@@ -15,9 +15,9 @@ In the last lab, you introduced the SAST and Secret Detection scanners into your
1. In the security report, select **Severity** to change the sort order. Ensure that the arrow is pointing down so that severity is sorted from highest to lowest.
1. Select the severity vulnerability **GitLab Personal Access Token**. It should be at the top or close to the top.
1. Select the vulnerability **Active debug code**.
1. Review the vulnerability. You will see that the finding is valid, as the `main.py` file contains a GitLab API token.
1. Review the vulnerability. You will see that the finding is valid, as the `main.py`'s HTTP debug code is set to 'True'.
1. In the top right corner, click **Edit Vulnerability**, and then choose **Change status**. Set the status to **Confirmed**, and click **Change status**.
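Review bot: the replaced "Select the vulnerability **Active debug code**" step drops the locating hint the old line carried ("It should be at the top or close to the top") while the preceding step still tells the reader to sort by severity, so nothing now says where the new finding will sit in the sorted report; either state the severity the scanner reports it at or replace the hint with another way to find it (e.g. searching the report for the finding's name). In the new "Review the vulnerability" step, "the `main.py`'s HTTP debug code is set to 'True'" is awkward and mixes quote styles with the rest of the guide; suggest "as `main.py` starts its HTTP server with debug mode set to `True`". Since the hunk's context still introduces both SAST and Secret Detection, a half-sentence noting that this finding comes from SAST would tell the reader which scanner's results they are confirming.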
@@ -45,25 +45,23 @@ At this point, we've created two issues to address as security issues in our app
1. Navigate to **Plan > Issues**.
1. Select the issue titled **Investigate vulnerability: GitLab personal access token**.
1. Select the issue titled **Investigate vulnerability: Active debug code**.
> In a real scenario, you will also need to rotate this key. Deleting the line of code only removes it from the current code, but the secret may still be contained in the Git history and should be considered compromised.
1. In the left sidebar, select the **Source Control** icon.
1. Type an appropriate commit message (e.g. 'Removed API key), and click **Create a new branch and commit**.
1. Type an appropriate commit message (e.g. 'Turned off debug mode'), and click **Create a new branch and commit**.
1. Press **Enter** to take the default branch name.
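Review bot: the blockquote "In a real scenario, you will also need to rotate this key ..." applies only to the leaked personal access token that this hunk removes from the lab; if it is kept next to the new "Investigate vulnerability: Active debug code" issue it no longer matches the finding being fixed, and if it is being deleted the debug-mode finding is left without an equivalent caveat. Suggest replacing it with a short note specific to debug mode, for example that an HTTP service running with debug enabled typically returns stack traces and internal state to clients, so the flag should also be checked in how the app is launched and deployed, not only in the line being edited here. The new commit message example ("Turned off debug mode") also fixes the unbalanced quote in the old one, which is fine.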
@@ -73,12 +71,10 @@ At this point, we've created two issues to address as security issues in our app
1. Wait for the pipeline in the merge request to complete, and refresh the page. Click on **View all pipeline findings**.
1. Review the findings. You should no longer see the **GitLab Personal Token** issue in the security list.
1. Review the findings. You should no longer see the **Active debug code** vulnerability in the security list.
1. Return to the MR, and select **Merge** to merge the security updates.
1. Try out solving the SQL injection vulnerability on your own!
## Lab Guide Complete
You have completed this lab exercise. You can view the other [lab guides for this course](/handbook/customer-success/professional-services-engineering/education-services/ilt-labs/gitlabsecurityessentials).
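Review bot: the new "Review the findings" step says the **Active debug code** vulnerability should no longer be in "the security list" but does not say which list; since the reader has just clicked **View all pipeline findings**, name the pipeline's security report explicitly so it is clear that the check is against the merge request pipeline's SAST results rather than the project-level report shown earlier in the lab. It is also worth stating in the "Wait for the pipeline" step that the SAST job in particular must have finished, since that is the scanner that produces this finding and a partially complete pipeline would show an incomplete report. The old line's "GitLab Personal Token" wording was inconsistent with "GitLab Personal Access Token" used earlier; the replacement removes that inconsistency, so no further change is needed there.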