►
Description
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/54067
A
Or
okay,
all
right,
hello,
everyone
we
hit
record
and
we're
gonna,
take
a
look
at
things
and
there
will
be
the
whole
discussion
about
the
epic
for
security
policy,
security,
registration
policy
and
yeah.
We
are
trying
to
investigate
what
will
be
the
best
approach
for
us,
because
we
see
that
we
have
approaches
from
compliance
team.
We
have
approaches
from
our
team
and
we've
discovered
a
few
things
so
yeah.
Let
me
let
me
go
quickly
through
what
we
have
right
now.
A
So
in
those
previous
demos,
emails
demos,
I
was
recording
I've
prepared
something
like
that.
Like
the
storing
security
policies
and
repositories,
I
won't
go
through
the
code,
but
it
seems
like
what
compliance
team
is
proposing
right
now
with
their
work.
It's
pretty
similar.
If
you
take
a
look
here,
you
can
see
like
it
started
in
the
same
place
and
so
on,
and
so
they
they
also
have
an
idea
to
extend
the
current
pipeline
service
and
and
to
be
able
to
inject
something
into
into
that.
A
The
difference
between
us
and
compliance
team
is
that
they
have
a
yaml
file
with
configuration
that
is
stored
on
some
under
some
project
like
that
and
we
have
to
dynamically
generate
it
so
that
that's
the
whole
difference.
But
apart
from
that,
we
could
actually
reuse
them
the
services
they
they're
using
right
now.
A
So,
for
example,
here
they
have
like
the
content,
but
here
they
are
directly
reading
those
those
configurations
in
one
service
like
they're,
doing
everything
in
one
service
that
makes
a
little
bit
harder
to
for
us
to
abstract
it
and
have
something
in
common.
So
I'm
not
sure
still
if
we're
gonna
reduce
something
or
not,
we
have
to
decide
at
some
point.
For
now
we
can.
B
I
talked
with
the
compliance
team
member
yesterday
and
so
now
it's
one
to
one.
Okay,
so
one
project
has
one
compliance
and
it.
It
will
be
many
many
too
many
in
the
future.
So
I
guess
you
yes,
so
it
like.
So
in
the
future,
like
you
know
what
they
are.
Thinking
is
like.
So,
for
instance,
you
will
have
you
have
different
compliance
tasks
right
gdpr.
So
whatever
gbr2
you
know
so
you
you
will
be
able
to
say
that,
like
you
know,
they
call
it
label.
So
I
my
project
has
those
labels.
B
You
know
if
those
labels
could
come
from
group
or
they
could
be
assigned
to
project
now
it's
just
assigned
to
project.
You
know
that
it
doesn't
come
from
group,
so
those
like
labels
basically
are
just
yaml
files
that
you
you
can
define
whatever
you
want
inside
yeah,
okay
and
this
this
service.
They
extend
this
just
make
sure.
B
Whenever
you
run
pipeline,
you
run
what
you
define
in
those
yaml
files
as
well
just
for
the
clarification,
yeah
things,
yeah
yeah,
so
the
same
yeah,
so
it
I
find
very
similar
because
you
can
put
anything
in
those
xiaomi
files.
You
can
put
branching,
you
know
you
can
even
schedule
normal
pipeline
and
your
compliance
with
job
will
run.
There's
a
scheduled
job,
and
you
know
a
lot
of
similarity.
A
Okay,
yeah-
that
is
true.
Actually
this
is
this
actually
great
that
you
found
found
out
this
one,
because,
exactly
like
the
the
main
difference
between
us
and
the
compliance
team
is
that
they
are
preparing
the
yaml
file
with
like
the
whole
conflict
by
by
their
own
and
we'll
have
to
generate
it
dynamically.
But,
apart
from
that,
it's
very
similar.
A
A
We
have
we
have
our
own
structure
for
storing
policies
like
like
that
right.
So
yes
specify
rules
and
actions
and
then,
in
the
middle,
when
we
are
like
assigning
the
project
to
repository
with
with
policies,
then
we
have
to
add
the
logic
that
will
read
those
policies
and
then
generate
the
yaml
file
with
ci
configuration
for
it
all
right,
because
we
need
to
either
like
generate
the
file
or
extend
the
current
sure.
