From YouTube: Hands-On GitLab DevSecOps Workshop
Description
In this workshop we focus on how you can secure your application with GitLab. We will first take a look at how to apply scanners to your CI/CD pipelines in a hands-on exercise so that any vulnerabilities are caught as soon as the code is committed. Next, we will look at compliance frameworks and pipelines to show how you can ensure no one within your development teams is cutting corners and exposing your application.
Hi there, welcome in. Hello everybody, thanks for joining me today for your hands-on workshop on DevSecOps security and compliance within GitLab. We'll give folks just another minute to join in here and then we'll go ahead and get started. In the meantime, while we're waiting for some additional folks to join in, I wanted to share the lab setup instructions that I'll be going through. I wanted to share the link, as well as a QR code, for you to get all set up.

We are requiring you to use a gitlab.com account to get set up with our sandbox environment, and if this is your first hands-on workshop you'll want to make sure that you do have a gitlab.com account. This is a little bit different, you know, if you have a self-managed GitLab instance: you'll have to create a separate GitLab account that would be created on our gitlab.com SaaS platform. So again, if you're just joining us today, please go ahead and take a screenshot, or I'll have this QR code and link present on all the beginning slides, and I'll go through this in hands-on detail on how to get set up with the lab environment. But feel free to go ahead and get that set up as well. When you scan the QR code or open up that link, it'll look something like this, and this is kind of like a document to allow you to work more asynchronously as I walk people through, or, if you're joining in a little bit later, you'll be able to catch up with getting your lab environment set up.

All right, we'll go ahead and get started here. So welcome in. Thank you for joining us today. We're very excited to have you for a hands-on workshop focused on DevSecOps and security and compliance with GitLab. Before we get started, I'm going to go over a few housekeeping items.
First, if you're experiencing any technical difficulties, you can submit your issue through the Q&A, and some of my colleagues here on the customer success team that are panelists will be able to help you out with any issues. They'll be moderating that Q&A for any questions or issues that you might be facing. Also, if you have any questions, feel free to also use the Q&A feature. I won't be allowing anyone to get off mute. Let me go ahead and put the instructions here in the chat.

And yeah, feel free to ask us questions through the Q&A feature in the Zoom functionality at the bottom of your screen. So I went ahead and dropped the link to our lab setup instructions; go ahead and get started with that, and I'll walk you through it as well.

So first, let me introduce myself. My name is Chris Guitarte; I'm a senior customer success engineer here at GitLab. After today's session, feel free to connect with me on LinkedIn. I usually take the time each week to share a post or two highlighting some of the key topics I'm discussing with my customers on a weekly basis, as well as sharing some new features and capabilities that I think are important, based on my regular interactions with customers and my team members in the field. I'm also sharing my GitLab profile.
So today, you're officially part of a brand new startup that's creating a public leaderboard for the hit new racing game, Tanuki Racing. This groundbreaking new application has been developed and deployed in a beta release. However, the developers are lost on how to make it more secure. So you are one of our new security specialists, and they've tasked you to utilize GitLab to enhance the application's overall security.

So here's the agenda for today's hands-on workshop. We're going to go through the lab setup. I've given you the lab setup instructions in the chat, so feel free to get started with that now, but I'll walk you through it as well. We'll go into a little discussion on what it looks like with shifting left and what that topic entails, before we actually get configured with our hands-on workshop with our demo project and start to add those security scans and, you know, shifting left, moving the security scans into our development process. Then we'll talk about GitLab's compliance frameworks and compliance pipelines; we'll go over how that's configured and how that works to ensure good governance of your project. Next, we'll talk about parsing the results: we'll make sense of all the vulnerability findings that were generated and discovered by shifting left, adding those security scan tools in our pipeline.

Next, in our software bill of materials, or SBOM, and license compliance section, we'll explore what that looks like within GitLab in the UI and how to download that SBOM to your local machine, as well as the license compliance information and how to set up a license compliance policy to make sure you're not in violation of any, you know, licenses that shouldn't be utilized within your software composition, your project.

Finally, if we have some time, we'll take a brief look at on-demand scans, audit events and more. If I don't have time to go through all these sections hands-on, you do have access to the sandbox environment for two days from today, so feel free to take advantage of some time asynchronously outside of the session that we have hands-on with me leading you all today.
So let's get our lab set up. I'm ready to share those instructions in the chat, so hopefully you're getting that going well. We'll need two things: one, your own gitlab.com account, which you might already have if you're a SaaS customer who has utilized gitlab.com before; if you're a self-managed customer, you'll need to create that first. Then next we have our GitLab demo system, which will provision a subgroup on our SaaS platform and provide you with owner-level access and the Ultimate subscription to play around with for these next two days.

So before we get going, let's go ahead and get started with provisioning that subgroup with the Ultimate subscription on our GitLab instance.

