From YouTube: Hands On GitLab DevSecOps Workshop - September 29, 2023
Description
In this workshop we focus on how you can secure your application with GitLab.
We will first take a look at how to apply scanners to your CI/CD pipelines in a hands-on exercise so that any vulnerabilities are caught as soon as the code is committed.
Next, we will look at compliance frameworks and pipelines to show how you can ensure no one within your development teams is cutting corners and exposing your application.
Right, hello, everybody. Good morning, good afternoon, good evening, depending on where you are in the world today. Just gonna wait a couple more minutes to let folks trickle in and start joining in with our workshop. Today, we want to welcome all of you to our hands-on workshop, with focus on security and compliance, DevSecOps, within the GitLab platform.

If this is your first hands-on workshop here at GitLab, we want to make sure that you please ensure that you have a working gitlab.com account. This will be different from an account that you have on a self-managed instance within your organization or company, if you use GitLab outside of our SaaS platform on gitlab.com. So please take the time to sign up for a gitlab.com account on our SaaS platform if you don't have one already. Again, this is different from a self-managed or on-prem GitLab instance account.

So I've got a link there to the sign-up page on our SaaS platform. I've also put the lab setup instructions; I'll link to that in the chat. I'll be walking you all through how to get set up with a lab environment on gitlab.com through your gitlab.com account, so make sure that you follow those instructions, and if you want to get a more hands-on demonstration, I'll show you those steps as well in just a moment. So again, welcome to everyone.

Who's joining in today for our hands-on workshop focused on security and compliance, DevSecOps, within GitLab? I'm happy to have you all today, and happy Friday, and if you don't mind, if you're comfortable sharing, I'd love to get to know where people are joining in from.

If you want to drop a line in the chat, I can see that you're only going to be able to send a message to the hosts and panelists that are providing our hands-on workshop today, but I'd love to kind of get to know where people are coming in from.

Lots of folks joining in, and if you're just joining in today, we're just giving folks another minute to get settled in here. I've shared the lab setup instructions on the screen here; you can take a screenshot. I'll also put it here in the chat again for our late joiners: we've got a link to the lab setup instructions as well as a request for you all to get signed up for a gitlab.com account on our SaaS platform.

If you don't have it already, and that's different from a self-managed or on-prem GitLab account, if your organization maintains your own GitLab instance. All right. Well, let's go ahead and get started. So I just wanna again welcome you all to our Security and Compliance Adoption Workshop focused on DevSecOps within the GitLab platform. I'm gonna go over some housekeeping items. I'm joined by one of my colleagues here on the customer success engineering team.

His name is Steve Graham, also based out of Los Angeles, and I'll later be joined by Rasheed Babatunde, who's also another customer success engineer on the team. So Steve and Rasheed will be able to answer any of your questions as I go along. I apologize, there's gonna be a lot of content that I'm going to be walking you through and talking to you about, so I won't be as focused on the Q&A and the chat, but I'll take a look here and there and see if I can address something live on today's webinar workshop. But Steve and Rasheed will be able to help answer those questions as I go along, so don't hesitate to answer or put in some of those questions.

Or, you know, if you have any issues getting your lab environment set up, you know, Steve and Rasheed will be able to get you helped out along the way. And as a reminder, I'll be sending along, or the team will be sending along, a recording of today's workshop tomorrow, I believe, and they'll also be sending a copy of today's deck as well.

So I'll have links to different resources provided in the deck, so you'll be able to have access to both the recording and a copy of today's deck after today's workshop. And then finally, with today's sandbox environment that you'll get provisioned on our SaaS platform, you'll have access to it for up to four days, I believe. It'll expire on October 1st.

So if you have the time over the weekend, if you want to continue playing around with this sandbox environment, it will have an Ultimate license applied to it, and so you'll be able to take full advantage of all the security and compliance functionality and get to know it a little bit better if you don't have it already within your organization. And yeah, just want to make sure that you have that time as well to take advantage of the sandbox environment. All right. So, a brief introduction to myself.

My name is Chris Gutarte. I'm a senior customer success engineer here at GitLab, based out of Los Angeles, California, and after today's session, please feel free to connect with me on LinkedIn. I've got a QR code that you can scan on your phone.

If you're interested in connecting with me, I usually take the time to share a post or two with you every week to highlight some of the key topics I'm discussing with my customers on a weekly basis, as well as sharing some new features and capabilities that I think are important, based on my regular interactions with customers in the field. I meet with customers one-on-one, in addition to these many-to-one types of engagements with the webinars and workshops that we offer. So I'm also sharing my GitLab profile.

So, let's jump right into it. So I want to introduce you to today's fictional scenario for our workshop today. So today, you're officially part of a brand new startup that's creating a public leaderboard for the hit racing game Tanuki Racing. This groundbreaking application has been developed and deployed in a beta release. However, the developers are lost on how to make it secure. So you, as the new security specialist, have been tasked with using GitLab to enhance the application's overall security.

I see we've got quite a few more attendees that have joined in. So we'll get set up with your own personal sandbox environment on our SaaS platform, and then next, we'll have a look at shifting left within the GitLab platform, in the context of GitLab, what that means, and then we'll get hands-on with configuring our sandbox project to improve our security posture by shifting left. Next, we'll talk a little bit about the compliance framework and compliance pipelines within GitLab, how that works, what that means for your organization, and then we'll go over the configuration of that within the sandbox project as well. And that really will make sure that we have good governance of your project pipelines, as an example and, you know, as a way for you to start thinking about implementing it within your own organization.

Furthermore, we are going to be looking at parsing the results. We'll be looking at all of the findings that have been generated by shifting left, both in the merge request, as well as when merges happen and a pipeline has run against the default branch, and what you see as active vulnerabilities within the default branch on our project.

Finally, we'll have a brief look at on-demand scans, audit events and more, and then I'll touch on how to transfer your project if you wish to save the work that you've been doing as part of this hands-on workshop. It's not required, but it is something that is optional for you if you want to save your work into your own namespace. But keep in mind, when you transfer the project to your own namespace on gitlab.com, or even to your own organization's top-level group, if you don't have the Ultimate license, then you won't be able to take full advantage of the Ultimate-level features that we show you today. Some of the features are available in Premium, but, you know, for the most part, the vulnerability management features are not available outside of the Ultimate tier, for example. And then we'll go through a conclusion: we'll wrap up and review what we've learned and completed in today's workshop. So let's go ahead and get started.

Let's go ahead and get the lab environment set up together. So first, to get set up, I want to make sure again that you have your own gitlab.com account on our SaaS platform. You might have an existing account if you already use the SaaS platform as part of your organization. That's totally fine! You can utilize that same existing account, but if you have a self-managed or on-prem instance of GitLab, you're going to want to go ahead and sign up for a gitlab.com account on our SaaS platform.

So again, I see some new joiners here. I'm going to re-paste the instructions in our chat, and if you lose that chat, for example, and you need to get the instructions again, I'm going to have that link and the QR code in the upper right-hand corner for a few more slides.

So once you get your SaaS environment provisioned, you've got your gitlab.com account, we're going to go through this provisioning process to set up a subgroup on the SaaS platform associated with your user account. You're going to be made an owner of that subgroup. We're going to go ahead and fork a source project for working hands-on with today's exercises. We're also going to reference the issues, the exercise steps, from that source project. The issues are not going to be copied over.

First of all, so we've got the gitlabdemo.com website and the invitation code. So that invitation code is something that you'll want to copy, and then go ahead and go to gitlabdemo.com, and when you're on the homepage of gitlabdemo.com, you're going to click the blue Redeem invitation code button, then you're going to paste in that invitation code, click Provision training environment, and then for your gitlab.com username, you're actually going to grab that when you're logged in to gitlab.com. Again, this is on the SaaS platform, not your self-managed instance. You're going to go to the main navigation and click your avatar in that upper right-hand corner of the main navigation, and underneath your display name, possibly your full name, you're going to have your username, which is prefixed by that at symbol. You're going to want to copy everything after the at symbol, but not include the at symbol. So mine in this case is cigatarte-workshop.

And click Provision training environment. Make sure you don't include that at symbol. It'll still try to provision the subgroup and associate the subgroup with that username with the at symbol, but it won't actually work. So you want to make sure that you're using everything after the at symbol and not including it.

And you can click that. In this case, I'm just pasting it into a new browser, and I can see that I'm in this My Test Group with a unique identifier specific to my user account, and this is unique to me. So none of the other attendees in today's workshop will have access to this, except for our panelists here, including myself. And so you'll have the ability to, you know, create new subgroups or create new projects, but you're not going to do any of that today. You're just going to fork an existing source project, which is the GitLab Security and Compliance project, into this provisioned subgroup. So again, we went through the process of redeeming the invitation code, clicking Provision training environment, and then grabbing our gitlab.com username, which is from our SaaS platform. You can see that there in the main navigation, clicking the avatar icon and grabbing your username, which is everything after the at symbol there. And if you get lost, if you lose your place, you don't have that window up and running again, you could always go through the provisioning steps again to get back to your original group.

