►
From YouTube: sast air gap live demo 2020 03 20
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
B
Righty
happy
Friday,
so
go
ahead
so
yeah,
so
this
is
for
sassed
and
air
gapped
environment
I'm
gonna
be
sharing
my
screen
the
entire
time
you
can
get
my
entire
desktop
apologies.
If
font
sizes
are
too
small
what
I'm
also
going
to
go
ahead
and
call
out
just
because
I
know,
we've
got
a
combination
of
folks
here
and
I
know.
We've
got
engineers
here
as
well
that
are
eager
to
help
up
and
speak
out
if
I
need
support
or
if
I
need
something
to
learn.
Engineer
to
speak
up.
B
B
B
The
one
thing
that
I'm
going
to
call
out
is
that,
as
we
were,
as
we
were
running
through
all
of
the
stuff
in
putting
this
documentation
through
its
paces
earlier
this
week,
is
that
we
realized
that
we
want
to
change
this
note,
and
so
there's
an
M
R
up
that
is
already
ready.
That
is,
a
more
up
is
already
under
review
and
that
I
need
to
I
need
to
go
polish
and
we're
working
to
do
that
later
today.
That
will
change
the
way.
B
This
note
reads
so
that
we're
making
an
argument
that
the
poll
policy
dr.
pol
policy
on
the
guid
lab
Runner
is
always
is
set
to
always,
and
so
they
don't
see
any
more
for
that
comes
up
later
to
meet,
mr,
that
is
going
to
be
coming
to
be
pushed
through
later
today.
With
that
with
that
being
said,
we
need
to
start
with
environment.
So,
where
we've,
what
we
have?
B
The
reason
for
doing
this
is
that
we
have
a
self
managed
to
the
installation
of
get
lab
running
on
the
air
gap
test
instance,
and
we
have
this
bastion
server
effectively
working
as
a
diode
and
the
reason
that
we
were
wanting
to
do
that
is
we
wanted
to
make
sure
that
we
had
a.
We
could
demonstrate
a
way
in
which
an
example
way
in
which
customers
can
download
the
secure,
analyzer,
docker
images
from
get
the
retro
registry
rocket
lab
comm
and
demonstrate
a
way
in
which
this
could
load
their
load.
B
The
docker
instances
get
lab
instances
docker
container
registry
as
well,
and
so
the
way
that
we're
we
are
enforcing
air-gapped,
and
this
is
a
limited.
This
is
very
much
a
limited.
Access
to
the
public
internet
is
through
AV,
PC,
firewall
rule
and,
if
you'll
give
me
a
moment,
I
will
copy
and
bring
it
over.
B
There's
two
in
question:
one
is
disallow
egress
air
gap
and
the
other
is
disallow
ingress
air
gap.
The
way
this
is
configured
is
that
we're
disallowed.
We
are
not
allowing
any
any
traffic
outbound
to
the
public
internet
from
anything
with
it
as
a
with
this
air
gapped
host
air
gap
test
and
we're
only
allowing
traffic
to
the
air
gap
post
on
ports,
443
and
22.
So
this
is
SSH
and
also
HTTPS.
B
B
C
A
D
D
Can
ask
like
Thomas:
do
you
have
like
neck
Hatter
ins
installed
or
anything
just
to
show
you
can't
get
out,
because
pinging
is
one
thing:
that's
usually
blocked
but
like?
If
you
did
a
net
cat
to
like
port
80
or
443
were
rejected,
then
we
know
no
connections
can
get
out
and
then
I
would
be
satisfied
to
your
question
times.
You
have
the
full
command
line
for
this
used
to
registry
collab
song
and
then
port
space,
443
yep.
D
D
D
B
You'll
allow
me
to
if
we
can
get
past
this
on
the
bastion
aspect
of
this
we
are
part
of
this.
Demo
is
going
to
be
pulling
down,
one
of
our
analyzers
from
registry
docket
lab
calm
and
loading
the
air-gapped
instance
from
that
connection.
From
from
that
particular
instance,
can
we
use
that
as
a
substitute
for
the
bastion
acting
as
a
diode
yeah.
C
C
C
F
Make
just
to
comment
on
the
general
criteria
and
remember
this
is
a
lesson
you
learn
the
hard
way
years
ago.
Is
we
have
to
consider
five
like
done
as
being
like
merged
code
like
released
code,
not
just
like
approval
of
a
stakeholder
or
something
like
that,
or
we
should
at
least
consider
that
it
may
be
bus.
