From YouTube: 2020.03.03 - Secure brainstorming
Description
Security Approvals outside of the Merge Request context
A
Create morning everyone I'm chilly perfectly distinguished in general, did that for secure and defending 30-day. We look as charts in your back engineer for secure and we're going to talk about security approvals outside of the merge request. It gives a bit of Baggins here we owe and yet something in the merge request. We find the Lincolnshire that Shana screen make sure it's alright.
A
So basically, anyone with at least the developer responsibilities in the project can go to the dashboard and dismiss pretty much whatever a very black and being not just completely. So we don't want that to happen. If we provide this than a feature for just another security gate, we should also have something outside of the merge request.
A
Moving in the dashboard, the problem that we have is this Google is using some features that we're relying on in the merge request each other approval system, and so it's only happening in the context of a merge, because there is nothing outside of that. So how would we ensure that no one is able to dismiss anything at the project level and the more the group level, because the group level we are completely outside of the context of the projects?
B
How did the existing way that approvals work, but I'm also mixed on that. I think that might be getting a result in terms of I don't know if the one who actually exposed the same functionality or start from a different direction. In the case, it was like something like using the existing approval rules functionality, but within the context of security dashboard, I think that that could be complex. But maybe we just look at what we're trying to accomplish first, so maybe to figure out.
A
By an hour would be I would quote protected because we're only getting the results, but not into that one, especially not in the group dashboard. So you can find part of the github own group. For example, I can go to the dashboard and dismiss tremor, which is many different places, and we don't have a timeline penalty. I created an issue to follow.
A
If we are, the timeline would be able to spot that someone started to peek around, and this means a lot of things that could solve, partially solve this problem. I'm also afraid that if we start using the rules outside the context of the merge request like in the poverty, we could rely that that could be confusing for the users, because it's explicitly, this is explicitly same in the documentation and in the settings that this rule is applied during a merge request.
B
But at the same time, if we go the other direction, would it be confusing to have two separate ways that that works, right? So I guess on a similar to that, do we, would you ever want a different group of approvers in a merge request versus the dashboard? Is it that if you do, then we wouldn't need to be a business separate functionality regardless.
A
I would have a Security Center, where I can manage everything. Where did the security and I would move that away from the merge request approvers. I was demoing that the other day and I honestly completely forgot at some point where it was bigger, and you know during the demo, I didn't want to click around and to me to be more and more machining than it was.
A
So I would envision something that is more security-oriented and not really tied to the market, especially so remove that kind of security center, or even better directly with a skirt like I would be able to write if I have at least one finding that is critical, high or unknown I require the approval of that group of persons. That's even better because it's working everyone in the merge request in the dashboard anywhere, where you would interact with them with the finding right. Now we just technological sent ball that I know, maybe in the future.
A
API works on, for instance, put something in the UI and then there's a way to bypass that, because we can update the vulnerability directly with the API, getting back to square one. So and that's not going to work with a large customer status. Who are targeting for to me because there's any the way to ensure that no one is able to mess around. So what.
A
And this is honestly we can't fit back in and topic that near the customers who is really able to dismiss something and when we also, basically every developer is able to do that. Hopefully we can get back to them, saying oh, but if the finding is pretty good higher and then we will require that report anyway. If anything, you distance that so there's no way to bypass that. That's the only place where we do that and that's a problem.
B
So be so going to that page, it's worth mentioning the way that this is currently the way the architecture crown worship is which is. There are project-level MR approvals and then there's merge-request-level MR approvals. What happens currently is when you open a merge request, it inherits the project's approval rules, but you could, you can modify that on a merge request level as well. So you can take a merge request and you can create an approval directly on the merge request. If I said this looks really scary.
B
So yeah, there is decent API support, so propagating rules for all projects in a group should be pretty easily scriptable, but it's not going to be sync. So any changes to like any future changes are not going to obviously apply to the projects, at least currently.
A
The problem that we have is that these users are in the DB, so you click sales, it's the world, nothing else, so we're bypassing all the Wardrobe of the project. If you define approvals, if you define is going to things and what going through them, if we had these dismissals in the repo directly, we could use things like project owners to us for approval of the particular good.
A
And that means from the dashboard when we want to dismiss something that will bring you to a new multiple stage where we go through all down, and you have, I like this idea, because you have trusted irritability, it's helping in many different areas, and if you want to have that master, you need someone from the maintenance group. Not everyone is able to merge the master, so it has to go through specific list of users. So that's why I like this idea of living and see you're fine but I'm not sure about that.
B
Doesn't really help with the git blame problem and it doesn't really. This is basically a workaround for having a simple user permission level within GitLab like this. This would be the same thing as adding a drop-down somewhere. That said, permission for secure dashboard and select, like you groups, I don't think this solves the issue of like tracking individual dismissals.