Description
Consistency in default behaviour of AST scanners and jobs
https://gitlab.com/groups/gitlab-org/-/epics/5334

B: Yeah, so I guess it was already answered in some of the text here, but my primary question was: are the reports uploaded, or do they just, like, stop, does the job stop parsing after they find one vulnerability, if that's allowed to fail? And I assumed it wouldn't, but I just wanted to be safe and clear on that. So all the reports will complete and upload.

A: Don't think we actually have control over that. Somebody can correct me if I'm wrong, but I think, and there's a whole different bug that we can get to once we get to these questions, but I think when you pass an error code, like, it doesn't, it can't do anything extra, like, it has to use the default text.

C: I can have a look, but I think that default text is "job exited with exit code six", let's say. Hang on.

B: Cases wouldn't, like, I got yelled at by Dangerbot, and what it did was it threw a comment in the MR, so I was able to, like, know why I broke some rule, right? So I guess my real concern around this is: what's the guidance we're providing to users with this error? You know, exit code six, like, I go into the job, it failed.

A: So I'm pretty sure, I don't know about Dangerbot, because that's a linter, so I think it's slightly different, but usually when I'm looking at the logs, if the logs are on, there's usually a line above my errors that kind of hints at me why it's angry. I'm not sure if we have the ability to output something there.

Hopefully my screen is explanatory here. So, like, when I fail a job I usually go to here, and it, like, tells me the last couple things it had to say before it got to my error, and so I usually look, and I'd say, like, the two or three lines above my error code tell me what it's angry about. In this case, it's angry about a blog post that I didn't write, in which case I stopped caring, yeah, because it's not my blog post.

So I'm assuming, if we could say, like, you know, "finding detected" or something like that, and have that documented in our documentation, people would then be able to (a) easily look it up and (b) be like, "findings, oh, they mean, like, the things that are going to show up in my MR." So that's kind of where, like, I'm assuming this is some kind of message we can control, but it's this one we have zero control over.

C: And that's exactly what I do, and I tend to ignore the last line, because again, that is the exit code. Now have a look at what's right before that, and maybe that's what we can use. We can use these two lines in the troubleshooting section on the docs, because users would look for that, these exact two lines, and we will explain there. We will explain how you can tweak the job, or change the allowed exit codes, whatever.

B: Will all of these, even if it's allowed to fail, I guess it still fails, everything will show up in that failed jobs tab?

A: There's kind of a blocker on that right now, but if we get what we want, yeah. So, and then here's kind of the key thing if we get what we want. As of right now, so backing up, today everyone has allow failure by default if they use a default template.

Our strong recommendation is, if you are a very concerned group of people writing code, you can change the "all" to only six, which means any technical failures will stop you and then you have to fix your configuration, but it will be allowed to kind of continue on with its life if it finds findings. So they don't have that granularity today.

But that's where we recommend, if there are a, I need to find a nicer word for it, because it's not zero.

Yes, if they're very cautious, they can certainly do that. Our number one recommendation, like, our recommendation for all persons, is to use MR approvals because, in my opinion, although not perfect, that today is a better indicator, because MR approvals is a little smarter about what's new and what's not, and that's, like, the major catch with this: this is not smart about what's new versus not new. And so, like, our recommendation, and my goal, is to put this on the, apparently there's going to be a new configurations section or page that Russell's working on, but over in application security, my goal is to just explain how things work by default, and then on the configurations area, Russell and I are going to work on saying, like, here are your options. Our first highly recommended option is to use MR approval. If that's not, you know, careful and cautious enough for your programming environment, we recommend switching the "allow all" over to the "allow six" and, if that's still not good enough for you, you could just remove that line completely. But we don't recommend that, because that just sounds like a terrible idea. So.

C: Yeah, and that's because we don't, that's because scanning jobs report findings, and some of them might have been dismissed in the UI, and the scanning jobs are stateless, not connected to the database, don't know what's been dismissed. So you're kind of stuck if you've got dismissed vulnerabilities.

A: So Sam White's supposed to tweak, not right now, but he's supposed to tweak security orchestration so people do get a little more granular control and finesse over things in the future, that's not quite the cudgel that MR approvals are.

