Conference Demos
This application can be used by GitLab employees to give demos at security-focused conferences such as RSA, Black Hat, AWS re:Inforce, etc.
Prerequisites
To have this application ready for a conference, create an issue at least 2 weeks before the demo environment is required, to allow the Developer Advocacy Team ample time to provision an environment. You can also provision this environment on your own instance by completing Lesson 1 and Lesson 2.
In the issue, list all team members who need access. The Developer Advocacy team will then:
- Add team members to the conferences group
- Set up the Tanuki Shop application with all the items required to showcase GitLab security features
- Set up the Tanuki Shop - Custom pipelines
The setup items include:
- Merge Request Approval Policy (Vulnerabilities)
- Merge Request Approval Policy (Licenses)
- Pipeline Execution Policy (SOC2 sample job)
- Merge Request with Vulnerabilities
- Merge Request with Fix for Basket
Standard Demo Flow
This section covers what we can quickly showcase at a conference to show the value of GitLab security and compliance features. Before starting a standard demo, ask the attendee the following:
- Are they currently using GitLab? If so, what are they using it for?
- What are they looking to achieve from a DevSecOps perspective?
The answers should determine what to focus on in the demo. If, however, they just want to see the product in action, follow the standard flow.
As you go through the steps below, address questions as they arise; you should have a basic understanding of the security and governance features in GitLab Ultimate.
- Show how security scanners can be easily added to the .gitlab-ci.yml
  - Go into the templates and list the scanners GitLab provides
  - Show the pipeline created from the YAML
  - State that the SOC2 compliance job is not in the YAML but is loaded via a policy, enabling separation of duties
- Showcase an MR which introduces several different types of vulnerabilities
  - Focus on showing the code flow provided by Advanced SAST
  - Explain how vulnerabilities are actionable
  - Show how MRs can be blocked if vulnerabilities or incompatible licenses are detected
- Show the vulnerability report and how it contains all the vulnerabilities in the default branch
  - Show the details provided for a detected vulnerability
  - Show how vulnerabilities can be triaged
  - Show how a vulnerability can be explained with AI
  - Show how a vulnerability can be resolved with AI
- Showcase the SBOM (Software Bill of Materials)
  - Show the fields provided and the value of knowing which dependencies are in your application and container image
  - Explain that it can be exported in CycloneDX format
- Showcase how an audit would be performed
  - Go to audit events and show how the different actions performed are recorded
- Showcase the compliance dashboard
  - Show how the compliance report highlights areas where a project has fallen out of compliance
  - Explain that GitLab has 50+ out-of-the-box controls
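The first step of the flow, enabling scanners by including GitLab's templates in .gitlab-ci.yml, looks like this in a minimal pipeline file. This is an added example, not the Tanuki Shop project's own configuration: the template paths are GitLab's published template names, while the stage layout and the placeholder build job are assumptions. Note that the SOC2 compliance job does not appear here; it is injected by the Pipeline Execution Policy, which is the separation-of-duties point to make during the demo.

```yaml
# Added example .gitlab-ci.yml (not the Tanuki Shop project's own file).
# Each included template adds its scanning jobs to the "test" stage, so the
# project pipeline needs no per-scanner job definitions of its own.
stages:
  - build
  - test

include:
  - template: Security/SAST.gitlab-ci.yml                # static analysis of source (Advanced SAST on Ultimate)
  - template: Security/Secret-Detection.gitlab-ci.yml    # credentials committed to the repository
  - template: Security/Dependency-Scanning.gitlab-ci.yml # known-vulnerable packages in lockfiles
  - template: Security/Container-Scanning.gitlab-ci.yml  # OS/library vulnerabilities in the built image

# Placeholder build job (assumption): the scanners above run automatically
# after it. Deliberately absent: any SOC2 compliance job. That job is
# injected by a Pipeline Execution Policy managed outside this repository,
# so developers cannot edit or remove it from the project's YAML.
build:
  stage: build
  script:
    - echo "build the application here"
```

When showing the resulting pipeline, point out that the compliance job appears alongside the scanner jobs even though it is not defined in this file, which is what lets a security or compliance team own that control independently of the development team.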
If you don't know how to perform these tasks, go through the lessons provided in this documentation.