Demo Script - Fork
Loose Script
For this demo it is best to have the project forked twice: one fork where you can set up the merge request and another where you have already merged the MR. That way you will not have to waste time waiting for pipelines to run.
Shifting Security Left Demonstration
Step 1: Sell Shifting Left - Explain that we will first take a look at the scans and the tools we provide in Ultimate
- In the MR, start by talking about the shift-left mentality and how everything was kicked off with a simple commit
- Explain how automatic tests are kicked off; you can even show this by opening the IDE, making a change, then going back to the pipelines to see the new pipeline
- Explain the "Review" job, which lets you see changes to the application before deploying to production
- Explain the security report
- You don't have to click merge, as it will already have been merged
Step 2: Showing the pipeline that ran - Go here: https://gitlab.com/gitlab-learn-labs/webinars/compliance-lunch-and-learn/devsecops-workshop/-/pipelines/653432632 and explain all of the scans and jobs that have run
- After you explain the scans, show how easy it was to set up by looking here: https://gitlab.com/gitlab-learn-labs/webinars/compliance-lunch-and-learn/devsecops-workshop/-/blob/completed-pipeline/.gitlab-ci.yml
- Make sure you call out the templates that were brought in; open the file in the editor, then show how they can click the includes tree in the top right to see exactly what they are adding
Step 3: Reports and Dashboards - Now explain to the audience that on a bigger team, lots of MRs and commits could be flying in at all times, so they couldn't possibly look at each individual pipeline to gauge overall security; instead they can look at the reports and dashboards that were generated
- Start with the security dashboard; a higher-level individual will find this useful for spotting trends in overall app health over time. You can show gitlab.com to show we dogfood it: https://gitlab.com/gitlab-org/gitlab/-/security/dashboard
- Same with the vulnerability report. Go ahead and take a look at a critical vulnerability using the filters and show we can find it in the code. Then filter for a lower severity and dismiss it with a comment
- Show the Dependency List with open source components and associated vulnerabilities, explaining the SBOM aspect and the generated CycloneDX JSON format
Go back to slides to present compliance
Compliance Demonstration
Step 4: Compliance - License compliance: go through the process of showing the licenses identified by the scan, and then actively show how you could block one by creating a license policy
- Audit Events - show what we keep track of and explain that you could audit the actions of bad actors
Step 5: Compliance Framework Pipeline - Start by going here to show we have one set up already, and show how another could be set up: https://gitlab.com/groups/gitlab-learn-labs/-/edit
- Then take a look at the compliance pipeline we defined: https://gitlab.com/gitlab-learn-labs/sample-projects/compliance-framework and explain each part: how it enforces which jobs run, in what order, which specific jobs are required, and then how it runs the project's default pipeline
- Go back here https://gitlab.com/gitlab-learn-labs/webinars/compliance-lunch-and-learn/devsecops-workshop/edit and explain that we will add the framework to the project we have been using, then open the project home page to show it is applied
- Need to decide if we make a simple pipeline branch to show that it ran
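As an added illustration for Steps 2 and 5 (this is not the contents of the workshop's compliance-framework project, which this script only links to), a compliance pipeline configuration of the shape described above: it pins the stage order, forces in the same security scan templates the demo's .gitlab-ci.yml pulls in, and then includes the labelled project's own configuration so its build/review/deploy jobs still run. The project path in the `rules` line and the `compliance-audit` job are assumptions for the example.

```yaml
# Compliance framework pipeline: lives in a separate project and is applied to
# every project that carries the framework label. Developers cannot remove the
# jobs defined here from their merge request pipelines.

# Fixed stage order so the compliance team controls where its jobs land.
# Stages with no jobs in them stay hidden.
stages:
  - pre-compliance
  - build
  - test
  - deploy
  - post-compliance

include:
  # Enforced scanners (standard GitLab security templates).
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml   # also produces the CycloneDX SBOM shown in Step 3
  - template: Security/License-Scanning.gitlab-ci.yml      # license compliance scan used in Step 4
  # Then run the labelled project's own .gitlab-ci.yml (the "default pipeline").
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_SHA'   # needed so MR pipelines use the MR commit, not the default branch
    rules:
      # Assumed path: prevents the compliance project from including itself.
      - if: $CI_PROJECT_PATH != "gitlab-learn-labs/sample-projects/compliance-framework"

# Compliance-owned job that runs before anything else. The name is prefixed so it
# does not collide with job names in the included project configuration.
compliance-audit:
  stage: pre-compliance
  image: alpine:latest
  script:
    - echo "Compliance framework applied to $CI_PROJECT_PATH at $CI_COMMIT_SHA"
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```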
Back to slides for wrap up
Could do: on-demand scans, personal configuration of jobs
Edited by Logan Stucker