►
Description
Webinar for Commercial customers interested in using more of GitLab Secure stage, focused on implement the various scans and managing vulnerabilities in the dashboards and MRs. Hosted by Maxwell Power and the Commercial TAM group, this webinar covers what customers need to know to implement secure testing quickly.
A
A
The
findings
are
displayed
in
the
vulnerability
report.
This
provides
a
quick
and
simple
way
to
review
all
the
scanners
findings.
This
vulnerability
report
is
also
available
at
the
group
level,
where
you
can
aggregate
all
your
projects
into
one
group
and
see
all
the
vulnerabilities
in
one
place
for
more
advanced
requirements.
A
A
A
But
in
our
case
we
just
need
to
tell
the
file
scanner.
What
file
it's
going
to
use
to
run.
The
fuzz
scanning,
in
this
case
we
have
source
fuzz.js,
which
we
add
at
the
end
of
this
command,
and
our
fuzz.js
file
is
a
really
simple
file
that
just
throws
some
random
strings.
Looking
for
the
words
fuzz
at
the
end,
if
it
does,
it
finds
success
and
it
leaves,
and
if
it
doesn't,
it
throws
an
exception.
A
Next,
we're
going
to
configure
some
of
our
other
scanners,
our
api,
fuzzer,
dast
and
dast
api
for
this
project,
we're
not
going
to
scan
a
live
running
web
application,
we're
going
to
run
the
built
image
above
in
a
service
and
services.
Allow
you
to
add
additional
containers
into
your
ci
jobs
and
we're
just
going
to
pull
the
ci
image
that
we
built
and
alias
this
with
app,
so
that
when
our
jobs
run,
there'll
be
an
app
container,
also
available
that
we
can
use
for
scanning.
A
A
In
this
case,
we
have
a
dashed
website,
our
dashed
api
target
url
and
our
fuzz
api
target
url,
and
these
three
are
set
to
app
8080,
which
is
the
service
that's
running
in
the
containers
we
set
up
below
next
we're
configuring.
Our
das
browser
scan,
which
is
a
new
feature
in
git,
lab
that
scans
using
a
browser
for
dast,
then
we're
going
to
move
on
to
our
dashed
api
scanner,
where
we
set
up
our
profile,
which
is
quick
and
we
give
it
a
har
file.
A
A
hard
file
is
an
http
archive.
It's
an
industry
standard
for
exchanging
information,
about
http
requests
and
responses.
It's
generally
json
formatted
and
contains
browser
interactions
with
a
website.
There's
a
few
options
for
providing
this
data
to
gitlab.
A
hard
file
is
probably
the
easiest,
and
we
use
this
for
doused
api
and
for
our
fuzz
api
scanning.
A
We
need
to
set
a
fuzz
api
profile
which
in
our
case,
is
quick,
10
and
then
we're
going
to
set
a
secure
log
level,
and
this
secure
log
level
allows
you
to
output
more
verbose
information
from
your
security
scanning
jobs.
This
is
useful
when
you're,
initially
configuring,
your
jobs
and
you
want
to
find
out
what's
going
wrong
or
dig
into
any
details,
once
you
move
into
production
for
your
scanning,
you
can
remove
the
secure
log-level
debug.
A
A
A
A
So
what?
If
something
goes
wrong
in
your
job?
How
do
you
debug
it?
So
we
can
come
into
pipelines
and
we
can
find
the
job,
let's
say
in
our
case
semgrepstast,
and
this
will
load
the
job
logs,
so
in
here
you'll
be
able
to
see
any
errors
or
anything
that
broke
while
running
your
job,
which
will
allow
you
to
debug
it
a
little
more.
Sometimes
you
may
need
to
add
some
variables
or
tell
the
gitlab
scanner
where
to
find
your
files
to
scan,
and
all
of
these
are
configured
in
environment
variables.
A
A
In
this
case,
we
have
our
code
quality
code
intelligence.
We
have
some
deploy
jobs
that
we
wouldn't
need.
We
also
have
some
dallas
configuration
scanner,
dependency
scanning,
license
scanning
sas
and
secret
detection,
and
we
also
have
links
to
where
these
templates
are.
So
you
can
click
on
them,
really
quick
and
jump
into
that
template
repo
to
find
the
details
of
this
job.
So
if
you
ever
need
a
quick
way
just
to
include
these
in
your
job,
you
can
load
up
this
template
and
paste
them
right
out
of
here.
A
So
now,
let's
talk
about
what
our
security
dashboard
looks
like,
as
you
can
see
over
time.
This
is
showing
us
what
vulnerabilities
in
our
project
in
this
case
my
project
is
new,
and
so
most
of
this
data
is
from
the
last
little.
While
we
can
also
review
our
vulnerability
report-
and
this
is
where
everything
the
scanners
pick
out-
will
be
stored
and
displayed
in
gitlab-
we
can
choose
our
severities.
A
Gitlab
then
ran
ci
on
that
new
branch
and
that
commit
and
compared
it
to
the
master
branch
in
my
project,
in
your
case,
any
protected
branch,
but
the
primary
default
branch
is
what
gitlab
is
going
to
compare
all
the
security
find
results
to.
So
you
want
to
make
sure
you
set
your
default
branch
in
gitlab
to
the
branch
that
you
want.
All
of
your
merge
requests
compared
against
for
your
security
scanning
and
then
you're
going
to
want
to
make
sure
that
you
run
a
scanning
job
on
the
primary
branch
first.
A
A
Lastly,
let's
talk
about
how
you
can
find
all
the
custom
variables
you
may
need
for
your
jobs.
In
this
particular
case.
This
is
the
staff
job
and
if
we
scroll
up
a
little
bit
here,
we
can
see
our
logging
level
that
we
talked
about
earlier
and
we
can
set
these
to
fatal
error.
Warn
info
or
depug,
which
info
is
the
default.
A
So
in
the
docs
underneath
secure
your
application,
we
have
our
dependency
scanning
static
application,
security
scanning
secret
detection,
dynamic
application,
security,
counting
api
fuzzing.
All
the
docks
are
here
for
everything
you
will
need
to
configure
in
these
scanners
and
inside
of
all
of
these
docs
you'll
find
this
available,
ci
cd
variables
heading
and
under
here.
It
lists
all
of
the
variables
that
you
can
configure
for
this
scanner.
A
Some
of
you
may
have
java
projects
java
tends
to
need
a
version
set,
and
here
we
can
set
the
version
with
a
variable
sas
java
version
same
with
java
path,
and
maybe
any
java
options
you
might
need,
as
well
as
all
sorts
of
other
variables
that
you
can
use
to
configure
the
scanners
thanks.
So
much
for
watching
our
webinar
today
and
happy
to
answer
any
questions
you
might
have.