you could scan all the code every time, right? What if it was seamless for developers, and you'd be using fewer tools, with developers, security, operations and everyone else on the same page? So how do you do that? You do that with GitLab, with kind of one DevOps platform, and it is an always growing and evolving end-to-end platform that, you know, addresses the needs of the entire organization as it moves through that DevOps journey.
A
So what you see here on the screen is the different stages, right, so there's 10 of them, from manage to plan, create, verify, all the way to monitor and protect. Below, what you see are companies that you're familiar with, so Jenkins, GitHub, and they each represent a single stage in the software lifecycle. And at the top you see the different personas, compliance, developer, security, operations, and all together they're part of this software development lifecycle, right.
A
The benefits of GitLab are that you can access end-to-end data in one place and eliminate manual handoffs. You can do that automatic security that we talked about. Onboarding is going to be faster, you're going to deliver software faster. Actually, just to make it short, you can focus on your business outcomes without having to worry about anything else.
A
Now, specifically, there's many, many tools out there, but what you're seeing here is SAST, DAST, dependency scanning, license compliance, secret detection and what have you; there's more to that, fuzz testing. They're automated into every single merge request. You'll no longer need to kind of trade off between risk, cost and agility.
A
So because it's kind of one tool, those tests are going to run automatically, and if you already have SAST or DAST tools that have been around for a long time, which is what I'm seeing is the case with other customers, you can reduce your cost by using them sparingly in specific cases while using GitLab on every code commit. We're going to see how that works as well.
A
I suppose now that we've talked about the why and the what, let's now focus on the how. So how does GitLab help with shifting security left? And, you know, a bit of background here is what I'm seeing, what we're all seeing. I think in today's world every company is a software company anyway, and if they don't think of themselves as such they'll quickly be behind in the market. And if you can think of a company that is not a software company, please do post your comment in the Zoom chat.
A
I'm really curious if you can find an example, because I'm really struggling to do that. Most companies are using their technology and software to differentiate themselves in the market, and the velocity of development has never been more important, and so security at certain times becomes a bit of an afterthought, because we need to develop faster, we need to deliver these features. But waiting to address software security vulnerabilities and quality until too late can be very costly and opens up organizations to unnecessary risk.
A
That's why it's important to address security up front and start as early as possible, which is known as shifting security left. So what you're seeing on the screen here is that security is usually done at the kind of end, at the release, configure, monitor, defend part. What we want, however, is to move it as far left as possible.
A
So the shift-left approach has been a long time in the making, right. This is not a new concept by any means, and in recent years it has been heavily driven by the Log4j and SolarWinds events. Some of you might know them, but those are huge, very famous breaches, and security is becoming more and more important; companies are starting to think, right, how do we get better at this? Because of the penalties, because of the fines, our company needs to be compliant and secure. That's from an interesting survey that we've done, that we're doing every year.
A
So if you're curious, do check out that report by following the link. It's quite interesting; there's a lot of other data in there. Oh, this is even more interesting.
A
The whole topic of responsibility. This should have been another poll, but you can comment on who's responsible in your company, because what we see here is that, well, developers in organizations think that it's their full responsibility; 53% of them said that. 48% of operations believe security is their sole responsibility. But I personally agree with the security personnel themselves, because security is everyone's responsibility, so it can't be just mine or yours or someone else's.
A
We all own it, and the way I think of it at GitLab anyway is that it's my responsibility to not click on phishing emails, but it's also the responsibility of the security team to educate me on that, and if I fail, which I do sometimes, they need to educate me and kind of help me fix that, right. So we're all in the same boat.
A
So now I'm going to go a bit deeper. You can run all your security scans before the code is merged, which is, I think, a great way that we can do this. So what does it really mean, before the code is merged? It means that the accountable developer sees the results immediately of every change he or she has made. So this is what you're seeing here in the middle part of it.
A
Any security vulnerabilities, the developer is given feedback right there, right then. Not a month later, not three months later, not in a spreadsheet somewhere; right there, right then, within a couple of hours, depending on the commit. And then he or she can look at this, even be educated about what to do better next time, and fix it, and the process is performed again, so that the security team never sees that; I'd say they never have to.
A
In a lot of cases they don't actually have to do anything. But then, if there are any exceptions, let's say if a vulnerability was dismissed or there are other things, well, then the security team is seeing this and will be able to either dismiss it or say no, let's go back and fix this, by creating an issue, for example, which is something we're going to see. But if everything is great, everything is approved, fair enough, then we're going to deploy this to production. So this is kind of the GitLab recommended flow.