First, you put in the invitation code. After clicking that... let me go back to the homepage; don't forget, labdemo.com. So you first click Redeem invitation code, and then you'll take that invitation code that's in the lab setup instructions. That's it right here, and you can also grab the link or find it in the chat.

Go ahead and paste that in there and click Provision training environment. Then you'll grab your gitlab.com username. So that's found, oops, right in the main navigation where you can find your avatar. So if I go into my main navigation here on gitlab.com, you can see, if I click my avatar, it's everything after the @ symbol, so not including the @ symbol.

You want to grab that and put it there in the gitlab.com username field. Mine is cguitarte. Then click Provision training environment. If you get to a page like this, that means the subgroup has been correctly provisioned. You can always go through this process again if you lose your place and you want to get back to that subgroup for your sandbox environment.

It won't create multiple subgroups; it'll always return you back to the original subgroup that was provisioned for you. So you can click that blue My group button or copy this link; either way, you'll get to your provisioned subgroup. That'll be an empty subgroup where you'll be creating the fork of a project and running with the repository in there.

So again, just walking through that: putting in your username and the invitation code, clicking Provision training environment, getting to a page like this, clicking the blue My group button or grabbing that URL and putting it into a new browser tab or window, and you should get somewhere like this. You'll have a unique identifier right next to "my test group", the name of the subgroup. Everyone will have a different subgroup ID, and if you get to a place where you hit a 404, you might have made a typo in the provisioning step for redeeming your invitation code.
Today we've only got an hour to go through all this content, and don't worry if you're falling behind. Again, you do have two days to go through these hands-on exercises, and you'll have full access to all the Ultimate-level functionality in your subgroup and the projects that you create within that subgroup. All right, so next, once we have that subgroup set up, we're going to go ahead and get ourselves set up with the workshop content.

For this we'll be taking a copy of the content from our workshop repository. I've got a link to that there in the chat. Just in case some folks have come in a little bit later, I'll replace the instructions in the chat again, and you can also access the lab setup instructions from the top right-hand corner; just take a screenshot or scan the QR code.

The project URL is this URL right here, and what I like to do is open up this URL and put it in a window right next to the provisioned subgroup, because when you take a fork of this source project, it's actually not going to bring over the issues. So you want to reference the issues from the source project, GitLab Security and Compliance.

You can find the issues under the main navigation, Plan > Issues, and then you could have on the right-hand side your subgroup, which is your sandbox environment, where you'll be working the project. To fork the project, you can go back to the GitLab Security and Compliance project homepage, the repository page, and then you can click the Forks button. Let me expand this a little bit bigger.

Let's make it a little bit more differentiated from the GitLab Security and Compliance project, and then we'll grab our unique identifier and paste it into this namespace dropdown field to search for it. It should automatically find that specific subgroup for the sandbox environment. We'll leave the project slug at its default here and keep the visibility level at Private. So now I'll go ahead and click Fork project.

It'll take a minute there, and it should fork that project into my test group, which is my sandbox group for the hands-on exercise today, and it's called Workshop Project. I'm going to go back a couple of steps here, just in my browser's history, to go back to the GitLab Security and Compliance project, which is the source project that's been forked, and we're going to go ahead and open up the Plan > Issues page.

It looks like people are creating their forks, so great job, everyone, for following along. So again, I'm just opening up the issue tracker within the GitLab Security and Compliance source project. Those issues are not copied over into the fork in my sandbox subgroup. If I refresh this here, you can see the Workshop Project now in my subgroup.

So, awesome. I'm going to go through my slides here and just highlight that I am using this one desktop screen here, but I split it up into two side-by-side windows. If you have multiple monitors, feel free to just use two different monitors: one monitor for the workshop tasks and the source project, GitLab Security and Compliance, and then the Workshop Project, the actual sandbox project where you'll be doing your work, on the other screen or window.
One thing that I didn't do, actually, was to remove the fork relationship. This is actually a very important step, so it's good that I caught that slide there. I'm going to do that within the Workshop Project, the project that I've forked into my sandbox environment. So I'll go to the main navigation there, Settings > General, and I'll scroll all the way down to Advanced and expand that section. You click the Expand button, scroll down and find Remove fork relationship, and just click Remove fork relationship.

There you'll need to type the name of the project to confirm and proceed to removing the fork relationship. That makes sure that all the pipelines show up in your Workshop Project and just makes everything a lot cleaner. So make sure you do remove the fork relationship there in that Workshop Project that you've forked into your sandbox environment, and you should be good to go for the hands-on exercises.

So again, as I mentioned, the workshop steps are in that source project, the GitLab Security and Compliance project, on the Plan > Issues page. So that's the main navigation within the Security and Compliance project, Plan and Issues. I've got that here on the left-hand side, and then on the right-hand side here I've got my Workshop Project.