We
get
the
customer
to
purchase
based
off
of
a
non-production
to
go
over.
Some
of
that
we
may
want
to
hold
our
sauce
the
stand
up.
We
actually
got
this
out
there.
It
did
not
slow
release.
F
C
Thank
you
Rick.
We,
we
do
have
a
stop
mitigation
plan
for
that
with
them.
There's
a
integration
demo
down
below
in
the
real
environment.
We
could
take
it
there
and
we
could
update
the
five
score
to
capture
something.
That's
like
production
production
is
ready
in
the
interest
of
of
crossing
this
item
out.
I
think
three
is
a
safe
spot
to
land
and
then
I'll
take
feedback
from
Eric
to
with
Todd
to
work
on
the
next
iteration
of
the
grading
criteria.
What
do
you
want?
What
does
the
working
good
thinking
that
sounds
reasonable
to
me?
C
B
We
may
be
old
off
that
score
later,
but
I'm
not
gonna
speak
for
everybody
else.
I'm
going
to
be
demonstrating
on
the
bastion
here
momentarily
alright
I'm,
going
to
continue
on
and
I'm
dropping
down
into
the
I'm
dropping
down
to
the
shell
on
the
bastion
itself
and
what
I'm
doing
is
navigating
to
something
a
series
of
scripts
that
we
have
created,
and
these
are
very
much
example-
scripts-
we're
not
intending
for
these
to
be
considered
to
be
production
use
because
we
do
not
know
our
code.
B
We
anticipate
that
there's
going
to
be
a
broad
variety
of
requirements
as
far
as
how
these
Andrews's
would
get
loaded.
But
in
the
interest
of
providing
examples
we
have
a
few,
and
so
what
we're
going
to
be
demonstrating
is
how
we
can
load
one
of
the
SAS
scanners
within
the
air-gapped
instance
of
within
the
air
gap
itself.
And
so
there
are
three.
There
are
three
scripts
that
are
in
question:
I'm
going
to
be
walking
me
through
a
couple
and
we're
going
to
execute.
B
The
art
one
is
this
one
you'll,
and
so
the
if
you
will
allow
me
to
just
shortcut
the
walk
through
as
opposed
to
doing
this,
there's
a
full
code
review.
We
are
looking
at
one
analyser,
cube,
Seck
and
then
we're.
What
did
this
is
a
doing
is
that
it
is
doing
a
docker
pull
from
registry
get
loud
calm.
So
this
is
how
we're
get.
This
is
my
proof
that
we
can
get
out
and
it
is
saving
it
locally
as
a
tarball
and
we're
doing
that
intentionally.
B
This
script
will
take
over
and
we'll
push
it
onto
the
the
air-gapped
instance
itself,
and
so
that
way,
we're
making
sure
that
this
is
two
hops.
We're
not
doing
this
in
one
step.
We're
trying
to
make
sure
that
this
has
a
this
has
a
deliberate
two
steps
itself.
This
is,
and
so
that's
that's
what
we're
about
to
run.
This
is
all
going
to
be.
This
is
all
going
to
be
executed.
B
B
B
B
You
will
note
that
it
is
also
loaded
with,
in
this
instances,
docker
container
registry,
so
what
we
have
done
with
this
now
through
the
Bastion
we
have
called
out
to
the
doc
registry.
We
have
grabbed
a
cube,
Seck
analyzer
and
we
have
pushed
it
into
a
container
registry
within
the
within
the
air-gapped
environment
itself.
B
This
script
doesn't
quite
go
all
the
way,
so
there's
a
couple
of
things
that
I
need
to
do
real,
quick
to
make
sure
that
we
have
it,
because
if
we
were
to
leave
it
right
here,
so
this
is
our
air-gapped
instance.
I
am
logged
in.
I
have
overridden
my
my
hosts
file
so
to
make
this
domain
work
to
map
to
a
particular
IP
address,
and
so
what
I'm
going
to
do
is
go
ahead
and
move
over
to
groups.
We
have
a
series
of
analyzers
that
are
available
here.
B
This
is
the
cute.
This
is,
and
this
is
to
provide
a
path
for
which
we
can
view
these
particular
analyzers
themselves.
Right
now
we
have
a
huge
section
eliezer.
It
is
available
right
here
we
loaded
to
dinner.