A
Your mileage will vary, of course, but this is sort of what we're seeing as the kind of best practice, and this is kind of a zoomed-out version of the same thing. It starts with planning, milestones, issues. Then we have merge requests, and the same thing is actually happening here in the middle: with the merge request the code is pushed, automated testing is run, then there's a bit of collaboration and review, and if anything is found, security or quality issues, the feedback is then given back to the developer, and then it goes through approval.
A
So if you embrace shift left, I think there are quite a few benefits to that. You'll be able to scan all code every time, not three months later. It'd be very seamless for developers because they wouldn't have to think about what tools to use or where they are; it's all from one place. You'll be using fewer tools, with everyone on the same page, in the same place: dev, security, operations, not that many silos, with policies still enforced, compliance happy, and so on. Those are huge benefits along the way.
A
So GitLab supports a wide range of tools with different scans, and they're making it easy for you to secure your application. This is at least the list: SAST, dependency scanning, looking for secrets, being compliant with licenses, scanning your container images, scanning your infrastructure as code, coverage-guided fuzzing, dynamic application security testing, which can also be done before you merge to production, not after, and web API testing.
A
So that's a big list there, and because GitLab is a single application, we can leverage the review app as well, right. It's a fully functional application that we use to test the changes made to the code, so we can run dynamic application security testing before the code ever leaves the developer's hands and before the code is merged. So this is what you're seeing here: we have the build stage, then during the test stage we run all the security scans, then we have the review app, and then we run the DAST scan.
A
So vulnerabilities are reported in the MR, right, in the merge request, and/or in pipeline reports. So what we see here is, first of all, we know that this merge request is in draft, so we know that this is being worked on. We also see that approval is needed by at least one person from project management, quality assurance and configuration management.
A
But we're also seeing that there were no changes in test results. We see that the performance metrics have been degraded, and no license compliance issues were detected. However, we see that a lot of potential vulnerabilities were found, two critical, two high and 258 others. So if we drill into that, we can actually see a bigger list with more description as to what's inside.
A
So we see a lot of licenses, but we don't have any policies for that, right, so Apache License, BSD, so they'll pass; apparently, if there were a license policy, they wouldn't have been able to merge that. Now what else have we got? SAST detected 48 potential vulnerabilities, four critical, eight high; seven critical from dependency scanning. So essentially this is what you get in the merge request. Every piece of code is tested upon commit, without incremental cost. It's just done.
A
Every time, developers will be able to remediate now, and there's also a dashboard for security professionals to roll up all the vulnerabilities in one place, and as a single tool it can reduce the cost of having to buy, integrate and maintain other point solutions. So it's all in one place. But then, if we kind of go back, we'll be able, for example, to click on any of the findings, let's say a critical vulnerability from SAST.
A
So we'll click on that, doesn't matter which one, and then you will be able to see the actual vulnerability, right. So there'll be a name, a description, the project where it was found, the actual file where it was introduced, an identifier, so a CVE, which I think is Common Vulnerabilities and Exposures, then the scanner and the scanner provider, and then links to that in certain cases, and you'll even have a solution, which in this case is upgrade to the latest version.
A
So then, what the developer is able to do is either dismiss the vulnerability with a comment or create an issue and actually create the work after that. Yeah, what's also great is that in certain cases we have training resources built in with our scanners as well, so by completing an appropriate kind of challenge according to that specific problem, that vulnerability, it's going to be very effective, because it's kind of bite-sized coding challenges that give developers targeted, hands-on skill building in that particular vulnerability and how to resolve it.
A
It's contextual learning presented in manageable chunks that kind of continuously reinforces good, secure coding patterns. It reduces the time gap between learning and applying the knowledge, ensuring lasting engagement and retention, so it can help us develop the muscle memory to recognize security issues while we code. So not only are we giving developers feedback, yes, you need to fix this, this is something you introduced, but hey, here's a bit more education around how you do that, which I think is absolutely brilliant.
A
So that's an overview of the results the scanners can produce and what developers can do to resolve vulnerabilities directly from the context of the merge request. Now let's take a look at how security teams can see and manage the remaining vulnerabilities across teams, right, so a little bit from the security side of things. What we see here is the security dashboard, right, and it's designed for directors of security and CISOs.
A
It aggregates metrics at the group or at the instance level, and it's directly actionable: assignments, milestones, etc. It's showing you high-level trends and metrics that we'll be seeing here, with changes over time, 30 days, 60 days, 90 days, their severities and whether it's increasing or decreasing, and we have a security scoring in the dashboard, so from A to F. So F means critical vulnerabilities; A will be having zero.
