From YouTube: 2020.09.08 - Secure::Static Analysis team meeting
A: All right, happy fake Monday, and so hopefully everybody's week is starting well, you had a good weekend, and that your week, your day, is feeling less awkward than mine is today. I am all sorts of discombobulated. Let's jump into the agenda. First item, and this is just gonna be a standing agenda: we're gonna go project by project on where the vulnerabilities are, and let's figure out what we're gonna do with them. Time-capped, another seven minutes to discuss these things; we'll go through whatever we can and we'll continue on. So I'm going to share screen.

A: All right, here we are, gosec. I went ahead and threw in dismissed just to make sure that I wasn't being blind to something. There are three that are here. Let's go in criticality order, and I'm ignoring the unknown because that's been filed.
B: Can you go to where their source code is? Go to where...

A: That's a snippet from go mod graph, just graphing for slash x as opposed to for text. Oh, I gotcha.

B: Yeah, it'd be interesting to see. Let's see, we're seeing a glance at his comment down there. It said that pretty uses it as well, which is, I think, probably what logs-are-us, or logrus, uses for output.

D: For what it's worth, I think it is pronounced "log-rus", because the logo they use is a walrus emoji on the GitHub page.
F: All right, moving on. So we do have a secret detection bug. I wanted to get an understanding of the backstory to this. Was this just something we missed? I could have sworn this worked, because I have screenshots of my project with it, so it feels like maybe a regression. I'm trying to figure out what went wrong here.

C: So I looked into the MR, let me see, related to this, and I think we'll write the integration test for this.

F: So I think maybe what it was, I'm trying to think through the order of operations here too, was that we had both of these scanners running, and I think maybe when we deleted the secret job from the SAST template, that's when this got really noticed, which is why I think we've gotten this far with this issue. Does that check out to y'all? Am I thinking through that correctly?
A: I'll vocalize what I just wrote, and this is me pulling memories out of my head, so in other words it's my internal voice, internal dialogue, oral tradition. When we introduced historic secret scanning, there was a problem with the comparison logic, where we were looking at just the commits that are within a merge request. And then, if you had historic secret scanning, it looked like you had resolved thousands of problems and, as a result, we wanted to take secrets-related findings out of the comparison logic.
F: Okay, yeah, I don't either. We can move on from this. I think that's helpful context for me. So the next one, based on some of the discussions we've had in previous meetings related to some of the interesting ideas we're considering about moving secret detection closer to the actual commit: I had a discussion with the source code team this morning about what it would look like if we were to extend push rules to support a limited set of regexes today. Take a look, any thoughts you have. Of course, there's some concerns about what performance implications there would be. It does appear that push rules run within Gitaly, so this is like an entirely different system we normally don't interact with in general. I think this would be the source code team that would build this, but it's directly relevant to our secret detection work. So take a look at that. I doubt we would be willing to open this up fully, just given the performance and the potential compute needed to do this, but yeah, take a look at that, add any comments, help me push that forward.
B: Would gitleaks be a good match for this? I wonder: can you use that as a git module, or sorry, a Go module, Zack?

D: You can't... I mean, you can use it as, like, a library, so yeah, I mean you could just kind of shim that into Gitaly, and that should work. I mean, for what it's worth, I think this is similar to what GitHub is doing, where they have their own push rules and they have it finely tuned so that, you know, the regexes that they're using are not open to anyone, and I think they only have it with certain, like, SaaS. I mean, like AWS or whatever. So yeah, you could use gitleaks. But again, this is kind of just like, you need to check the contents of objects being pushed up and prevent that if there is a secret detected. So, I mean, yeah, this is for sure something to look into; should probably come and help us.
B: That's a really good point, that the regular expressions are probably a big trade-off for how fast this runs.

F: I will say that the push rules system today does support basic regexes, but it's based on the file name, so they already do have some built-in capabilities for this. So the thought is it may not be very difficult to expand the current regex system they've got to just actually look at the contents of the files as well. So yeah, put your thoughts in that issue. Be aware, it is a public issue. We do have the confidential issues related to the things that we've talked about previously, so now we have two of them.
A: Right, the axiom, or position, that is coming to mind, and I'll just state it here for the record since we're on recording: anything we can do to narrow our problem domain, I am in favor of. Anything we do that will expand, broaden our problem domain, is a hard argument to make for me, given the velocity we're trying to move things forward at. So I have a strong opinion about how this should work, but I can be knocked off that particular pedestal. It just takes a strong argument in response.
F: Continuing on here, I just wanted to put these issues out there for you all to be aware of. So we've now moved lots of things down to Core. We had the aha moment about a week and a half ago that the Core experience is not really that great; you kind of have to know what you're looking for, even if the tools find vulnerabilities.