E: Well, he's got that now too, that's also just to improve. So Nicole, Fabian, that's actually, that was a key concern that I had in one of the issues. I don't think anyone's had a chance to respond to it yet, so I'm going to be opportunistic and jump to my question, last in the list. Dismissing a finding is extremely common, for whatever reason, especially in a large project; the default branch is likely to have at least one. Does that mean the second I do that, forever?

Yeah, to me, I, oh, I don't know, maybe I'm overreacting, but I feel like that's the biggest unexplored area, because to me this doesn't feel like much of a two-way door unless we just rip it out and turn it off. I mean, talk about a cudgel. There's no granularity in there at all, by status, by severity. It's just, to put it a different way, I think anybody that has an existing project that turns us on is immediately going to see all of their jobs fail, all of the time, for all branches, which means that

C: It's not exactly true. If the scanning jobs have vulnerability filters based on severity, for instance, or based on the deny list like we have in container scanning, then what's been filtered out is not detected, and so that might help, but must...

A: Well, caveat on that one. I do actually want to, it's in the, like, six-month list bucket at this point, but I do actually want to introduce the concept of ignore into dependency scanning, where we allow them to populate, kind of like container scanning does, we allow them to set certain CVEs or whatever that it just ignores going forward, or certain dependencies and versions, just ignore going forward. Because there are customers who just know, we've accepted this risk.

When I first started, the most common question I'd get is, you know, "it passed, but there were findings, I don't understand," and that's a question I would get from everyone on their first couple of runs, and so to solve that problem, I think we could possibly do something in the UI, or when you're installing, or on the, you know, like, we could do multiple places. So the number one question I always got was: what do you mean you found stuff? I passed. The second most common question I'm getting today is account managers going, but, like, there's, sometimes it means it found stuff and sometimes it means it doesn't, because I guess some people are running fuzzing when they ask me, and so I just want consistency. So if we want to go the other way, then we have to be like, okay, the rule is you find findings, you're always a zero. We have to, you know, talk to fuzzing about switching over their stuff, you know, and make either direction we go.

They care about it at the granular level, not at the level we're offering. Today I was trying to solve the understanding problem. We have to wait for Sam White to get to the more granular issue, because a lot of people, the things that I hear specifically, there's been two or three customers lately, is "I only care about certain types of things and I don't care about things that I've dismissed."

So I know that we, in dependency scanning at least, have to add in pre-ignore dismissal lists, because that's overwhelming people right now and making them cranky, and I think the auto-dismiss will help to a degree. But in some cases these customers know, "across my organization I never care about this version because we have a workaround, so don't even ever bother me with it, it aggravates me," and then secondarily, "we as an organization only care about critical and high."

C: So, but yeah, but from a technical point of view, it makes sense to improve the dismissal feature so that you can dismiss based on severity, based on whatever, many criteria. And then...

Just to finish this idea: if we improve this feature, the ability to dismiss vulnerabilities, then we can focus on communicating what's been dismissed from the database to the scanners. But that's work involved. It's doable, it's like passing an artifact. Maybe it wouldn't have to be in the repo; it can be something, a file, some kind of artifact that the back end would pass on to the scanning jobs.

D: They can create as much as they need, but yeah, Fabian, you're playing into what I think is the right direction, because even if you're not talking only about dismissal, but also one thing that I've seen coming into this discussion is "I want to block my pipeline if there is a new vulnerability." That knowledge about what is new from what is past is not capable, and we are not capable of defining this in the scanner, because it's stateless; this information comes from the database.

So I think we really need this post-analyzer process that grabs information from the database and, during the pipeline execution, checks what's new, what's called, what's dismissed, and this is what will be providing us the ability to have a smart orchestration in the pipeline and decide whether or not we want to block based on the rules. So based on feedback from Matt, maybe we need this first additional step about, okay, I need to inject this post-analyzer logic that grabs information from the database into the scan. Just one. Maybe just one scan would be enough, and tell, is this a dismissed one or is this a new one, and then adjust the exit code based on that, but there is possibly...