A
I think the lowest is a priority, anyway, and yeah, what issues kind of need to be addressed in this case. Now, the security dashboard provides an overview of all the vulnerabilities across groups and projects. This is actually a vulnerability report in this case, so there's a whole lot in here, and if you wanted to drill down into a vulnerability for detailed information, you can find the originating project or file and metadata to analyze risk.
A
You can take action on these vulnerabilities by creating an issue or dismissing them, as we've seen before. The security dashboard displays information from the results of the most recent security scan on the default branch. Security scans are performed every time the branch is updated, so if it hasn't run in a while, then it wouldn't be updated; if you look at the top left, you see that it ran three hours ago, right. What you'll see here is what we have in this particular report.
A
We have 21 critical, 32 high and medium vulnerabilities, when they were detected, the status, the severity, the description, identifiers and the tool that was used to find them.
A
So now, the project security dashboard also kind of displays results from the most recent security scans on the default branch, as I said, and we basically use it to find and fix vulnerabilities that exist in the default branch, right. And we can schedule security pipeline runs to ensure the information is regularly updated. For example, if there's been no kind of major work, there were no commits, well, then there'd be no security scans, but you can actually automate this to run daily.
A
What else can you do? You can interact with the vulnerability from the dashboard itself. Once you click into any one of them, you'll be able to see what the status is. So, first of all, by default it would be "detected". You can then either dismiss this as, we will not fix it, or a false positive, because, for example, the security team believes they have a kind of layer of defense that protects from that, or maybe it's not an issue anymore.
A
You can have it confirmed: yeah, a user has seen this vulnerability and confirms it to be real. Dismissed: the user has seen this vulnerability and kind of dismisses it. And resolved: it's already been fixed, no longer in the code base, we don't have to worry about it. And everyone that looks at it can see what happened; you can actually go through it and see what was resolved, what the comment was, who did what and why.
A
So I suppose, in a sense, there's obviously a lot more to GitLab's capabilities, but we have a lot to cover, so I wanted to touch on a bit of compliance before we wrap up. So, compliance: there's a lot to it as well, but just at kind of a general level. We have embedded automatic security, quality and vulnerability management, as we talked about, and policy enforcement to keep things moving quickly while remaining compliant. We're able to simplify user management, so it's a single permission model where you will use your authentication.
A
Authorization is enforceable and consistent, so you will not need to manage multiple authentication schemes across multiple applications: consistent user rights across all product categories and integration with existing SSO. We also have custom roles that were recently introduced to GitLab, which I think is great, which allow you to customize your roles however you see fit. Then, expert auditing, so we verify compliance in less time.
A
It's very important: activity is logged in one single audit log that covers the entire DevOps lifecycle, pretty much always on, accessible and accurate, and you can tightly control how code is deployed. You can kind of eliminate guesswork; incremental rollout of changes can reduce impact. So, applied to compliance, we address segregation of incompatible duties, identity and access control, approval controls, configuration management and change control, access restrictions for changes to configuration and pipelines, protected branches and environments, auditing, live license code usage and security testing.
A
This is a huge topic in itself, like a couple of hours' worth of our time, but in short, the first step would be creating or identifying policies that need to be addressed, any type of requirements list that you may need to keep track of, for example. The second step is automated compliance workflows: instead of having a person manually go through each policy, you can automate the workflow by creating rules that need to be met. And the third step would be audit management.
A
We're going to go deeper into policy management. Policy management helps you define rules and policies to adhere to, either internal company policies or policies based on legal or regulatory frameworks such as GDPR, SOC 2, PCI, SOX, HIPAA, and so on and so forth, and we offer a number of features kind of addressing this policy management, which would be merge
A
approvals, scanning policies, external service approvals, non-repudiation, platform management, inventory, risk assessments, incident remediation and thresholds. If we expand the nodes, we have granular user roles and permissions, where GitLab supports five different user roles with permissions according to people's role rather than the access required to that particular repository. There's also the ability to customize the roles.
A
Then we have compliance settings to create and enforce compliance policies for users based on compliance rules for specific projects and groups. Then, with the credentials inventory, we can track all the credentials that can be used to access a GitLab self-managed instance. And then we have protected branches to control unauthorized modifications to specific branches, including creating, pushing to or deleting a branch without adequate permissions or approvals.
