Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Protect Stage / 5 Feb 2021
GitLab / Protect Stage / 5 Feb 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Spikes for Security Orchestration Policy: how to enforce having given scan in your pipeline

Description

In this video we are going through some spikes related to Security Orchestration Policy​ and we are presenting current state of the work and general idea of how this could be implemented on the backend side.

This part of the video shows changes made in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/52661/diffs?commit_id=e3cab09feb477f68688ee28db81592886e168053

A

Hello, everyone, my name, is alan persiuski senior, pickens engineer for threat management. I'd like to talk to you shortly about uh having security organization policies within um in yaml repository and I'd like to show you something: that's working and we're going to improve that. Okay. So here we are, we have a simple project, that's rails project and currently it is not configured to have the security acquisition policies. Okay, I'm gonna run the pipeline now and this pipeline I'll just go quickly to to our ci yellow file.

A

So you'll see how it's being configured right now, which is very simple.

A

Actually it will do only one thing which is in test stage tool, echo string as a script, so this is it okay, all right so pipeline is running, so you have to wait a minute or two to let it finish. Okay, it's it's succeeded.

A

So now I go. This is my secret section, polishes project. Where I can store my policies. I will go to github security policy now, first I'll enable the enforcement of sas.

A

So, as you can see, currently it was disabled all right, so I'll enable that so one thing to to mention I because we don't have ui yet for it. I already connected this project with policies, uh so this repository policies with the project that I'm using to test it. Okay, so I'm going to enable it okay, sas is enabled right now, all right now I can go back to pipelines. It'll trigger the pipeline again.

A

Okay, so I'm running in for masters, I want to emphasize one thing so here I selected that I'm gonna run for pipeline for this branch and we're using wildcard here. So, whatever branch we have, it will it'll run and actually scan sas. Okay, now I'll go back to the secret detection and I'll enable it in a minute, but first we need to take a look at the pipeline view and see if indeed, we have included sas scans into our pipeline.

A

Okay, so, as you can see, the pattern is running and we have sas enabled for them and everything's working as expected. Okay, let's do one more thing, let's enable as well secret detection.

A

Okay, it's enabled and I will go back and I'll trigger a new pipeline and I will see if this prediction was added or not. So I know that mvc and apex, and so on. We are all informing about we'll first include tasks, uh because I don't want to configure my cluster true to actually deploy the application as fast.

A

I wanted to quickly show you the idea that stays behind it I'll be preparing dmr with mvc, just to show you the code, because there's only a few lines of code that was changed due to have that so I'll I'll include that uh in the link in the description of this video, but let's first take a look: if we have the section detection- yes, yes, we have it okay, so that would be it. Thank you. Everyone.