From YouTube: April 2023 Govern Stage Strategy Q&A
B: Yeah, definitely, and before the questions I will say, I was really happy to see that there was mention of a convergence point between compliance pipelines and security policies.

B: I watched the Secure video first, and that was one of my big questions, and then I watched the Govern video and it was, like, one of the first things that was covered. So that's a big thumbs up. Saw that was Q1 next year, I believe. Now, on to the actual questions I had. I know that we're going to have, when we triage a vulnerability, there's going to be a reason for setting that triage status, and curious.

B: Awesome, thank you, Alana. Compliance adherence reports, so this one's another question where it's kind of tough for me to ask, because it's so loosely bounded. But of course, when we think about compliance, Bears mentioned in the recording about, you know, we're not going to go become a full-blown compliance company, right, where our platform company, the messaging, maybe there's room to improve on the security front, but we are not going to become a clinical peer security enterprise company or a CRC company.

B: I was wondering for the compliance reports, adherence reports. Do we have a notion of what external data sources we will either be ingesting or exporting data to and from? I think ingestion would be, of course, the most important use case for us, or is that fairly open-ended at this juncture?

D: Yeah, I mean, right now we're not planning on having any integrations to ingest data from other sources at the beginning. That could be something that comes later, right. Now we're going to focus on GitLab project settings, you know, pipelines, things like that that are more directly related to what we're doing, but, like, external to GitLab right now, there's no plans to pull in anything else.

B: Thank you for that, and then finally, and this one I'll caveat by saying it may just be a misunderstanding on my part of what guest users are capable of. My impression, and the way it's called out in the current docs (although I just looked again, and there is an asterisk), is that guest users cannot approve merge requests, so I was just wondering about the role-based approval of scan policies.

E: We need, yeah, no, I was reading the question in the doc previously and that's something I think, Alan, you and I, we can just kind of double check that, but I believe, if the user has guest access to the development project, they should be able to potentially manage those approvals, but I think that is something we should double check and see if there's any limitations for that type of user. Do you have any thoughts on that? One.

B: Thank you very much, and I guess, Sam and Derek, we have GitLab webinars here again, so I guess, if you want to confirm that's a bot or a person throwing it out there. But that's the end of my questions.

A: Tim, looks like you've got the next question here, transferred over from our previous one.

F: Yeah, sorry about that. As I was writing it I was like, I think I'm asking it in the wrong group.

F: I was curious if there was a vision for notifications for vulnerabilities to make detections a bit louder on non-default branches. I had a recent customer that was like, hey, we ship, you know, we publish projects that other companies download and run; it'd be great if we could use GitLab releases here and then just have a rolling, like, get alerted when there's vulnerabilities that are found in, like, n minus 3 releases. And I was like, hey, that sounds like a really great thing. We don't really do anything.

F: I mean, you could run a pipeline, a scheduled pipeline, on those, but you would have to disable running those pipelines and you'd have to then manually go into the pipeline, like, security tab to even see the vulnerabilities, but that might even be problematic because there's no way to diff between that and the default branch. It seems like we would not be a good provider there, and I was just curious if there was things there.

A: Yeah, so I dropped a link to an epic tracking the feature request to track vulnerabilities on non-default branches, so even before we do something more advanced like notifying, you know, or including notifications, we would have to first start tracking those. For container images specifically (and this is going back and forth between Secure and Govern, so I'm sorry), we have plans to continuously scan all container images in the GitLab container registry.

A: So it's not just as simple as just adding a drop down to filter and select based off of branch, because we're actually not storing those vulnerabilities for non-default branches in our database. So it actually would be a rather extensive effort. It's a lot more than just adding a filter drop down, yeah.

F: Yeah, makes sense. I think in the meantime my team might consider doing a dynamic pipeline that then kicks off downstream pipelines that solves for this, but I was curious as to whether or not it would be worth investigating, and it seems like it might be good to have some sort of solution in place in the short term for the next year.

F: My next question was about the dependency list improvements. Super exciting to see the stuff that's coming in this, and it's fruit of the dependency database, which is pretty cool. So, specific to the group level dependency list: will all the, like, being able to search, finding, you know, a vulnerable dependency in all the projects quickly?

C: I think we will have some basic search, but we are going to, so we're shipping the group level dependency list, and then we are also going back and holistically looking at our searching, filtering, grouping capabilities for the vulnerability report and the dependency list, at both the project and the group level. So that might not be there in the first iteration; it'll probably just be fairly basic, yeah. Was there anything else that you saw in those designs that stuck out?

