From YouTube: Protect PM/CS Sync - December 2021
A: Welcome to our monthly sync up with Protect, for the Protect stage. We've got a lot coming out in 14.6. So we don't have a huge group here; I know a lot of people couldn't make it, but I wanted to record for everyone's benefit and just talk briefly about some of the things we have coming out in 14.6.

A: So the first one on the list here is support for SAST scan execution policies. So we've been making some really good progress there. We added support for DAST initially, we added support for secret detection policies, and now we're adding in support for SAST. SAST is really complicated, because there are a lot of different things that can be configured, so it is worth noting that we just run SAST the way it's configured by default, like if you turn on Auto DevOps and run SAST. That's how we run it.

A: So we don't have support for all of the different options that there are to configure SAST scanners yet. Most notable is that anything that requires you to feed a pre-compiled binary into the SAST job will not work with this as of yet, so it just runs the default, out-of-the-box Auto DevOps, you know, SAST scanner with those default settings. We are letting you customize one variable. So if you want to turn off some of the SAST analyzers specifically, you can do that, but otherwise that's the only variable you can customize right now.

A: But that opens us up, of course, to iterate more in the future, and there are only a few languages that require you to feed in pre-compiled binaries anyway. So we're hoping that this meets at least, you know, eighty percent of the use cases, and we can clean it up and follow it up to address the other twenty percent later on.

A: The second big item is one actually that was requested by this group, I think by Samir a while ago. We are going to start including any system-level dependencies that we find as part of the container scanning job; we're going to include those in GitLab's dependency list. So it provides a more complete SBOM for customers to review. Instead of just the application dependencies, like your npm and, you know, Python packages that are being used, it's also going to show all of the operating system package manager packages that are installed.

A: You know, from your apt or your yum package manager, or, you know, whatever, depending on which package manager you're using. But those will show up in the dependency list right alongside everything else that was being shown there before. And then the last big thing we've got coming out in 14.6 is custom... This one's really hard to explain; it's kind of a mouthful of a sentence: custom container scanning vulnerability deduplication. But really what this is is some customers are not able to use container scanning because they have a naming strategy for their images.

A: That puts the branch name in the image name, like as part of the image name itself, and when this happens, the logic for deduplicating vulnerabilities and matching which vulnerabilities are new versus which ones already exist in the default branch just falls flat on its face and it breaks.

A: So, you know, basically because every time a developer creates a separate branch, it now has a different name in that image, and so it looks as though it's a totally new vulnerability. So it basically makes it unusable by these customers, because when you go to try to create a merge request, it shows that all of the vulnerabilities were newly introduced and doesn't, you know, it doesn't identify any of them as pre-existing in the default branch.

A: So what we've added in is a new variable that allows users to basically specify what that pattern is for matching, so that it gives customers the ability to name their images whatever they want and not have to worry about this breaking. They can just set the variable to match their naming strategy and then it'll work for them.

A: So I know we've had a lot of customers that have not been able to adopt container scanning because of this. If your customers are among those, this would be a great opportunity to circle back with them and revisit that discussion of container scanning, because it should work a whole lot better for them now that we have this extra customization option in place. So again, that one's a little bit complicated, but I'm hoping it broadens our user base quite significantly for container scanning. Any questions on that stuff?

A: It's still going to be an alpha for the 14.6 release, but you will notice some improvements. Among those, we're introducing a new operational vulnerabilities tab in the vulnerability report to split out the development vulnerabilities and the operational vulnerabilities. So that way it makes it really easy to see which ones exist in production, essentially, and which ones exist only in development. That's the wrong screen I'm sharing!

A: Let's try sharing the right one. Just a quick prototype of this, or mock-up, you'll see here: we've got development vulnerabilities and operational vulnerabilities as two separate tabs. That is where we're headed. Actually, this might be in production already; we've been making some really good progress on this. We still have some work to do to clean things up on the back end, because the certificate connection method is deprecated.

A: We're trying to fully add support for this for the agent connection method for Kubernetes clusters, so we want to make sure to have that all the way done and in good shape, a good state, before we move this to full GA. But you will see this new tab show up, and already a lot of the capabilities are there. We're getting close; I'm hoping to have that ready for the 14.7 release to be in an official, GA-ready state, and those as well.

A: So those are really the update items that I had for this month. The last topic: you know, what other issues and focus areas are you seeing in the field? Karen, do you have any to bring up, or...

B: Actually, you're addressing both of them, it's fantastic. So we are seeing a lot of competition against WhiteSource, but by "we" I mean me. So that's been heating up lately, and so, you know, for us holistically, that is both our dependency scanner and our container scanner, and I did recently just have somebody ask about operational stuff. So that's awesome; that just helps our positioning to have a more thorough report. And then for SAST, fantastic.

B: I'm getting asked about that a lot, so from a compliance perspective, specifically working with somebody in finance. They want to ensure that, you know, SAST runs everywhere. So, great, first up... It's all gravy. So thank you.

A: It's only available at the project level, but we're going to make that available next at the group level, and then once the workspace concept is introduced, we'll make that available at the workspace level as well, so that users can literally just go into one place for their entire GitLab workspace or namespace and require it for everything. I think that is going to be really powerful down the road. You can do that today; it's a little bit of a pain.

A: Great, well, thanks for your time today, and for anyone who's watching the recording, if you have other areas that you'd like to highlight that you're seeing in the field, please just drop those in the Slack channel or send those over async as well. Thanks, have a good one.