From YouTube: SAST Offline Environment Live Demo #2
B
That is the intent of today's demo. That is what it is scoped to, and to that end the additions to this environment are to add two new analyzers, because we only pulled down a subset the first time, as opposed to every last one of them. So I've added two more. I want to show you which ones those are; I've got two test projects that exercise each of those.
B
Good, OK, moving forward. All right, the two new analyzers here: one is PHPCS security audit, and the other... So no, that's the one new one; the other one we had in here was gosec, which we loaded in last time but did not exercise with its test project. So those are the two that we are using just to verify it. So everybody can see that they're here. I've dug into this particular project; we're going to its container registry.
B
This is here also, so these are loaded, they're ready to go. First test: I'm going to go in opposite order; I'm going to start with PHPCS composer, all right. This is it. This is effectively a clone of a test project that we have within gitlab.com today; I ported it over. This was ported over through our bastion, so I just kind of used that as a go, wanting to get the private lens D, and to go ahead and show this. We're looking at master, so, wrong file.
B
We have also limited down the default analyzers to only the PHPCS security audit, just to make sure that we're scoped to what we want to demo. You will note that I have not satisfied the documentation for offline for SAST, and that we haven't declared the prefix like we did with our JavaScript test project, and just to remind everybody what that looks like.
B
Offline mode for SAST: we're going to go ahead and show the changes. The changes are twofold: one, we're adding in the necessary environment variable to satisfy our documentation, and secondarily we're adding in our check to once again show that we cannot get back to registry.gitlab.com, and therefore we are truly working within the context of this instance and we're not relying on anything within gitlab.com.
C
That your registry that you're using locally is on port 4567; I'm assuming that was just a local config choice, and the default port, 5000, is normally fine, which is what's in the documentation. It's just that's a choice that you made in your individual test environment. Is that an accurate assumption?
B
We have found six vulnerabilities. Go ahead and expand; you'll notice that we've got a couple of highs and four lows. So these are the vulnerabilities that were found by this particular scan. So this was part one of showing Doug: we got a whole bunch of different severities, within one merge request, within one project.
A
And I guess maybe just to ground out entirely on this, Thomas: did you just pick a port arbitrarily this time, or was it a selected one for any particular reason, or was this part of this environment setup? Okay? Okay, so that's fine! That's like I said. So it was defined in some fashion, basically.
B
Come on, I've got to wait for it. Merchant duck, that's right, duck. We're gonna give this a moment to allow the pipeline for the merge to complete; that's when this occurs. That's when that will be populated. While we're waiting I'm going to go to a companion project; that's over here, using Go modules.
B
Merge request is here; this one's bigger, because I was then... This is where, if I can be accused of ad-libbing, this is where I was. Number one, for configuration, same setup. This is the exact same prefix that we were using for the others. We've also added in our check-offline job.
B
The other changes were to this particular project as well, which is yet another test project we have for SAST to exercise everything, and the reason for these changes is because, since this is an offline environment, it cannot make external calls to things like GitHub, which is where these particular third-party modules live. So these particular changes were to remove those requirements and to add in some additional modules that are baked into the Go language itself, to replace the functionality that was used from this third-party logging module.
B
So this is to make this sample project use Go's own logging module, as opposed to something that is an override, and the other thing that is added here is a new vulnerability that is separate and distinct from our test project. This particular vulnerability was chosen because it is of a high severity. This is an integer overflow or wraparound condition, which the gosec tool itself will declare as a high-severity vulnerability, and so that's why this particular change was introduced within this change.
B
All right, all that has merged. Let's head back over here, see if we've had time for this too. Here's our project security dashboard. You'll notice we've got two high, four low, and so, showing once again, these are just for SAST, and we have the ability to filter for these, as one would expect. So this is showing that all of these filters are working as we would expect.
B
These are two new projects within the tests group, and the reason for going that direction was to make sure that when we come up to the group security dashboard and we filter it for SAST, we have a spread of vulnerabilities that are available across multiple projects and we can show it, and we can show vulnerabilities over time as well as everything else that is within this particular view's functionality. I'll pause there.
B
I'll be honest: that's what I came prepared to demo today, because this was the one gap that was identified the first time that we went through this particular exercise for static analysis. So is there anything else that you would like to see that I have neglected to prepare or show or demonstrate?
E
I had comments on the next time around. Do we want to... I think we should reconcile the steps and, if we need a few more checkpoints to cross all the marks, then let's add some rows for that. Or is the SAST demo using the steps in the scorecard only, and do we need any similar external cross wings like the others, and do we need to do it for the next demos, I think.
E
So what we talked about last time is, in the steps, keep it lean and link to the scratch pad. What I'm saying is: should we just clean up the structure, so there's nothing in the scorecard, right? There's only one link to, like, the anchor heading into the scratch pad; it's not the script. That should be clear enough, so it's clear when people digest it. Scorecard would