F: No, I think, like, given that we're kind of categorizing or, like, storing more of this in the database, one thing that customers have consistently been asking for has been, like, hey, can you identify all the vulner-, or all the dependencies that are out of date?

F: Who cares if it's secure or insecure? For using something from three years ago, and it's been upgraded 20 times, we might want to move to something that's a little bit more upgraded, yeah.

A: So as we do make improvements to searching and filtering there, those search and filter improvements would most likely, you know, unless there's some engineering limitation that I can't foresee right now, like, most likely that would be available across all of those levels with full feature parity, so we'd be able to implement the searching and filtering once and have it apply everywhere.

C: It's outside that, with the saved views outside of that Security Center, which is the personalized view.

G: So, with being able to identify all the occurrences of a dependency, is that done by, how do I just search at that in that bar there, and then it would show me all of the projects that have that? I look for a project like log4j, like you have an example there, or what is it? How would I get a list of the projects? It is my first question. Yes, just.

C: Yeah, so if you, like, imagine on the screenshot on slide 16, when you hover over projects, you will see a list of projects where that dependency exists and you'll be able to click into, yeah, from there. And I think in the agenda we have, yeah, Tim went ahead and he added the epic that we're working on the designs.

G: The second part that comes up with this question often is, you know, around the intermediation aspect of it, and I think the first step of what they want to do is to say no new deployments can come out of any project until this dependency is fixed.

G: That's, like, step one, right, so you're not going off and going and solving those in production, but you're saying, if you're going to do any development on this project, you have to solve this before you move forward. Seems like we're close to that, being able to get there. Is there plans to kind of build some enforcement back into that dependency scan or something? I don't know, I don't know what that'll look like, because it's already in production, right. So it's past that, right, request state.

C: So when you click on, you want to know where this JSON5 exists and what projects will be in there. We're going to add, like, in case you have 103 projects, we'll add a search option.

C: But let's say this is Python 2, and you know that you want to upgrade to Python 3. How can you put a block on maybe some? Maybe not all of these are production projects, but some of these you want to put a block on any future changes or any future deployments to these projects until the dependency has been updated to something that doesn't have, or to a future dependency. Is that right? Did I get that right? Yeah, okay, yeah.

G: Exactly, because I think, you know, obviously the ideal state is to say: hey, we wanted to find this package. This package has log4j in it. We want to go find all the projects that have that, but then we also want to remediate them in production, but that's much harder than just saying, okay, the first step that we want to take as an organization is just to block them from doing any development until they fix it. So it enforces them to solve that problem, and so that eliminates probably 90% of their technical debt.

G: With this log4j thing, because people are actively developing in these projects, they can't push anything new to production till they fix it, and you can say, you know, we're gonna have log4j solved in the knowledge projects pretty quickly, right, and so that's, like, the first step they're looking for, because, you know, when we're talking about something where it's touching a thousand projects, right, then something like this becomes really important.

G: I've heard this from a lot of customers who, and, you know, like, what they'll say is, you know, one way they'll do that today is with those two, two ways, right, so one is you're either using something like Dependency-Track, right, and they can solve it through there by setting the rules up in Dependency-Track and blocking things, or, if they're using, like, Artifactory, there's, like, the Artifactory, I can't remember the feature for it, but there's some way that you can detect that stuff and then you can go off and fix all the containers based on that and activate, that's right, thank you, yeah, and actually you can solve it that way.

G: So that's kind of the ask of how do we, how can we do that with GitLab? That was my first thought when I saw this, is like, oh, we're almost to a place where maybe we can do some sort of, I think a policy would be great, grand, if that does, does that make sense. Now, what we're looking for is: go create a policy for all these projects that are defined here, that on a merge request there's a new policy for that specifically, yeah.

E: Exactly, and Sam was adding some notes here as well, but yeah, a scan result policy for pre-existing vulnerabilities would be a place to start there, and then you could also have, for newly detected vulnerabilities, if we, yeah, that would block this in future cases. If there are dependencies that you want to mitigate, so you would define it kind of based on severity. So if it's critical, medium, you can block merge requests that you've detected these vulnerabilities in, and then block merge until the security role or whichever approvers you've...

H: I think I got the next question here. It's a bit of a blend of Secure and Govern, but super excited to see some of the IDE features coming in. Curious how we see the IDE and MR security widget coexisting. It looks like, Sam, you got a first response on there.