A
So
so
they're
doing
is
like
okay,
I
have
a
separate
project.
I
keep
the
like
the
compliance,
gitlab
ci
yaml
file,
and
it
will
be
automatically
included
in
every
single
project.
That's
assigned
to
that
compliance
right.
What
we
are
doing
is
it's
a
little
bit
different,
but
the
logic
that
is
underneath
is
the
same
because
we
at
the
end,
we
want
to
extend
the
current
pipeline
current
ci
configuration
with
something
that
is
defined
in
different
place.
A
B
B
B
A
A
Believe
we're
doing
like
at
the
beginnings
are
very
similar,
like,
of
course
you
can
do
that,
and
the
other
thing
that
you
could
do
like
you
can
go
to.
You
know
instant
settings
in
your
admin
area
and
then
you
can
specify
required
pipeline
configuration
and
then
you
can
specify.
Oh,
I
want
to
do
like
fast
test
on
demand,
scan
and
that's
it
and
then
you
can
save
it,
and
then
it
will
run
for
every
single
project
that
you
have
on
your
instance
of
gitlab
like
this
is
the
other
way
you
can
have
it
like.
A
Gitlab
is
unique
in
the
way
that
you're
actually
able
to
achieve
similar
things
by
multiple,
like
features,
and
it's
good.
You
know
sometimes
it's
confusing,
but
I
believe
here
the
difference
between
compliance
and
the
policies
for
us
is
like
compliance
is
talking
like
it's
a
broader
perspective.
In
my
opinion,.
A
Are
focused
mainly
on
security
stuff,
compliance
is
more
like.
Oh,
what
kind
of
features
would
would
I
want
to
have
enabled
in
gitlab
or
enforced
in
gitlab?
That
allows
me
to
achieve
certain
like
certification
or
or
compliance
right?
So,
yes,
this
is
what
it
is
for
us
like
for
now
we
can.
We
can
go
to
to
the
nbc
like
for
now.
What
we
need
to
have
is
being
able
to
associate
the
project.
A
B
B
A
You
described
yes,
the
thing
is
we
want
to
improve
the
user
experience
on
that,
so
that
that's
the
whole
difference
between
us
sure
and
compliance
team,
so,
okay
users
will
be
able
to
associate
security
policy
project
with
similar,
how
we
have
cluster
management
project
so
being
able
to
assign
the
repository
with
policies
with
given
project.
That's
one
thing:
the
other
thing
being
able
to
create
policy
in
that
project:
okay,
so
that
that's
what
we
have
right
now,
like
you,
specify
the
policy
as
yaml
file.
A
A
I'm
not
sure
if
you
want
to
keep
the
names
or
we
want
to
somehow
think
about
ids,
because
I'm
not
sure
if
I'll
go
to
security
on
demand
scans,
if
we
can
get
the
ids,
probably
not
probably
ids
are
hidden
from
the
user.
We
can
think
about.
Oh,
I
don't
have
anything
here.
I
think
at
some
point.
We
can
decide
if
you
want
to
keep
the
names.
A
A
B
Yeah,
I
I
still
have
struggle
for
our
mvc,
like
the
the
difference
we
are
creating,
I'm
I'm
struggling
for
real,
like
I
cannot
see
the
difference
that
we
trying
to
achieve
in
context
of
this
small
iteration,
oh
okay,
why
what
we
were
gonna
do
different
like
what
what
we
gonna
do
different
so
that
you
know
I
I
don't
even
have
the
the
implementation
comes
to
my
mind,
because
I
want
to
do
this
different,
so
I
can
think
of
okay.
Then
I
can
achieve
like
this,
but
I
I
kind
of
I
cannot
think.
B
A
B
B
A
B
A
B
B
B
B
B
B
B
B
Yeah,
it
is
a
bit
more
so
here
right
for
the
pipeline
full
configuration
path,
so
you
can
also
say
if
it,
if
it
has
security
type
compliance,
do
you
do
your
magic?
Do
your
logic
in
there
yeah.
You
know
like
if
you,
if
you
have
security
compliance,
that
you
want
to
fetch
the
dust
from
database.
Do
it
like
you
know
you
want
to
inject
something
you
want
to
change.