Now with what's provisioned for you, it's not going to provision multiple groups every time you redeem the invitation code, so you can rest assured that you'll be able to get back to it just by going through the provisioning process one more time. All right, let me go back to my slides here.

Put that in that field. Once we've redeemed the invitation code, click Provision training environment. Let me get to that page. And we're able to click that blue My group button, and we get to a page that looks something like this: My Test Group, with a unique identifier at the end of it. And if you find yourself at a 404 page, you might be in that situation.

All right, just going to take a brief moment here to get a pace check with everyone on today's workshop. Give me a thumbs up if everybody's gone through at least the provisioning steps, getting your subgroup provisioned on gitlab.com. If you give me a thumbs up in the chat, I'll be able to know that some folks are riding along just fine.

All right, I see a few thumbs up. Looks like everything's going well, and don't worry, you'll still have time to get set up as we go along. I'm just gonna be going through some brief introductory slides on shifting left, and again, as I mentioned, you'll have, you know, until October 1st at midnight UTC to have full access to your sandbox environment as well. So thanks for the confirmation there. I'll go ahead and move forward.

So next up, we want to go ahead and go to the source project. The source project to fork, I'm going to put it here in the chat, is the source project that you'll want to go ahead and fork into your sandbox environment.

So to do that, we're going to open up that link that I placed in the chat in a window and go ahead and click that Fork button to create a new fork, and then what I'm going to do, I'm actually going to rename this to Workshop Project. I like to do that because it helps indicate to me that we're working in this specific project, doing the hands-on exercises, and not looking at the source project, where we're referring to the issues.

The issues, when we fork a project, are not copied over, and so you want to make sure that we're only referencing our Workshop Project for the actual hands-on portion and actually working with editing the files there. Selecting your namespace: if you don't have many namespaces, you should see that pretty easily there. If you're part of a lot of different organizations, if you're part of your organization on gitlab.com and different subgroups, you may see a lot more there.

Fork project. It'll take a minute here to fork the project, and you should get redirected to the workshop project that you forked within your sandbox subgroup. I'm going to go ahead and just back up a little bit here, go back to the source project and just make sure I have this handy here. You can see that I actually have a few different windows here side by side, and this is a recommended kind of setup if you have multiple screens or multiple desktops or multiple windows or monitors.

Rather, you could have these on multiple monitors, but we're going to be referencing the issues from the source GitLab Security and Compliance project in one window. So you can go to the main navigation, Plan, and Issues, and then you have these ready to click through on one side, or one monitor, one window, and on the right-hand side you could have the provisioned subgroup, the sandbox environment, and your Workshop Project there on the other side. So this is actually the right-hand side for me; it is where I'll be editing the files and doing all of that work, and then the left-hand side is where I will be, you know, working through the workshop instructions. I see a question here: what do you click to fork the project? On the source project here, you're going to go ahead and go to this link that is placed in the chat, and then once you're on that homepage of that source project, you're going to click that Forks button on the upper right-hand corner of that source project to create the new fork, and then you're going to rename the project to make it a little bit easier to identify. You can call it Workshop Project and then select the namespace, which should correspond to your provisioned subgroup on gitlab.com.

If you have any questions or issues getting set up, you can always ask Steve or Rasheed as we go on with the rest of the workshop material. I'm going to go ahead and go back to the source project, GitLab Security and Compliance, go to main navigation, Plan, then Issues, and I can also link this here too. You can open up the issues directly from that link and place that in a separate screen or window within your workstation and have that ready to kind of work through for the hands-on portion. And again, this right-hand side here is our Workshop Project, where we've actively forked that project, the source project, into our sandbox environment, and then now we're actually going to remove the fork relationship. So in this Workshop Project, it's important not just to fork it, but also to remove the fork relationship so that the merge request stays within this project and everything, all the activity, stays within this project. So we're going to go to Settings.

I'm going to go to the settings of the workshop project here, General. I'll place instructions on how to remove the fork relationship in the chat as well, if you don't have the lab setup instructions up and running. You're going to go down to the Advanced section of the General settings of the workshop project, and then find Remove fork relationship and click the red Remove fork relationship button. You're going to type the project slug to proceed and confirm that removing the fork relationship is fine, and hit Confirm. It should say the fork relationship has been removed, and you should be ready to rock for the hands-on portion of today's workshop. So again, what we just did:

We were able to fork the source project, GitLab Security and Compliance, into our sandbox environment and then remove that fork relationship from that forked project so that we can continue working to have everything isolated within our sandbox project here. I'm gonna go back to the slides here, and just the visual representation of why I walked you through live, making sure that we're forking the project and keeping those windows side by side.

If you're just working on a single monitor, or if you have multiple monitors, you could put them on two different windows. Nothing's dependent on the project name, so you're fine if you kept it with the same name as the source project. I just like to rename it so that I know I'm looking at my sandbox project when I'm working within that project for editing the files. But if you kept the same name, then you're all good.

All right. Let's take another minute to pause. Let me get a thumbs up or just affirmation that everyone's keeping along just fine in the chat. Let me know that everybody's going along with the lab setup just okay, and I'll start talking about shifting left as it relates to GitLab, and we'll get hands-on in just a few minutes.

So let's talk about shifting left. So we'll first take advantage of how GitLab enables us to shift left and capture security mistakes right at the merge request instead of months later, when it's spotted by a security scan that might happen on a production environment or just randomly assigned to our default branch whenever we get the chance to. So what we're going to be doing is reviewing the code that enables security scans by shifting left, by introducing the security scans directly into our GitLab pipeline and creating a merge request to bring it directly into the default branch, into main.

So shifting left, as I mentioned, is a fundamental DevOps practice and helps discover those issues with code much earlier on in the value delivery stream, rather than finding those problems much later on, when it can be harder and more costly to correct, especially when it's ready to deploy to production, and you might have to go through this fire drill, you know, late-night, on-call procedure to, you know, work on that code during a live incident. So shifting left can often take, you know, much of the unnecessary and also often stressful heroics away, and I'm sure many of you can relate to this and have probably heard of this term. We're already familiar with it, but it's good to kind of set that baseline for everyone on today's workshop. So the shifting left movement was heavily driven by Log4j and the SolarWinds events, and security is becoming much more of a risk.

This is just a snapshot of a survey that GitLab had run, our GitLab DevSecOps survey back in 2022, where 57% of security team members said that their organizations have either shifted security left or are planning to that year, and then 43% of the respondents thought they were somewhat or very unprepared for the future. So I'm really glad that you all have joined us today to really get more familiar with and hands-on with the security and compliance features within GitLab. If you're already an Ultimate customer, this will kind of get you more prepared to take advantage of those features, and if you're not an Ultimate customer, we do have some of these features already available in Premium, with enabling SAST scanning, secret detection, for example, but the vulnerability management capabilities are more of our Ultimate-level functionality. But you'll get more familiar with it today because you do have that Ultimate-level subscription applied to your sandbox group. These are just some of the examples of where the security scanning is happening.

So what does that mean within the developer workflow, you know, adding those security tests and shifting security left? So we've got the GitLab flow as a diagram here. We've got the default or master branch in this case on the bottom line here, and then on that top line is the feature branch, and so what we mean by shifting left is we're moving security testing as close as possible to the developer and where they're doing their work, which is ideally on the feature branch. And this is the GitLab flow of, you know, feature branch workflow. You know, essentially there's an issue that's created. We want to propose a change that's happening on our application that the team is working on for a company or organization, and the developer creates that merge request. They're proposing that this branch is going to be merged into the default or master branch, so they're working on a feature branch that introduces all these different changes. They're committing those changes onto that feature branch, and then a CI pipeline runs. The .gitlab-ci.yml file has all these security scans added from the GitLab platform. We're doing security scans, such as SAST scanning, secret detection, container scanning, a DAST scan, and so on, looking at license compliance as well. There could be a review app that's generated to, you know, spin up the application with those proposed changes from the feature branch on that ephemeral environment, and we're able to take a look at what, you know, those changes look like on our live and running application. You know, discussion happens in that merge request.

It's really a great place for you to have that collaboration, not only identifying the security and vulnerability findings that are present on that feature branch and helping mitigate those earlier on before they're actually merged into that default branch. You know, we could actually block a merge based on the security findings if it surpasses a specific vulnerability criticality, you know, it's a critical or high-risk vulnerability. You know, we want to make sure that our security team is properly approving or, you know, has proper oversight over the merge request and can see what those vulnerabilities are: is it a positive or a false positive, and making sure that those are remediated if it is something that is going to impact the application in production, and making sure that the merge is blocked. And then, if all the work is done, we can approve those changes and close the merge request and actually merge that branch into the default branch or the master branch.

You have that continuous deployment, the CD pipeline running, deploying out to production, and we're able to monitor our application within GitLab. So that's really our shift-left strategy when we talk about GitLab: we're able to do all those security scans earlier on in the development process, directly on the feature branch before it's merged into the default branch, and trying to catch those vulnerabilities before it's deployed into production. So that's enough talking about shifting left. I think we're ready to go hands-on. So let's go ahead and start to dig into our hands-on exercise.