A
Then, once the policies and rules are defined, you need a way to enforce these policies. Compliance controls and automations: compliant workflows focused on enforcing policies and separation of duties, while at the same time reducing overall risk.
A
So, considering that, GitLab offers the ability to create templates to enforce rules and policies. Some of the templates are SOC 2, ISO, GDPR, HIPAA and so on and so forth. So if you expand on those, we've got GitLab compliance framework project templates, where you can create those projects with issues that map to specific audit protocols, so that you can help maintain an audit trail and manage compliance programs.
A
GitLab also offers compliance framework project labels: we can enable common compliance settings to be applied to projects with specific framework labels. So this is an example of that. For example, we need to define compliance frameworks for ourselves, right, which CI jobs need to be run for
A
labels with a compliance framework. So for that particular group, at the kind of top level, we'll have project A, which would be ISO, which then, if you look on the left, will again be SAST and DAST, project B, project C, and then we'll have immutable pipeline jobs that execute according to that framework. So project A's pipeline run is: the build stage, then SAST and DAST in the test stage, and those jobs are there, SAST and DAST, because it has an ISO label on it; you wouldn't be able to remove them out of there.
A
So the benefit here is you ensure the jobs are running for compliance, again, better security, and you're also shifting the approval workflows early in the process as well. So I think one of the last things here I want to talk about is audit management. Compliance audits require traceability of various compliance events such as user actions, permission changes, approval changes, logins, passwords and so on. That information exists in GitLab, and audit management aims to provide a consolidated view of these insights.
A
When did they take action? What action? Why did they do it? And so on and so forth. And we answer those questions with audit events, right. They basically aim to satisfy an organization's audit logging requirements within the UI or within the API as well. So it gives you an advanced log system with audit logs, where everything is logged on your GitLab instance.
A
We also give you a compliance dashboard that aims to provide compliance insight in a consolidated view, with the overall compliance signals such as segregation of duties, framework compliance, license compliance, non-compliant merge requests, and the compliance dashboard focuses mostly on merge request activities. So this is what it looks like: you'll find it in Security & Compliance on the left-hand side, under Compliance, and we see "update readme" with the description. So there were no approvals; it was merged one day ago. Below, the dashboard for new users.
A
So this is an example of it all. Right, just a couple of things which you could do. If you want to learn more about compliance and security, we have full training on Level Up, levelup.gitlab.com/learn, and it's free training; you won't need to pay anything. If you want to do the actual certification, then I think it'll cost 150, but if you don't want to do the certification, the training is free, so you could do DevOps and Git essentials, project management courses, security, CI/CD.
A
You know, and also, if there's a need for your company to do private sessions like this, absolutely, we have Professional Services that can be engaged. And at this point, I think I've really run through everything I wanted to cover today, so we're going to leave it there, or if there are any questions, feel free to unmute yourself and, yeah, go ahead. Thank you so much. I'm going to stop sharing my screen, and yeah, if there are any questions, absolutely go ahead.
B
I have a question, or it's a generic question. Where's a good place to start? Because I know you listed, you know, loads of different types of security tools. For someone who is maybe not actually doing any security, or maybe they're just thinking about SAST, where's a good place to get started using GitLab?
A
Right, well, I probably would say, if you've never done it using GitLab, we've got extensive documentation, which I think is called "Get started with GitLab application security", and it really gives you an overview of how to do all this, right. So let me share my screen again. So this is "Get started with GitLab application security". It's a great, ideal resource on how to best do this, right. It starts with the easiest, the best, I suppose, kind of bang for your buck, and also, yeah.
A
So there's a question: can we integrate GitLab with any IAM tools for access management? What's required from the GitLab side for doing that? So I guess, for example, you're wondering if we're going to integrate with Okta or any other providers like that. We also have documentation that would explain in detail what you need to do, so I don't think, with major providers, there are any difficulties with integrating; you basically just need to follow the documentation, and yeah.
A
If you wanted to ask a question, more than happy to answer. If you wanted to comment on the poll, shift left, it'd be absolutely great to hear kind of how your company is going through this. I haven't seen anything.
A
If not, if there are no questions, I think at this point, yeah, we can wrap up. The recording will be sent after a couple of days along with the deck itself, so you can follow up and go through it as well. If you have any questions, do reach out to me; I'd be more than happy to talk to you about our approach, what we do, yeah, how we can help, and if you just wanted to bounce a couple of opinions off as well, yeah, more than happy to speak to anyone.
A
Thanks, everyone, for joining. I'm going to terminate the session. Have a great rest of your day.