Do
it.
You
know.
A
You
know
this
this
solution
with
compliance
would
work
like
the
main
thing
is
that
the
ux
user
experience
for
that
would
be
bad
at
this
level,
because
you
need
to
configure
it
on
your
own,
like
you
cannot
click
it.
I
believe
the
whole
goal
for
it
is
to
be
able
at
some
point
to
be
able
to
drag
and
drop
things
or
select.
Like
yes,
rules
like
like
we
have
for
other
policies.
I
want
to
do
this
drop
downs
and
so
on.
A
For
now
I
agree
that
maybe,
instead
of
having
like
separate
structure-free,
ammo
files
and
so
on,
and
then
converting
them
from
from
one
format
to
another
is
tricky
and
it
would
be
easier
to
actually
specify
the
compliance
with
proper
desk
configuration
and
so
on.
I
believe,
like
those
first
steps,
are
the
same
at
some
point.
We're
gonna
move
absolutely
in
different
ways,
because
we
want
to
have
a
simple
user
experience
and
the
rich
user
experience.
At
the
same
time
you
just
you
would
like
to
click
it
and
click
through
it.
Yeah.
A
B
Mean,
like
you
know,
just
to
clarify,
I
don't
mind
doing
this.
You
know
as
long
as
I
know.
What's
the
difference
you
know
just
the
problem
I
have
is
just.
I
cannot
see
now
the
difference
I
know
like
it's
like
we
did
like.
We
did
in
alerts
feature
right.
We
used
alerts
backhand
completely,
but
it's
in
different
ui.
You
know
yeah,
it
could
be
the
same.
It
could
live
in
different
ui,
different
ui
experience
different
view,
but
at
the
end
it
would
be
the
same.
B
You
know,
because
what
they
have
is,
from
a
point
of
view,
super
powerful.
You
know
got
it
and
here
here
right,
you
don't
like
so
because
they
use
ci
directly.
They
don't
need
to
do
this,
yaml,
conversions
and
stuff.
That
is
true
like
so
you
you
will
you
will
like
you
know,
you
will
pass
the
branches,
you
will
try
to
inject
those
branches
in
the
code.
They
don't
need
that
because
they
just
use
valid
ci
ammo
configuration
for
branches.
So
it's
like
100
percent,
like
you
know,
if
there's
something.
A
B
A
You
ask
me,
you
know
we
are
both
engineers.
We
are
thinking
about
simple
solutions
with
what
we
already
have.
It's
like
no
need
to
reinvent
the
wheel
to
develop
that
if
we
can
reuse
something
that's
already
in
gitlab,
but
I
believe
for
for
end
user,
it
would
be
beneficial
for
them
to
to
have
simplified
process
of
configuring.
It
now
sure.
A
About
oh,
we
take
the
small
step
and
try
to
see
if
that
works.
If
if
customers
will
say,
oh,
I
don't
like
it,
it's
it's
pretty
bad
user
experience.
I
would
have
something
different,
then
I'm
pretty
sure
we're
not
going
to
to
do
that.
You
know,
but
it's
all
about
being
able
to
quickly
get
the
feedback.
That's
that's
my
vision.
B
A
B
A
And
try
to
elaborate
a
little
bit
on
that
users
will
be
able
to
reference
an
existing
scan
profiles.
Okay,
that's
what
I
was
talking
so
this
is
this.
Is
this
one
being
able
to
select
those
we're
thinking
if
we
should
have
id
or
names
for
now
we're
going
to
stay
with
names?
Users
will
not
be
able
to
edit
or
delete
any
scan
profiles
or
cyber
hosts
that
are
referenced
by
an
active
policy,
and
that's
something
that
I
was
not.
A
I
was
not
yet
thinking
about
that.
Yes,
I
wasn't
thinking
about
this
because
you
have
those
names
here
and
then
you
need
to
create
some
kind
of
hook
and
whenever
you
try
to
delete
something
like
delete,
site
or
scan
profile
to
see.
Oh,
is
there
any
configuration
like
this
police
security
or
position
policy
configuration
assigns
to
given
the
project
where
I
have
those
profiles?
A
A
B
A
B
A
That
is
true
and
actually
an
mvc
and
not
nbc,
but
then
the
source
code.