That's
what
this
step
was
intended
to
do
and
I
skip
the
step.
I
should
have
shown
this
as
empty
before
we
moved
on
already
any
questions
on
what
I
just
did
before
I
move
on.
B
G
B
And
so
basically,
the
requirement
that
we
were
trying
to
satisfy
with
this
was
to
prove
that
we
could
that
we
could
satisfy
a
two-step
loading
process.
So
if
this
was
such
as
this
was
an
environment
that
was
so
locked
down
that
it
required
a
download
of
a
file
onto
physical,
medium,
walk
into
a
skiff
and
then
load
it
in
that
way,
this
was
to
emulate
that
particular
requirement,
which
was
the
most
stringent
that
we
could
think
of
yeah.
G
G
B
E
C
Satisfy
in
the
scorecard
self
or
D
because
I'm
looking
there
and
it's
not,
it
doesn't
say
anything
about
Cusick
in
the
task
in
the
demo
step
and
wondering
if
you
need
to
update
the
scorecard
to
be
like
what
you're
showing
their
genes
kevin
is
satisfied
in
terms
of
the
dependency
that's
downloaded
and
I
can
share
screen
as
well,
and
so
everyone
on
the
call
has
contacts.
C
E
C
C
Say
yeah,
four
or
five
five
is
a
five
is
sign-off
from
customer
success
currently
and
then
four
is
demo
out
according
to
the
definition
of
done
so,
in
this
smaller
setup
steps,
we
would
love
to
have
your
input
on
it.
That's
why
we
had
five
as
your
as
your
sign-off
and
if
you
want
to
be
more
comfortable
with
it
and
get
more
details,
but
this
Brady
that's
four
for
now
and
then
the
next
time
you
can
have
your
sign
up
properly.
If
that's
okay
as
well
yeah.
E
B
Okay,
I'll
keep
going
alright,
alright
and
I
jumped
ahead
a
little
bit.
So
there's
there's
two
groups
that
have
been
configured
on
this,
particularly
since
one
for
analyzers
another
one
for
tests
and
I've
jumped
into
a
project
as
a
JavaScript
test,
project
VARs,
and
that
has
been
preloaded
here.
I
have
also
have
this
particular
I.
B
B
It
allows
see
IMO
this
was
done
intentionally,
and
so
this
is
commented
out
right
now,
the
on
master.
We
do
not.
We
have
a
CI
ml
file,
but
we
do
not
have
SAS
configured
on
it
at
all,
and
so
that
is
the
current
state
of
this
project
and
just
go
ahead
and
show
it
just
so.
Everybody
sees
where,
where
we
are
and
make
sure
that
everybody's
good
and
what
I'm
going
to
do.
B
Check
out
this
particular
branch,
you'll
note
that
this
has
already
has
some
commits
that
commit
associated
with
it.
It's
a
head
of
master
by
one
and
I
will
walk
through
this,
but
I'm
going
to
go
ahead
and
show
the
diff.
So
everybody
had
an
opportunity
to
see
what
we're
doing
effectively.
What
we're
doing
is
we're
turning
on
SAS
and
we
are
providing,
which
should
be
a
new
vulnerability
and
I
will
walk
through
and
show
that
the
files
in
question
is
particularly
want
to
show
the
gitlab
yan
will
file.
B
B
D
B
B
So
pipeline
is
now
running
and
what
we're
doing
here
is
with
the
s
lights
ass.
This
is
currently
running
and
you'll
notice
that
it
is
trying
to
reach
out
to
registry,
get
lab
calm,
but
it
can't-
and
it
will
continue
to
do
so
and
will
alternately
fail,
and
so
so
this
is
so.
This
is
out
of
the
box.
This
is
why
it
will
not
work
with.
We
have
notified.
We
have
seen
our
problem
and
while
we're
letting
this
play
out
and
ultimately
not
succeed,.
E
B
This
time
you
will
notice
that
it's
it's
pulling
the
docker
image
from
where
we
are
today,
this
instances
container
registry
and
the
job
succeeded
and
further
what
we
will
do.
We
should
see
the
checkered
gap,
that's
doing
its
thing,
where
it's
trying
to
find
out
if
it
can
do
if
it
can
get
to
the
gitlab
registry,
the
the
get
lab
comm
registry-
and
this
will
also
succeed
because
it
can't
it's
the
same
thing.
We
didn't
change
this,
so
this
pipeline
from
will
succeed.