All right, hopefully that's not too fast for everyone here, but again, take your time. I've got the lab setup instructions in that upper right-hand corner, and you know you can go at your own pace, and we'll be able to provide a recording and a copy of the deck, just in case you need to go over everything a little bit more slowly afterwards. So for our first lab, the first section here, we're going to go ahead and talk a little bit about shifting left, a common term used in the DevOps industry.
...request before that's actually merged into the default branch. Would you rather find out about security problems now, while you're working on the code, before it's actually merged and deployed into production, or get, you know, an on-call incident late in the evening or early in the morning and have to work through an issue and a fire drill? Shifting left can actually take a lot of the unnecessary and often stressful...

So this is heavily driven by incidents like the Log4j incidents and SolarWinds. Security is really becoming more of a risk, and from our DevSecOps survey back in 2022 we did see that about 57% of the team members that were surveyed had already shifted left with security or were planning to, and then 43% of the security professionals that responded indicated that they do feel unprepared or somewhat unprepared for the future.

So the stats on the left-hand side kind of indicate where the development teams were in 2022, and then on the right-hand side you kind of see, you know, what they've started to implement within their development workflows: running SAST scans, employing dynamic application security testing, DAST scans.

So here's just an example of the GitLab flow. I already mentioned at a high level, you know, what it means to shift left: integrating those security scan tools in your pipeline, in your automated CI/CD pipeline, for automation. Whenever you are, you know, creating a new feature or working on new development, you oftentimes create a new issue within GitLab, and then you create a merge request based on changes that you want to make, and then you have those changes made on a feature branch before it's actually merged into your default branch.

So you commit those changes into that feature branch, and within the pipeline automation you've got your security scan tools that you've integrated: SAST scanning, DAST scanning, container scanning, secret detection, dependency scanning, so on and so forth. So all those scans are happening and we start to discover those vulnerabilities and we have a discussion about it. We may, you know, find that some of those vulnerabilities can be remediated or mitigated early on, before that's merged into the main or default branch. So hopefully you can see, when shifting left...

We can start to move the detection and communication and feedback around some of those vulnerabilities, that are added to your CI/CD pipeline, earlier on in your software development process. It helps your developers kind of stay secure within the code that they're writing, and that rapid feedback is a key DevOps principle for shifting left. All right, so enough with the concepts around shifting left; let's get our hands on the exercises for today's hands-on workshop. So, let's start with the first exercise.
What I'm going to do here is just switch to my other screen, and you'll see on the left-hand side the issues list again from the GitLab Security and Compliance source project. I'll go ahead and click Shifting left there. I'm going to read through the instructions and just walk you through adding those security scans initially into this Workshop Project that we've forked into our sandbox environment.

So first we want to make sure that we're in the main page for this Workshop Project. We are here, and then what we want to do is open up the main navigation here and go to Build > Pipeline editor, and we're going to see the current setup of our pipeline on the main branch. It's very basic: we've only got one stage here, that's the build stage, and one job that's defined, the build job, within the build stage. So we're just building the application.

So now we want to go back into the Build > Pipeline editor to edit the .gitlab-ci.yml: Build > Pipeline editor, and we're going to get back to this editor page. So this allows us to quickly edit the .gitlab-ci.yml file. Let's add in all the security scan tools. What we want to do is go ahead and just grab this code snippet here, and we're going to delete everything...

That's within the current completed pipeline branch .gitlab-ci.yml file, and we're on line one. Now we're going to paste in this entire snippet of code, which is essentially shifting left. So we started with just a build stage and we're replacing that with something a little bit more robust. So I'm going to delete all that out and paste in, again, this entire snippet; we're just replacing the entire contents of the .gitlab-ci.yml file, and so we're adding multiple stages here.

We won't go into too much detail here, but it is something to highlight that, you know, just including the templates should get you going with making sure that you can implement all those security scan tools and have them automatically detect, say, the languages or frameworks that you're using and use the appropriate analyzer. But you can override the jobs that are defined by the individual security scan tool templates. For example, container scanning: you can see here in this editor screen, from this preview...

It is an include of a template that's vendored in from the SaaS platform, or from the GitLab product. Our engineering team manages these templates, and you can see exactly the full definition of the job here, but you don't have to modify that job necessarily; out of the box, you can simply override, you know, some of the job settings there.

Now, you can also switch to the full configuration if you want to see the fully merged output of our .gitlab-ci.yml file. Now I'm just going to merge that shifting-left strategy here, by including all these templates to add all those security scan tools, and then commit those changes. Add a commit message here to make it a little bit more self-explanatory: "Shifting left, adding security."
And then the merge request button is actually this button that says New. We're going to go to that row, the completed pipeline branch, and click that New button, and it's going to take in the title from the last commit message on that branch. That's fine. And then make sure that, before you do this, you've removed the fork relationship as well.

So if you haven't removed the fork relationship, just follow the lab instructions that are in the chat, or you can go into Settings > General and remove that fork relationship.

