From YouTube: June update on the GitLab Inventory Builder
Description
Philippe Lafoucrière, Engineer in the Security Department, introduces the GitLab Inventory Builder and the current progress on the project.
Links:
- GitLab Inventory Builder: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/gib
- Example inventory: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/inventory-example
- OKR: https://gitlab.com/groups/gitlab-com/gl-security/-/epics/106
- Issue to share your ideas: https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/162
- Categories MR: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/83315/
This is something that I started at the beginning of the quarter, so the project is kind of brand new, but I already got a lot of questions from various team members inside the security department and outside of the security department. So I'm trying to answer all these questions in this video. So why did we create this inventory in the first place?
So if we take, for example, the gitlab project that we all know, which sits under our gitlab-org/gitlab, if we want to see all the dependencies of this project, we have this dependency list page here. The dependency list is using the dependency scanning feature and relies on the pipeline running on this project. The problem here is, if I want to know exactly what are the dependencies running, I have to browse 180 pages and there is no search in there.
So it took me approximately five to six months to get rid of this problem, and I had to ask around pretty much every single team if they were using this Go version, and we discovered that we were actually using Go 1.15 at that time. In all of these projects, I had to do this work manually, and that was very tedious. I don't want to do that again in the future.
If we have another vulnerability in Go or Python or Ruby or whatever, we need to know exactly what we're using and where it's used. So that's why I started this project. The GitLab Inventory Builder, currently residing in the Engineering and Research sub-department where I'm working, is a very simple project. I like efficiency, and I started this project with this conference in mind. I didn't want to start something shipping with GitLab directly in the Rails application, because I wanted to ship something as fast as I could, because I just needed to experiment with that.
So it's something on the side, but it's very simple to use, and actually you can already use that today, and any of our customers could use that today if they want. What they need is only a GitLab CI configuration file in an empty project that includes this template here that I created. This template defines a lot of variables so that you can configure how you want to run this inventory builder, and the other part of the configuration is this data structure.
So everything is done through a tree structure within this data dir, which is the root of the data folder that we want to synchronize, and every folder in there is going to be synchronized. That's exactly the tree structure that we have on gitlab.com. We have a gitlab-com project, the gitlab-org project and, for example, I already created these two subdirectories, because I don't want to synchronize them.
But if I run the GitLab Inventory Builder on this, it's going to synchronize all the subgroups, all the subprojects within gitlab-com and gitlab-org, and so for every single project and subgroup that we're going to synchronize, I'm going to store the metadata of the project within the tree structure, along with the group metadata, and the point of all of this is to be able to categorize the projects. So there's this merge request that is currently in draft mode, because I'm still working on the different categories and how we are going to work with these categories.
So I already defined a few categories here to get started, and based on these categories, I define two things. The first one is rules, so rules are actions based on categories. So, for example, if it's a product project, so something that is involved in the final package of GitLab, something that's going to ship with GitLab, the rule is: I want to download the different vulnerability reports.
I also want to define some policies based on these categories. So, for example, if the project is a website, external, meaning it's a user-facing application, and it's dealing with yellow, orange, or red data, then we will require you to enable DAST. What I'm doing with that is I'm trying to write down all the rules that we're trying to apply every day as part of the security team, but they are not enforced and they are not very specifically defined anywhere, whether in the handbook or documentation or anywhere else. It's just case by case.
We evaluate every single project that we are working with and we define if we want to have secret detection, if we want to have SAST or dependency scanning, and we have to do that over and over again. The problem is not only that we don't have consistency by doing this kind of workflow, but also that we have a lot of dark corners. We have a lot of projects that we're not able to monitor correctly because they are just not on our radar. Projects are created almost every day at GitLab.
We have a lot of engineers, a lot of departments, and at the scale of GitLab it's becoming quite impossible to follow everything that is occurring. So that's a good way to not only track what's happening, but also be able to say: okay, we have these changes this week, we need to understand what they are referring to, how this project is used.
So not only do we have all the dependencies of all the projects that we want to monitor, but we also download all the vulnerability reports. So we have a very unique way to create a dashboard by cherry-picking the projects that we want to monitor within gitlab-com, gitlab-org and so on, because we have a lot of different projects under the root namespaces that we want to track.
I created here a public example of how to build an inventory. So I started with an empty project and I just added, of course, a README file to explain what's going on there, but there's also a GitLab CI configuration file using exactly what I was showing. So we include the template, and I did a few tweaks by overwriting some variables defined in this template. That's all it takes to get started, and I also created this data folder with this structure.
So actually I'm going to use the Web IDE to show you the structure; that's going to be easier to explain. There we go: in the data folder, we have the gitlab-org root namespace. So that means we want to synchronize things in there. But there's an ignore file here, so the GitLab Inventory Builder will just stop the synchronization at this point and not try to download everything that is under gitlab-org. But we also have this 5 minute production app, which is actually a real project.
A real group on the architect board, and I added this .gitkeep file, because I want to keep this folder empty, so that empty folder is going to be synchronized by the GitLab Inventory Builder. So we can see that everything is happening in the pipeline, and it's going to validate that, update that, and a few things that we're going to see right after that. But it's also going to create a merge request with all the synchronizations that are in there.
I can also add some URLs directly to the properties file that we're using to categorize the projects, and since we're using this URL somewhere in the repo, I can just grab these URLs and generate an artifact that will contain a list of URLs, never mind, and with this list of URLs, what I can do is start checking all the SSL configurations, and so I have this job generating that.
For example, here for customers.gitlab.com, I have a lot of details in there, and what I want to do in the future is start working with this overall grade here, that's a B. So I want to create a policy, for example, that will say: if it's a website, user-facing, so external, and using yellow, orange, or red data,
the grade here can't be lower than A. That's something that we can do very easily; I'm planning to use OPA for that, and it's actually super easy, because I also generate the report as JSON. So I just need to parse this JSON file and look for the grade in there and check if it's A or not. So that's where I am today.
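The policy described above (external, user-facing sites handling yellow, orange or red data must score at least an A on the SSL check), as an added example that is not part of the video or of the GIB project: plain Python stands in for the OPA check the speaker plans to write, and the property names `category` and `data_classification`, the report field `grade`, the constructed URLs and the grade ordering are assumptions, not values from the project.

```python
import json

# Grade scale, best first. Assumption: an SSL Labs-style letter scale; the video
# only mentions "A" and "B". Anything not on the scale is treated as failing.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]

# Data classifications that put a site in scope, as stated in the video.
SENSITIVE_DATA = {"yellow", "orange", "red"}

# Constructed stand-in for the per-project properties file (field names assumed).
PROJECT_PROPERTIES = {
    "https://customers.example.test": {"category": "website-external", "data_classification": "red"},
    "https://docs.example.test": {"category": "website-external", "data_classification": "green"},
    "https://handbook.example.test": {"category": "website-internal", "data_classification": "orange"},
    "https://shop.example.test": {"category": "website-external", "data_classification": "yellow"},
}

# Constructed stand-in for the JSON artifact written by the SSL-check job.
SSL_REPORT_JSON = json.dumps([
    {"url": "https://customers.example.test", "grade": "B"},
    {"url": "https://docs.example.test", "grade": "B"},
    {"url": "https://handbook.example.test", "grade": "C"},
    {"url": "https://shop.example.test", "grade": "A+"},
    {"url": "https://unlisted.example.test", "grade": "F"},  # not in the properties file
])


def grade_at_least(grade, minimum):
    """True if `grade` is as good as or better than `minimum`; unknown grades fail."""
    if grade not in GRADE_ORDER:
        return False
    return GRADE_ORDER.index(grade) <= GRADE_ORDER.index(minimum)


def policy_applies(props):
    """In scope: external, user-facing website handling yellow/orange/red data."""
    return props.get("category") == "website-external" and props.get("data_classification") in SENSITIVE_DATA


def evaluate(report_json, properties, minimum="A"):
    """Return ([(url, grade)] below `minimum` in scope, [urls with no properties])."""
    violations, uncategorized = [], []
    for entry in json.loads(report_json):
        props = properties.get(entry["url"])
        if props is None:
            # A site with no category is a "dark corner": surface it, never pass it silently.
            uncategorized.append(entry["url"])
        elif policy_applies(props) and not grade_at_least(entry["grade"], minimum):
            violations.append((entry["url"], entry["grade"]))
    return violations, uncategorized
```

Running `evaluate(SSL_REPORT_JSON, PROJECT_PROPERTIES)` flags only the red-data external site with the B grade; the green-data site and the internal site pass regardless of grade, and the uncategorized URL is returned separately.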
If you want to contribute, feel free to check out the GitLab Inventory Builder project. I will share the links in the description of the video. There's also the main OKR that I'm working on here, and there's an issue in there for ideas for future iterations.
So if you have any idea for this project, for example, using dependencies to do anything, then I would be happy to discuss that with you directly in that issue. Don't forget to ping me in there. So that's it for today, thanks for watching, and again, if you have any questions, feel free to reach out to me directly.