I'll
continue
on.
While
this
is
a
while.
This
is
finishing
up.
B
So,
let's
see
what
our
full
report
is
here,
these
are
all
of
the
vulnerabilities
that
are
currently
present
I'm
going
to
continue
on
with
and
we'll
go
through
this.
So
we
have
our
reports.
We
have
a
link
straight
to
the
the
project
in
question.
Once
again,
this
is
local,
so
that
link
works.
What
file
was
this
in
once
again,
domain
is
the
case,
and
so
we
can
see
exactly
where
this
is
blind.
15
that
link
worked,
and
we
have
the
identifiers
itself,
you'll
notice
that
this
is
to
github.com.
B
E
Works,
can
we
two
questions
if
I
can,
one
is,
is
the
unknown
an
artifact
of
the
air-gap,
or
is
that
just
an
artifact
of
this
particular
scanner
so.
E
Cool
and
the
second
one
is
I
must
be
dismissed
with
it
with.
The
comment
will
also
work.
Well,
not
that
I
need
you
to
yeah,
just
just
yeah,
so
yeah
I
figured
as
much
so
cool
thanks.
C
E
Because
this
is
this
particular
scanner
yeah.
Let
me
let
me
think
on
that
I
mean
as
long
as
we
I
think.
We
explain
the
fact
that
this
is
that
particular
scanner,
but
it's
probably
fine,
because
if
I
have
to
question
someone
else
will
as
well,
maybe
in
a
future
iteration
but
I,
don't
I,
don't
think
it's
as
long
as
we
explained
it.
I
don't
think
it's
really
I
shouldn't
stopper
yeah.
C
E
Yeah
sorry
I'm
just
gonna,
say
yeah
I
mean
if
we
did
have
ones
with
words
returning
severity
z',
because
that
way
you
know
that
they're
coming
from
the
local
database,
that's
in
close
included
in
that
local
image
that
that
probably
would
make
for
a
better
a
better
demo,
if
possible
in
the
future.
Just
yeah.
C
B
C
C
You
should
be
protecting
to
the
the
total,
the
ones
and
dot
that
shows
a
total
of
each
week
and
that's
where
we
call
it
calculating
all
the
scores
and
SAS
is
in
blue
it
maps
directly
to
to
this
course
here
so
going
forward
from
now
on,
I'll
be
clearing
all
the
scores
and
then
we'll
be
tracking
only
the
ones
for
this
week
going
forward,
so
that
is
done
so
making
sure
everybody's
on
the
same
page
and
sign
off
I'm.
So
thank
you
for
that.
Now
we
created
this.
C
This
is
what
I
meant
by
a
column,
i3i
and
4i,
and
all
that.
So
this
was
a
show
in
the
keeps
tech
analyzer
just
now,
and
then
we
need
to
move
back.
Please
sign
off.
We
need
to
create
these
two,
so
Emma
was
created,
we're
a
nice
little
sass
unknown.
We
need
to
have
a
different
scanner
and
then
this
it's
a
four
because
we
didn't
had
any
feedback
and
the
air
Mars
being
run
correctly
and
pipeline
is
was
in
progress.
And
should
this
be
a
three
because
we
need
to
switch
switch.
The
scanner.
E
Young
good
with
those
two
I'm
going
to
confirm
with
the
customer
if
we
might
even
build
a
simplify
it
by
doing
the
changes
in
the
web
IDE
as
opposed
to
the
command-line.
When
I
asked
that
question
and
and
yeah
I
grew
the
the
three
on
the
pipeline
and
we
haven't
seen
the
dashboard
results.
Yet
that's
coming
up
I
think
I
see
okay,.
C
B
B
B
B
B
B
E
E
E
B
E
B
B
Thanks
so
we've
shown
the
we
have
shown
the
environment.
We
have
shown
how
we
can
load
in
scanners.
We
can.
We
can
load
in
scanners
from
the
right
from
registry
to
get
lab
comm.
We
have
shown
an
example
project.
We
have
worked
it
through
a
merge
request,
workflow.
We
have
also
demonstrated
project
and
group
security
dashboards.
B
H
E
E
E
H
E
B
G
B
E
B
E
Really
you
can
scroll
down
to
the
because,
obviously
that's
the
list
of
all,
though,
if
you
wanted
all
those
tools
to
work,
we
just
did
one
that's
cool
and
then
yet
just
include
the
analyzer
in
the
docket.
