Hi everyone, we'll just wait a few more minutes to let people come into the room. One detail: on the platform you can see the resources you can use, such as the slides for today. Those are things you can download ahead of time to follow along with what is going to be covered. There is also the Q&A portion. As part of the Q&A, I have a couple of people on the call with me from GitLab as well, and they will also be answering questions during the presentation. So, for example, if you have questions while I'm still doing the demo, we can try to answer them for you retrospectively. We'll start now and see how that goes. Today we're going to be talking about software compliance through automation, how we can achieve that via the GitLab platform, and some of our concerns about what's going on in the world of compliance today. Do let me know if you have any questions; feel free to ask them in the Q&A box and we'll try to answer them as best we can. Just a bit of an intro for myself: my name is Jonathan, I am based in Singapore, and I have been part of the solutions architect team for the past two and a half years, nearing three years now, working with the region and a lot of customers here. My previous background was in search engine technologies and also in monitoring. That's where I came from, and it's been a pretty good time to hear about what's going on in the DevOps world; it has really enriched my experience across technology in general.
So again, in the Q&A chat box you can submit questions. If you have questions that we run out of time for, we will follow up via email to answer them; for longer-form questions, or if you might be interested in purchasing GitLab in certain ways, we will go through that with you. The session will be recorded and you can watch it later on. So, for example, if colleagues might have been interested but were not able to attend, please go ahead and share the video later on. Today's agenda is going to be pretty light and I'll try to go through it as quickly as possible. We'll go through some slides first, which are pretty short. After that we'll go through some of the compliance features we have, including a demo, and then the Q&A. The whole session will be approximately 35 minutes plus Q&A. It could last longer, but we'll try to keep it short and sweet and have more time for Q&A if needed. So, an intro to compliance. We start with what compliance is. Compliance, as the slide says, is a state of being in accordance with established guidelines or specifications, or the process of becoming so. That's just a definition. In the world of compliance today there are a lot of standards already available, such as HIPAA, GDPR, OSHA and many others. These are internationally accepted compliance frameworks, but at the same time, at an organization level you might have certain compliance requirements that may not be as detailed, but there are certain things you would want your organization to adhere to in terms of certain standards. Some of the things we will be covering are, for example, that every pipeline should always run security checks before it is pushed to a protected branch.
So how can we do that in GitLab, and how can this be achieved via the various features and tools GitLab is able to offer? What happens when you're not compliant? If you're in Europe and you don't comply with certain things such as GDPR, there are definitely a lot of monetary penalties that can come into play. There are also other things: you might get banned. For example, in the Singapore context, if you're in a financial type of situation and you are not compliant with MAS or something like that, they may not allow you to function as a business. So compliance is a very important feature. It might be very dry and not so interesting, but it's a very necessary thing we need to adhere to, even more so in today's day and age when you are looking at a DevSecOps platform that is getting more and more complex. For a lot of customers I work with, their DevSecOps platform could be made up of a multitude of tools, maybe five to six different tools, and ensuring that all of those tools are compliant is very difficult. That's where GitLab prides itself on being a DevSecOps platform in which we are able to control a lot of these processes within our platform as a whole. So how can compliance be achieved? Some of the things are setting rules and policies to adhere to workflows, having a single source of truth, and having high-level and low-level audit data. One way is to ensure that these frameworks are in place, but the other thing is also to observe, in case people are not able to follow these things or find workarounds. Having auditable data is very important, especially when it comes down to your security audits or IT audits: you need to know that these things exist, and more.
Other types of compliance needs you might have may not necessarily be regulatory, but just at an organization or team level, where you expect certain things to run as needed. So what does GitLab have to offer in terms of compliance features? First and foremost, policy management. With policy management you can display all of the policies for the available environments, so you have a single place where all your policies live; you can create, edit and disable policies and store them as code. The good thing about storing them as code, rather than in something like a drop-down menu or something you drag and drop, is that they become scalable, in the sense that you can copy this code and ship it to multiple different environments or multiple different groups. Last but not least, separation of duties: because we are able to store this compliance code and these policies in separate locations, you can have a separation of duties where you link it up with your RBAC controls, so certain types of people will have access to the policies but not to the underlying code in between; you have two different roles that can each do their own thing. So what are some of these policy types? First, scan result policies: if vulnerabilities are detected as part of your pipeline's vulnerability checks, can you have a dynamic way of requiring approvals from a specific type of person when such things are detected? Secondly, scan execution policies: during the running of your pipelines, can you force people to run certain types of jobs? Say, for example, whenever you run a pipeline you will run a static analysis, a SAST scan, whenever your pipelines are running on a feature branch.
License policy is also one of them. Certain types of licenses may be commercial in nature, and you don't want your developers downloading libraries off the internet and using them in public websites, because we have seen situations where people are using libraries and not paying for them and then get into lawsuits because of that. So having an automated way of checking for some of these licenses and denying some of these merge requests is very necessary. Last but not least, operational container scanning. This is actually a very highly requested feature over the past one or two years, in which containerization has become the norm in terms of how deployments are done today. One thing people want to know is: after deployment, when maybe there is no more new development work happening for that particular project, are there ways in which GitLab is able to help you scan these containers on a regular basis to ensure that newer vulnerabilities are detected? So not only during the development phase but post-development, during the deployment phase, how are these containers being scanned to make sure that vulnerabilities are checked regularly?
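As an added example (not from the webinar or its demo project), here is what the two scan execution policies just described look like when stored as code in a security policy project: the first forces a SAST scan into every pipeline on every branch, the second rescans the images already running in a cluster on a nightly schedule, which is the operational container scanning case. The agent name `my-cluster-agent`, the `production` namespace, the cron cadence and the policy names are assumptions; the rule and action keys follow GitLab's scan execution policy schema, so check the schema reference for your release before copying.

```yaml
# Example added for this transcript, not taken from the demo project.
# Lives in the security policy project at .gitlab/security-policies/policy.yml
scan_execution_policy:
  # Policy 1: a SAST job is injected into every pipeline regardless of what the
  # developer's own .gitlab-ci.yml contains, so it cannot be skipped or removed.
  - name: Run SAST on every pipeline
    description: Enforce static analysis on all branches, including feature branches
    enabled: true
    rules:
      - type: pipeline
        branches:
          - '*'            # wildcard = every branch; e.g. ['main', 'release-*'] to narrow
    actions:
      - scan: sast

  # Policy 2: operational container scanning. Nothing is being merged here; the
  # images running in the cluster are rescanned on a cadence so that CVEs
  # published after development stopped are still picked up.
  - name: Nightly operational container scanning
    description: Rescan images running in the production namespace every night
    enabled: true
    rules:
      - type: schedule
        cadence: '0 2 * * *'       # cron syntax, daily at 02:00 (assumed value)
        agents:
          my-cluster-agent:        # name of the GitLab agent for Kubernetes (assumed)
            namespaces:
              - production         # assumed namespace to inspect
    actions:
      - scan: container_scanning
```

Because the policy project is separate from the application project, only people who can merge into the policy project can weaken these rules, which is the separation of duties described above; the injected jobs appear in the application's pipeline as jobs the developer did not write. A `schedule` rule with `agents` is the operational form and needs an agent connected to the cluster; a `schedule` rule with `branches` instead runs the scan as a scheduled pipeline on the repository.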
Some of these guardrails also help organizations have checks and balances. First and foremost, prevent approval by author. Can you imagine if you were to write vulnerable code, scan all of that vulnerable code, and then decide, okay, maybe today I'm too busy and I just don't want to deal with it, I'll merge the code first and forget about it? Preventing approval by the author is a very important feature that we've seen with a lot of organizations, because we want to have that separation of duties again. Other things you can have, such as requiring the user's password to approve, also allow you to have more control and have those checks and balances in place. Pivoting a little bit, we also have compliance frameworks. With compliance frameworks you can come up with a whole list, and a few are shown here. For example, if you want to ensure that GDPR is adhered to in your code bases, you can have a compliance framework that runs an assigned compliance pipeline. You can have a SOC 1 framework as well, which would run a different one. What you can do at a project level is tag individual projects that are supposed to adhere to certain compliance governance frameworks, and they would then automatically run that code as well. It's sort of like an include feature, but this include is not visible to the user and they cannot exclude it as they wish. This might be complex, which is why we will have a demo later to show you a little bit of how this looks. So just to do a quick summary here: first, we have the policies that we have in place. Policies are dynamic: you can say that if a certain threshold is reached then a certain type of action will be taken. Compliance
frameworks, in this case, are slightly different. You don't really have a threshold or a condition; as long as a project is tagged with a particular framework, all of that framework's jobs will be run on that project and you don't have a choice in it. Likewise with policies, you have that separation of duties, because compliance frameworks can also be managed separately in a different project. Earlier I mentioned that it's very important not only to put these guardrails and frameworks in place but also to have the ability to audit these things. So, auditability: GitLab has a built-in audit event system in which, for example, if certain frameworks are changed, or if changes are made to the approvals list, who is able to approve and so on, all of these things are audited. As an auditor, this will make it a lot easier for you to audit these things and make your organization's life a bit easier as well. These comprehensive reports are already available within the platform, and if not, we do have APIs available for audit events to be exported somewhere else if you want to do it in a big-data sort of way. This next one is beyond the scope of policies or compliance and is more from an observability standpoint: how our security analysts and our developers are able to look at these different types of vulnerabilities and act on them. Say, for example, you have a critical vulnerability: what do you do with it, what's the workflow, how is a security engineer able to flag a new vulnerability and pass it over to the developer easily, without having to call them up or sit beside them at a table to discuss it, but remotely, with a level of assurance that all of these things will be actioned? If not, there is a paper trail out there, and then
there are audit events where you can see these things. Confidential issues are also very important. The idea behind them is that you don't want to make it known to everyone in the company that there is a vulnerability, in case of bad actors who might take note that, hey, there's a vulnerability I can exploit, and get hold of some information before these things are fixed. This is the typical workflow, as you might see: you start with the creation of an issue, go into a merge request, commit your changes, and then go through your security scans, down to the approval of changes, pipeline runs and all of these different things. The ones we focus on in this portion are the code and security reviews and the approval of changes, where we have those guardrails and the ability to assign policies and so on. That's where we will be focusing a lot more today. So now we'll go on to the demo. Again, I wanted to keep the presentation slides as short as possible and move into the actual platform, but feel free to ask any questions in the Q&A box while I'm doing the demo, and we'll go through a few different features of what GitLab has. Do let me know if there's something that needs repeating; I can see that there is a slight delay on this platform, so if I'm going too fast, which I'll try my best not to, let me know; if not, I will just continue. All right, so first let's familiarize ourselves with what I'm going to be demoing on. Let me just check I'm on the right screen. Yes, okay. This is the GitLab platform and this is my group: I have a compliance workshop group here, and I have a few different projects that have been created, or are being created, for this
demo. First and foremost, Simple Notes, which is my demo application. For separation of duties there are also security policies, as well as compliance frameworks, which are separate projects altogether. I also have a separate subgroup in which I segregate my QA team as well as my security team. The reason I do this is that I can add members to these separate subgroups and assign them the relevant work. So if the security team needs to approve certain security-related vulnerabilities, I can just refer them to the security team. If you link this up well with your own LDAP system, or if you have your own SSO system, this can be done dynamically, so at an organization level you don't have to worry that much. Looking at this structure, we'll just go into the project directly. This demo project is made up of a few different languages: about 50% Python, a little bit of HTML, a little bit of shell, a little bit of JavaScript and a little bit of CSS. It's just a demo application; it could be anything. One thing to take note of is that there is this tag that I have here, and this is where the compliance framework is applied. I'll show you later on how this is applied and where you change some of these things, but that's a little bit later. Let's just go through the basics of the project. Scrolling down, we can see that this is basically the source code of the project, a pretty standard type of layout, but one thing I want to highlight quickly is the GitLab CI file. The .gitlab-ci.yml file is the backbone of what GitLab CI/CD is: all the jobs and tasks required to run as part of your CI/CD pipelines are stored in this file. Let's quickly take a look at what this looks like.
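The compliance framework tag mentioned above is what makes a job the developer never wrote appear at the start of the application's pipeline: the framework points at a CI file that lives in the separate compliance frameworks project, and that file includes the application's own .gitlab-ci.yml. The following is an added example of such a compliance pipeline file, not the webinar's own: it runs a mandatory job in the built-in `.pre` stage and then pulls in the application's configuration at the exact commit being built. The job name, the image and the check scripted inside it are assumptions; the `include` pattern using `$CI_PROJECT_PATH`, `$CI_CONFIG_PATH` and `$CI_COMMIT_SHA` is the one GitLab documents for compliance pipelines.

```yaml
# Example added for this transcript, not the demo project's own file.
# Lives in the compliance frameworks project (e.g. compliance-frameworks/.gitlab-ci.yml)
# and is referenced by the framework definition that the application project is tagged with.
#
# No `stages:` block here on purpose: the application's own stages (including
# custom ones) come in through the include below, and .pre always runs first.

# Mandatory job. Developers cannot edit this file from the application project,
# so the job cannot be removed or skipped from the application's .gitlab-ci.yml.
compliance_check:
  stage: .pre                       # built-in stage that precedes every other stage
  image: alpine:3.19                # assumed image; busybox grep/test are enough here
  script:
    - echo "Compliance check for ${CI_PROJECT_PATH} on ${CI_COMMIT_REF_NAME} (${CI_COMMIT_SHORT_SHA})"
    # Assumed organisational rule for this example: the application must carry a
    # CI file and must include the SAST template rather than defining its own scanner.
    - test -f "${CI_CONFIG_PATH}" || { echo "missing ${CI_CONFIG_PATH}"; exit 1; }
    - grep -q 'Security/SAST.gitlab-ci.yml' "${CI_CONFIG_PATH}" || { echo "SAST template not included"; exit 1; }
  allow_failure: false              # a failure here fails the pipeline before build even starts

# Pull in the application project's own pipeline definition at the commit being
# built. Its jobs and stages are merged with this file. Keep compliance job
# names unique so they never collide with job names in the included file.
include:
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_SHA'
```

The string check in `compliance_check` is deliberately simple to keep the example readable; for a real rule, enforcing the scanner through a scan execution policy is stronger than grepping the developer's file, because a policy adds the job itself instead of trusting the include to still be there.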
Within this .gitlab-ci.yml file we can see that multiple stages have been defined, and what this gives you is a structure, a staged way of running tasks. The reason you want this is that certain jobs may need to run before other jobs, depending on things such as the nature of your build: you want your build to run first because you want to build a dockerized container on which you can then run your security scans, and you don't want that to happen the other way around. There could be multiple reasons for how you want to structure these things. Some templates have been added as well. At GitLab we have a lot of security templates, and I'll go through some of the security scans we have, but what all these templates do is make your life a lot easier, because you don't have to specify that this is a Java project, or a .NET project, or a JavaScript project; our templates are smart enough to sense what kind of languages you have in your package and therefore apply the correct scanners. Below that you can see more detail on the different stages: what we're doing during the build stage, in pages, in the unit tests and so on, and Gemnasium, which is for our dependency scanning; some of the different things we have here. There are a lot of different things that come into play, and I will not go through in detail what these are; that's probably another session, more on security or more on CI/CD structure, so look out for those types of workshops when we run them later on. If you take a quick look here, you can see that there are certain types of jobs that are being
run here, and these are the stages. So let's quickly do a run of that in our CI/CD pipelines and see how it looks. I've already done a few runs, but let's quickly show how that's done. Over here you can run it for multiple different branches; I'll just run it for the main branch now and let's see how that looks. Automatically you can see that certain jobs have been run: the build job, the "verify poem" job, the test job, and then the deploy job, followed by your DAST, and so on. Multiple different jobs are running, and this will take a little bit of time. Something to take note of is that one of the prerequisites of setting this up was that all of these jobs are running on a Kubernetes cluster. To us at GitLab, Kubernetes is one of our recommended ways of scaling your runners, and what your runners basically do is act as the workhorses that run all of these individual jobs for you. Kubernetes is a great tool because not only does it auto-scale, you don't use as many resources when you are not running anything, and you can scale back and scale forward as the amount of traffic increases. So how can that be done? Very quickly, over here you can come into Infrastructure and Kubernetes clusters, where you can link them up with various flavors of Kubernetes: you could be using serverless types of Kubernetes like EKS and so on, or you can be using vanilla Kubernetes and just install the required components and link them up. I'm not going to go into detail; again, this is probably another session to be had, but one of the prerequisites for running these things is to set up a Kubernetes cluster. All right, so this is going to take a while, of course; there are quite
a few things that have been done, but let's look at one that has already completed. I ran one last night as well, and this is what it would look like. There are a few jobs that happen. I just want to draw your eyes to this first job over here, the .pre job. If you remember, just now when I was going through the CI file, the .pre job did not exist inside the CI file; there were the other jobs, and if we have time we'll go through it a little more, but the .pre job did not exist. What happened was that ahead of time, to give a bit of a spoiler, I applied a compliance framework to this particular project, such that anyone adhering to my workflow needs to run this .pre job, this compliance job, first, before anything else can run. Again, this goes back to the idea of governance and the ability to run jobs and make sure that your developers are not skipping tasks and not avoiding certain types of jobs while they are doing their work. So it goes through the build job, it goes through all of the different things over here, depending on whatever you want; you can see "verify poem", which is a custom stage that we created, and the custom jobs we have, as well as all the different types of jobs we have here. I'll quickly go through some of these. We have things such as container scanning, for which we leverage technologies such as Trivy to scan these things. For code quality we leverage Code Climate a lot. GitLab is an open source company; we believe in open source, and we believe there are certain tools out there we can leverage because they have a very good following and a lot of people
are contributing to the databases. Gemnasium is something that is sort of internal: for dependency scanning we manage the database for Gemnasium, but it is a project that's available out there, so if you have any vulnerabilities you can definitely submit them there and we will include them in our database. Other things, such as KICS. KICS is, I think, managed by Checkmarx as of today, and KICS is for your IaC, your infrastructure-as-code testing, to make sure that your infrastructure as code, such as your CloudFormation templates, your Ansible scripts or your Terraform scripts, adheres to certain standards and doesn't have vulnerable code in it: exposing ports that should not be exposed, volumes not being secured, anything like that. Another thing I want to quickly mention is your unit tests. Unit tests are something you define on your own; we work with a lot of unit test solutions out there, and as long as these unit tests are in the format that GitLab can consume, we will be able to consume them. Secret detection is also a very big one. For secret detection, say for example developers during the development phase might be hard-coding things like AWS keys, or Kubernetes keys, rather than using the proper methods of storing them in a vault-like system and retrieving them as needed. During development this is very understandable; you're still trying to figure a lot of things out. But over time, when you're moving to production, you want to make sure that a lot of these things are eradicated from your code base, because you
don't want them in your production code; if people have access to it, they will have access to your whole AWS environment also. Some of these things are very important, in that you need to be able to scan for them. After that we go through the deploy stage, after scanning everything that's available here. A question I get a lot is: if one of these stages were to fail, what would happen, does it block all the stages at the end? Preferably we would suggest that you don't, because this is still happening on a feature branch. Of course, I did mention that when I was running this it was on the main branch, but during the development phase you would create a feature branch, you would then run all of these pipelines accordingly, and this is isolated in a development branch. So what you would want to do is probably allow all of your different security jobs to run first, get a summarized report, and then be able to work on all of these things, even though they continue to deploy into a Kubernetes cluster or a dev environment. The second reason is that if you're running DAST, your dynamic analysis scan, you do need a review application, or an application your DAST scan can run against, and therefore you should still run your deploy stage. After the deploy stage, this is where we run our dynamic scanners, such as our fuzz testing and our DAST scanning as well. So all is good. You can see that all of it has run to completion. The next thing is, how do we actually see where all of these vulnerabilities are, or whether there are any vulnerabilities? If you have a tick over here, that doesn't mean there are no vulnerabilities; it just means that the job has been done. So where do we view all of these vulnerabilities? If you
go into the Security tab on the screen, you can see that a results page has been generated. Within this results page you can see that there are multiple types of vulnerabilities detected as part of running this pipeline: your DAST, your SAST, your container scanning (there are quite a lot of container scanning ones here), and various others as well. Over here we give you a whole summary; you can download all of these results into a CSV file or something like that, but if you would like to work on it directly on the page itself you can see them here. There are certain things here: I can also sort them by different severity levels and by different tools. So, for example, if I'm a security analyst and my job today is not to focus on SAST, what should I focus on? Let's focus on dependency scanning in this case. If I go into dependency scanning, it automatically helps me sort out what the dependency scanning vulnerabilities are; I can come in here and look through some of these. There are quite a few criticals, quite a few you could potentially look at. If I click into one of them, it gives me a summary of what the vulnerability looks like: where it has been detected (since it's a dependency scanning vulnerability, it's actually looking through the yarn.lock file), the identifiers, so how it is identified (there are, of course, some CVEs available), and what the solution is. They'll tell you exactly where the vulnerable package is as well as the solution. Over here you can then create an issue, or you can dismiss the vulnerability if your security team, or when you have discussions, you
decide that, hey, this is considered a false positive, or something that is not going to be relevant in my organization; that's something you can definitely do. All right, so this is from a single pipeline, and later on I'll show you a little bit about how this can be viewed at a project level or even at a group level. Going back to the top, we go back into the pipeline; we can see the jobs that have been run, and we can also see the different licenses, what kinds of licenses there are. There are denied licenses as well, and I'll go a little bit into this because I'll be showing you how to set those up, as well as some of the things such as code quality; you can see some of the different things. So I hope you can see the beauty of how this whole platform has been set up, in a way that when you run a single pipeline you're able to see not just the results for one tool, but everything consolidated in a single report for you, as part of a platform. You don't have to do context switching where you're logging into multiple systems and all that. All right, so quickly, what we're going to do now is this: we can see that there are vulnerabilities, but how are we able to set up some of these policies? We go into Security & Compliance and into Policies. There are some policies that were created previously, but let's just do a new one. The first policy, and I'm just waiting for my screen to catch up, yep, the first policy I want to look at is my scan result policy. A scan result policy means that after, as you've just seen, the results of all the different vulnerabilities come in, how are we able to action all of these things, or ensure that the proper quality gates are put in
place. So let's select this policy. Over here you can see some of the things we can configure. You can write it in YAML format if you would like, but let's use the UI for today. Today we're just going to do one for dependency scanning, as we were looking at just now, and enable it. Here is where you define the rules: if the security scan from dependency scanning finds more than zero critical or high vulnerabilities that are newly detected in an open merge request, for all branches in this case, then you require an approval. That is the ability for you to control and allow that quality gate to be put in place. Just to repeat it quickly: first and foremost we are creating a scan result policy, and what this does is that when a scan runs to completion and there are more than zero, meaning one or more, critical or high vulnerabilities from dependency scanning, I would like an approval action from the security team. Over here you can then search for your users; let me quickly do it for my team, limb demo / compliance workshop / approvals, then the security team. Okay, so automatically this gives me the ability to control who has that role. This is actually very important, because your security team might be made up of multiple different people, or you might have different approvals you want, one for QA, one for security, and you want multiple levels of approval in a sort of workflow. So here we're going to configure it, and what you see here is that it actually brings me into a different project, which I'll show you later as well. Remember earlier I showed you the navigation: we have our demo application and we have a separate project that is only for my
policies. So this is where the policy lives, and then I can just quickly merge this. Of course, right now I'm a person who has the ability to do this across two projects, but if I were to go back quickly to my workshop, this could be a separation of duties, because you don't want your developers to be able to set their own policies by themselves. So now I'll go back into my application where I was, at the security policy project over here. Automatically GitLab will help you create that project for you, and if you have an existing project it will help you organize all of these things into your security policy project.

So step one is done: we have created a dynamic policy such that if there are new dependency vulnerabilities being scanned, it will automatically check whether they are high or critical, and if there is a degradation in that sense, the security team will then have to step in to approve some of these things.

Next we will look at it from a license perspective, so how do you actually do it? I go back into my Security and Compliance and come into License Compliance. Over here I can see all the different types of licenses that are detected. By default GitLab will detect the licenses for you; all you need to do is create the policies as you need them. Over here I have some of the licenses. Say for example I choose not to allow an Apache license: any time an Apache license is used, depending on the libraries that you have imported and so on, I would want to deny that, and only if a security person or a QA person approves it can it be merged into a master branch or a protected branch. So let's see how that can be done. You can create a deny license
approval, and then you can add a certain license type. For example, if I add something like this: I don't want anything that is using the Academic Free License version 2.0, so I will deny this. Automatically, when I create this denial, it will create a new policy rule here, such that any time it sees that particular license being used it will require that approval. License approvals are inactive over here, so I have not created that yet; it automatically comes here, and what you need to do is update the approvals as needed. Over here you can also search for groups, so likewise I can do it for my compliance group, from my QA team over here, and then I add that approval. So now this has been done, and in the future, if one of these licenses has this issue, my QA team will need to step in and look at it.

All right, so that's how we actually set this up. Next, let's look at it from a workflow perspective. Earlier, when I showed you the developer workflow, we started from creating an issue all the way to creating a merge request. Let's do that, because just now we only did a pipeline run directly on the main branch and didn't do it for anything else. So we start with an issue, and I'll create a quick issue here in our issue board. We probably need another webinar to talk about it: we have different types of epics, workflows and things we can do in terms of assigning story points, proper tags and everything like that, but let's start with something simple here. We'll do another one where we're going to add new code that is vulnerable. Obviously in the real world you're not going to do that, but we're going to show you how that could potentially be done as well. I see that there are some
questions over there about the pre-stage and everything. I'll show you that a little bit later; that's not from a policy standpoint but more from a compliance framework standpoint. I'm just going to show you the overarching thing as well. Unfortunately, to be honest, we're trying to cover as many things as possible, but we might miss out a few things because of time.

All right, so let's create an issue over here, and with this issue let's create a merge request. Of course, you can fill in the details later, with labels like critical and everything like that, but that's not our focus now. So if we create a new merge request here, there are some things such as approval rules. Over here, like we mentioned, you can create your approval rules; it can be dynamic or it can be something that is hard-coded, as in this case. So if there are certain things you require and you're not really trying to do it from a policy nature, you just want a certain team that always needs to approve certain things, you can do it directly over here as well. Otherwise, our best practice is to always do it from a policy nature because that's more dynamic. So I'll add one more approval rule here and then I'll just add someone from my namespace as a generic approval. You could do that here. So I will then create a merge request, and we will try to simulate this.

Here we will open the code in the Web IDE to show how this looks. Recently we did quite a bit of changes to our Web IDE and how you can do remote web development; you can read a blog post about it, and we are going to be doing a lot more work on this
as well. So from our CI file, maybe I'll just do a very quick additional line of code here, and then we will do a merge over here. You'll commit to a new branch and put in a proper commit message, like "adding comments to CI file". Since we are over here, I just want to also let you see that there is no pre-stage here, and I'll mention it a little bit later. So I'll commit to a new branch and let it run as needed.

Let's go back to the project and see what has been done. Automatically you can see that there are certain pipelines running, and at the same time a merge request has also been created. Let's look at this one over here, and there are the pipelines that are running. Of course this will take a little bit of time, but once these pipelines run, certain things will come into play. So let's take a look at one that has been completed. After you have all of these things, because the jobs have to run to completion before the policies come into place, since they are dynamic depending on what kind of results you get from these pipelines, what you will be able to see is that everything is put in place in terms of a pipeline. Like I mentioned earlier, this pipeline has come into place, and you do have your approvals that need to come into place here. So for example, if you have the different types of approvals here, you would then see a summarized overview of what has changed. Quality hasn't changed, because I haven't changed any real code, I've only added some comments. Some of the things such as license compliance have come into place, such as policy matching and everything like that; so far it has detected nine licenses, but there isn't a problem with regards to that. Security scanning
also gives you a multitude of the different types of security scans. All of these are things you should be thinking about. Earlier, when I was showing you security scans, they were individual; what we are showing here is not only the individual results but the results from a merge request perspective, and then ready to merge and so on. So this one is an example where everything is fine and it did not trigger any of these things. But say for example this one that I created about a week ago: this is something that it did not allow me to merge. There is an approval that is required from my security team, and unless I get that approval I will see this result, which is that the merge is locked. I'm not able to allow that merge to happen because it actually goes against the policies that I have. So, as you can see, we looked at two different ones: first and foremost our scan result policy, so if something violates the scan result policy you will see that something is blocking; and for example if it's something that is related to your licenses, those will also block as needed.

All right, moving very quickly into the next one, which is our compliance. Just now I think there were quite a few questions about where exactly this pre-stage that I created is, and why it's forced to run no matter what, even if I have not defined it over here. So let me show you where that is today. If you see over here, within my folder I have a lot of different types of applications that I've worked with customers on. This is at the top-level group, so this is the John Lim demo top-level group, as you can see here (it's a bit small), and what you can see here is also under my Settings. Okay, I think I zoomed in a bit too much. So over here
you can see that under General is where you define your compliance frameworks. You can add a new framework, and the one we are doing is the compliance deploy framework. What it does is that you can name a framework and then specify a particular pipeline. So any project that is tagged with this particular framework has to go through this particular pipeline first before other things can be run. If there are any conflicts, depending on the dynamic things, certain things can be defined and then overridden as needed, but whatever happens in this compliance framework pipeline needs to run. Certain things you can also leave out.

So where is this actually? It's under my workshop and compliance file. Very quickly, let me show you where that is. In my compliance workshop here, I have a compliance file that's under the folder HIPAA, and if I look in here, this is where this pre-job is running. So whatever you see in that pre-job stage running is happening over here within my compliance framework pipeline. Every job that has been run has no choice: because the whole project has been tagged with this compliance framework, everyone needs to run this particular job. Of course this is just from a demonstration perspective; you can flesh it out a little bit more. I know companies who, at various different stages of their whole pipeline, might require certain things to be run so that people don't skip certain types of job.

So that's an explanation of a few different features: first and foremost you see them from a scan result policy, you see it from a license perspective, and you see it from a compliance pipeline nature. Let's shift gears and look at it in a different
way, from a security standpoint. So if I were to go back to my application (I know this is a bit jumpy, but in terms of separation of duties I'm trying to play two or three different roles, and that's why, but the idea is the separation of roles and the control that you have in doing these sorts of things), coming back here, just now we looked at security vulnerabilities at a pipeline level and at a merge request level, but how about at a project level? If we come in here and look at it from a Security and Compliance standpoint, you can look at the Vulnerability Report. What this does for you is that it allows you to see a summarized overview of all the different types of vulnerabilities, and as I mentioned earlier, there are many different types of vulnerabilities, and you can put all the different types of filters into place. So say for example let's look at something that is under our DAST scanning. What we see here is that there are certain types of things, and what you could do here is, maybe this is a low vulnerability and I find that I don't really need to deal with it, so I can change my status to dismissed. First and foremost, the important thing is that all these things are logged, so all these things would be known; it doesn't mean that once you dismiss it, it will be lost for the future. If you want to see something that's dismissed, you can also come in here and see all the different statuses, so you can come back to it as well. All right, so those are my DAST results, and automatically you can see that it has disappeared from here because of the filters that I put into place. Let's not look at DAST but at something that's dependency scanning, and over here maybe I just want to look at something like this high prototype
pollution in async issue here. It tells me all the details, as I mentioned before, it tells me all the different things, and then it tells me a solution over here. Pretty straightforward, something that a developer can do very quickly and resolve accordingly. What I can do here is then create this into an issue. The moment I create an issue, automatically it helps me populate everything nicely here. I can then assign this to the developer. Say for example I'm assigning it to Bernard, who is on the call and helping me with the Q&A today; he's not part of the project, so maybe I'll assign it to someone else. I'll assign it to Ian and then I can create this issue. Automatically he gets a notification, depending on how you set up notifications, and what he needs to know now is that he has something that he needs to work on, and he has all the details that he needs. Importantly, like I mentioned earlier, this is confidential: you don't want everybody to know about it, you only need the people required to see some of these things. So that's the workflow that we want to see as well.

The next thing that I want to demo at the last part is some of the container policies. Let's go back here. We've seen it from an overall perspective and the workflow of how a security person will do it. Say for example a whole project has been developed to completion, and now we want to run regular scans on our containers. What we can do from the security perspective is look at the policies, and I can create a new policy here. If I do a new policy, I can say a scan execution policy, and run it at a strategic time frame, so on a scheduled basis, for the branch, on the agent. So select the agent over here. I think my agent name is, let me quickly, I suddenly can't remember my agent name, but from my infrastructure
Terraform cluster, so it's my simple notes agent. This is my cluster in Kubernetes, in the namespaces over here for my agent. So for this agent it runs every night at 12 a.m., then runs a DAST scan or container scanning. Over here, for container scanning, select it automatically and do all these things. What this basically does is that every day it will run a continuous container scan at 12 a.m. This sets up the regular scanning portion, and if there are new vulnerabilities that come into place, they will automatically go into a report, and then you can configure them as need be. All right, so this is container scanning, and you can configure that at a merge request like the one we did previously. With scan execution policies this will also be in a separate policy project that you can merge over here.

Let's look at where all of these things are. If I go back to my project directly (of course I'm a bit more familiar with the way I'm navigating all these breadcrumbs), for example my security vulnerability report, where all of these results will come into place, is under the second tab, which is Operational Vulnerabilities. So quickly, it's Security and Compliance, Vulnerability Report, and under Operational Vulnerabilities you can see all of these different ones and which clusters they're coming from. So if you have multiple Kubernetes clusters and they are running separately, you can also separate that out individually. Looking into individual ones, I can then see which ones: the scanner is Trivy in this case, and there are certain things that I can fix, such as upgrading to another version of Python in this case. All right, so that's kind of the coverage in terms of security execution policies, in terms of
scan execution policies and in terms of compliance. I know I'm running out of time because there's quite a lot that I want to show, and I'm quite excited about the features here. Last but not least, I just want to show you the audit events feature. We have done quite a lot of different work here, and all of these things are logged. So if I changed approval rules and everything like that, you can see that everything is logged as needed.

All right, there are many, many more features; I can't talk about everything, but that's a high-level overview in terms of how we actually govern GitLab as a whole. I think we do have a few questions in here which I want to quickly go through. I'm just going to see if I can get help from my team: are there any questions that are not answered yet that we want to answer? Let me just see which ones, any questions that are not answered yet.

Looks like most of the questions have been answered, Jonah.

Okay, all right, thanks everyone. So if you have any more questions, maybe a couple more minutes if you have any more questions to ask, just quickly do that. If not, I honestly rushed through a little bit at the end, but there's quite a lot of different features and I just wanted to be a bit more detailed in talking about some of these features. Like we mentioned earlier, the slides and the recording will be available for download later on; the slides I think you already have access to. But please try it, and maybe you can set it up on your own. We have a trial license that you can always set up on your own where you can try some of these features.

I see a last one, which is Leslie asking whether these results can be accessed by API. The answer is yes, you can access them by API. We do have an API for scan results; a good way to look at it is directly from our GitLab API, from
the Vulnerabilities API. Our Vulnerabilities API is where you can do some of these things, and of course all the different things that you can do with these. Can we have a session recording? The session recording will be available. Partner-specific discussions, for sure; reach out to us. We are not from the partner team, but we can definitely put you in touch; we work very closely with the partner team in terms of partner enablement and also helping with opportunities and everything like that, but please reach out to us. Let me show you my email again so you can reach out to me. If you know the partner manager, please reach out to the partner manager directly; if not, you can reach out to me and I can redirect that too, because we do have a separate team, a separate solutions architect team and everything like that, for partners.

I think that's the end. I did exceed a little bit, so I want to end it quickly. Anything else? Oh, my email is not there? Right, sorry, that's a good one: jlim@gitlab.com. I forgot to put it down, so that's my email address; it's just j and lim, my surname. If not, I think that's all from me, and thanks to everyone who was attending this call. I hope this was helpful for you. Of course this is only an introduction; we do have workshops upcoming in which you can do a bit of hands-on and try them out yourself, and then you may get a better understanding of it. But again, feel free to try them out; there are quite a lot of videos available on GitLab and you can try those things. If not, if you have a specific commercial thing that you might want to do, you can reach out to me or to whoever reached out to you earlier on and we will talk then. I think that's all I have. So, Tim, should we end the session now?

Yep, thanks Jonah, thanks for the very insightful
demo. We'll be sharing the recording after this has finished, so look out for that in your inbox. Thanks everybody.

Thank you, bye.
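The three policies built in the UI during the demo (the scan result policy gating newly detected critical/high dependency scanning findings behind a security-team approval, the license deny rule handing Academic Free License v2.0 hits to the QA team, and the nightly container scan execution policy running through a cluster agent) are stored by GitLab as YAML in the security policy project, at `.gitlab/security-policies/policy.yml`. The file below is an added example written for this transcript, not the presenter's own policy project: the group paths under `group_approvers`, the agent name `simple-notes-agent` and the `default` namespace are placeholder assumptions, and the rest uses the policy schema as documented by GitLab.

```yaml
# .gitlab/security-policies/policy.yml in the security policy project
# (added example; group paths, agent name and namespace are placeholders)
scan_result_policy:
  - name: Block new high/critical dependency findings
    description: Require a security-team approval when dependency scanning
      reports one or more newly detected critical or high vulnerabilities.
    enabled: true
    rules:
      - type: scan_finding
        branches: []              # empty list = every protected branch
        scanners:
          - dependency_scanning
        vulnerabilities_allowed: 0  # "more than zero" triggers the rule
        severity_levels:
          - critical
          - high
        vulnerability_states:
          - newly_detected        # only findings introduced by the MR
    actions:
      - type: require_approval
        approvals_required: 1
        group_approvers:
          - jlim-demo/compliance-workshop/approvals/security   # placeholder

  - name: Deny Academic Free License v2.0
    description: Hand any merge request that introduces a denied license
      to the QA team for approval.
    enabled: true
    rules:
      - type: license_finding
        branches: []
        match_on_inclusion: true  # rule fires when a listed license IS present
        license_types:
          - Academic Free License v2.0
        license_states:
          - newly_detected
          - detected
    actions:
      - type: require_approval
        approvals_required: 1
        group_approvers:
          - jlim-demo/compliance-workshop/approvals/qa           # placeholder

scan_execution_policy:
  - name: Nightly container scan of the running cluster
    description: Scan images running in the cluster every night at 00:00;
      results land in the Operational Vulnerabilities tab.
    enabled: true
    rules:
      - type: schedule
        cadence: "0 0 * * *"      # 12 a.m. every day, in cron syntax
        agents:
          simple-notes-agent:     # placeholder agent name
            namespaces:
              - default           # placeholder namespace
    actions:
      - scan: container_scanning
```

Because the policy project is separate from the application project, developers who can push to the application cannot loosen these gates without a merge request into the policy project, which is the separation of duties the session describes; the approval group paths in this file are what the UI fills in when you pick the security or QA team.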
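The forced pre-job shown under the HIPAA compliance framework is a compliance pipeline: a `.gitlab-ci.yml` in the compliance project that the framework points at, which runs its own jobs and then includes the tagged project's regular pipeline. The configuration below is an added example, not the file from the presenter's workshop project; the job name `compliance-precheck` and its script line are placeholders, while the `include` block is the documented pattern for pulling in the labelled project's own configuration.

```yaml
# .gitlab-ci.yml in the compliance project referenced by the compliance framework
# (added example; job name and script are placeholders)
stages:
  - build
  - test

# Runs in the built-in .pre stage of every project labelled with the framework.
# Projects cannot skip it: the framework pipeline is executed instead of,
# and wraps, their own .gitlab-ci.yml.
compliance-precheck:
  stage: .pre
  script:
    - echo "Compliance pre-job enforced by framework for $CI_PROJECT_PATH"

# Execute the individual project's configuration (if the project has one)
# at the commit being built, so MR pipelines do not silently use the default branch.
include:
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_SHA'
    rules:
      - exists:
          - '$CI_CONFIG_PATH'
        project: '$CI_PROJECT_PATH'
        ref: '$CI_COMMIT_SHA'
```

One caveat a practitioner should check: `.pre` jobs only run when the pipeline contains at least one job in another stage, so a labelled project with no CI configuration of its own still needs a job in `build` or `test` here, otherwise the pre-job never executes and the control is silently absent.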