So
I'm
going
to
switch
screens
here
and
I've
got
my
workshop
project
here.
On
the
right
hand,
side
and
I've
got
the
workshop
instructions
from
the
source
project
on
the
left
hand
side.
So
I'm
going
to
put
that
here
in
the
chat
in
case
you
don't
have
it
here
already
so
again,
we're
referencing
the
Hands-On
exercises
from
that
link
that
I
just
placed
in
the
chat.
A
We're
going
to
go
ahead
and
click.
The
first
number
one
shifting
left
issue
there
and
we're
going
to
walk
through
these
instructions.
So
this
section
is
going
to
focus
on
shifting
left
as
a
security
practice
and
our
code
changes
will
display
security
results
after
a
commit,
rather
than
months
down,
the
line
when
it's
already
been
merged
in
the
default
Branch.
So
the
first
step
here
is
just
adding
those
security
scans.
So
first
we'll
want
to
make
sure,
on
this
right
hand
screen
or
your.
A
You
know
the
the
window
that
you're
going
to
be
working
on
for
your
Workshop
project,
make
sure
in
the
breadcrumbs
you're
in
your
test
group
and
whatever
you've
named
the
workshop
project
that
you've
worked,
you
may
not
have
renamed
it
and
that's
totally
fine,
again,
I've
renamed
it
to
Workshop
project
because
I
like
to
identify
it
as
a
workshop
project.
But
if
you
didn't
rename
it
that's
totally
fine
just
make
sure
you're
in
you're
my
test
group,
your
sandbox
project,
so
make
sure
you're
on
the
main
page
of
your
Workshop
project.
A
The
users
worked
in
and
then
make
sure
you
have
the
issues
on
another
window
or
screen,
and
you
can
look
at
and
refer
to
so
we're
going
to
go
ahead
and
go
to
build
and
pipeline
editor
within
the
workshop
project.
So
main
navigation
build
pipeline
editor
if
you've
got
a
kind
of
a
wider
view.
You'll
you'll
see
the
main
navigation
already
popped
open,
but
this
is
a
bit
more
narrow
view
for
me.
So
this
is
just
the
pipeline.
Editor
we're
actually
going
to
be
making
active
edits
to
the
gitlab
ciml
file
throughout
today's
Workshop.
A
As
you
can
see
here,
it's
pretty
Bare
Bones
we've
only
got
one
single
stage:
defining
our
pipelines
as
the
build
stage
and
we're
doing
a
build
of
our
application
in
this
build
state
in
this
build
job
within
the
build
stage.
A
So
this
is
the
current
setup
of
our
main
or
default
branch,
and
what
we're
going
to
do
is
going
to
start
to
introduce
security
scanning
we're
not
doing
any
security
scanning
here
today.
So
let's
go
ahead
and
create
a
new
Branch
to
add
these
changes
and
propose
to
add
these
changes
on
the
main
or
default
branch.
A
If
you
need
to
get
back
to
the
pipeline
editor
just
to
review
what
the
the
main
branch
currently
has
just
go
to
the
main
navigation
and
again,
this
is
reference
from
our
issues:
The
Source
source
project,
the
issues
the
first
issue
there.
If
you
need
to
get
to
the
pipeline
editor,
it's
just
the
the
main
navigation,
build
and
then
pipeline
editor
and
that's
to
allow
you
to
take
a
look
at
the
current
configuration
of
the
main
or
default
branch
and
see
that
we
don't
have
any
security
scanning.
A
A
A
We're
well
on
our
way
to
making
those
changes
so
we're
shifting
left
so
once
again
we're
going
to
go
ahead
and
edit
or
look
at
the
the
pipeline
configuration
the
gitlab
dash
ci.aml
file.
So
we're
going
to
go
in
the
main
navigation
of
our
Workshop
project
and
go
into
build.
A
Pipeline
editor
from
the
main
navigation
and
then
from
there
we're
going
to
go
ahead
and
change
the
pipeline
completely,
so
we're
going
to
delete
all
of
the
pipeline
definition.
That's
currently
defined
just
delete
that
out
and
copy
the
snippet
from
our
source.
You
know
issue
in
our
Workshop
instructions
and
we're
going
to
paste
that
in
there
you
should
start
to
see
The
increased
complexity
of
our
pipeline
just
by
pasting
that
in
there
we've
added
quite
a
few
more
stages.
A
In
addition
to
the
build
stage,
you've
got
the
unit
stage,
the
test
stage,
the
feature
stage,
staging
cleanup
and
production,
and
further
on
after
that,
we've
got
an
include
statement
that
includes
several
vendored
in
templates
that
the
gitlab
product
and
the
gitlab
engineering
team
maintains.
So
all
of
these
template
files
are
introducing
the
security
scan
tools
that
we
want
to
use
for
shifting
left
within
this
project,
so
we're
introducing
container
scanning
a
code.
Quality
scan
dependency
scanning
assessed,
scan
tool,
secret
detection
and
SAS
infrastructure
as
code
scanning.
A
So
these
are
all
security
scans
that
we've
been
able
to
basically
enable
within
this
project
in
this
completed
pipeline.
Branch
interval
project,
just
by
adding
these
template
files,
there
isn't
any
configuration,
that's
necessarily
required.
Of
course,
you
can
override
some
of
the
configuration
that
comes
by
default
as
part
of
these
templates
and
I
can
show
you.
Actually.
A
If
you
go
in
this
upper
left-hand
corner
of
the
pipeline
editor,
you
should
start
to
see
I'm
going
to
increase
the
the
font
size
there.
So
you
can
see
it
a
little
bit
better,
but
hopefully
you're
following
along
with
me
within
your
your
own
sandbox
environment.
You
can
click
this
tree
icon
to
see
these
included
template
files
Upstream
from
the
gitlab
project
and
if
you
click
in
any
one
of
these
it'll
open
up
a
new
tab
with
the
contents
of
that
template
file.
A
And it's really, you know, kind of easy to read. It's just the GitLab CI YAML file, written the same way that you would write your own .gitlab-ci.yml file, and it's defining the variables that are set as a default for that specific scan tool, the specific job that's being defined that will be run within your project pipeline, and, you know, some of these things
A
you could actually override, and you'll see that within the snippet that'll be copied over, that can customize the security scan tools based on our desired configuration or desired, you know, use of that specific security scan tool in our pipeline, in our project. I'm going to collapse that file tree icon again and just scroll down a little bit more.
A
So you can see this. So you can see that we've taken the container scanning job that was defined upstream in that template, the container scanning template, and we're overriding some of the things that are defined there. We've got the variables, and then, you know, overwriting some of the variables there, you know, defining some variables that are not already defined there to help customize the container scanning job, as well as our dependency scanning job. And you can imagine if you've got, you know, the SAST scanning configured,
A
you want to override some of the things there, you could do that as well, just by, you know, restating the job name and then, you know, overriding specific things such as the variables, or adding additional tasks that need to happen within that job in order for that job to run appropriately for your specific project. And one of the cool things that it's going to do too: it's going to automatically detect, for example, the projects or frameworks that you're using within your project. So, for example, dependency scanning:
A
you know, if it's like a Node.js project, it's going to know to scan for those Node.js based dependencies that are pulled in as part of a Node.js project, or if you've got a Python project, the dependencies that are pulled in for your Python project as well. So you don't have to configure anything specific to have it detect the type of language or framework that you're using. You're simply including the template, and it's going to automatically detect that for you.
A
So what we're going to do... also, one thing to note too: if you're interested in seeing the fully merged configuration, with the template files, with the existing jobs that you've defined and the stages that you've already defined,
A
you can click that full configuration tab and see how everything is merged together, and you can see it's quite lengthy because it's pulling in all the contents of those template files and just merging in with the custom configuration of your pipeline as well. I'm going to go back to the edit tab and we're actually going to commit these changes to the completed pipeline.
A
I'm going to rename the commit message to make it a little bit easier to understand what I'm doing here, 'shifting left', and then hit commit changes to commit the shift-left strategy into our completed pipeline branch.
A
And then we're going to make sure that we keep the title the same as the commit message. The only thing that we need to change here is uncheck the merge option for 'delete source branch when the merge request is accepted'. That way we maintain that completed pipeline branch or repository. Go ahead and click create merge request.
A
Make sure that before you click create merge request you have already removed the fork relationship. Before doing that, I should be able to find the instructions on removing the fork relationship from our lab setup instructions, and I'll make sure to drop the instructions here as well pretty quickly in the chat.
A
And it looks like there is a question about the snippet: we're copying the snippet directly from that issue there. So you can follow everything that I'm walking through live as referenced from that source project, with all the issues from that source project, and we're looking at the number one, Shifting Left, issue. So hopefully everybody's keeping up, and don't worry if you're falling behind.
A
You can also, you know, just catch up by following these instructions, and then again as a reminder: you'll have full access to the sandbox environment until October 1st at midnight ET. All right, so let's go ahead and create the merge request. Again, make sure you've removed the fork relationship from your target workshop project before creating this merge request.
A
So, great, we've got the merge request for shifting left. It's got a pipeline running; you can click into the pipeline here. We should actually see that in this pipeline, within a merge request, because we've put in all those template files, included the template files from our GitLab project or the GitLab product, we're able to introduce all these security scan tools within the test stage. We've got code quality scanning, container scanning, dependency scanning, infrastructure as code, SAST scanning, secret detection, and all of that scanning as well on the source code.
A
If, for example, this pipeline has not already kicked off... you don't have to go through that again to run the pipeline again; it's just in case this pipeline hasn't already been kicked off from the merge request that was created. And you can also verify that you've got the pipeline running by going into your main navigation of your workshop project within your sandbox environment, going to the Build and Pipelines menu item, and you should be able to see that 'shifting left', or the latest pipeline for shifting left, and if you click that unique identifier for the pipeline, the pipeline ID prefixed by that hash symbol, you should be able to see the contents of that pipeline, what it's actually doing there, and should see all the security scans running there.
A
So that takes us through the first issue of our hands-on workshop exercise. I'm going to go back to the slides here and start continuing on with the next topic. But don't worry again if you're falling behind; just work through these kind of steps and make sure that you've introduced the new snippet, replaced the existing GitLab CI YAML configuration on a new branch, completed-pipeline, and then created that merge request to post that shift-left strategy on our main or default branch.
A
All right, so next up we're going to be talking about the compliance framework, and before I jump into that, let me get another pulse check on everyone. How's my pace going? How are you all keeping up? Give me a thumbs up just to let me know if everything's going okay, and if you're falling behind, you know, just let me know, and, you know, Steve or Rasheed should be able to get you caught up if you've run into any issues.
A
Awesome. Seeing a lot of thumbs up, appreciate that, looking really good. And again, don't worry if you're not all caught up yet. Please, please work with my colleagues here, Steve and Rasheed; they're happy to help you out. You can even provide a link to your project, they can take a look at where things are at right now and help you get caught up if you need to.
A
All right, so in review: with shifting left, we're able to set up security scanning by examining that updated CI/CD pipeline associated with your sandbox project, and then started a merge request by bringing in that new shift-left strategy into the main branch. Again, we're going to leave that pipeline running in the background so it could start to discover those vulnerabilities within the source branch, or that feature branch, the completed-pipeline branch that we're going to be proposing a change into the main branch.