Shouldn't have any merge conflicts here, and we'll have a pipeline that's already running based on the latest commit for this branch. And so, if you click into this pipeline that's running, you should be able to see all of the security scan tools that have been added here to this pipeline, or the .gitlab-ci.yml. I'll let this run.

I have some instructions here on how to kick off another pipeline for the merge request if you needed to, if for some reason the pipeline wasn't running, but this should be sufficient for our needs. All right, so we've completed the first hands-on exercise for shifting left. We've added the security scan tools to our .gitlab-ci.yml file on a new branch, created a merge request, and we're requesting a merge of...

The completed pipeline branch, with the new security scan tools added to the .gitlab-ci.yml file, into our main branch through the merge request. So that concludes step, or exercise, one. Go back to the issues list here, and I'll go back to my slides so we can continue with the presentation here before we get into the second exercise for the compliance framework.

All right, so for the second section, we've got a new pipeline defined with all the relevant security tests that we want to implement within the pipeline, and now we want to ensure that all of our developers are abiding by security best practices. To do this, we're going to enable and assign a compliance framework to our project.
So this is a slide here that kind of goes over some of the, you know, compliance frameworks that some of our customers need to worry about when working within the software projects in GitLab that they're developing, and so what I want to share with you is some of the key features within a compliant workflow in GitLab that could help you align yourself to some of these compliance frameworks.

Anything that should be run on every single pipeline where that compliance framework is applied to that project, to ensure that security scans are run, certain artifacts are created and stored all the time and not, you know, accidentally forgotten about, and any other steps that are required by your organizational requirements.

So these are some of the benefits of GitLab's compliance. You have a chance to ensure that the development teams are following best practices within security. We have compliance features that can be applied to many different projects, making it really easy to maintain, so think of it as a template that can be overwritten.

You can also prevent developers from skipping any necessary scans when they're trying to push out code last minute. So you have maybe a required job, or you're including the security scan tools in this compliance pipeline that's applied to the project downstream; they won't be able to remove those security scans or remove that compliance job that you have defined in that compliance pipeline. And you could also utilize a compliance pipeline to, of course, have external scans run as well.

So let's go ahead and jump right back into our hands-on exercise number two for the compliance framework. I'm going to switch over to my screen here, open up the second issue here in the source project for compliance framework, and then what I'm going to do is go back to the home page for the Workshop Project.

So what we're going to do is create a compliance framework that will ensure the pipeline runs the correct jobs in the right order. That'll ensure the dev team won't be able to skip a few steps in the pipeline and potentially introduce a vulnerability by doing that. So the first step here in the second exercise: you need to define our framework.
So this is the Security and Compliance CF project, and we've got this .compliance-gitlab-ci.yml file, and you can see that we've predefined some additional stages here and the specific order they should be in: .pre, build, unit test, and cleanup. So these are all mandatory stages that should be present in every single job, or every single pipeline run, on a project where this pipeline is applied to it. We also have a default job...

That's been defined here, called the compliance job, that'll run in the .pre stage within the pipeline, and it's a simple job: it's a script that echoes a message from the compliance framework. This is just an example; you might have something more complicated here in the script steps, but I just wanted to show you how that works and how that can't be overwritten.

It must be included on every single pipeline. Lastly, on lines 15 to 18, we've got this kind of section here to include all the individual projects' configurations. So this is a standard configuration of compliance pipelines. You want to have this on every single compliance pipeline to make sure that your developers can still work within their projects to build their own automation outside of what's required for compliance within your organization. So that's just a standard thing here. You don't need to customize it, but you'll want to include that on every compliance pipeline that you're creating upstream.

So that's something I wanted to review with you; you're not creating a new compliance pipeline here. And then step two: what we want to do is apply that pipeline to our Workshop Project. So to apply a compliance pipeline, it's associated with a framework; that's done at the group level. We've already done that association, but what we want to do is apply the compliance framework, which is essentially a label, to our Workshop Project, to apply that pipeline as a governance policy. So go to Settings > General from the main navigation in our Workshop Project.

Now, if we go back to the Workshop Project home screen, we'll see the Security and Compliance Workshop compliance framework applied to it, in green there. You can customize the colors and customize the labels however you want within your own organization; that's a way for you to align yourself to some of those compliance frameworks that you're striving towards, making sure that your projects are in compliance with them. All right.

So let's go back, now that we've applied that compliance framework and compliance pipeline to the Workshop Project, and go back to the slides. I'll talk to you a little bit more around parsing the results. So hopefully that pipeline has completed within our merge request and we can talk about the results there.

All right, so just as a recap: in this previous section, compliance framework, we've seen how to extend the CI/CD configuration with the compliance framework and compliance pipelines, just by applying that compliance framework through the project settings. So that should ensure the relevant guardrails are set up for the development team, so they can't remove any required stages from our pipeline and can't remove any required jobs that are part of that compliance pipeline.
So, as I mentioned, for this next lab, our next section, we're going to be parsing the results. So now that our merge request pipeline is completed and we know that it works, we want to merge it into main as well. So let's take a deeper look into the scans and the results of the scans, as well as create some policies that we might need to prevent security breaches in the future.

