From YouTube: GitLab Secure Stage Overview
Description
GitLab provides Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Container Scanning, Dependency Scanning and License Compliance to help you deliver secure applications.
The security scans display vulnerabilities in a uniform UI where a developer can resolve them before merging to master. The security posture of a project or group of projects can be further assessed via the Security Dashboard.
Hi, my name is Fernando and I'm a Technical Marketing Manager here at GitLab. I'm going to walk you through GitLab's Secure stage and show you how to integrate security into your development lifecycle.

Now, let's get started. Here we can see the different components of GitLab's Secure stage, which include SAST, or static application security testing; DAST, or dynamic application security testing; dependency scanning; container scanning; and license management. We'll take a look at each one in this video.

Here's an example of the developer lifecycle. The developer commits some code and then GitLab CI runs. This begins the whole suite of security scans, including DAST, which can run against the review app. After the scans are run, the developer is provided with detailed information on the vulnerabilities. The developer can also create issues or dismiss them as they see fit. Also note that the security team has access to a Security Dashboard where they can have oversight of the security posture of a project or group of projects.

Here we can see the pipeline in action. You can see that first there's a build stage, in which the image is built, and then a variety of security scans are run. Then we deploy the review app and run DAST against it. Here are the results of the security scan. They are made available in one common view. In the typical developer workflow, the developer will continue to iterate over the MR until all the vulnerabilities have been resolved. Now, let's get into each type of scan and what they do.

Here's an example of SAST, or static application security testing. It scans the application source code and binaries to spot potential vulnerabilities before deployment, using open source tools which are installed and maintained as part of GitLab. You can see here with this pop-up that it detected a possible SQL injection vector. You can also see that there's more information on the vulnerability provided, as well as a link to the line of code in which it has occurred.

Then there's dependency scanning, which analyzes all the external dependencies, such as libraries, for known vulnerabilities. Here you can see a denial of service vulnerability was detected because we were using an older version of Flask. You can see that there is a solution provided, as well as a link to more information on this vulnerability.

Container scanning checks Docker images for known vulnerabilities in the application environment. It uses an open source tool known as Clair. Here you can see that a vulnerability was detected because we were using an older version of Alpine.

License scanning scans all the licenses within the dependencies of a project and matches them against an approved or denied list, which is usually based off a policy set by the security team.

Now, let's go over some common developer workflows. A developer can dismiss a vulnerability and provide a reason as to why it's being dismissed. This will show the vulnerability as crossed out. The security team will be able to see who dismissed it and why. The developer can also create confidential issues from the vulnerability.
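The pipeline the video walks through (build the image, run the scanners, deploy a review app, run DAST against it) can be expressed as a single .gitlab-ci.yml that includes GitLab's Secure stage templates. The configuration below is an added example, not code from the video or from GitLab's own documentation. It assumes the application ships as a Docker image pushed to the project's container registry, that a placeholder script deploy-review.sh (which you would replace with your real deployment) prints the review app's URL, and that the current template variable name for the image to scan is CS_IMAGE; the License-Scanning template name is the one from the era the video describes and has since been deprecated in newer GitLab releases.

```yaml
# Added example: minimal .gitlab-ci.yml wiring the Secure stage scanners into
# a build -> scan -> review app -> DAST flow. Not the project's own config.
# Assumptions (not from the video): the app is a Docker image pushed to the
# project registry; deploy-review.sh is a placeholder you replace with your
# own deployment and it prints the URL the review app is reachable at.

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml   # deprecated in newer releases
  - template: Security/DAST.gitlab-ci.yml

stages:
  - build    # build and push the application image
  - test     # SAST, dependency scanning, container scanning, license scanning
  - deploy   # spin up the review app for this branch
  - dast     # run DAST against the live review app

variables:
  # One image reference shared by the build job and container scanning.
  APP_IMAGE: "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
  # Assumption: CS_IMAGE is the variable the container scanning template reads
  # for the image to scan (older template versions used DOCKER_IMAGE).
  CS_IMAGE: "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"

build:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  variables:
    DOCKER_TLS_CERTDIR: ""   # talk to dind over plain TCP inside the job network
  script:
    # Feed the registry token via stdin so it never lands in the job log.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$APP_IMAGE" .
    - docker push "$APP_IMAGE"

review:
  stage: deploy
  script:
    # Placeholder deployment (assumption): deploy $APP_IMAGE and emit its URL.
    - ./deploy-review.sh "$APP_IMAGE" > environment_url.txt
    - cat environment_url.txt
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com   # placeholder domain
  artifacts:
    # The DAST template reads environment_url.txt from an earlier stage when
    # DAST_WEBSITE is not set, so the dast job targets this review app.
    paths:
      - environment_url.txt
```

The scanner jobs pulled in by the templates run with allow_failure: true, so findings surface in the merge request widget and the Security Dashboard rather than failing the pipeline; if you want a hard gate, enforce it with merge request approval rules or a separate job that parses the scanner report artifacts.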