I
I've
proposed
whenever
you
write
something
wrong
here.
It
will
not
include
the
the
dust
configuration,
but
it
will
fail
like
the
job
for
the
dust
on
demand
will
fail
and
say:
oh,
there
is
something
wrong
with
the
configuration.
Take
a
look
that
that
was
my
vision
just
to
be
able
to
to
give
the
feedback
to
the
user
okay.
So
I
have
a
like
simple
project
that
is
defined
here.
A
I'm
gonna
just
hit
run
pipeline.
So
I'll
just
show
you
what
what
we
have
in
the
policy
this
this
okay,
this
project
is
assigned
to
to
disk
configuration
project
so
with
policy.
So
I
have
two
policies
here:
one
two
to
have
a
test
and
the
second
one,
second,
one
for
sas
yeah
sas
for
every
branch.
So
that's.
A
And
I
will
just
go
quickly
to
to
the
ci
gitlab
ci
project,
because
it's
very
simple:
it
has
only
one
job
that
is
doing
only
echo
as
a
script
and
that's
it.
No
nothing
nothing's
more
and
then
I
hit
run
pipeline
problem
run,
will
start
okay,
so
we
have
it
and
we
have.
We
should
have
this
job
that
was
defined
in
gitlab
ciaml
file.
Then
we
have
sas
and
then
we
have
dust,
that's
what
we
have
defined
and
then
it
will
run.
A
A
When
I
go
to
security,
I
do
not
see
any
vulnerabilities
found,
even
though
they
are
some
found
for
for
this
job.
So
probably
it's
it's
about
like
naming
or
or
some
other
stuff,
and
it
was
not
treated
as
as
something
less
vulnerability.
A
report
I
don't
know
like
this
is
simple
things
to.
We
need
to
take
a
look,
but
this
is
one
thing
that
is
missing
and
I
definitely
need
to
look
into
it.
A
A
Let
me
where
do
I
have
the
pro
okay
required?
Processor?
Okay,
so
I
was
telling
you
previously
about
the
feature
that
is
that
is
here:
the
required
pipeline
configuration
that
can
be
specified
and
and
so
on.
So
actually,
yes,
it's
all
being
like
the
magic
is
happening
here
and
and
that's
in
that
class.
So
it
takes
a
look
if
it
is
configured
for
the
for.
A
Code-
and
I
was
thinking-
oh
maybe
we
could
do
something
similar
for
security
policies
and
that's
what
I
did
with
with
the
processor
for
for
security
policies,
but
like
I,
I
prepared
other,
mr,
like
dmr,
that
you
already
have
seen,
and
I
I
was
demoing
and
the
approach
that
I
took.
There
is
similar
to
the
approach
that
the
compliance
team
has,
and
this
is
different
approach.
A
So
I
have
two
approaches
and
I
wanted
to
discuss
with
you
or
maybe
you
can
do
it
offline,
which
would
be
the
better
for
us,
because,
obviously
we
need
to
choose
if
we
want
to
go
in
similar
way
to
this
feature
or
similar
to
compliance
feature
both
will
solve
the
problem.
We
simply
don't
know
yet
how
we
can
solve
it.
B
B
Compliance
team
that
we
need
to
be
aware
of
as
well,
so
they
the
way
they
do
things
their
over
writing
mechanism
takes
presence
of
everything.
Okay,
so
you
know
they.
Actually
they
do
like.
So
when
you
say,
like
you
know,
if
you
open
a
compliance.
Yaml
example
in
that,
mr,
if
you
open
that
mr
like,
if
you
go
like
the
description
of
that
image,.
B
A
B
A
We're
gonna
extend
it:
we're
not
running
going
to
run
like
a
different
yaml
file.
We're
gonna
run
the
project
yaml
file
with
some
extensions
to
it,
so
that
that's
the
difference
that
yeah
that's
something
we
need
to
decide
how
to
do
it
properly.
I
I
prepared
two
versions
and
I'm
to
be
honest,
like
both
are:
okay
overworking,
obviously,
we'll
have
to
get
some
mrs
checked
by
ci
team,
because
we
don't
want
to
break
anything
here
and
we
are
doing.