Today,
curiosity,
you
don't
need
to
demo
this,
but
I'm
just
curious.
What
happens
if
the
doctor
doctor
is
not
set
to
it?
Some
disable.
I
E
B
Fail
it
will
feel
the
reason
that
it
will
fail
is
because
that
involves
code
changes
to
our
orchestrators,
which
are
set
to
go,
gets
get
labs,
comms
container
registry
as
opposed
to
being
overridden,
and
so
since
we're
trying
to
we're
aiming
to
we're
deprecating,
doctor
and
doctor
mode
entirely
where
this
is.
Why
you're
seeing
this
demonstrated
this
way,
yeah.
E
No
I
understand
it
and
it's
totally
fine
and
in
fact
one
of
my
other
customers
is
actually
currently
using
SAS
air-gap.
They
made
the
mods
and
themselves
they
they.
They
noted
they're
still
using
that
set
thing,
they're
expecting
that,
eventually,
that
might
go
away
the
need
to
do
that,
because
I
think
we're
moving
away
from
daiquiri
doctor
in
general
right.
J
Well
done
for
sure,
hey
since
Kevin's
talking
to
the
customer
shortly,
are
there
other
questions
that
we
have
outstanding,
that
I
just
want
make
sure
that,
like
we're
getting
feedback
as
quickly
as
possible,
I
know
there
were
some
things
on
license
compliance.
Those
are.
H
K
H
L
Should
be
there
yeah
and
we
need
to
work
through
that
scorecard
because
license
compliance.
Abruzzi
doesn't
have
the
same
step
so
I
have
the
security
scanners
because
it's
not
reporting
the
remedies
but
licenses,
and
we
need
to
figure
out
how
much
of
license
compliance
feature.
We
want
to
do
more
to.
A
J
H
J
I
guess
what
I'm
saying
is:
this
is
good
like
we
encourage
failure
like
demoing
soon
or
failing
sooner
brings
up
like
we
brought
up
a
whole
bunch
of
issues
if
we
would
wait
another
week
and
those
issues
that
got
resolved
magically
that's
great,
but
that
may
not
have
happened
so
like
we
even
pick
up
some
things
in
this
demo.
So
that's
kind
of
your
whole
point
I'm
trying
to
make
it's.
F
J
Just
sorry
just
won
an
additional
thing
chase.
If
we
get
to
a
five
on
a
certain
area.
Is
it
okay?
If
we
tighten
up
the
demos
because,
like
that'll
just
help
with
time,
because
like
I'm,
just
thinking
in
terms
of
like
Thomas
walking
through
this
whole
thing
today
for
45
minutes
is
awesome
but
like
as
we
get
things
solved,
it
feels
like
we
should
just
tighten
up
and
cover
the
areas
that
need
to
or
if
you're,
okay,
with
that
yeah.
F
I
think
you
can
only
convince
almost
is
like
keyframe
demos
for
like
every
once
in
a
while.
You
want
to
do
the
full
one,
but
it's
totally
acceptable
to
skip
it.
If
we're
really
confident
reason
you
do
keyframe
demos
is
because,
like
we're
still
prepping
for
that
big
dog-and-pony
show
we
have
to
do
for
the
customer.
So
we
don't
want
I
like
mister
regression
or
something
like
that,
but
we
can
definitely
economize
like
we.
If
we
can
over
time
get
this
kind
of
30
minutes.
That's
a
great
cool
I.
J
M
M
No
put
them
during
the
use
of
satellites
or
anything.
We
started
to
experiment
with
that
I'm
working
in
the
security
team,
because
there
are
some
kernel,
extensions
that
we
need
to
compile
and
install
that.
So
in
the
end,
that
means
probably
some
different
runners.
So
we
try
to
avoid
that
and
make
sure
that
we
would
be
able,
in
the
future
to
use
the
regular
runners
if
possible.
If
not,
we
might
need
to
have
some
specific
runners
with
extensions
in
stun
make
sense.
A
J
L
L
Unless
we
have
a
customer
in
the
coal,
would
that
make
sense
to
keep
everything
regarding
the
air-gap
environment,
explanation
and
setup,
because
this
will
be
really
redundant
between
all
the
demo.
We
are
doing
for
the
same
tool
and
between
the
different
tools.
Once
we
get
to
a
five
I,
don't
know
if
we
quit
got
to
a
five
today.
Okay,.