A
The next section here, we're going to implement a compliance framework and the compliance pipelines that are associated with that compliance framework. I'll talk to you a little bit more about what that means and how that works. All right. So now that we've started to define a new pipeline for security tests, we actually decide that we want all the developers to abide by security best practices as well. To do that,
A
that's associated with that compliance framework. When we enable that on our project, we're going to ensure that the right jobs are executed in the right order, and the job that we need to run on every single pipeline is always included, even if the developers haven't included it manually within their pipeline. This will help ensure developers are not going to be able to skip a few steps when they're working on their feature branches and they can remove it just to speed up things.
A
You know, if they need to get something pushed out on a Friday like it is today, so keeping compliance. So the kind of theme of compliance frameworks and compliance pipelines is to keep compliance and create that governance within organizations, I think, having compliance and compliant workflow automation processes.
A
So these compliance features that GitLab has developed enable you to abide by any one of these compliance policies that are listed here on the right, so I'm sure some of these are familiar to you and may vary from region to region. So what GitLab does is it supports what we call these compliance frameworks, essentially a label that you create yourself. You can name it accordingly, based on one of these compliance policies that your organization needs to align to, and when you apply that compliance framework or label to a project,
A
essentially you've identified that project as needing to align to one of these compliance policies that your organization needs to closely follow. And in order to enforce certain things within the pipelines of your projects, a specific, you know, upstream project can contain a pipeline file, basically a definition of how the pipeline should run, of, say, the specific order of stages, specific jobs that need to be included, and that pipeline can be associated to that framework, that label. See, for example, you see a SOC 2.
A
You know, compliance that your organization may need to abide by. If you've got a SOC 2 compliance framework and the compliance pipeline that's associated with the SOC 2 framework, any pipeline or any project that the compliance framework SOC 2 is applied to will need to abide by that pipeline definition that's defined. They can't override any of the variables that are defined there. The specific order can be changed around, the additional stages that may not be included in that downstream pipeline.
A
That's that target project that it's applied to; it can't remove those stages, and it includes those jobs that have been defined as well, and they can't be removed or overwritten. Of course, you're going to be able to customize it and add on to it. Some organizations still want that flexibility to kind of customize that pipeline, and you can do that. That is a recommendation.
A
But if you have, you know, essentially an organization where, you know, maybe you have a SOC 2 and maybe a specific, you know, pipeline in mind for those projects, and you don't want anybody to modify it, you know, you could simply just refer to that compliance pipeline and not necessarily have any customization in that target project. But it's entirely up to you.
A
So in a nutshell, you know, that's a way for you to create that governance and keep compliance within GitLab, and I'll get hands-on to it here shortly, but that's a brief overview of what we mean there. So the benefits, as I mentioned, you know, of GitLab's compliance
A
frameworks, compliance pipelines: they really make sure that the development team is not only following best security practices, but is following the compliance that's required within your pipelines, in your projects. And those compliance features can be applied to many different projects, making it easy to maintain as well, and prevent those developers from, you know, skipping those necessary scans or steps that you need to require as part of your compliance and governance. You can also force external scans as well. You can really do anything with a compliance pipeline.
A
It's just a GitLab CI YAML file, so anything that you define there is essentially run on that target project, the projects that you're applying the compliance framework to. So, enough of that kind of conceptual overview. Let's dive right into, you know, section number two of our hands-on exercise and, you know, see how that works in practice.
A
I'm going to switch to my other screen here. I'm gonna go back into the source project here.
A
Gonna go into main navigation, Plan and Issues, and go to the issue number two, the compliance framework issue. I'll paste it here in the chat too, so you can follow along if you don't have it already, and this is exactly what I'm walking through here. So what we're going to do is create a compliance framework. We're actually not going to create a compliance framework; that's going to be out of scope for today's workshop. We're going to be applying an existing compliance framework
A
that's already been created for us, that will ensure our pipeline runs the correct jobs in the right order. This will ensure our development team won't be able to skip the steps that we've defined upstream in the compliance pipeline that's associated with the compliance framework, and it will make sure that we won't be able to, you know, potentially introduce a vulnerability, and we're ensuring compliance by always including the specified jobs and stages that are defined upstream. So, step one.
A
We want to look at how our framework is defined, so in a new tab we'll navigate here. We'll click this link here; you can right click, open in new tab. I just command-clicked it on my Mac here, and this takes you to this upstream project within the group hierarchy of our sandbox environments, and we have this security compliance CF project and the .compliance-gitlab-ci.yml file, and this is what I mean by the, you know, the compliance pipeline that's created.
A
We've got this compliance job. The stage that it's running in is the .pre stage. That's really basic for today's purposes; it's just an echo to the job log saying 'message from the compliance framework'. You could do any sorts of things here; it's really customizable, it's just a GitLab CI YAML file. The last section here, lines 15 through 18, is mandatory
A
if you want to allow your developers to continue to customize their pipeline based on the project's needs, and this is really, you know, the default configuration. What we recommend all customers do is, you know, still allow that, you know, configuration customization directly at the project level and just define a few things that need to be in compliance in the upstream pipeline. You know, not take too much of a heavy-handed approach, but make sure, you know, certain things can be skipped, the specific stage order,
A
you know, specific jobs that need to always run, for example, and that sort of thing. I'm going to close this out. This is just an example to show you what we're inheriting from the compliance pipeline, that the framework is inheriting from. All right, so that was just step one; we're just getting a clear understanding of what we're applying to our target sandbox project. Step two is actually applying the framework, so we're going to go to our workshop project here and then we're just going to go to... sorry about the zoom here.
A
I don't know why it keeps defaulting to such a small text size. We're gonna go to the workshop project, the sandbox project, settings, so main navigation, Settings and then General.
A
That'll apply that compliance framework directly to our workshop project. If we go back to our workshop project repository homepage, you should start to see the compliance framework applied through the label directly at the project header: 'security and compliance workshop'.
A
If you don't see the compliance framework, make sure you're in your workshop project within the test group. If you forked the project to your personal namespace, if you don't see in the breadcrumbs that your workshop project is within your 'my test' group, you might have to go to the beginning and make sure that you're forking the source project to your sandbox project or sandbox group.
A
That was a part of the lab setup instructions for getting your sandbox group provisioned; make sure you do that there. And yeah, the compliance framework is inherited from that group hierarchy of our sandbox group that was provisioned for you.
A
So, if you're not seeing that compliance framework, make sure that you go through that process of forking the workshop project into that sandbox group, and then, you know, going through the initial steps of shifting left and then getting to this second issue. If you've fallen behind, don't worry about it; you have full access to get through everything at your own pace after today's workshop, and please work with Steve and Rasheed on any issues that you're running into in the meantime if you're trying to catch up. All right, so again, as I mentioned, 'security compliance workshop' is applied to the workshop project.
A
That means the compliance framework is applied here, and if we run another pipeline, I should be able to see that the new job in the .pre stage is going to be applied to, you know, another pipeline that gets kicked off for this project. So we can actually do that here. Go to Build, Pipelines.
A
I'm going to zoom out again. You can hit this blue 'Run pipeline' button. This is separate from these instructions here; I'm just wanting to show you this as an example. We can run a pipeline on the main branch; it doesn't matter if it actually has the shift-left strategy or not. You can run it on the main branch, and we can see that the main branch didn't have our shift-left strategy
A
yet; we haven't merged that completed-pipeline yet into the main branch, and it still included the .pre stage and the compliance job that was required, only because we've applied the compliance framework through the project settings. So you can imagine, you know, those of you who have that level of permission to apply the compliance framework, you can see kind of the power that it has to create governance within your organization's projects.
A
All right, so that's really it. We just wanted to show you how to apply a pre-existing compliance framework that has a compliance pipeline associated with the compliance framework. It has the pipeline associated with it, and when you apply that compliance framework from the project settings level, you'll see that label there at the project home page, and then, when you run another pipeline after the compliance framework is applied, you'll be able to see the impact, the governance that you've created there. All right.
A
And again, if you haven't seen the compliance framework in your settings, you'll probably need to fork your project to the sandbox group that would be provisioned for you. On our SaaS platform, we've got the lab setup instructions. You want to make sure that you're following the lab setup instructions accordingly, and again, if you're just joining in a little bit later, don't worry if you're falling behind. Gonna get a thumbs up if everybody's following along okay, and just affirmation everything's going along well.
A
Boom, all right. We're about an hour in; feel like we've gone through a lot of content here, but we're going to be in this next section where we're going to be talking about parsing results, actually taking a look at the results of our security scans that happen in the merge request as part of our strategy of shifting left. And this is a recap: you know, you've been able to extend that CI/CD configuration with the compliance framework and compliance pipeline
A
that's associated with the compliance framework, apply that to our project, and it was pretty simple, pretty straightforward. We didn't have to do too much work to do that, which would ensure that the relevant guardrails are set up for a development team. All right.
A
So if you can remember back on that first hands-on exercise, you created that merge request. We started that shift-left strategy that should have executed the new and improved CI/CD pipeline, with the security scans introduced, into our merge request, and on scanning the changes that are being made on that feature branch.
A