B
Like
so
when
I
point
out
this,
the
way
that
we
want
to
do
ci
team,
that's
how
the
conversation
start.
The
ci
team
cannot
see
the
difference.
How
the
compliance
team
is
doing.
Our
hours
is
doing.
Okay,
so
see
you
know,
so
this
is
how
all
the
conversation
started.
So
I
said
we
want
to
do
this
and
the
ci
team
says:
what's
the
difference
with
that,
you
know
and
I
yeah
like
you
know,
I
will
come
back
to
the
same
thing
though.
B
A
A
What's
the
difference
in
terms
of
what
user
wants,
I
don't
know
to
be
honest
like
we
could,
we
could
use
something
as
you
described,
but
at
the
same
time
this
is
a
little
bit
different
in
terms
of
how
you
use
it,
because
you
have
to
specify
the
project
you
have
to
like
the
separate
project
and
that
separate
project
you
have
to
store
yaml
files
with
policies,
and
then
you
have
the
logic
that
converts
that
to
ci
configuration
a
cml
file
and
then
we're
running
it.
So
that's
the
difference.
Yes,.
A
B
Duplicate
a
lot
of
work,
because
what
compliance
things
teams,
long
vision
is
really
aligns
what
we
want.
They
have
two-step
approvals.
They
want
to
improve
a
ui,
they
want,
like
you
know
they,
don't
they
don't
want
also
just
yaml.
They
want
compliance
jobs
to
be
configured
by
ui
as
well.
You
know.
So,
if
we,
you
know,
the
first
step
is
kind
of
important.
A
B
A
B
A
B
A
For
them
to
develop
something,
they
don't
want
to
wait
for
us
until
we
develop
something.
I
believe,
especially,
that
our
plan
is
at
some
points
to
replace
the
yaml
repository
stuff
with
ui
and
I
believe,
for
now
we
are
trying
to
deliver
something
that
we
will
be
able
to
ship
and
someone
will
someone
will
be
able
to
run
it
and
see
if
they
like
it
or
not,
because
that's
the
product
that
yes.
A
That
sam
has
to
take
anyway,
if
it's
worth
investing
our
time
and
investing
like
his
time
and
talking
with
customers
and
so
on
so
yeah.
This
is
the
valid
questions
you
know
we
engineers
are.
We
have
a
tendency
to
simplify
things
and
do
or
do
things
with
with
the
tools
that
we
already
have,
but
I
believe
for
the.
B
B
A
B
A
No
worries
I'll
collapse,
things
that
are
not
really
important
for
the
conversation
like,
for
example,
you're
sending
the
finder
with
being
able
to
find
by
names
like
this
is
just
to
be
able
to
find
scanners
like
profiles
and
scanners
by
name
like
this
is
the
same.
We
have
okay,
I've
added
the
license
for
it,
because
you
need
to
be
on
ultimate
to
have
it.
I
believe
I
believe,
you've
asked
this
question
to
samuel.
A
And
another
quick
note:
I
think
you
need
that
the
feature
flag
as
well.
I
cannot,
I
believe,
I've
added
it
here
in
pokemon
I'll,
just
that's
awesome,
I'll
I'll
leave
it
as
it
is
right
now
I'll
go
to
it
in
a
second
another
service
and
another
service.
Oh
okay,
I
looked
into
I
looked
into
that
services
and,
for
example,
you
have
run
dust
scan
service
or
what
this
service
was
doing
previously.
It
was
building
the
template
and
then
it
was
like
running
it.
A
I
I
just
extracted
the
logic,
that's
responsible
for
preparing
the
the
configuration
for
running
on
demands
test
scans
because
I
needed
I
need
to
reuse
it,
and
I
I
wanted
to
to
just
extract
that.
So
I
extracted
that
to
that
scan.
Ci
configuration
service
yeah,
so
so
that
that's
one
thing,
and
here
oh
yeah,
and
that's
the
logic
that
that
was
extracted
from
this
run.scan
service,
I'm
going
to
collapse
it
as
well
not
needed
for
that
conversation.
This
is
needed
to
create
okay
test
on
demand
scans,
create
service.
A
That's
another
thing
that
I
extracted
from
from
this
class
and
moved
the
whole
logic
to
params,
create
service.