So what security scanners did we use? Let's go into a little bit more detail, and you can kind of highlight that here. First, we implemented static application security testing, or SAST, which analyzes source code for known vulnerabilities; that's included as part of the development process, and that's just looking at the source code.

So you might say, you know, why are we looking at that? Well, the problems that you might be running into, vulnerabilities, may not necessarily come from the source code, but from, you know, dependencies within the containers, or container images, that you're building as well.

Then we've got dependency scanning, which scans project dependencies, the software libraries or packages that are being included as part of your software development process, looking for known vulnerabilities related to those open source components. License scanning scans the licenses of included open source components to determine if they're compatible with a set policy, which we'll be going through today. And then secret detection is exactly what it sounds like: it scans for secrets checked into your source code, and it also checks any commits and would automatically revoke any GitLab tokens that are found.

So it's not going to automatically revoke any tokens outside of GitLab, but it'll notify you if there's, you know, a potential secret related to, say, an AWS secret, for example, and highlight that as a critical vulnerability, and you can communicate that back to your development team in the merge request and let them know that it needs to be revoked and removed from the source code and then regenerated for future use. All right.

So I just want to highlight here again, I mentioned this in walking through the pipeline, but our GitLab product can trigger the CI/CD pipeline under different conditions, and, as you can see here, all of the security scan jobs are happening in the test stage. So usually pipelines will be executing whenever source code is committed or a merge request is created and approved.
So what this enables is the quickest feedback to the developer, right within the merge request as they commit code to the feature branch, and they can review the findings either in the Security tab of the pipeline or directly within the merge request widgets in the merge request itself.

So I want to talk a little bit about policies, because we'll be implementing some here today. You know, one of the many reasons lots of our customers move to GitLab is the ability to enforce security and license compliance policies across all of their software development projects in their organization.

So that's one of the benefits of the GitLab platform: being on a single platform gives us the ability to have that single point of control, and policies can be applied to either a single project or multiple projects. And there are really two types of policies. A scan result policy, which is essentially an automatic merge request approval policy, to take action based on scan results.

For example, if I find a secret in my project, I want to block a merge and require a certain approver within my organization to review and make comments and collaborate with the development team to get that secret removed from the source code and then regenerated. Scan execution policies are kind of similar to compliance pipelines in that we can require security scans to run on all of our projects' pipelines, but it has an additional benefit there: to run security scans on a specified schedule as well.

So there's pros and cons to utilizing scan execution policies as well as compliance frameworks and pipelines. I will be able to share documentation resources with you by email after today's session, but I just wanted to highlight that scan execution policies are available as well. All right, that brings us right into our next hands-on exercise, number three, for parsing results. I'll go ahead and switch over here to my other screen, go back to the issue tracker on the source Security and Compliance project, and go to Parsing.
So, first we'll go into the main navigation here and go to Merge requests. We'll click into that merge request that we created here. It took the commit message here, "Shifting left, adding security settings to the pipeline", and it's passed. So that's great. That means that we've got the security results available here to review right in the merge request widgets. So we can see here that in the license compliance merge request widget, we can expand that and see all the detected licenses.

It says it detected eight licenses on the source branch; we've got the Apache License, MIT License and so forth, and we can see which packages are using that specific license, or how many packages, and if we click into it, we can actually see which packages are actually using it here.

Then we have the security scanning merge request widget, which shows some of the vulnerability results and findings from the security scan tools that we just implemented by shifting left. We'll go ahead and open that up and we can start to see at a high level how many vulnerabilities were found by the SAST scanner: 25 critical, zero high, zero others. What those individual vulnerabilities are, if you scroll down here. And then also, we saw that secret detection detected no new vulnerabilities, and same thing for dependency scanning, but container scanning found 25 new potential vulnerabilities.

So these are the findings here: one high and 24 others, which are all medium here. If we click into one of these vulnerabilities, we can see the description of the vulnerability, the file that it was found in, as well as the line number. If we click into that, we can go directly into the repository view and the specific line number to review that detected vulnerability directly in the source code for the SAST scan.

And then we also have a link to the identifier here, you know, something that might reference AWS documentation or other things that would help you kind of better understand what the vulnerability is. If you go into, say, this high vulnerability within container scanning, we've got a little bit more information here around, you know, the image that was utilized in detecting this vulnerability, the identifier, the CVE identifier, and some helpful links that might help better inform us of the legitimacy of, you know, this vulnerability.

If it is a true positive, or if we are susceptible to the vulnerability, if we wanted to dismiss the vulnerability, we can add a comment and dismiss it directly in this view. So right away in the merge request we could start to, you know, kind of trim down our list of vulnerabilities that we need to work through, and, you know, add a comment and dismiss it. So we can do that here, for example.