So now it's time to take a deeper look at the results from the scans, and then one thing that we also want to think about, and we'll be getting our hands on with as part of this third section, is: let's create some policies to make sure that we prevent security breaches in the future. So, for example, you know, we want to make sure that any critical vulnerability is detected by secret detection,
A
any secrets that have been applied to our project are properly detected and we block the merge, and that we make sure we communicate to our development team that those secrets need to be revoked, removed from the source code, and then we rotate the secrets on our end as well. All right. So this is the recap of the scanners that we implemented. We implemented the SAST scanner, the static application security testing, which analyzes the source code for any known vulnerabilities that are included as part of the development. We've got DAST scanning.
A
We didn't actually introduce this yet, but this is something that you will be able to set up as a kind of proof of concept. We're not going to actually have it actively running against our application today, but as an on-demand scan that you can run on demand or on a schedule against a live running application that you could set up on your own, which analyzes the running app... oops, analyzes the running application for known vulnerabilities
A
by seeking to hack into your application. Then we've got container scanning, which scans Docker images, artifacts, for known vulnerabilities in the application container as well as any base images. Then we've got dependency scanning, which scans the project dependencies for known vulnerabilities in open source components. As I mentioned, it's going to understand the language or framework that you're running in and use the appropriate dependency scan tool analyzer to look at those specific dependencies that your project's pulling in. Got license scanning,
A
the, you know, license compliance policy, and setting one up to make sure that we're not in violation of a specific license that we don't want to include as part of our project in the future. And then finally, secret detection. I already described that, but I'll go over it again. It really just scans for secrets that are checked into your source code. We have a default rule set that scans for a variety of secrets.
A
But if you have specific secrets that are, you need to say, your own application, and you've got a pattern that you want to catch, you could always add on to the existing rule set and scan for a specific pattern signature unique to your own application. But it's always... it's going to scan for things that are kind of common across our industry.
A
You know, AWS secrets, you know, so on and so forth, so GitLab secrets as well, and it actually will automatically revoke any GitLab tokens that are found as well, so kind of a nice feature if you're utilizing that within your shift-left strategy.
A
And this is just a brief description of, you know, what those scanners are doing in the stages of your development process. So at the commit level you're able to already start to implement the infrastructure as code scanning, scanning the source code for your infrastructure as code, making sure there's no vulnerabilities introduced there; the SAST scanning, secret detection, license scanning, dependency scanning and fuzz testing, which I didn't go over, but those are all things that happen at the commit level. And at the build, you know, stage,
A
you know, we're able to look at the build, you know, container images that you're building, and looking at the dependencies that are pulled in, seeing if there's any vulnerabilities that are part of the composition of the containers that you're building. Then you've got your test kind of stage.
A
You know, perhaps on a target environment where you're deploying those changes to, whether it's an ephemeral environment or a long-lived environment, be able to run things like the API security tests, the DAST scan tool, and even with the deploy stage, if you've actually actively deployed those changes to, say, like a Kubernetes cluster, we've got operational container scanning that looks at, you know, essentially through our GitLab agent that you can deploy on the Kubernetes cluster.
A
Again, as I mentioned, we'll be talking about policies and getting hands-on with creating those policies. Specifically, the scan result policies, which basically is a dynamic merge request approval rule to take action based on scan results. So say, for example, we're going to be creating a scan result policy to create a merge request approval on the findings of our secret detection scan tool.
A
We're also going to take a look at the scan license compliance policy, which is essentially created through the scan result policies feature as well, to make sure that we're preventing a specific license type, the MIT license, from being introduced in our project, and if it's being introduced in our project, we're also making sure that a specific team member has oversight and provides approval, if they can apply, you know, communicate to the team that those dependencies, those specific open source components, need to be removed
A
before that merge can happen. Scan execution policy: I won't actually be walking you through that hands-on today, but just as an overview for you all, a scan execution policy will make sure that you can require certain security scans are run on your project on every single pipeline or on a specific schedule. So it's a great way to enforce things, similar to our compliance framework, compliance pipeline, more specific to the security scans specifically, and also on a specific schedule, which is unique to the scan execution policy.
A
All right, I think we're a little bit past an hour. How's everybody doing? I think I'm certainly probably in need of just a little bit of a break, but is everybody okay with taking a quick break here? We'll probably take a seven-minute break before we continue on. All right, sounds good, and if you don't want to take a break, you can use this time to catch up.
A
I'll paste in the instructions for getting your lab environment set up, and, you know, working through some of our instructions, and yeah, we'll see you here in about seven minutes. We'll take a seven-minute break.
A
Welcome back, everybody. Hopefully all of you were able to take a quick break from today's workshop, and I'm excited to get back in with all of you for our hands-on section here. All right, so what we're going to do is we're just going to go back to our workshop instructions and we're going to go to the third exercise, called Parsing the Results.
A
And then I'm going to go ahead and just make sure I'm in my workshop project on the right-hand screen here. So if it's all good, so what we're going to do is take a look at the results of our pipeline that ran as a result of the merge request, and we're going to actually merge that code to generate some security reports that happen at the project level, where you might be doing a lot of your vulnerability management on, you know, live vulnerabilities that are active on the default branch.
A
It could be already in production. All right. So after we've implemented our shift-left strategy, we're going to see how the security results are included throughout each step of the deployment cycle. So first, kind of earlier on in that GitLab flow, we've basically created that feature branch, created our merge request, and now we're going to go ahead and see the results of these vulnerability findings as a result of the shift-left strategy. So we're going to go to main navigation in our workshop project, and go to Code, Merge requests.
A
Click that first merge request that you opened up; mine's called 'shifting left', it's whatever you've named the commit message, or if you renamed it appropriately. And expand this window here so we can see the pipeline passed. So that means all of our vulnerability scan tools have run successfully on the source branch, the feature branch completed-pipeline, and we've got some results to take a look into. So let's dive right into it.
A
Eight licenses for the source branch completed-pipeline: we've got the Apache License, MIT license, so on and so forth, and right now there isn't any policy that matches any license yet. We're going to be creating a scan result policy that implements a license compliance policy saying we don't want a specific open source license to be included in our project. We're going to have that automatically detected as part of our license scan tool and automatically block the merge if there's, you know, a specific license that's found that's out of compliance.
A
This is exactly, you know, what we're able to see right now. We can actually see the license that's being used, the packages that are using that license. You click into that, we could see that, for example, the Apache license is used by the packaging and importlib-metadata packages, or components, as part of our project.
A
Let's go ahead and go back here to the merge request, continue on in the merge request widget. So everything happens in the context of making this change within our feature branch. Whatever the developer is working on, those commits that they're making, it's going to run another pipeline as time goes on, and it's going to update these merge request widgets based on the latest pipeline.
A
Next we've got code quality. You can see some of the findings there based on the code quality scan that ran against our source branch; it returned 17 findings. And then we've got the security scanning widget: we've got at least 50 new potential vulnerabilities, 25 critical, three high, 22 others. What are those? We click that down arrow and we got this hint to enable security training; we'll get into that a little bit later in another hands-on section here. But we've got the SAST,
A
you know, scan tool, the vulnerability findings from the SAST scan tool. We've got lots of critical findings. We've got 'S3 buckets should not be readable to all users', for example. If we click that vulnerability finding, we could see the project, obviously, that it's in, this project here, the file within our project, so a specific line in the file that it's been detected in. If you click in that, it opens up a new tab and shows us that file within our project on that source branch.
A
That indicates that potentially critical vulnerability that was introduced from the source branch. We've got the identifiers. Typically that's going to be something that, you know, is coming from documentation, say from our partners, say AWS, for example, that indicates the different configurations of, let's say, infrastructure as code, and, you know, what the implications might be for that vulnerability. And that's the SAST scan tool, obviously, and we've got options here as well.
A
If we want to collaborate with the team, add a comment, for example: maybe this is a false positive. You know, obviously it's not, but let's just say it is, say it's a false positive, not applicable to our implementation, maybe based on how it's deployed or how we've configured it, or that sort of thing.
A
You can always add a comment, dismiss directly from that view of the vulnerability finding, straight from the widget on our merge request. We're not doing a lot of context switching; everything's happening within the context of our merge request. Right, going on here, we see secret detection didn't find any secrets in this specific source branch. Dependency scanning also did not find anything. SAST scanning did. All right. Well, I think that's enough kind of overview here.
A
A
You've
also
got
links
to
different
cdes,
for
example,
on
some
of
these
vulnerabilities,
where
it
really
explains
in
more
detail
what
the
vulnerability
is
and
how
that
can
impact
your
project
in
your
organization.
You
can
also
have
a
link
to
create
an
issue.
If
you
want
to
create
an
issue
directly
in
the
gitlab
project,
you
can
utilize
jira
as
your
kind
of
issue
management
system
for
project
portfolio
management.
You
can
do
that
too.
You
can
connect
your
to
your
project
and
create
the
issue
directly
in
here
from
from
git
love
as
well.
A
So just a couple of examples there on the workflow directly from the merge request, all right. So what we're gonna do, let's just say we're feeling risky here, is just, we don't really mind that these vulnerabilities are being introduced in our main or default branch, but for today's purposes, we're just going to be showing you how that works when we actually still have active vulnerabilities on the main or default branch. Let's go ahead and just merge this shift left strategy, introducing the security scan tools, but also these vulnerabilities, right.

