From YouTube: CNCF Live Webinar: Cloud native DevOps security
A: And let me give y'all a little intro and off we'll go. Thank you, everyone, for joining us. Welcome to today's CNCF live webinar, Cloud Native DevOps Security. I'm Libby Schultz and I'll be moderating today's webinar. I'm going to read our code of conduct and then hand it over to Sebastian Straub and Simon Milot, solutions architects with Prisma Cloud by Palo Alto Networks. A few housekeeping items before we get started: during the webinar you're not able to speak as an attendee. There's a Q&A box at the bottom of your screen. Please feel free!
A: Please do not add anything to the chat or questions that would be in violation of that code of conduct, and please be respectful of all of your fellow participants and our presenters. Please also note that the recording and slides will be posted later today to the CNCF online programs page at community.cncf.io.
B: Thank you, Libby, for your introduction. Thank you, everyone, for joining our webinar today. My name is Sebastian Straube and I'm a cloud solutions architect at Palo Alto Networks. I'm sitting here in Zurich, Switzerland, and I also want to introduce you to Simon Milot. He's also a cloud solutions architect. Hello, Simon.
C: Hey, hello Sebastian. Here, thank you, Libby, for the introduction, and indeed I'm a cloud solution architect at Palo Alto Networks, so basically mainly focusing on the Prisma Cloud product, and yeah, I'm happy to be here. I prepared a nice demo and I will be jumping into the demo after the presentation of Sebastian. So.
B: Thank you, Simon. So I'm super happy Simon joined today. He's our demo god, so we all pray to him. So all good. So let's quickly start with our presentation. I prepared a couple of slides for us today here to grasp a little bit around what Checkov is and why Checkov has something to do with cloud native DevOps security.
B: So the first thing we looked at in our quick research we did: we looked at public repositories in the Terraform registry and in the open source code, and we found a pretty interesting result here, and we scanned these.
B: Misconfiguration is one of our biggest challenges in public cloud environments and also in general application development life cycle security, in which we need to think around how we can secure our code. How can we secure our infrastructure?
B: So we take this away and say: okay, is security checked in by default, or how do we think around security? And what I want to present to you quickly is what Checkov is, for the people who don't actually know what it is.
B: Checkov is an open source static analysis tool, so it enables us to scan infrastructure as code in a methodology that is called policy as code, in which you can actually then automatically scan code and introduce this scanned code into visibility, in which we see vulnerabilities, compliance problems and best practice problems in our infrastructure as code templates. In Checkov we pre-built hundreds of policies over our compliance and best practices across all the public cloud providers.
B: At the moment on the market, it is natively supporting, as I said before, Kubernetes manifests, but also Terraform, CloudFormation, ARM and others. And also what I want to highlight here is that Checkov is written in Python, so it's fully extensible. If you want to use the source code and want to extend some functions, if you're a Python pro, you absolutely are in the way to do so.
B: So it's a very simple, flexible tool where we actually can control policies and enforce that we can use our code. So, as we said before, Simon is actually doing the demo after I show a couple of slides in the meantime.
B: If you want to check it out, you can go to this URL and can check the code, but I just want to give you a couple more contexts around this product. When you have checked your software development life cycle, you know, you need to check every corner of your code and of your infrastructure as code templates, etc. So our approach here is that we actually try to find these vulnerabilities and compliance issues.
B: We want to fix them, so we can fix them directly in the IDE, like, for example, Visual Studio Code. We have plugins for all the major development environments in the market, and we also want to prevent that these problems are going into production environments, but we can also fix problems inside production environments, so we can fix problems also at build time. So that means we can integrate our scans into the build time and into the runtime, so in production, in running environments, and in our CI/CD pipeline.
B: As we said before, it's an open source product, and we also, for example, can merge pull requests and we can detect and transform misconfigurations. That's a very important point, and also we enforce our policies in your workflow. So how does it work, actually? This is the challenge actually with our code, because today we have the topic shift left.
B: That is very important to us, because we want to automate our code and the security of the code in our development environment and not in the production environment, because here on this side we see that, for example, we have one misconfiguration and vulnerable code in our build pipeline, and then we deploy this template maybe 100 times or more, and then we create actually, in runtime, a lot of security alerts in the production environment, and this whole shift left topic is around reducing the security alerts in production environments.
