How to run this demo
This demo is meant to showcase the different workflows on which developers and AppSec engineers can collaborate in order to secure an application.
Developer Workflow
- Create an MR with GitLab using a feature branch
- Introduce common security vulnerabilities
- Create an MR, as well as have one that is already available (since it takes too long for the scans to run)
- Describe the pipeline from end to end and go over each test that runs on the feature branch.
- Within the MR, show the detailed information provided by the GitLab scanners
  - Show a vulnerability for each type of scanner
  - Show the line of code where the vulnerability has been found
  - Show information on the vulnerability
  - Show how to resolve it
- Show how a confidential issue can be created
- Show how a vulnerability can be dismissed
- Resolve a vulnerability and re-run the pipeline
- Display Merge-Request approvals
- Go over Vulnerability-Check
- Go over License-Check
AppSec Engineer Workflow
- Display the Project-Level Security Dashboard
  - Go over the different types of sorting
  - View a vulnerability
  - Change the status of that vulnerability
  - Show that the user who changed the status, and when, is recorded
- Display the Group-Level Security Dashboard
  - Go over the different types of sorting
  - Examine the rate of change
  - Display the A-F risk rating
Configuration
- Display the .gitlab-ci.yml file.
- Go into how to add security scanner templates
- Go over the environment variables the scanners read
- Show how to configure security scans with Auto DevOps
- Show how to configure security scans using UI
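The following is an added example of what the `.gitlab-ci.yml` walked through in this section can look like; it is not the demo project's own file. It enables the GitLab security scanners by including the official templates and tunes them through the variables the templates read. The `build_image` job and the `CS_IMAGE` value are assumptions: Container Scanning needs an image to scan, so this example pushes one to the project registry in the `build` stage before the scanners run in `test`.

```yaml
# Added example (not the demo project's file): enable GitLab security scanners
# by including the official templates. The scanner jobs attach to the "test" stage.
stages:
  - build
  - test

include:
  - template: Security/SAST.gitlab-ci.yml                 # static analysis of source code
  - template: Security/Secret-Detection.gitlab-ci.yml     # committed credentials and tokens
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # known-vulnerable third-party packages
  - template: Security/Container-Scanning.gitlab-ci.yml   # OS packages in the built image
  - template: Security/License-Scanning.gitlab-ci.yml     # licenses feeding the License-Check rule

variables:
  # These are real template variables; the values shown are the example's choices.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"   # keep test fixtures out of SAST results
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"     # same exclusions for Dependency Scanning
  SECURE_LOG_LEVEL: "debug"                       # verbose analyzer logs while setting the pipeline up
  # Assumption: the image built below is what Container Scanning should inspect.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Assumed build job: produces the image that Container Scanning reads via CS_IMAGE.
build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CS_IMAGE" .
    - docker push "$CS_IMAGE"
```

On a feature branch MR, each included template adds its own job, and the findings surface in the MR security widget that the Developer Workflow walks through; the Vulnerability-Check and License-Check approval rules then act on those same reports. With Auto DevOps enabled, the same scanners run from the Auto DevOps template without a hand-written file, which is the alternative the last step of this section demonstrates.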