A
We haven't remediated anything yet, but we're just going to merge this into our default branch. So you just click that blue Merge button from the merge request. So it says it's merged, pipeline is going to be pending. It's going to get picked up here soon. We can go ahead and go to the main navigation of our workshop project. We go to Build and Pipelines, and we should see this recently kicked off pipeline. It should be running by now, might take a little bit of time for our runners to start getting.

A
It picked up, we'll see that merge branch completed pipeline into main, so what this is going to do, let's click the wrong link. There, we're going to click the pipeline ID, the new identifier for that merge into main pipeline. We're going to see, obviously, we've got the .pre stage and the compliance job, because we will apply the compliance framework, so that's always applying that governance on every single pipeline that runs thereafter. We also have the security scan tools that are running, obviously, as part of our shift left strategy.

A
That was the main change that we introduced there into the main or default branch. So we've got all those security scan tools running. So all the results of those security scan tools should actually create now vulnerabilities that are active on our default branch, so we'll be able to see all of those vulnerabilities when we go back into the workshop project here, main navigation, Secure and Vulnerability report. That will actually start to be populated here, and this is where you do your vulnerability management process for, you know, active vulnerabilities that are on that default branch.
A
Anything that's listed as critical, high here, medium, low, you'll see these numbers start to increase or decrease over time, depending on what's being introduced or remediated and scanned on the default branch of your project. Right now, it's not going to have any results, because that pipeline is still running, but once that pipeline completes we'll be able to see all of those results populated here.

A
Another thing to highlight, as we're waiting for that pipeline to complete, is the workshop project from the main navigation, Secure and Security dashboard.

A
We've got a daily overview of the count of vulnerabilities over time that are on the default branch, and so, you know, as the team is actively remediating those vulnerabilities on a daily basis, this graph will kind of update. So, as you can see on the workshop instructions, the security dashboard vulnerability count will update daily at 1:15 UTC. So right now we're doing the workshop live. We're not going to see this refresh until overnight tonight, or depending on where you are in the world.

A
You know, kind of, lines go down over time, depending on how active your team is in kind of remediating those active vulnerabilities that are on your default branch, and again that's not going to update live, it's going to update on a daily basis at that specified time, at 1:15 UTC.

A
We've also got a link to the video demonstration from the instructions there. If you can't click that live example, I'll try to find another live example and share that with you all in the follow-up email that'll come after today's call, but the video has a much better example to share, all right.
A
You know, there were actually a few different views of, good, let's take a look at the vulnerabilities. I showed you the merge request view, you can also look at the actual pipeline view and find the Security tab. So there's a way to look at all the vulnerabilities in kind of like one single view. This is from the pipeline view. This is not part of the workshop instructions, I'm just waiting for the pipeline to complete, but I wanted to show you something in the meantime.

A
It is the Security tab from a pipeline graph. You can look at the Security tab and see all the security vulnerabilities and start to filter out, you know, the vulnerabilities based on a specific scan tool, all the critical vulnerabilities, so it gives you kind of like that more rich kind of view of seeing the vulnerabilities that were active on the, or that were discovered on that branch where the pipeline ran against, and you kind of see also a number of vulnerabilities based on each scan and that sort of thing.

A
But it's not necessarily the vulnerability report, which will only be populated and showing up vulnerabilities that are actually active on the default branch based on the latest pipeline that ran on the default branch.

A
All right, cool, so it looks like the vulnerability report populated for me. That means that the pipeline had completed for the main branch. If you go to the main navigation, Build and Pipelines, I should have been able to see that that merge pipeline had completed, it passed. So that means you've got the active vulnerabilities now discovered on the main branch.
A
Let me go into that Secure, Vulnerability report, we'll see all the active vulnerabilities there, and one cool thing, and I want to mention this, because this is something that I've spoken to customers about in the past, is, you know, how do you do kind of like a bulk select of vulnerabilities and update the status? This is something that wasn't available until just recently in GitLab 16.4.

A
So if you're not on GitLab 16.4, you're a self-managed customer, you want to take advantage of this functionality, make sure you get up to date with 16.4.

A
Add a comment there and then change the status quite easily, instead of, you know, doing it one by one. So that's kind of a neat feature that should make it a lot easier, make it a little bit more efficient when doing your vulnerability management, if the need comes to do some of that bulk action that might be required. Maybe it's, you know, filtering out by the specific severity of like low, and, you know, looking at those vulnerabilities, and if a lot of those low vulnerabilities are not applicable.

A
For example, you can do like a bulk false positive or dismiss those vulnerabilities directly. All right, let's see here, okay, so that's just a brief overview of the vulnerability report. You've got other kind of methods here to filter the vulnerability report based on, you know, how you want to slice and dice the vulnerability findings, active vulnerabilities on your default branch, based on the severity, the tool that found that vulnerability, so on and so forth, and even the status, right, if it still needs triage.

A
If it's been confirmed, resolved and that sort of thing, and the dismissal reason, right. Okay, so there's still a lot of vulnerabilities in our project, and we want to prevent some of these things from happening in the future, right. So we want to set up a new policy to run on all feature merge requests. So for our use case in today's hands-on workshop, you know, leaked tokens are really easy mistakes that can lead to massive problems, so we'll create a quick scan result policy to stop that.
A
And then, Policies menu item, we're going to click the blue New policy button, and under Scan result policy we're going to click Select policy there, so we're creating a new scan result policy in our workshop project. We're going to name this new scan result policy "Secret detection approval policy", make it easy to understand what we're doing here.

A
So you can see how kind of flexible this can be. If you want to create a rule based on any critical finding on any security scan tool that we support, or you can make it specific to a unique security scan tool that we support. So here we're just going to make sure it's targeting the secret detection scan tool that we provide, and we're going to change from all protected branches to the default branch, and we're going to make sure it says no exceptions here.

A
This is useful if you have some type of exception, based on the branch that you're working on, that you don't necessarily want this rule applied. In our case, we don't want to add any exceptions. We wanted to just apply to the default branch and not have an exception there. Am I going to find any vulnerabilities? Keep that selected as "any", and the severity is all severity levels. So we don't care what severity level it is, if it's a secret that's being detected by a secret detection tool and it's any severity level.