Let's just take a chance...
here
and
just
merge
directly
into
the
default
Branch,
but
all
even
though
we
have
all
these
vulnerabilities
and
we'll
see
what
that
looks
like.
So
what
it's
going
to
do
it's
going
to
merge
our
shift
left
strategy
into
our
main
branch
and
it's
going
to
run
another
pipeline.
So
what
we
want
to
do
is
go
into
our
main
navigation
go
to
build
Pipelines
and
we
should
see
a
pipeline
running
now
on
our
main
branch.
A
Once
that
pipeline
completes,
we
should
have
full
visibility
on
any
potential
vulnerabilities
that
are
introduced
on
our
main
or
default
branch
and
we'll
be
able
to
leverage
the
you
know.
The
security
dashboard
security
vulnerability
report
over
there
in
our
main
navigation
on
Project
level,
to
dive
a
little
bit
deeper
and
the
instructions
here
it
says
you
could
take
a
break.
A
I
want
to
take
a
break
now,
since
we
only
got
16
minutes
left
for
the
workshop
and
I
just
want
to
kind
of
highlight
some
of
the
things
here
in
the
steps
for
you
to
consider
as
you
work
through
these
steps
at
your
own
pace
after
today's
Workshop.
So
after
this
main
pipeline
completes,
you
should
be
able
to
go
into
the
the
toolbar
here
or
the
main
navigation
and
go
to
secure
security
dashboard,
and
this
gives
you
a
high
level
view
of
all
the
the
specific
counts
of
vulnerabilities
and
their
criticality
over
time.
A
A
So
if
you're
doing
this
live,
you're
not
going
to
see
any
results,
even
if
that
pipeline
completes
on
the
main
branch,
you'll
have
to
wait
until
that
daily
refresh.
There
are
some
links
there
for
a
video
demonstration
of
how
this
works,
as
well
as
a
live
example
in
a
different
project.
You
can
take
a
look
at
both
of
those
to
get
more
insight
on
how
that
works.
A
But
if
that
main
branches
or
the
main
the
pipeline
running
on
the
main
branch
is
completed,
you
should
be
able
to
see
the
vulnerability
report
fully
populated
here
at
the
project
level,
and
this
is
where
you
can
do
your
triage.
Create
issues
based
on
vulnerabilities
that
are
currently
active
on
the
default
branch.
Do
some
sorting
and
filtering
based
on
the
severity
that
you
want
to
focus
on
the
status
of
the
vulnerability?
A
Is
that
it's
in
each
triage
status
or
confirmed
and
the
specific
tool
that
you
want
to
focus
in
on
for
the
vulnerability
report,
so
that
again,
this
will
only
populate
once
the
main
branch
pipeline
has
completed
running
I
can
check
that
here
under
build
pipelines,
might
take
a
few
more
minutes
here.
A
So
while
that's
running
I'm
going
to
go
ahead
and
Skip
to
step
three
here,
which
is
a
preventative
security
policy,
so
the
prevent
any
emerges
from
happening
containing
some
vulnerabilities,
we
can
set
up
a
new
policy
to
run
on
all
future.
Merge
requests
for
our
use
case.
Lead
tokens
are
easy
mistakes
that
can
lead
to
massive
problems.
A
Give
it
a
name,
leave
the
description.
Blank
and
we'll
start
to
fill
out.
The
rules
section
I'm,
just
following
along
in
the
instructions
here
and
I
apology
apologize
for
going
a
little
bit
faster.
I
want
to
be
able
to
show
this
to
you.
I'm,
going
to
select
the
scan
type.
Choose
security
scan
go
from
all
scanners
to
the
secret
detection,
so
you
can
configure
this.
A
Click
see
here
all
severity
levels,
new
severity
and
all
severity
levels.
A
And
then
our
interactions
we're
going
to
require
approval
one
approval
from
an
individual
user
I'm
going
to
select
my
colleague,
Logan
Stucker
who's
on
the
demo
team
here
at
Gillette,
we're
going
to
go
ahead
and
click
configure
with
a
merge
request,
and
what
this
does
is
creates
this
scan
result
policy
as
code
and
a
separate
project
in
our
subgroup
hierarchy,
we're
going
to
click,
merge.
A
And
get
that
Merchants
there,
and
if
you
click
the
breadcrumbs,
you
could
actually
see
that
new
project
that
was
created
for
the
security
policies
and
stored
as
code
within
this
subdirectory
under
policy.yaml.
You
go
back
to
my
test
group.
You
can
see
it
lives
alongside
the
workshop
project.
So
what
we
want
to
do
here
is
simulate,
adding
a
secret
to
our
project
and
see
if
that
scan
result,
policy
takes
an
effect,
so
let's
go
ahead
and
go
back
to
the
workshop
project
and
open
from
the
main
repository
view.
A
We're
going
to
click
this
edit
drop
down,
go
into
the
web
IDE
and
we're
going
to
edit