So
this
is
the
service
that
actually
it's
taking
the
the
test
scanner
profile
and
that's
a
pro
like
test
site
profile
and
they
are
they're
converting
that
to
two
environment
variables
that
are
used
in
the
scan,
so
that
that's
also
something
that
I
had
to
extract,
because
that
was
all
happening
in
one
service,
and
I
wanted
that
to
to.
A
I
wanted
to
reuse
that
code,
not
only
copy
paste
it,
so
I'm
I'm
closing
it
as
well,
and
this
is
the
service
I
created
to
extract
that
logic,
not
important
for
our
conversation.
This
is
the
service
I've
developed
to
prepare
the
configuration
that
that's,
okay,
okay,
I
have
a
feature
flag
here.
Of
course
we
don't
have
like
the
url
on
the
of
the
mr,
because
we
don't
have
it
yet
reload
issue.
I
believe
that's
the
one
that
you
already
prepared
yesterday.
B
B
A
B
A
Only
that
probably
it's
a
mistake,
because
that
was
copy
paste
made
like
from
that
kit
laptop
file.
I
removed
it
because
yeah,
I'm
I'm
using
only
one
stage
actually
from
for
it,
but
anyway
like
this
is
this
is
not
really
important
for
this
compressor.
Maybe
we
should
talk
with
last
team
to
understand
why
they
did
that.
Actually,
I
don't
believe
this
change
is
needed
anymore,
because
I
changed
a
little
bit
the
way
we
could.
A
B
B
A
A
A
Our
dash,
we
do
we
check
it,
we
do
I'll
show
you
in
a
minute.
I
will
just
collapse
last
things
that
are
not
important
for
the
for
the
whole
conversation
and
we'll
go
to
it
just
quickly.
I
had
to
extend
the
gitlab
ci
config
with
ref
ref,
a
simple
I'm
specifying
it
from
here.
I
need
to
have
an
information
on
what
branch
are
we
currently
running
the
pipeline
and
it
was
not
passed
to
the
to
the
class
that
has
generated
the
configuration,
so
I
had
to
add
it.
B
A
A
So
I'm
I'm
extending
the
config
e
file
with
two
with
one
additional
class,
so
here
how
it
was
before
we
had
build
config
that
is
actually
like
the
build
required
includes
and
add
soup
like
and
we're
using
what
we
have
defined
in
config,
and
here
I'm
I'm
just
doing
the
same,
I'm
just
adding
additional
step
because
we're
still
having
this
and
we
need
to
have
additional
step
to
to
extend
the
config
with
things
from
security,
orchestration
policies,
that's
it
so
I
have
the
processor
and
what
it
takes.
It
takes
the
config.
A
The
config
is
hash.
With
the
configuration
of
the
of
the
ci,
then
the
project
we
need
to
have
a
project
to
properly
find
the
desks
profiles
and
ref
to
know.
What's
on
what
branch
are
we
currently
running
the
pipeline?
So
we
know
what
jobs
to
include
or
not
and
not?
Okay.
So
that's
for
the
config
and
then
you
have
for
the
processor,
and
this
is
the
the
place
where
the
magic
happens.
So,
as
I
said,
I
have
a
conflict
project
and
ref
and
a
feature
is
not
available.
A
A
A
A
B
You
know
so
why
don't
we
like
you
know
like
that's,
so
one
methodology
is
yours
and
for
me
like,
why
don't
we
say
like
forces
here
there
right
another
line?
If
you
have
security
compliance
configuration,
you
know
security
compliance
configuration
model
like
it
gets
the
content
of
that
yaml.
You
know
at
the
content
of
and
convert
it
into
a
prop,
like
you
know,
valid
sci
job.
You
can
convert
into
a
proper
ci
job
with
variables
and
everything
you
know,
even
though
user
experience
is
different.
There,
like
you,
said
profile,
convert
everything.
A
So,
okay,
so
they
have
right
now
to
include
something
from
the
compliance
yaml
file.
They
have
this
path
and
yes
project
and
they,
yes,
they
simply
are
replacing
the
configuration
of
the
yaml
file
to
have
to
have
only
this
include
project
and
file
right.