A: Yeah, at least for our first iteration, we're focusing just on displaying the same information that you would see in the merge request page in GitLab, but in the IDE, essentially. So we're trying to split things out, newly detected versus previously existing, and let you click on vulnerabilities and view the details of that. You know, the main goal, the main problem that we're solving with the very first iteration, is just eliminating the need to jump back and forth between GitLab and your IDE, so that you can see everything within one application.

A: I wasn't sure how much Conor would have, wouldn't be available. It looks like you're on, Conor; I don't know if you have anything else to add to that.

I: Yeah, so yeah, it seems totally right about what we're starting with. The reason that we're starting with this is basically to have that consistency and to have something that we can do sooner. If we were to try to, people, everyone wants to scan locally. Everyone says they want to scan locally until they realize maybe all the environmental dependencies that every developer's machine has to have and all that, but the first step is, but the workflow you'll be able to do is: you code, you commit, you push. You don't need to have an MR necessarily yet, and then some other features that already exist now, as you can see the pipelines running in the IDE as it's going, you can see the job logs, even of the scan job. So if there are errors or anything, you can actually see that right there in the IDE, and then once the results get processed, it is pretty similar to the MR widget in the green of the corner of the screen.

I: So next to where the pipelines go in the Workflow extension there's sort of a new security, you know, tree view thing, so that's where it's starting. That got a little bit delayed; it turns out the extension is a little bit harder to develop than we expected, but still actively being worked on, and beyond that you start to see more. Honestly, it goes more for my area, because static analysis is often what you want to do in an IDE, so you'll start to see a little bit more reduction in that way.

I: We want to do kind of the same thing though, but we're in the MR, you'll be able to see SAST findings in the diff and the changes view; we're working on that now. You'll see that; you want to see something similar to that in the IDE. It gets complicated because you have uncommitted changes in the IDE and you only have committed changes in an MR, but finding a way to kind of fuse those in a way that makes sense, that's where you'll see the idea going.

I: Maybe one final note is that the secret detection is likely to do some more stuff on the developer machine than SAST, just because of the difference in, once you push a leak, it's leaked, you can't fix it. Like, you can just fix this asphalt.

H: It seems like there could be sort of duplicate work there, like we're sort of blending or checking within the code review, but then also within the IDE view. I'd be curious to see, from, you know, like, the developers' perspective, what's annoying me and what makes the most sense for them, and curious if you have any impact on that.

I: Right, so generally I think the answer is both, because your ultimate goal is to not get a security ball in production. The, you know, next step in is the MR, the code review stage. The next step in from that is when the code's actually getting written, so the more we can bring the context to the developer without making them save the file, commit it, push it, wait, or we could just tell them right away, the more likely you are to actually get that home results in an efficient manner.

J: Hey, so I was just curious to check on what's happening with the AI/ML, with respect to Secure and Govern.

C: So we shipped, in, like, a week's time, the first iteration of Explain This Vulnerability. There was an option to make it like a chat, but we wanted to see, this is an experimental feature, do users really need to have that chat interface? So instead they can just click a button and get that further explanation of, okay, what is this vulnerability and how would I go about fixing it. In the beta version, if we decide to pursue that, we will try and get a better understanding of, hey, is this even helpful?

C: Was this useful for you? And then we've got a lot of other really good ideas that Sam did a great job of organizing, and I also have just, like, a general vision that we are in the process of reviewing. These are things that are just in flux, changing really quickly. I, like, left on Friday, came back on Monday and everything was different, so take that with a grain of salt. I think you have a follow-up question that I could also probably help answer, so do you want to voice over that?

J: Yeah, so the next question is more about, like, is there a ChatGPT kind of interface where I can ask questions with respect to security, more from the CSO side? Like, CSOs, they just want to understand what is the security posture for my entire applications, which project is more secure, why it's so secure, what's happening, so how they can surface that kind of information?

J: So that's what I was trying to understand. Is there something happening? I'm like, I saw, like, you dropped a link around the ChatGPT.

J: Yep, got it, yeah. Just because, just curious, playing and just exploring; so many things happening past two months, I was like, okay, I'll check, like, what's happening, or probably ask few things which may be helpful down the line. Okay.

C: Yeah, and I think, if you have it already, if you could add your ideas and thoughts to that AI analysis, possible use cases, and tag myself or Sam. That would be super helpful.