From YouTube: Secure::Composition Analysis - Continuous Vulnerability Scanning for Dependency Scanning Demo
Description
This demo covers the changes that the Secure::Composition Analysis team is conducting as part of the continuous vulnerability scanning feature. If you'd like to learn more or track the progress of the work on Continuous Vulnerability Scanning for Dependency Scanning, see the epic below.
- Epic: https://gitlab.com/groups/gitlab-org/-/epics/9534
Hello everyone, my name is Oscar Tovar and I'm a back-end engineer on the Composition Analysis team. Today I will be demoing a preview of the work we are doing around continuous vulnerability scans in the context of dependency scanning. The continuous vulnerability scanning epic that we're working on iterates on the current dependency scanning approach.

If we open up the report, we'll see that this is a CycloneDX report, version 1.4. It has the required fields, and it has some extra properties that are used by the GitLab taxonomy, such as the file path that was scanned and the package manager that was used, in this case npm. Further down you'll see that there are components, so you'll have the ABAB component, version 2.0.3.

If we go back to the pipeline view, we'll see that the security tab has been populated. This is for demonstration purposes, and these are not real advisories, but this is to give you an idea of how the concept of continuous scanning will work. You will no longer need to actually detect the vulnerabilities in the scanning itself.

If you took a look at the jobs, we had not declared any license scanning either, and in a similar manner they are also included. The new licenses that were detected are also included. So I hope this has given you a good preview of what we will be working on and the enhancements that we'll be including in future iterations. Thank you.
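To make the decoupling described in the demo concrete, here is an added example (my own code, not GitLab's): a constructed CycloneDX 1.4 SBOM carrying GitLab taxonomy properties is matched after the fact against a constructed advisory list, so matching can be repeated whenever advisory data changes without re-running the scan job. The property names are my assumption of the GitLab taxonomy, and the advisories and package names are invented.

```python
import json

# Constructed CycloneDX 1.4 report in the shape the demo describes: required fields
# plus GitLab taxonomy properties. The property names follow the GitLab CycloneDX
# property taxonomy as I recall it (an assumption, not taken from the video).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"properties": [
    {"name": "gitlab:dependency_scanning:input_file:path", "value": "package-lock.json"},
    {"name": "gitlab:dependency_scanning:package_manager:name", "value": "npm"}
  ]},
  "components": [
    {"type": "library", "name": "example-lib", "version": "2.0.3"},
    {"type": "library", "name": "other-lib", "version": "1.4.0"}
  ]
}"""

# Constructed advisories (not real): versions in [introduced, fixed) are affected.
ADVISORIES = [
    {"id": "DEMO-0001", "package_manager": "npm", "name": "example-lib",
     "introduced": "2.0.0", "fixed": "2.0.4"},
    {"id": "DEMO-0002", "package_manager": "npm", "name": "other-lib",
     "introduced": "1.0.0", "fixed": "1.2.0"},
]

def version_key(version: str) -> tuple:
    """Order plain dotted numeric versions; enough for this constructed data."""
    return tuple(int(part) for part in version.split("."))

def gitlab_properties(sbom: dict) -> dict:
    """Collect the GitLab taxonomy properties from metadata.properties."""
    return {p["name"]: p["value"] for p in sbom.get("metadata", {}).get("properties", [])}

def match_advisories(sbom_text: str, advisories: list) -> list:
    """The matching step the demo moves out of the scan job: the job only emits the
    SBOM, and this can be re-run whenever the advisory data changes."""
    sbom = json.loads(sbom_text)
    manager = gitlab_properties(sbom).get("gitlab:dependency_scanning:package_manager:name")
    findings = []
    for comp in sbom.get("components", []):
        version = version_key(comp["version"])
        for adv in advisories:
            if adv["package_manager"] != manager or adv["name"] != comp["name"]:
                continue
            if version_key(adv["introduced"]) <= version < version_key(adv["fixed"]):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings
```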