F: Anyone be aware that security scanning is something that we offer, so there's a current sort of landing page in the product that 50% of customers can see that just lets them know that we do secrets or security scanning. So that's going to roll out. That is a precursor for the second item, which is: change our configuration page to basically give you a call to action about what you can and can't do on your given plan. So for SAST, you would be able to see the status of the jobs and potentially be able to configure them with our minimal configurator tool rather than our full UI config, and then the others would be gated behind sort of a "start a free trial". So take a look at that. If you have any comments or anything, this would be some of the first time that we'll actually put in-product call-to-action upgrades in the product. So don't hesitate to put your thoughts and honest opinions on that issue.

F: This kind of rolls into the third one, which is on the MR experience we have currently today for Ultimate customers. You get the little colorized banner that tells you how many vulnerabilities, and then you get the diff widget. The proposal in number three basically is: we should show everybody the colorized banner that tells you how many vulnerabilities were found, and then for Core users, point you to download the artifacts from a pipeline. So that's kind of the current proposed experience. We also have put in a tiny call to action, CTA, which is hidden behind a tooltip. I do not want that in our experience, to feel spammy or to feel upgrade-centric. It is purely about trying to help people realize there are vulnerabilities that they need to go and remediate, and that if they were to go and upgrade, there is a better experience for them. So again, put your thoughts, feedback, on those issues. That's kind of my current thought in terms of how we improve the Core experience, and I'll give you sort of just a general positive thing: we're seeing huge growth in SAST just because we're included in Auto DevOps now, so there's lots more jobs for us running. We want to show those customers the value of SAST, and this is sort of a step along the way to make it more valuable for users and ideally incentivize a portion of them to actually upgrade to Ultimate.
F: So I'm not going to claim to have seen every screen in GitLab, but in general, yes, it does look like this would be one of the first sort of actual inline product feature calls to action. The way we generally do feature upgrades is it's a landing page with an empty state that has like a tiny little upgrade message. This would be much more contextualized in terms of what the features actually do, and I think we're one of the first groups where we have a split experience.

B: Yeah, that makes a lot of sense with it being kind of a newer approach, and maybe you're already doing this. It seems like there might be some strong opinions, hopefully loosely held, across the company that could maybe bring some good perspective too. So maybe raise some of those thoughts sooner than later. If maybe you have already, I don't know, yeah.
F: I've been sharing this issue and, in general, people are very in favor of this change. I think we're approaching it with: we're trying to help customers be more secure, and we're already giving them a lot of free functionality, and this is both helping them understand that functionality and use it, and trying to be very cautious about how we do an upgrade experience. But yeah, put any thoughts or concerns you have there.

F: The other thing I'll say is that we'll implement this with some A/B testing capabilities, which will allow us to track revenue upgrades through this, which will tie us straight to revenue, which will be excellent and something that we have not done before, and generally teams that can directly track revenue get more investment. So yeah, there's that.
C: So the only thing that we need to dig into is whether we can use the APIs for Core users to download the security reports. It looks like it's only meant for the EE section, that means non-Core users, the way the documentation is written.

F: I'm not surprised to hear that. I think there's a lot of things that we have moved down to Core that were previously an EE experience, and given our own experiences with moving things down, I'm not surprised that people missed moving things between certain areas of the project. It's when we can check the plans and make sure that we're not violating anything. But I don't believe we are.
A: Yeah, sorry, all right, I was wordsmithing in my head as we go here. All right. Next item is confidential, so I'm going to obliquely reference it and kind of give everybody a heads up. This is something that has come to mind, in other engineering managers' attention, as of two hours ago, in that there are some reports that have been made available for scans made against containers that we maintain. It's not by our tools, and it's mostly comparison-like, container scanning type of reports.

A: This is something I'm struggling, that I'm wrestling with right now. If people have opinions, I would certainly appreciate collaborating on this. This brightness, and there's more that I will share within Slack later, but just a heads up that this just came in. And so, getting away from oblique and into something that I can do head-on: so Jamf, hopefully everybody's heard about this before, I don't know. There's been an attempt to roll this out company-wide once already and we're talking about it again.

A: There's an early enrollment period that's going on right now, should you be interested in being a part of a beta test. Every bit of information that I have seen about this, within what's happening in GitLab and the engineering managers channel and everything else that I've seen, is available here, including links to epics about security. Compliance safeguards with FAQ in the handbook is available for your review. So if you're interested and willing to be a part of this pilot program, please enroll.

A: Otherwise I would expect something like the asset tracking software of some kind to become a reality for us in our near future.

A: Somewhere there's Jamf or something else, and it's just, I mean, if we're expecting a look, if yeah, it's just a compliance thing when we get so... I'd expect it. So if you have questions, let's talk about it. It doesn't have to be here. It can be in a one-on-one if you'd like.
B: I am curious, do they have any idea of when it would go out of beta, like when will it be a requirement?

A: No, I...

A: I checked the handbook. Thank you. As soon as I know more information I'll share it, but since we're in a pilot program for something, I wanted to make sure everybody was aware of it and then call it out.

A: All righty, we're at time. Unless anything, some folks want to vocalize real quick, I'll go ahead and wrap up the recording.