From YouTube: VS Code security findings demo

Description: Description of the left nav for security findings, using a test project against a production instance of GitLab.
A: This is, I guess, the weekly demo, oh sorry, show and tell. So today I'll be demonstrating some progress on VS Code. It's been something I've been working on for a while, so I guess I'll jump right into it.

Let me see: I have an ultrawide screen, so I'm trying to figure out if I can share, okay, a portion of the screen. So let me adjust this, one second.

Well, let me just, okay, I'll just go with this. So this epic, I guess I'll show the screenshots real quick. So the idea was, in Visual Studio, to surface security findings. So if you haven't worked with the GitLab extension, it's kind of like a plug-in you can download. This, I think, is hosted on, like, the official website that hosts all the plugins for VS Code.

So once you download it, you can access your GitLab instance, whether it's local or prod or the, you know, .com, using an auth token that you generate through your, you know, user preferences.

So what we wanted to do was surface security findings for the current branch you're working on. So these are screenshots, but I'll demo the real thing here in a second. So I have this test project, and this is the security reports project that the Govern team has set up. So this is just a remote that's set up. This is the current branch we're on, and then that project is before, so we see it's the same remote. This MR is tied to that branch that we have checked out, that master pads 211c, that's what this is. So now, going to the actual demo of the UI. If we go to, so this, this is the current development branch I have. This work is going through final review to get merged into master or main of the VS Code project, but I'll run it here locally, so I kick off the extension. So this is building, we'll debug anyway, and then this will then open this in...

Okay, this is working right, just right before, so let me try to relaunch this.

Why is it doing that? That was weird. Anyway, so this here is existing behavior, so you can kind of see issues. I'm going through this just because, if you haven't seen the existing functionality of the VS Code extension, it's kind of nice to walk through this. So we expose some data that traditionally you would access through the, you know, GitLab monolith, like the website, and what we wanted to do was surface security data. So what we added was the security scanning area.

So if you have, for this current branch, a pipeline that has run that generated, like, security findings, you will see them here. So they're grouped into new and fixed findings, so the intent here being that new findings are ones that were detected as a result of, I guess, the changes you've made: some new findings that, if you merge that branch, would create new vulnerabilities; and fixed findings are findings that, if you merge that branch, have resolved, I think, vulnerabilities in the branch I'm merging into. So they're grouped by severity level.

So this is production data off of the merge request I just showed you, so you kind of have them grouped here. These icons are associated with that level of severity, what the actual finding is. Let me move this over here. And what's missing right now, and that's what I'm working on this milestone, is, if you click, if you double-click on one of these, it's supposed to open a tab which then will give you the single finding view, essentially what you're used to in the UI.

So what's missing is this piece, and we're gonna, basically as much as possible, imitate or clone kind of the visual elements here in a tab. So that's kind of it, and you'll see that whatever shows up here as new and fixed shows up exactly the same as the UI here.

I think, to clarify also, that we're showing findings for, I think, all the report types. I know that the data between all the scanners is slightly different, but what we're showing is what they all have in common. So it's very much going to just be... let me see if I can show you in the designs. This is what's missing, this right panel here. So the status, policy violations, is not part of the scope of this epic; there's a separate epic for that, but essentially we'll get the description, severity, the project.

So this is the piece that I'll be aiming to just complete, hoping to complete this milestone, but other than that, yeah, I think that's pretty much it.
B: Yeah, I have one question, Fernando, but let me start by saying that I really love this feature. It's very, very, very cool. I think it's very helpful for the developer. I would actually use it myself, and I have used the plugin a bit, it's quite cool actually. So that's really great work. Just a couple of questions. So, I'm not sure, you might have mentioned this already, but what kind of vulnerabilities are these? Are they, for instance, secret detection vulnerabilities, or...?
A: Sure. Technically they're all, all the scanners. I think I need to double-check that, but I'm pretty sure right now the API is hitting all the scanners. So what we do is we iterate through each scanner type. We actually, right now, because the endpoint that was added by the Insights team two milestones ago, or last one, yeah, two milestones ago, now you specify the report type as a GraphQL query. So let me see if I can actually show you. So the answer is all of them right now.