A
It's going to start to trigger this dynamic merge request approval, or the scan result policy, and the status is "new" and all vulnerability states. You can do this for previously existing as well, if you know you want to make sure that you're catching any secrets already committed to your project that have been identified, and you want to still block that merge, so that might be desirable for you, but for our purposes, it's "new" and all vulnerability states.

A
Finally, under Actions, this is where we can choose the specific team members that are responsible for approving, and, you know, having proper oversight on the merge request approval for secrets that are detected, so we're going to choose an individual user in our case. You can also assign groups. So if you have a group architecture where you have maybe like a security team assigned to a specific subgroup in your group architecture or group hierarchy, you could assign the security team as this approval group instead of an individual user.
A
So that's kind of a nice feature you can leverage as well. We're just going to utilize my colleague Logan as the individual team member to approve, so just start typing in his username. It's present there in the hands-on instructions, and make sure he's assigned as the approver for this policy, all right. So that's it for the configuration of the secret detection approval policy. We'll go ahead and Configure with a merge request.

A
So what this does, it's actually going to set up a new project in our group hierarchy called the "workshop project security policy project". So it's going to live alongside our workshop project and it's going to hold our scan result policies and scan execution policies as code in this project, so you're going to make sure you're merging this. You're not actually editing code, you're just using the UI to generate that code that gets created in this security policy project, so that's merged. You can use the breadcrumbs to take a look at what it's done there.

A
So it's created that .gitlab/security-policies directory. It's got a policy.yaml and it's got the policy that we created, the secret detection approval policy. I'm going to go back, make sure I'm going to my test group subgroup, the sandbox subgroup that was provisioned for you, and go back to our workshop project.

A
So if we're going to create another merge request adding another token, we should start to see this scan result policy taking effect, all right. So we're actually going to simulate that now. So we're on step four here of the issue number three, "Parsing the results", in our source hands-on exercise project, so we're going to copy that, we're going to go to the Web IDE, so make sure you're

A
in your repository view of the workshop project, and we're going to go ahead and edit the workshop project source code. You can use that Edit drop down menu, click Web IDE to start editing the files within that project. We're going to go into the run.py file and we're going to paste, after the first two lines, the simulated AWS secret or access key. We're going to go ahead and use that, we're in the Web IDE.

A
If you're not familiar with the Web IDE, you've got the kind of repository view, the files view, and then you edit the run.py file, adding this simulated secret here, and we're going to go to that Source control button and then we're going to create a new branch.
A
Right, so we've got a new merge request based on that recent change to simulate the secret being added to our run.py file. We're going to make sure that "Delete source branch" is unchecked, so we maintain that feature branch that was created, and just Create merge request. So we're going to have that pipeline running. So we've already made that shift left strategy on the default branch and we should hopefully get the results of the secret detection tool and see that it identified that the secret was added. Right now,

A
it says that it requires one approval from the secret detection approval policy. So that's great. It looks like our scan result policy is now applied to our project for future merge requests, and based on the results of the pipeline that's running, and then define, if it finds a secret, we're going to be blocking the merge. So right now it's by default blocking the merge, but if it didn't find a secret it'll unblock the merge and just make the approval optional.

A
But if it does find a secret, and it will find that once this pipeline completes, then we'll be able to block the merge, and Logan's going to need to make the proper approval before it can be merged, all right. So that takes us through issue number three in our workshop hands-on, "Parsing the results". I'm going to switch back to the slides here.

A
We've got about a little bit less than 25 minutes left, so we should be able to take us through this specific section and our hands-on with this section, and we'll see how far we get before we get to the following section, which is going to wrap us up with on-demand scans, audit events and more. So this next section we're going to be talking about the software bill of materials.
A
So with so many high-level hacks appearing in many headlines, you know, most governments have started to require organizations to produce a software bill of materials, so we decided in Tanuki Racing's best interest to have these reports ready to go, so we can quickly check if we're affected by the next breach or piece of software that's impacting our project. So this is heavily influenced by the SolarWinds fallout. This is kind of a brief overview of what that has.

A
You know, in 2020 we saw that major breach when hackers compromised the SolarWinds product Orion, and so the results of that hack led to the Biden administration here in the United States requiring any software companies working with federal agencies to provide that software bill of materials from the end of 2021 onwards.

A
So I'm going to kind of walk you through in the hands-on exercise where to get access to the software bill of materials, how to download that to your local machine, what format that's in. Essentially, the format that the software bill of materials that you're downloading is in is the CycloneDX format.

A
So that's a popular format that's used to report an SBOM in a machine-readable or JSON format, and it was created by the Open Worldwide Application Security Project, the OWASP organization. So that's really become the adopted standard for the software bill of materials. We'll also review the software dependency list. So before downloading it, you can see all of the dependencies that were discovered as part of the project and the dependency scanning that ran against the default branch, and discover which dependencies relate to known vulnerabilities.

A
Let me go back to my source project, Plan and Issues. Click on that number four, "Software bill of materials reports and license compliance", all right. So we're going to take a look at the software bill of materials report that our scanners have created, as well as see the various licenses that our scanners have detected, all right. So, let's review and download the software bill of materials report. So on our workshop project, I'm going to go to the main navigation here and go to Secure and Dependency list.
A
We've got all these different components, dependencies, and if we click the down arrow here, we can actually see the associated vulnerabilities right next to that specified component or dependency. Makes it really easy to see, you know, how we're vulnerable, what component is making us vulnerable and the specific vulnerabilities that were detected, and we're using this, your potentially outdated version of Pro. Click into this vulnerability, you've got the vulnerability page that gives you more details similar to what you were able to see in the widget view on the merge request.

A
It has links to different CVEs and you can create an issue from here or add any existing issue, if there's something else that, you know, the team is already working on to start to remediate this vulnerability. You can update the status from here, confirm that it's a true positive, we'll fix it. You know, change the status and then, you know, that'll help in the vulnerability management process from the vulnerability report as well.

A
So that's just, you know, an example of looking at the dependency list and starting to see the vulnerabilities that are associated based on the components that were identified based on dependency scanning in your project. Let's say we want to download the software bill of materials. We want to download that using the Export button.

A
You click that blue, or that Export button in the upper right hand corner of the dependency list and we'll download that JSON file that's in the CycloneDX format. It will download it to your local machine and then you can manipulate it however you want to, or share that with your auditors as needed.

A
I provided just an example, a command line tool using the jq command to kind of pretty print the, you know, contents of that file, if you wish to review it on the command line. I'm not going to go through that live. We've got a lot more to cover here, so just wanted to show you how to go through that dependency list, see those associated vulnerabilities, as well as how to download that software bill of materials that's in that CycloneDX format.
A
Next up, for license compliance, we're going to see all the licenses that are included as part of our project that's been scanned, that's been identified based on this latest scan on our default branch. So you've got all these different licenses, the specific projects or components that are included as part of our project that relate to those specific licenses. So, let's just say, for example, we don't, our legal team, based on our, you know, compliance needs, we can't allow the MIT license.

A
So let's go ahead and create a scan result policy to prevent that from happening on future merge requests, so go to the main navigation, Policies, and create a new policy. Go to the scan result

A
policy section, select that policy, and we're going to create this license compliance policy from this form here, so we're going to use "Deny MIT license" as the name of the new scan result policy that we're creating in our workshop project. Make sure it's enabled. In the rules we're going to make sure it's the license scan in an open merge request targeting all protected branches. You don't care, you know, what branch it's targeting, if that's a protected branch you can't allow the MIT license. I'm not going to allow any exceptions.

A
Again, we don't care which branch it is; if there is a specific branch that is exempt from this rule, you can do that. The status is all license statuses, if it's a newly detected license that's just introduced on a new change, or a pre-existing license that we've already detected from the past. You don't want to run the risk of introducing this on future changes anymore.

A
The license is matching, we're going to use the autocomplete here just to type in MIT and just choose the MIT license there in the drop down. We're going to require one approval, similar to before, the individual user Logan Stucker. He's my colleague here on the demo engineering team that helped create these workshop materials for you all, and then you should be able to Configure with a merge request that's going into our workshop project security policy project. Again, that was created alongside the workshop project in our group hierarchy.

A
We're going to merge that to make sure that the policy is going to be applied on feature merge requests. We'll go back in our breadcrumb to the subgroup, go back to our workshop project, and we should be able to see, if we go into the main navigation, Secure and License compliance page, zoom out a little bit, that we are in violation of our license compliance policy now for the MIT license. So these components should be removed on future iterations to our project, or if any new changes introduce
A
another component dependency that has the MIT license, it will be added to this list and the merge will be blocked until that component or dependency is removed, all right. So that takes us through our fourth exercise here in our hands-on portion for software bill of materials reports and license compliance.

A
All right, we've accomplished a whole lot here. We've got about 15 minutes left, and in this next section here, our last hands-on section, we'll give you some insight on how to utilize on-demand scans, audit events and enable security education within your project.