the
run.pi
file
and
take
this
fake
token
and
put
it
here
between
lines.
Two
and
four
just
paste
that
in
there
we're
going
to
go
into
the
source
control
section
here,
click
the
down
arrow
to
commit
it
to
a
new
branch
and
we're
going
to
just
use
the
default
name
or
the
new
branch.
A
So
on
this
merger
Quest
now
we
see
the
scan
result
policy
taking
effect
it
does
require
one
approval
from
the
specific
scan
result
policy
and
that's
Logan
Stucker
here
and
so
we're
blocking
the
merge
into
our
default
branch
by
default.
Using
the
scan
result
policy
until
we've
verified
that
either
no
secrets
are
found,
then
the
merge
will
be
unblocked
or
if
a
secret
is
found
and
detected,
the
merge
will
be
blocked
until
approval
is
made
by
the
certain
person
that
we've
assigned
to
it
so
that
scan
result
policies
and
reviewing
the
results.
A
So,
let's
go
into
a
short
description
around
this
section
with
so
many
high
level
attacks
appearing
in
many
headlines.
Most
governments
have
started
to
acquire
a
software
Bill
and
materials
or
s-bomb.
So
the
team
decides
that
it's
in
Tanuki
Racing's
best
interest
to
have
these
reports
ready
to
go.
So
you
can
quickly
check
to
see
if
you're
affected
by
the
next
breach.
A
This
is
heavily
inspired
by
The
solarwinds
Fallout
I
won't
go
into
too
much
detail
here,
but
in
the
US
sled
our
Administration
to
deliver
require
software
companies
working
federal
agencies
to
deliver
software
billing
materials
from
the
end
of
2021
onwards
and
the
software
bill
of
materials
provides
applying
information,
provides
a
dependency
name
and
version
dependency
licenses.
The
package
are
used
to
install
the
dependency
dependency
hierarchy,
image
scanned
or
the
link
to
the
package.
A
A
So
let
me
go
ahead.
Got
eight
minutes.
Left
I'm
gonna
try
to
speed
through
this
here
and
get
you
some
more
visibility
into
how
to
do
this.
Hands-On
within
your
lab
environment.
A
So
using
the
left
hand,
navigation
within
the
workshop
project
gonna
go
to
the
secure
dependency
list
and
you
can
see
based
on
the
last
successful
scan
on
the
project.
We've
got
all
the
dependencies
listed
out
here
in
this
page
on
getlab.com.
You
can
sort
it
by
severity,
the
component
name
or
the
packager,
and
depending
on
whether
or
not
a
license,
is
reported,
you
can
see
the
licenses
there
as
well.
A
So
you
can
click
through
some
of
these
components
just
to
see
some
of
the
details
around
the
vulnerabilities
that
are
potentially
within
those
components.
So
it
gives
these
really
great
Insight
on
you
know.
You
know
the
software
composition
of
your
project
as
well
as
any
potential
vulnerabilities
based
on
the
composition
of
different
components
that
are
included
within
your
project.
A
I'll
just
give
you
some
examples
about
a
view.
Your
s-bomb
report,
either
a
city
UI
or
directly,
manipulating
that
Json
file
on
your
local
machine
so
step.
Two
we've
got
license
compliance
so
using
the
left
hand,
navigation.
We
want
to
click
through
to
the
main
navigation,
secure
and
license
compliance,
and
this
shows
at
a
glance
all
the
licenses
detected
in
our
project.
Based
on
that
last
pipeline
run
on
the
default
branch.
But
let's
say
we've
decided
we
no
longer
want
to
utilize
or
allow
the
MIT
license
within
our
project.
A
A
A
We'll
say
all
of
the
statuses
newly
detected
or
pre-existing
licenses
and
make
sure
the
license
is
matching
and
we'll
type
in
MIT
and
just
select
MIT
all
right
and
then
we'll
make
sure
that
the
actions
requires
one
approval
similar
to
before
an
individual
user
and
we'll
select.
My
colleague,
Logan
stuff
here,
go
ahead
and
configure
where
the
merge
request.
A
A
A
A
So
if
I
actually
want
to
do
a
new
merge
request,
we
could
see
that
there,
but
what
we
can
also
do
is
we
can
go
back
to
the
secure
license
compliance
page
and
very
simply,
we
can
see
that
we're
now
in
violation
of
that
policy,
for
the
license,
compliance
rule
that
we
added
so
MIT
license
is
forbidden
and
we
get
this
denied
kind
of
indicator
there
on
the
license
compliance
page,
but
on
future
merge
requests
if
I
were
to
create
a
new
merge
request.
A
Oh
there's
already
open,
merge
requests.
Let's
go
back
into
that
there.
You
should
be
able
to
see
that
the
merge
is
blocked,
but
it
does
require
two
different
approvals.
Now,
one
for
deny
MIT
