From YouTube: Sec Section PM / Field Sync - July 2023
A
All right, thank you, everybody, for joining. This is the CS and Sec PM sync for July, and this will be the public portion, so we'll be discussing product updates and other things that are safe to talk about publicly, and then we'll move on to the private portion.
A
So let me go ahead and let me share my screen.
A
All right, so just to start off with some product updates. Grant, did you want to talk about the first one here?
B
Sure can. Yeah, so we just released the spawn a feature flag, we'll be enabling CI/CD pipelines in the target projects that are being enforced by scan execution policies.
B
An example scenario for customers might be that they want to enforce secret detection or SAST scans across all their projects, and some repos may not be set up for builds, and they would ultimately be circumventing any global enforcement of running secret detection or SAST scans, for example. So what we're going to be doing with this release is, for any target project, we'll automatically, kind of behind the scenes, enable CI/CD, create that .gitlab-ci.yml file, and that will allow us to inject the jobs that we need to enforce from a global perspective.
A
Great. The next one was in the release post, but I just wanted to call it out here: the automatic response to revoking Google Cloud tokens when it's discovered on GitLab, and then the.
A
See if it'll jump down. The shared ruleset customizations between SAST, IaC and secret detection, you can click on that if you want more information. I don't know if this is going to jump down to the right place.
A
All right, and then the exporting compliance frameworks report. So we added the compliance frameworks report to the group-level compliance center area, and you can now export that to CSV if you need that in a format that's, you know, outside of GitLab. We added an option here to allow developers to force push to a protected branch when there are no other branches in the project.
A
So this one was added specifically because we got a lot of feedback that once you create a protected branch, no one can, or the developers can't, push to it immediately. So that first push, we're allowing any developer in the project to start, and then after that it will follow the same settings as the fully protected setting. And so that's available in the project settings now.
B
Yeah, I just wanted to also highlight another one that we're working on right now that's behind a feature flag, and we've been working on this for a while. There probably will be several iterations in the logic for how we compare scan results and identify, like, when we want to actually require an approval.
B
But we've had a number of customers who have kind of felt that it's confusing when approvals are required and when they're not, and that's what we're working on doing here, is increasing that accuracy and kind of improving on what customers are expecting and what we're showing there. So ultimately we'll be comparing the latest completed pipelines for each pipeline source for the source and target branch.
B
This is with the exception of parent-child pipelines, which we think is much rarer of a use case, but we may work to add that in the future. I'm trying to think, a good example here is if customers are trying to run their security scanners overnight in a scheduled scan. We might be missing results from that. So we're kind of opening it up to capture results from more pipeline sources.
B
Not just kind of the MR pipelines or kind of the default branch pipelines that we've been using. So this will definitely improve the number of results that we're capturing and comparing against, and we think it's going to help a lot of customers. It's behind a feature flag. We've asked a few customers to kind of explore and see if this is solving for them.
C
The only thing different from this screenshot right here is there won't be search, error, filtering enabled for this first iteration, and then we're optimizing some queries, so we're leaving it behind a feature flag for 16.2, and by the end of the month we should have those queries resolved and optimized for performance, and so it should be available by default in 16.3, and then we have some other iterations that we'll start working on immediately after.
C
B
Cool. If there's no questions on that one, I have point two here, and I shared this in our CS PM Sec thread previously. I might have even spoken in one of our previous meetings about this, but we are working on a user study for unifying compliance pipelines and security policies. I've got the two related epics linked there, so we're ready to start sending this out.
B
I've actually sent it to a couple of customers; wanted to see how the test holds up before we go more broadly. But if you have any customers that are actively using compliance pipelines or security policies, it would be great to have some additional participants to join our study, so feel free to reach out to me. We can talk more about that, or view that thread. You can also respond there and see some more details about what I'm looking for. Yeah, let me know. Thank you.
A
All right, if there's nothing around that, I wanted to point out some updates that we haven't put into the release post, but I know that some of you have run into problems with DAST and it locking up on some benchmark or demo applications. set of Mirko, you've specifically called this out multiple times. We've done a couple of things that I'm hoping will open it up and help out with that. We've been able to get through a couple of different benchmark apps that we haven't been able to before.
A
So the two issues, two main issues that we solved: one was a panic with a Go logger that was causing the analyzer to lock up and crash. So we replaced that with a logger that does not, or that is more stable, with the standard Go logger. Previously, we were using one that seemed stable enough, but recently, looking at their issues on their GitHub account, there's multiple accounts, multiple issues coming in from different customers, talking about panics and crashing.
A
So we replaced that, and then the second one, that's actually more relevant, is that we have changed the logic around how we run passive checks for DAST. Previously, what we're doing is we're running the crawler; when the crawler was done, it would start the passive check service, and it would pull all the stuff out of the queue and start checking it.
A
Now we're actually running the passive checks along at the same time as the crawler, so as the crawler finds something new, it puts it into the queue; the passive checks are immediately working on it to get through as many of the items as possible. That means that even if the queue does fill up, which is unlikely when they're running in parallel, but even if it did, it wouldn't stay that way for very long.
A
So the test would not lock up, and it'll keep adding stuff to the queue as the passive check service pulls things out of that queue to run through the passive checks. So I'm hoping that this will address a lot of the locks that we've seen with DAST, especially on these demo applications.
A
So if any of you have run benchmarks or demos in the past and it's locked up, if you could try it again and see if it works, I would appreciate it. If it doesn't work, let me know, and we will jump back on it to see what might be affecting that specific scan.
A
All right, and then the next one, if you haven't seen: I'm actually moving to the Create stage to be the group manager there. So this meeting will still happen; we'll transition it to another PM in Sec.
A
We haven't really discussed who exactly will take over it, but I'm sure someone will volunteer and we'll get this running with another DRI. But just as an FYI, that's happening. Next Monday is my official start date as the group manager there. And then Sarah, you've got the last item here.
D
Yeah, I think I've mentioned it before, but we got some customer feedback that customers would like more consistency around what languages and versions we're supporting between SAST and SCA tools. So we're currently working on defining that, and we just wanted to make sure everyone's aware so that we can get additional feedback, if any of you have anything that you want to contribute.