A
All right, so now that you've secured your application through the use of compliance frameworks, scan result policies, and, you know, the license compliance policies, it's time to make sure we can always double check our work, especially in worst case scenarios, maybe by scanning, you know, an active environment

A
you know, that has potentially some, you know, issues or vulnerabilities that can only be detected through like a DAST scan. We'll go over some of the tools that GitLab provides to help in some of those situations, as well as some additional security minded tools. So first off is the security education tools. We partnered with some vendors to provide you with security training right within the GitLab application, and training is offered for any vulnerability

A
that's linked to you directly within that vulnerability report and helps educate your developers on how to mitigate that issue with some kind of guided steps or, you know, examples that they can walk through to better understand what the vulnerability is and how to mitigate that within their source code, for example, all right. Well, let's go back into the hands-on exercise. I'll show you that feature, how to enable that for your project, as well as how to create the on-demand scans to actively scan, maybe on a schedule, perhaps a long-lived environment like your staging environment

A
for, you know, any vulnerabilities that our DAST scanner can detect.
A
We're just going to show you how it's set up within the GitLab user interface, so on our workshop project, we're going to go to the main navigation, Secure, On-demand scans, we're going to click New scan and we're going to call this "DAST scan". I'm going to leave the description blank, we're going to leave it at the scan

A
results will be associated with the selected branch of main, but you may have, for example, if you're doing this scan on, say, like a long-lived environment, your staging environment, and you have a long-lived branch that's always being deployed to that environment, you can associate it with that branch as well. But if you've got an environment that basically represents what's actively live and deployed to your production environment, you can associate it with your main or default branch.

A
We've got runner tags as well to specify the runners that would process the scan, so you may have a GitLab runner that is uniquely positioned to have access to that staging environment. So you may have a runner tag associated with that runner that can get access to run that DAST scan. The DAST configuration, we're actually going to select the scanner profile, click that button there and click the new scanner profile, and we're going to call it just the "staging profile".

A
You can configure the scan mode for that profile, it can be an active scan or a passive scan, we'll just leave it as the passive scan. Depending on how you wanted to approach, you know, looking for vulnerabilities using our DAST scan tool, you can have all these other configuration items such as the spider timeout, target timeout, turning on the AJAX spider and showing debug messages. You can save that, and then the site profile is essentially defining the target application, the staging site. You've got the URL that you would target

A
and any excluded paths that you don't want the DAST scanner to hit, any additional headers that you might want to provide if you've got like caching mechanisms that you wanted to bypass, for example, that sort of thing, and even enabling, you know, authentication as well. Save that profile for the target site application, and you can also enable a scan schedule if I wanted to run this on a recurring basis, on a weekly basis.
A
For example, you know, on Fridays, you know, at, you know, 12:30 PM, the time zone I'm in, the Pacific time zone, repeat every week, and yeah, you could do it that way as well, and so you do not have to click the button manually to run the scan.

A
We can just be assured that it could run on that cadence. I won't actually save and run it, I'm just going to go ahead and just save the scan, see how that appears in the user interface and how that could be kicked off if you need to by clicking that Run scan button. We're not going to run it, I just want to show you how that's configured.

A
We can also take a look at audit events, see the important events that are happening within our application or within our project in the GitLab platform. So that's in the Secure, Audit events section of our main navigation of our project. You can see all the things that are happening if you need to provide the information to your auditors, or need to review exactly what's going on and make sure that nothing suspicious is going on within your application. So what's being configured, you know, the rules that are being configured and that sort of thing.

A
Finally, configuring security training, you can do this quite easily just by going to the main navigation, Secure and Security configuration. You can actually go into the Vulnerability management tab here and see all the security training tools that you can enable. You can enable one or more and just simply make sure those are enabled and define who would be the primary training provider if you wanted to define one, if you found one works best for you based on your source code and the projects you're developing, all right. So that's it for the last.
A
So we've got the transfer project exercise that I want to make sure that you do as a final step after you've completed everything, and if you want to save all your work. It is optional. You don't have to transfer this project to your own namespace or to your organization's group on gitlab.com. It is just a way for you to save your work if you want to refer to it later on.

A
All right, so I'm not going to go over how you move your project, it's pretty self-explanatory in the source project instructions. It's just all the steps there in issue number six, "Transfer project", and just as a warning, you don't want to do this until you're satisfied with all the work that you've tried and attempted to do within the sandbox project, because if you don't have the Ultimate license, you'll lose a lot of the functionality that we reference as part of the workshop instructions.

A
And you have, again as a reminder, you have until October 1st at midnight UTC to kind of go through this, so you have a full weekend to kind of play around if you wanted to, all right. So as a recap, I just want to go over everything that we've been able to do. So we've explored some of the security and compliance capabilities that GitLab offers your organization. We looked at, starting with shifting left, shifting security and compliance left by reducing the delivery friction and catching issues

A
earlier on in our value stream. We set up compliance frameworks and applied that to our project, to assist with, you know, providing governance, and, you know, ensuring things that are always enforced as part of our pipelines. Moving forward, we've learned how to review the scanning results, both in the merge request as well as the project level vulnerability report, anything that's been discovered on the default branch, as well as how to set policies on the, you know, scans that are happening and preventing, you know, secrets from being applied.
A
Actually, let's, that's a good reminder here: let's go back into our workshop project here, and if we look at the latest merge request, we should be able to see that it's going to block that merge request and require approval, because the security scan tool found a secret, right. So we did, in this merge request widget, we see that secret detection is detecting a new potential vulnerability.

A
It's that new access token that we simulated there, and it is blocked, and, you know, we're gonna see that it does require approval now, based on that scan result policy that we've created, so we're proactively preventing that now on future iterations to our project.

A
We also dug into a little bit, briefly showing you how to set up an on-demand scan that could either be run manually or set up to run on a schedule on a target application, and also looking at the, you know, the audit log within our project and how to enable the security education tools. Accomplished a lot in almost two hours, and congratulations for making it to the very end. I want to kind of wrap things up with just more resources and how we can help you be more successful.

A
Even after today's workshop, you know, GitLab offers a number of different ways to help you maximize the value of your investment through training, access to subject matter experts, meetings with folks like myself, Steve and Rasheed and other members of the customer success team. So, you know, I'm gonna go over all of these. So we've got self-paced learning that's free through our learning management system on levelup.gitlab.com.

A
So if you want more of a self-paced hands-on approach to learning about GitLab, you know, feel free to take a look at our levelup.gitlab.com learning management system. We've got all kinds of courses that are all free for you to take advantage of, and then, if you're interested in getting a certification in any one of those areas of focus, you know, there are paid certifications that are available as well.
A
We also offer private instructor-led training. If you liked what you've seen today, but you want something a little bit more in-depth, more tailored to your organization's needs, we do have paid instructor-led training that's over the course of multiple days, really tailored to the organization's needs within your company or organization. Got a link to, you know, one example there, GitLab CI/CD training. We also offer, on the customer success team, you know, a regular cadence of monthly webinars and workshops that are really introductory presentations and hands-on sessions

A
just like we went through today, across multiple use cases, not just security and compliance but CI/CD. You know, you've got a workshop series for, you know, customers that are well versed within Jenkins but are looking to move to GitLab CI, for example, and so we've got a lot of those hands-on workshops and webinars to help you get more familiar with the GitLab platform and how to make the most out of your investment with GitLab.

A
Finally, we do invite you to engage with folks like myself and Steve and Rasheed and the rest of the customer success team. So you can schedule time with us. You may already have a regular cadence with a customer success manager, but you may be eligible to meet with someone like myself or Steve or Rasheed on an ad hoc or on-demand basis, and we do invite you to look for those invitations to meet with us as well.

A
As, you know, work with your sales representative, or even, you know, if you're filing a support ticket, you know, you could always inquire to see if you're eligible to meet with a customer success representative, and we're happy to help you along the way and provide, you know, more targeted guidance one-on-one. We'd be happy to reach out. If you want to meet with us, feel free to send us a chat message with your email. I'll be happy to take a look to see if you're eligible to meet with us.

A
Another tool that I haven't mentioned here is priority support. So we do have a support engineering team as well that's very much hands-on, able to troubleshoot with you on leveraging a lot of the security compliance features that we've shown you today. You do have availability to engage with our support team if you are a paid customer, even if you're a Premium customer or an Ultimate customer. They can help you out with all of the technical questions, technical issues and helping you troubleshoot and get over any blockers that you've run into as well, all right.
A
So when shift left is done well, you can, as we've been able to see, scan all the code every time, seamlessly for your development team, using a lot fewer tools, if you've been able to consolidate our, you know, security toolchain by leveraging everything that GitLab Ultimate has to offer here, and do all of our vulnerability management directly on the GitLab platform.

A
Everybody should be on the same page because we're all kind of working together, right from the merge request when the developer is working on their feature branch and wanting to introduce their changes to our default branch.

A
So, hopefully, you've been able to learn a lot today, get a lot out of our workshop today, and don't worry if you're falling behind, you know, you've got full access to the workshop materials through October 1st at midnight UTC, and thank you again for joining. Appreciate all of you for all of this. Happy Friday.