A: But there's, people do care about both those. Some customers care, "are there any highs that we haven't dismissed?" Other customers care about, "are there any new highs?" So there is, I mean, we could do some, you know, polls to ask people, but there are, I believe, people who would want those two different things, which are...

E: Very good! No, I fully agree about that first case, because anyone that cares about a high that's not dismissed, that's not a question of new feature branches, it's already by definition in the default branch. So it's in a location where it's already causing problems, right? So you're now blocking any net new feature development upstream from that. I mean, if you want to do that, I feel like you're addressing it in the wrong place, and so that's more of a, Fabian.

C: Sorry, yeah. I want to object here. Maybe there's some misunderstanding from me, but in the case of dependency scanning and, to a lesser extent, in the case of SAST and other scanners, we might be in a situation where we check the same code base again and again, and because we have new values, new advisories in the security database, we get new stuff, possibly highly critical vulnerabilities. And it's also possible in the case of SAST, because we might improve the scanners, get new rules and the ability to detect new things.

A: I suspect, I'm just gonna point out, that's exactly it. Matt, you're thinking about them as, like, I existed yesterday. So, like, yesterday maybe I was time clock version one, and I had some highs that I had, and, you know, we moved on with my life at that point, but now today time clock version one has a critical that somebody found. And so maybe I'm thinking about it slightly wrong, and maybe we could parse it slightly differently, but it...

E: Still either existed in the default branch already, and it's just that the updated information was first applied to an outstanding feature branch that had come from the default. In fact, I've heard this complaint from customers: "I'm a developer. I just opened a new branch. I've committed a README file and you've stopped me dead because I had a critical vulnerability. What? I didn't introduce one." Well, it's because the analyzers had updated the information, but there was a stale default branch. So again, I think this is more of a tool use problem than an actual...

A: This was newly found and your security department says no, you know, like, they've dismissed other stuff on this, but this is a new one, and it's a new thing against an old dependency.

E: It totally does. I guess my concern is that there are so many different potential use cases and setups that organizations have. If we move them into a mode where there are these new sorts of failures, and there isn't any nuance or granularity like we're talking about here, exactly what Olivier had said, if we can't do any sort of post-processing, I think that's where my concern comes from.

I'm just worried that if we just turn that on now, we're going to end up in a similar situation where developers are just trying to put in code and they're going to start seeing all these pipeline failures, and there's going to be frustration that's like, "but I didn't do anything, that wasn't my pain." The...

D: This is a wrong UI signal, I agree, but this is not in their way. This is not preventing their workflow, it will just send it back saying a lot, okay, why is this job not failing, if people really do care about it. But yeah, I agree with you, so.

B: Have policies in place that say security jobs have to succeed in certain branches. So no, what I worry about is seeing this new array of allowed-to-fail, a bunch of warning icons, warning icons, and then users going to be like, well, what, why did that fail? And clicking on every single secure job and saying, oh, there's a vulnerability, oh, there's a vulnerability, oh, this one, there's an actual problem I need to fix, and then, oh, there's a vulnerability, oh, there's a vulnerability!

C: Yeah, but Andy, if we have a post-analyzer job that makes the diff between what's new and what's already dismissed in the database, and that job lists the vulnerabilities, the new ones, and exits with exit code six, for instance, and that information is repeated somehow in the report page, then it should make sense to users. What do you think?

Right, they're looking at the pipeline, and I focus on the default branch, because this is where our vulnerabilities stored in the database come from, and let's suppose that they have scheduled pipelines running every day, and one day it fails because they have new vulnerabilities, and these are spotted in a post-analyzer job, as suggested by Olivier, where vulnerabilities detected by the scanning job are compared to the ones the backend knows about, making the diff again. So there would be a diff, it would be...

It would show up as a list in the job, for people who care about the jobs, because some people don't, but some people, users, are interested in the pipeline and what happens in that pipeline space. They would see this failing job, open it up, see the log and see the list of new findings, exit code six. That would make sense to them. I guess it would make sense to me, but...