So this is what the query looks like, report type. Let's see, in this example I'm just doing secret detection in the GraphQL query here, but in the demo it's doing all of them. So whatever you see in the merge request, of course, with it, you'll see here. So these are the ones that are supported.
B: That's cool, thank you. And I have a second one. So here it will show up all the vulnerabilities, right? And, but then I said...
A: Yeah, so these are, to clarify the terminology, these are findings. So technically findings are what are found, you know, as running these scanners in the context, you know, on a feature branch, and then there has to be a merge request tied to this, or, I think, yeah, a pipeline run. If I'm looking here, see, for this query you need a merge request ID. So these findings are always tied to an MR.

So if you have a branch checked out and you don't have the merge request set up for it, then there's probably not going to be a pipeline job, so you won't see anything here. It'll just say no scans found. So, yeah, and then vulnerabilities are after you've merged in, and then I think it kicks off another pipeline run, and then anything found once it's on the main branch will be considered vulnerabilities, and that's what you'll see in the security dashboard. So this is all within the context of a merge request from the feature branch.

Sorry, just, yeah, go ahead.
B: No, no, you're right, I'm sorry for not using the right term, so findings. Indeed, my main question is, so as a developer, right, I'm just trying to think out loud, I might have certain policies, right. So it could be that my project, my project manager, has a policy there that we don't care about medium, or about medium, medium findings or vulnerabilities or whatever. Or maybe, basically, my question is: can we filter those findings depending on the existing policies that the project has? Would that make sense?
A: Sure. Right now, no. I think, going through the epics, I don't think that's a feature that was discussed. What we do have, though, is policy. There's an epic to implement, to surface security policies, so that you can't filter through the UI, but the idea is, as you see all these findings, you would see if there are any policy violations. This is eventual, this is, like, you know, a different epic, but the idea would be to eventually surface policy rules in the UI, but it wouldn't be with a filter.

The idea would be that you would have basically maybe some type of visual. I forget if this icon is related to a policy violation or if it's just related to severity, but let's say, for example, this is related to a policy violation. You would have this logo, this icon here, and then you click into it, and then you would see here the policy violation rule. This is again not scheduled yet.

This requires some additional work from the policies team and back end to expose all of this, but that is, to answer your question, I think that's as much as I understand: that we would surface policy violations in this manner, but that might be a feature improvement. I don't think right now on the UI there's any type of filtering of the left nav here. I don't even know how we would implement those filters within the UI, but right now, no, no way to filter.
B: Awesome. Thank you so much, yeah.
A: No, thanks for the questions. I think I'll try to, I'll follow up with Connor and ask about that, or maybe that's something we can do as a follow-up. I don't even know what that would look like in terms of filtering, but yeah.

So the only thing that's up in the air right now is, you know, we're wanting to ship it this milestone, that's kind of the intent, but, you know, we may end up doing, where you click on this, we'll open a web browser with the modal for the single finding. Right now it's not linkable. I think the Threat Insights team is doing work around that to make that modal reusable and accessible.

But if that doesn't pan out, I don't know the timeline that they have for that work. I may have to just focus on trying to get this working as originally planned, where you click on one of these and it opens within VS Code, if it turns out that it's going to take longer to implement the web version of this. We're trying to save some time, because we thought, well, we could just generate a link, open the link, go to GitLab, you know, within a browser, but right now that's not as easy as it sounds, because that's all a Vue app. So it's not like a single page for you to go to. We need to be able to handle client-side routing and a lot of other stuff; that's not as straightforward. So anyway, that's all I got.
C: I had a couple questions and a comment too. Just awesome work. This is, like, the fifth priority on our DevSecOps adoption priority list, so it's a huge priority, like, across the board, across all teams, and it's really nice also just the collaboration across the Secure and Govern teams that's happening here. It comes up in, like, customer calls, and I think you guys all have the context of this, but with, like, trying to shift left and reduce the cost for every customer of finding vulnerabilities.