So
for
us,
what
would
be
a
little
bit
different
is
okay,
if,
if
it's
compliance
I'll
just
if
com
compliance,
yaml
file,
then
do
this
right
and
the
other
solution
would
be
to
else
or.
A
A
A
We
need
to
take
a
look,
maybe
that's
something
that
you
can
do,
because
I
will
be
biased
towards
my
solution
already
and
you
already
are
biased
towards
compliance.
So
what
you
could
do
is
to
investigate
that.
Take
their
code
take
the
code
that
we
we
have
for
for
the
policies
and
see
what
how
we
can
do
that.
I
believe,
if
you
go
to
the
code
here,
what
will
be
interesting
for
you
to
do
that
job?
A
A
Merge,
security,
orchestration
policy,
template
and
actually
it's
it's
pretty
simple-
we're
just
reading
those
templates
by
using
template,
fender
and
reading
the
content
of
it,
and
then
loading
gamble
files
from
it
now,
one
one
thing
to
mention,
and
and
that's
not
needed
for
for
embassy,
but
to
be
able
to
to
think
about
the
whole
solution
as
it
is.
I
I
was
not
thinking
only
about
the
dust,
because
dust
is
very
specific
to
gitlab
like
sas.
A
We
need
to
think
about
like
other
scans
as
well,
so
in
this
mvc,
I'm
supporting
all
of
them
all
security
jobs,
because
that's
simple,
those
jobs
are
specified
here.
That's
what
you
can
have
like.
Fuzzings
container
scanning
coverage
license
test
and
so
on,
and
this
is
the
template
that's
associated
with
with
given
with
given
type,
and
these
types
are
actually
those
types
from
from
that
one.
A
So
I
have
action
scan
sas
and
then
we
take
that
sas
and
and
convert
it
to
a
template
name
and
then,
in
this
model,
we're
reading
that
template
name,
template
vendor
will
help
us
here
and
then
we're
using
yaml
file
to
load
it
and
that's
it
and
then
here
we
are
we're
waiting
for
every
scan
that
is
defined.
So,
okay,
I'm
using
like
scan
templates
method
here,
if
you'll
take
a
look
at
the
scan
templates,
is
go
to
active
policy,
select
those
that
are
applicable
for
the
branch
you're
asking
about
that.
A
A
Then
we
are
deep
merging
all
of
them,
so
we're
reducing
them.
So,
instead
of
like
having
like
multiple
templates,
we're
combining
those
templates
together
and
we're
using
config
extendable
here
to
properly
how
to
call
it
like
okay
I'll
go
to
sas
quickly-
and
I
will
I'll
show
you
that,
maybe
that's
so
every
single
sas
job
has
this
extends,
and
what
it
does
is
something
that
it's
it's
addition
to.
A
What
yaml
is
offering,
so
it
will
just
take
that
go
to
the
zest
analyzer,
which
is
defined
above
and
we'll
include
the
the
things
from
that
into
into
the
the
job,
and
then
it
has
another
like
extent
which
will
take
this
one
and
so
on
so
on,
so
that
that's
the
the
way
it
inherits
the
configuration
by
jobs
right
right
and
and
this
extendable
will
simplify
the
whole
yaml.
It
will
remove
all
extents
and
it
will
include
the
things
it.
A
It
will
actually
extend
the
yaml
file
right
so
that
that's
how
it
is-
and
this
is
this-
is
it
so
as
a
result
of
that
method,
you
will
have
a
yaml
file.
You'll
have
a
hash
with
the
configuration
for
for
running
certain
selected
scans,
okay
and
for
on-demand
scan
template.
It's
a
little
bit
different
because
we
have
a
project
like
a
class
that
is
doing
that
for
us.
So
I'll
go
quickly
here.
I'll
just
tell
you.
B
B
And
we
discover
every
day
and
you
think
and
making
this
general
solution
with
a
lot
of
moving
parts.
You
know,
like
you
know
we're
just
talking
about.
We
should
think
at
international
and
we're
talking
about,
like
you
know,
making
a
general
design
like
if
you're
gonna
think
about
future.
We
shouldn't
be
talking
about
this
at
all.
We
should
be
talking
about
compliance
teams,
think
you
know
yeah
yeah,.