B: Without creating, you know, tickets, Jira, PagerDuty or ServiceNow, and then actually needing to come back into the build process, change and then deploy again. So you want to fix a problem in the beginning, and how do we handle this? So it's a handy list, like pros, and we want to show you how this works.
B: So what we do is actually, when we do some code commit, we want to fix and prevent in the development environment and pull request and build: build blocks that some vulnerabilities are going into the test environment, for example, and then also in the deployment/operation state we monitor and we can remediate in this stage, and what we also do before we actually commit this code.
B: We scan these infrastructure templates and also make sure that this configuration meets the requirements of your department, and what we also do is we then show some compliance reports, policy engines, and show also some notifications around this topic. So we can integrate in your hosted CI/CD pipeline, in your workflow that you work in every day, and we make it easy for you to integrate and scan all these different repositories and templates. What do we integrate?
B: But what I want to highlight here is that we support all the major cloud providers, including Kubernetes here, and then also integrate with the typical development environments, including GitHub Actions, GitLab and also Jenkins, including also instant messaging alerts and communications, and also you integrate with infrastructure as code frameworks like Terraform and Helm.
B: So this is absolutely a great starting point for you. What's the benefit, very quickly? So actually, over time, when you are using this kind of methodology in the Checkov tool, you lower the remediation time. This is really interesting because at the end, you don't want to fix the problems in production, right, and then you want to decrease the high severity events. That means that we find vulnerability problems inside the app and reduce the attack surface from the beginning.
B: We simplify the compliance by checking compliance inside the template already, and then, at the end, what we do is, with all this combined together, we are minimizing the attack surface. So what are actually the requirements when we look at how to achieve these benefits? And these requirements are that we need, actually, this infrastructure as code security, a tool where we implement some guardrails.
B: We need drift detection. Drift detection means that we automate the deployment of the code with the template, we're checking the template before deploying, and then when we change something inside the cloud, some resources are changed inside the cloud, we detect this change and then notify on this change and also scan this change. Then, for example, what you also need to implement is secret scanning, so we want to make sure that we don't deploy or commit secrets into our production stage or into other stages.
B: That's something we really want to avoid, and then, for sure, what's very important is least privilege in identity and access management. So that means you don't want to over-privilege some user that has access to environments. So we also check this one. So one thing I wanted to show you is the box ticker. So Checkov is an upstream tool, so there's also a downstream tool for enterprise environments, and maybe later you can check out what kind of functionality you need.
B: But if you need some specific functionality, then you can also check out the downstream tool. So before we go into the demo, I just want to give you a glimpse around our approach and how we tackle today's security situations. What is actually this situation?
B: We are not only looking at the security of the code, but the security of our whole environment, and that includes a lot of different aspects, and when we look at these different aspects, we actually see that, for example, Gartner gives us some trends in strategic technologies which customers are looking at, and we want to understand in which way we, for example, understand cyber security measures and how we can do hyper automation on the right side here, and we also want to understand how to do data loss prevention, data classification, and also looking at virtual protection, security posture management.
B: So we emphasize here for customers that they actually introduce some kind of cloud native application platform approach, and this CNAPP enables IoT leaders actually to laser focus on shift left, so bringing or removing the problems out of the production environment, bringing solving the problems inside the development lifecycle, then also optimizing the deployment time and integrating security in the DevOps processes, reducing the application downtime for break-fix procedures, reducing security alerts and false positives, and SOCs also very important, because it takes a lot of money and time to solve them in production environments.
C: Starting mine. Thank you, Sebastian, for the presentation, and let me hide this one, so yeah.
C: Basically, what I want to show you today is how to get started with Checkov, and the first stuff that you need to do is install Checkov on your laptop, computer, whatever, so just by doing a pip3 install checkov, and that would be sufficient to get Checkov on your computer, and then, as of that, you can run this kind of command, checkov -l, just to list all the policies that we have embedded inside Checkov, and then you are...
C: If you want to scan a specific file, you can just -f Dockerfile, for example. It will scan a Dockerfile, and here on the right side of the screen you can see the fact that I have scanned a directory which contains a couple of Terraform templates, whatsoever, but that's the output you will get with the CLI.
C: So if you want to do this, you have the command line, which is here, it's -d, like directory, and you have to specify the directory. Here it's the current one, and of course there is sometimes a policy that could be not very interesting for you in your situation, so it's cool for what we could call a false positive. For example, you want to publish an AWS S3 bucket on the internet, and yeah.