This kind of thing, you know, is about as far left as you can go for finding vulnerabilities early in the development life cycle. So it's definitely a huge win for our customers, and other competitors already have this kind of feature, so you're really helping close a gap for us, which is awesome. So I just want to make sure everyone here has that context too.

But I wanted to ask, like, if this is the MVC, like, do you know if there's plans for, like, how we're kind of validating, you know, what additional improvements they might want once this initial version's out? And then also, I think you already explained this, but once it's released, like, to actually use it, does every engineer have to go into their IDE and enable this?
A: Okay, yeah, so I guess two answers, or two parts. So I think Conor would know best, he's like the PM for this feature, in terms of how he wants to go about testing and validating and what would be next. I think, as far as, like, planned issues in the epic, I think it's two parts: it's exposing security findings, and that MVC includes the left nav, which I've showed you, and the right, a single finding view. It was already discussed with Conor about, like:

Can we just ship the left nav, at least you surface findings, that they exist, even though you can't drill down into them, and the response was, like: that's still not quite enough functionality or value to the user. At least that's the feedback I got. So for MVC it needs to be the left nav with being able to drill down to a single finding, so that is MVC, which I'm hoping to complete this milestone. So then the second part is what comes out after this, and I...

Think that's actually, like, it's broken down into an epic with a couple issues right now that need refinement, is adding support for surfacing policy violations. So what that would do is, I think the policy violations apply to individual findings, and that requires, I think, a significantly larger amount of back-end work than it does front-end work, because we have a lot of the structure for the front end done now, or, you know, once this merge request was merged. So I think that hasn't been scheduled.

I don't think it's been vetted. I think the challenge with that would be surfacing, like, consistency between the policy violation, like how the strings are generated, how the messaging is generated, between the gitlab.com, or sorry, the GitLab Rails monolith, like the main Rails app, versus VS Code here, because I think right now a lot of that text generation lives client-side. So we have to replicate that here in VS Code or shift all that front-end logic into the back end.

So there's a lot of refactor work that's going to be needed to get policy violations to work, so that would be the immediate next thing I would think that Conor may push forward for, the exposing of policy violations in this. Beyond that, I assume it would be based off of customer feedback and whatever findings he has after it ships.

So hopefully that makes sense, and, I think, let me share my screen again real quick. So that work is captured in this epic, which I'll post in the chat here in a second. But this is the second piece of it, and I think right now I'm not scheduled to work on it. It may be someone from the policy team, or it can be anyone else who has bandwidth to jump in, and that would be basically adding the... oh, actually, I'm...

Sorry, we surface policy violations in two places, so actually I don't think we need a filter. So going back, Nick, to your question, I think we surface policy violations in two ways: inline on the actual finding, and it'll have a little description, and then we'll actually have a completely different dropdown section for policy violations, so you could go right to them, and I think if you click down to an individual violation, this is what it would tell you, what is being violated.

So maybe that helps a little bit with what you were looking for, I guess, without the filter, but you would have a whole separate section. So all this work would probably be next, once we get the initial security finding stuff out. I just don't know the capacity for the policies team to work on this regarding back end. I think that would be the main dependency.

To enable it, yeah, sorry, I forgot about that, yeah. So there are two things to that. You need to follow the steps that you would just to enable the extension, and that requires you to download the extension. There's some configuration steps, basically to add an auth token, but once, I think, you add the auth token, you should be good to go.

The only other requirement is that you have the security scanners set up in your project, you know, and that's pretty standard in terms of, like, if you wanna... Basically, you need to still do the same steps you would need to do to have findings show up in the merge request, and you will need a merge request that exists for the feature branch you're working on. Other than that, it should auto-detect the branch you currently have checked out, and it uses that. It's aware of the project and the directory you're in and the branch you've checked out. So all that's automatic.