A
B
A
A
So
it's
it's
very
simple:
it
will
load
the
yaml
file
with
the
configuration
and
it
will
extend
it
with
all
variables
from
from
from
profiles
and
and
that's
it
and
if
there's
any
error
instead
of
having
the
proper
configuration
of
desktop,
it
will
create
something
like
that.
It
will
create
a
script,
a
job
that
will
say.
Oh
there
was
an
error
during
the
execution,
this
error
message
and
it
will
exit
with
with
false.
A
For
now,
I'm
allowing
failure
to
be
true
so
so,
like
the
error
could
happen,
but
it
will
not
block
the
the
pipeline,
but
that's
something
that
that
can
be
changed
at
some
point.
Yeah
I'll
I'll,
create
a
mr
for
it
and
you'll
take
a
look.
If
you
like
it
or
not,
I
will
not
create
any
tests
for
it,
because
that
makes
no
sense
to
invest.
B
Direction
we're
gonna
take
like
this
is
my
opinion.
You
know
just
do
it
the
dust
and
create
an
mr,
you
know
and
just
shoot
it
to
ci
team,
because
you
know
we
are
changing
like
it's
a
you
know,
a
general
interface
as
well.
That's
used,
you
know
and,
like
you
know,
versus
compliance
and
didn't
have
to
do
any
of
this
stuff.
You
know
that's
true.
They.
B
B
B
Minimum
bear
dust
solution.
You
know
I'll
look
into
that,
mr
I'll
try
to
combine
with
others
like
once.
You
have
this
base.
Mr,
what
do
you
think
I'll
try
to
combine
with
the
other,
but
you
can
shoot
this,
mr
to
ci
team,
say
guys
this
is
you
know?
How
is
this
thing
looking
like
to
you
like?
What
watch
out.
B
B
A
Forward
is
the
best
that
is
great.
That
is
great
to
mention
that,
because
you
know
I
yeah,
I
have
a
tendency
to
think
about
the
whole
solution
like
the
final
solution,
but
thinking
how
to
build
it
in
steps.
So
I
I
was,
I
was
not
needed
actually
to
think
about
other
scanners,
but
yeah.
I
proved
to
myself
that
we've
given
solution,
we
were
able
to
like
extend
it
in
future.
A
Maybe
maybe
it's
also
happening.
Yes,
it
happened
because
I
truly
believe
that
supporting
many
scanners
at
the
very
early
stage
will
help
us
get
better
feedbacks,
because
not
every
project
needs
to
have
tests.
You
have
projects
that
are
simple
like
libraries
that
they
they
are
not
really
deployable
to
any
website
that
you
can
run
dust
on.
That's
why?
A
B
Like
you
know,
that's
thinking
right.
So,
if
you
make
one
mistake,
you
will
make
five
mistakes
with
all
analyzers.
You
know,
that's
true
you
if
you
like,
you
know,
go
into
that
step
and
you
will
have
to
support
five
different
analyzers
in
backwards
compatible
way.
You
know.
So
you
know
we
are
doing
like
a
happy
path.
Kind
of
testing
we
are
doing
like
you
know.
Looking
like
okay,
it's
working.
It's
it's
working,
our
gdk.
We
did
like
you
know.
We
don't
know
extensivity
like
how
extensive
edge
cases
we
have.
B
A
A
B
Is
so,
let's
imagine
you
made
a
minimum,
mr
now
I
don't
mind
writing
tests
to
it.
Obviously,
and
we
we
show
it
to
c
ci
team.
Okay,
you
show
it
to
ci
team
and
I
can
look
into
writing
tests
to
that.
Also,
I
can
look
into
how
we
can
put
that
thing
in
you
know
we're
working
with
the
compliance
framework
as
well
yeah
both
that.
B
A
You'll
take
care
of
looking
into
how
to
combine
it
with
compliance
framework
and
then
we'll
see
which
option
would
be
better
and
we
can
I'll.
I
can
write
some
tests
for
the
for
the
things
that
will
be
generic
anyway.
That
will
be
working
for
both
solutions.
For
example
like
generating
the
dust
configuration
will
be
working
in
both
either
the
compliance
framework
or
for
us,
because
that
that's
the
same
thing.
What
do
you
think
about
that?.