A: Plus there's issues, but I think, kind of to Matt's point, until we have a post-analyzer, this may put people in the same spot they're in today, which is confused, but more confused than they already are, because they're confused today, and this might put them, I think, more confused. So what might make more sense for the MVC is actually to get fuzzer to switch over to zero and then spend between 14 and 15 working on defining a shared post-analyzer logic between the teams that says: okay, in 14 we all solidified on zero, but on 15 we're all going to solidify on six with a post-processor, and the post-processor has these three rules that everyone has to follow, where we take out anything that was previously found, so, not like, I specifically do not want to include a new vulnerability against a previously found dependency, like, so in our logic I would want to make sure that that still counts as new. And so we'd really have to get down into the nitty-gritty of what do we consider new today versus not, and so in my case, you know, define that, like, this is new.

E: Yeah, and I think, just to, I don't want to labor the point, but from a developer perspective, I'll probably go check the pipeline if it failed and I can't get my MR through, and if I've introduced a clean branch, my code doesn't have any new vulnerabilities and the MR security widget shows me, like, you know, nothing's here, good to go. But then I look over at the pipeline and I see individual security jobs that have failed. I'm gonna be like, but I don't see anything in my code. And I don't disagree that you can go into the pipeline job and see what the failure is for exit code six, but in the case of something, you know, currently fairly noisy like a DAST or a SAST scan, there could be hundreds or thousands of dismissed findings. Once I do that a couple of times, that job is dead to me, I never look at it again, and that's what I'm worried about: that we're introducing something intended to be helpful that, if it doesn't go far enough, people are going to become information blind and they will never go back to it. And I know Nicole and I have been fighting with stuff like this in the UI, at least I have since we started, where it's like, no, no, it's better now.

A: So I think we're looking further down the road, but we could, like, start working on stuff, maybe put it behind a flag and let people opt in, because I just don't want to, like, accidentally break people's, but, like, maybe we introduce it behind a flag and get feedback, and that would be great. So I still absolutely want to do that, and I'm going to have to have a conversation, obviously, with Sam Kerr then, and be like, I need fuzzing to agree to get on board with this.

E: Nicole, too, in this, if we do go, I mean, like, I really like the idea of a post-processing, because it does solve a number of problems. I'm wondering if we probably could leverage what we've already got on the vulnerability management side, because we're having to do that diff compare to populate the MR. Post-processing job that any of the security jobs would feed into, and it would feed back to, in theory, even a third party could potentially just almost get that for free, right? If that's the single place where we're saying, oh, this is where I've put all my exception rules, like, I don't care about CWE one two three, because, whatever, my organization has controls or whatever, right? So it's, like, this generic thing where all the security jobs feed into and then pull back, it could be really valuable. I think that's what I'm saying, but yeah. If...

A: I just need to completely change the verbiage of it, because the entire goal of this thing was still to have consistency and clear documentation, which is absolutely what I still want, and it's just the post-MVC is now aimed for 15.0 with an early release under a feature flag, once we can get some post-processing, which we will discuss in a separate issue for each scanner.

C: It's very, Matt, it's very similar to what we do in the merge request, and that's inspiring. Maybe we can use code and simplify things. Yeah, I'm just worried about possibly the ability to remove the post-analyzer jobs, you know, the approval step, but...

E: That's a future fix, right? I know Melissa is going to fix all of her rights and permissions, and so maybe that becomes some new special permission, that the post-analyzer is automatically inserted into a pipeline with any security job, but only special people can turn off, hand wave, hand wave. But it does open, I think the post-analyzer, the more that we kind of talk about this, the more I think that that sounds like a really promising idea, because you're right, you could insert very special processing rules that are specific to your organization without having to do, I guess, all the configuration of all the nuances of the scanners, and so there could be easy on/off rules, like, Nicole, to your point.

A: That's an item I have that I've been meaning to get to for the past three months and haven't gotten there, but I want to define what I want from the dependency list page and sort of from the vulnerability list page. But obviously I have to run that by you, and one of it is the ability to pick my branch, in that I could say: okay, by default we only care about your default branch. However, one could in some way configure to add an additional branch, like you're saying, whether this is an upcoming release branch or this is a, you know, a security branch or whatever it is, like, you could choose to add, "I would like to add an additional branch," and then we'd have to record, are you default branch or are you security branch or whatever, so that I could filter my...

