[0:00] Hello, my name is Alex and I am a Solutions Engineer at GitLab. Today, I'll be demonstrating how to improve your security posture using GitLab's security features. I'll be doing this by walking through a typical developer workflow where a developer opens up a merge request, adds some code, and then merges it into the main branch. And then we'll review what GitLab found and then remediate any findings.

So to begin, I've already forked and cloned this project into my local environment. This is a very simple to-do application that has a very easily exploitable vulnerability. And I'll be opening a merge request, adding this vulnerability, and then merging it into the main branch. So to begin, I'm just going to open up my IDE. I'm using VS Code, and I've already created a new branch called security demo. So I'm going to open up my index.js file and add some malicious code here. Now, this is intentionally vulnerable code. It's a command injection vulnerability. And what it's doing is it's taking user input from the to-do item and then directly passing it into the execute function here, which is vulnerable to command injection. So I'm going to save this file and then I'm going to stage it. I'm going to commit this with a message. And then I'm going to push this up to the remote repository. And then from there, I'll be able to open up a merge request.

So now that I've pushed that code up to the remote repository, I'm just going to navigate back to my GitLab project. And from here, I can open up a new merge request. I can see here that I have an option to create a merge request from my security demo branch targeting the main branch. So I'll click that, and then I'll create the merge request. Now, the first thing that's going to happen when I create this merge request is it's going to kick off a new pipeline. This pipeline is going to run a few security jobs that GitLab provides out of the box. These include static analysis, dynamic analysis, dependency scanning, container scanning, and license scanning. So if I navigate to the pipeline here, I can see that the pipeline has started running. It's still in the running state. So I'll pause the video here and come back when this pipeline has completed.

Alright, so the pipeline has completed. Now that the pipeline has completed, we can review the merge request and see what GitLab found. So the first thing I'm going to do is navigate to the merge request. And from here, I can see a few things. The first thing that I notice is that the security scan found one vulnerability. And there's a new widget here that tells me about the security scanning results. There are 15 vulnerabilities and two of them are critical and three of them are high severity. So I'm going to navigate to the security tab here on the merge request. And from here, I can see a full list of all of the security vulnerabilities that GitLab found. I can see the one vulnerability that I added with my commit. It's a command injection vulnerability of critical severity. This was found by the SAST scanner, and it's a new vulnerability. So this vulnerability was not on the main branch prior to my merge request. I can also see all of the other vulnerabilities that GitLab found. It found some SQL injection vulnerabilities, as well as some cross-site scripting vulnerabilities. These are existing vulnerabilities that are on the main branch, so these are not new. GitLab also displays all of these vulnerabilities directly in line with the code, so I can go to the changes tab here. And I can see the vulnerability that I added. It's highlighted in red here. And if I hover over this, it tells me that it's a command injection vulnerability. And I can click on this to get more information, or I can even dismiss the vulnerability.

So now that I've reviewed the merge request, I'm just going to go ahead and merge this into the main branch. This will allow us to then review the security dashboard. So I'm going to click the merge button here, and it's going to merge that into the main branch. Now that I've merged my changes into the main branch, I'm going to navigate to the security and compliance section here on the left, and then I'm going to click on the vulnerability report. From here, I can see a full list of all of the vulnerabilities that GitLab found. This is a full list of all of the vulnerabilities that are on the main branch. From here, I can filter by severity. I can also filter by tool. I can see here that the SAST scanner found a command injection vulnerability, which is the vulnerability that I added. I can also filter by status.

So I'm going to click on the command injection vulnerability here, and this takes me to the vulnerability details page. From here, I can see more information about the vulnerability, including the severity, the status, and the scanner that found it. I can also change the status of the vulnerability. So I can change this from detected to confirmed, dismissed, or resolved. So for the purposes of this demo, I'm just going to mark this as dismissed because it's a known vulnerability and I'll address it later. I can also create an issue directly from here. So if I click create issue, it's going to create a new issue for me, and I can then assign this to a developer to address this vulnerability. So I can see here that the issue has been created, and I can navigate to the issue directly. From here, I can assign it to a team member, and they can then address this vulnerability. I'm going to navigate back to the vulnerability details page. And from here, I can see that the issue has been linked to the vulnerability. And I'm going to dismiss this vulnerability. Now that I've dismissed the vulnerability, it's no longer going to appear in the vulnerability report. And I can also click on the activity tab here to see a full history of the vulnerability. So I can see that I changed the status from detected to dismissed, and I also created an issue for this vulnerability.

So now that I've reviewed the vulnerability report, I'm going to navigate to the dependency list. The dependency list gives me a full list of all of the third-party dependencies that my project is using. And I can see here that it's using a few different packages, including Express, which is a web framework for Node.js. I can also filter by license here. And from here, I can see all of the licenses that my project is using. I can also click on each of these to see more information about the license. So now that I've reviewed the dependency list, I'm going to navigate to the license compliance section. The license compliance section gives me a full list of all of the licenses that my project is using. And it also tells me whether or not these licenses are approved or denied. I can see here that the MIT license is approved, but the Apache 2.0 license is denied. I can change the status of these licenses by clicking on the three dots here and then clicking edit policy. From here, I can change the approval status of the license. So I'm going to change this to an approved license. And now it's going to be approved.

So that concludes this demonstration of how to improve your security posture using GitLab's security features. Thank you for watching.
Transcript source
YouTube auto captions
This transcript was extracted from YouTube's auto-generated caption track.