license
and
one
for
the
secret
detection
approval
policy,
there's
actually
a
good
time
to
check
in
on
that
pipeline,
where
we
that
was
run
when
we
added
the
the
secret
here,
we
could
see
that
the
merger
plus
widgets
are
loading
parsing.
The
license
compliance
results,
as
well
as
the
security
scan
results
as
well.
A
When
we
let
it
load,
we
should
be
able
to
see
that
we
are
in
violation
of
the
MIT
license
being
included
now
and
then
the
the
cigarette
detection
scanning,
detecting
that
AWS
secret,
that
we
added
all
right.
I'm
gonna
go
back
while
that's
still
loading
just
want
to
share
with
you.
There's
a
couple
more
steps
here.
I
know:
we've
only
got
three
minutes
left,
but
a
few
more
sections
here
just
to
share
that
you'll
be
able
to
do
this
asynchronously
at
your
own
pace.
You
have
full
access
to
this
sandbox
environment.
A
A
So
what
you
could
do
is
with
some
of
these
optional
features
or
additional
features.
You
can
double
check
your
work
or
run
a
dash
scan
on
demand
on
a
specific
schedule
on
say,
like
a
staging
environment,
to
find
those
vulnerabilities
that
are
out
there
on
your
application
in
a
running
environment
as
well
as
some
security
education
tools
that
you
can
enable
for
your
project
as
well.
To
help
your
developer
development
team
better
understand
the
vulnerabilities
that
are
being
discovered
within
your
project,
so
that's
all
in
the
Hands-On
exercise.
Number
five!
A
You
go
back
into
the
issues
here.
You
can
see
all
the
steps
on
how
to
walk
through,
enabling
or
setting
up
an
on-demand
scan
you're
not
actually
running
a
dash
scan.
You've
just
provided
an
example
your
own,
how
to
configure
that
with
the
UI,
as
well
as
how
to
review
audit
events
important
things
that
are
happening
within
your
project
that
might
need
recording
back
into
your
compliance
team,
as
well
as
configuring
that
security
training.
A
All
right,
so
we've
only
got
a
minute
left
I
want
to
just
kind
of
make
sure
that
you
know
that
you
can
transfer
the
project
as
I
mentioned.
If
you
want
to
keep
all
of
the
work
outside
of
the
two
day
window
that
you
have
to
work
within
the
sandbox
environment
or
the
ultimate
subscription.
So
you
want
to
keep
all
that
work.
You
can
transfer
that
into
your
own
namespace
on
gitlab.com
or
to
your
organizations
group.
A
So
that's
something
you
could
do
only
when
you're
done,
because
again
we
do
have
an
ultimate
license
applied
to
your
subgroup
in
the
sandbox
environment.
So
it
is
something
that
you
want
to
make
sure
you're
fully
done
with
all
the
workshop
exercises
before
you
transfer
it,
because
you
won't
be
able
to
take
advantage
of
some
of
the
ultimate
level
functionality
if
you
don't
have
an
ultimate
license
in
your
personal
namespace
or
your
organization's
namespace.
A
All
right,
so
that
takes
us
to
the
top
of
the
hour,
just
want
to
recap
really
quick
here.
So
today
we
looked
at
shifting
security
and
compliance
left,
reducing
the
delivery,
friction
and
catching
issues.
Earlier
in
our
value
stream,
we
set
up
a
compliance
framework
to
assist
with
the
reporting
and
ensuring
that
our
developers
are
not
skipping
any
steps.
A
We
learned
how
to
review
scanning
results
from
our
security
scan
tools
when
shifting
left
and
setting
policies
on
them.
We've
talked
a
little
bit
about
how
to
generate
a
software
bill
of
materials
reviewing
that
in
the
gitlab
UI
or
downloading,
that
for
local
machine,
as
well
as
setting
up
a
license
compliance
policy.
A
Fortunately,
I
didn't
have
time
to
start
to
set
up
that
on-demand
Dash
scanning
that
you
could
do
at
your
own
Leisure
with
a
copy
of
this
deck
and
the
instructions
here
on
the
source
project
in
lab
security
and
compliance.
I
didn't
get
to
show
you
the
audit
events
that
you
can
see
at
your
own
Leisure
within
your
Workshop
project,
and
you
can
also
enable
the
developer
training
and
see
how
that
works
within
the
sandbox
environment
as
well.
A
So
we
accomplished
a
lot
in
this
past
hour
and
hopefully
you're
able
to
follow
along
as
quickly
as
I
did
apologies
again
for
trying
to
unpack
all
that
in
one
hour.
But
hopefully
you
got
enough
out
of
this
Workshop
to
get
started
and
again
you
do
have
two
full
days
to
take
full
advantage
of
the
Hands-On
materials
at
your
own
Leisure
asynchronously
at
your
own
pace.