E: It is pretty straightforward, but absolutely people have requested that on the vulnerability management side, because they want to do things like, "I have two previous maintenance branches that I have to maintain," or "I do have the security branch," and in some cases people are using tags, and "I want to track a tag, not an actual, you know, I don't want to look at the branch," so to speak, because that's the way that they choose to do their CD.

C: Certainly, yes, okay, yeah, so for comments. I mean, I remember this discussion, and we had, I mean, similar use cases where we were interested in, now, stable branches, like, we've got version one, but now there's version two coming, and we want to try them, it is in this branch too. But we were told, no, storage, that's going to be too much, it's going to be too much data, and I'd like this to be, on the safe side, sorry, we should start with the default branch and then we'll see, that kind of cut, but...

A: For context, the database, because it's having issues right now, I can't press this yet, but I have a thing scheduled with a new to discuss the features we cannot have today because of concerns about database performance and size. Yeah. Issue to beg for us to find whatever the solution is; I'm making that issue in order to beg for, in my opinion, but I don't really care how it happens, I would love for Secure and Protect to have our own database, kept at the same version and wherever else, but, like, separate, and then, you know, we can do API calls between the two or whatever, but...

E: Well, this may also press on a retention policy thing, because right now it's a selling point that we store all vulnerability data forever, so there's a full audit history. I'm a little bit terrified about opening the ability for users to actually remove vulnerability records without a true rights and permissions model.

A: Because, yeah, we have to consider for both self-hosted and for SaaS, because we always have to consider both, but having dealt with multi-tenant e-commerce shenanigans previously in my previous life, having it be a configuration option that is executed through a scheduled job that works through a function reduces the concerns about permissioning and load, because you can have that function execute at low-load times. So I think if we were to properly build in the mechanism where, if you are self-hosted, you can force the function to run earlier, you know, we don't recommend it, but that's, you know, it's your install, you can choose to do that. If you're on SaaS, you basically put it in a request-ish type situation through a configuration page, and then the function will execute at the time that the function deems to be proper, which might be, you know, 24 hours or whatever, and there would be a log of that or a recording thereof.

Be a function, we would have to tell them, like, when you turn on this option, you're going to have to wait 24, 48 hours before everything clears out, and then once it clears out you uncheck test mode, essentially. You know, in test mode, maybe we have, like, a, you know, test mode, keep things for a week, or test mode, keep things for 24 hours, or whatever, and it's like, once everything clears out, then you uncheck those boxes and go back in or whatever, that's...

Yeah, all right, so I will close this out, rewrite epics. I will post in the PM channel and say, Sam, would you be willing to jump on board for zeroes for the next 12 months if the plan is at 15.0 to use sixes but with the post-processor? And if not, I'll just start planning all of my stuff with everything except for fuzzing, which would be sad, but, you know, whatever.

I wouldn't close them yet, so here's the thing, I sort of want to, like, maybe, like, if you go through one and you're like there's nothing useful here, feel free to close it. I feel like some of them might contain enough useful data that we want to move them to the post-MVC bucket, because, in my opinion, in the post-MVC bucket some of the things we learned are totally, like, it gets crazy, because some of them, like, there's, like, a really good back and forth that I think you almost have to travel through, but I could be wrong. But yeah, if we think we can accurately summarize taking people on that learning path, then we can close it out and, like, have a new issue in the post-MVC that points at that, but otherwise I feel like there might be one or two issues that I want to drag over. But yeah, we'll read through, capture any learnings, close out most of them.

No, you are correct that until we, like, this is too small of an MVC. I know we're supposed to, like, have embarrassingly terrible MVCs or whatever, but this is too small of an MVC, where if we start training people to ignore us, they may continue to ignore us even when we don't want them to.

E: I would almost call this a good MVC, but just in the wrong order, like, I still think that what is here is going to be useful, and having something other than, like, did or did not pass, with no other granularity, is a good objective, because then we can start putting out more rich information out of the failures, you know, the post-analyzer could consume those. But yeah, I certainly appreciate the time in digging into all this, and, you know, letting me poke my nose into it. So this is a...