C: You need a file, it's normal, that is publicly available, so you don't want to fail the pipeline because of that, so you can skip some check, of course, and the other solution is to check: if you do check, that will specify only the check that you want to do. So, for example, now, if we go back, if we go to the demo here, I'm in a directory where I have a small Python application.
C: I hope it's big enough for you guys, or maybe I can zoom it a bit. So, in this I have a Python application with a requirements file here and I have a Dockerfile. So, for example, if I do checkov -f Dockerfile, the command that we just saw in the slide, it will scan the Dockerfile and will give you some kind of recommendation.
C: So, for example, here you have the CKV, this policy from Checkov, which is ensure that the user for the container has been created. If it's not the case, because here it was not the case, then that means you need to do some extra to add the user inside your Dockerfile, for example, or, for example, this one, other than check. For example, what I could do is skip check and just to make it correct. So let's do like that, and then comma, security, docker 2, and yeah.
C: You don't need to put a space here and here. That will give you only the correct check, the check which was correct before, and that would assume that those two checks are failing, but you assume that it's a false positive for your development, before continuing.
C: There was also a command, which is checkov -l, that will list all the policies that we have, and, for example, here you can see that, for example, with this kind of Checkov policy, it will check all the AWS access keys. So, for example, if we find inside the file an AWS access key, it will create an alert and, for example, it could block the pipeline and this kind of stuff.
C: So you could really try to limit the fact that the access keys are published publicly, or this kind of stuff. That's a bit the idea, then, and I think, I don't know if I do something like that, I get... I think we have had it last week or something about Log4j, yeah. That was a miscreation, exclamation mark here. Where is my pipe.
C: Sorry for that, so yeah, so, for example, last week we have added two policies for the Log4j vulnerability that has been discovered, and basically this one is just ensure that we have a prevent message lookup in Log4j2, so it's related to the CVE that has been released, so and, for example, here we can see that this one is for CloudFormation, so the type of the policy is for CloudFormation and this one is for Terraform.
C: So we have two policies which are checking the template for CloudFormation and making sure that Log4j is enabled on a web application firewall of AWS. All right, so that's the kind of stuff we can do, and then, of course, if I do checkov -d and current directory, it will scan all the current directory and do some recommendations on the files here.
C: In this principle, so, but here we have a Dockerfile, but, for example, I had also in my repository some Kubernetes definition, like this one was to deploy the Python application. I'll just show you and, for example, you should minimize admission of root containers and stuff like that, so, and of course, each time you have some recommendation that you have here, and the guide also to help you.
C: So if you click on it, you get a documentation with all the security ID, and we have also the bridge rule, but here we are talking about Checkov, and here you get what you should do in your Kubernetes.
C: Definition to deploy this application and to make sure that runAsNonRoot should be equal to true, for example, this kind of stuff, and then it's much easier to fix your different configuration files. All right, so that's about Checkov in itself, so the policies and so on, and remember, if you want to test it, it's open source, of course, and if you want to test it, it is as simple as this set of commands.
C: Then, if you want to integrate this in a CI/CD pipeline, there is already... maybe the first step is install the Checkov extension into VS Code or IntelliJ IDEs, and then I will show you in this demo an Azure DevOps pipeline where I do a validation, so I will scan first the external module that I'm using in a Terraform template.
C: Then I will scan the Terraform template itself, which is deploying a Kubernetes cluster and virtual machine on Azure, and then I will publish the report in a JUnit format inside Azure DevOps. When I do that, I can do the same kind of, inside Azure DevOps, this CLI output, but with the JUnit it's much cleaner and easy to browse, if not everybody is technical to go in the different steps of the Azure DevOps pipeline.
C: Then it's better published, and I will show you that also. Then we have the second stage of the pipeline, which will be a plan, and then there we will do a terraform plan command and we will output the format into a main.json, like a JSON file, and then with Checkov we will verify the plan in JSON. So that's the idea, is that you can have different... here.
C: I do everything at once, but the idea is that you can have a different pipeline that generates a JSON file and then the JSON is sent to a different pipeline and stuff like that. And then I have a stage which is, yeah, approve the change or I don't approve, and then we apply the configuration. So we do terraform apply and it executes the Terraform template against Azure and it creates the Kubernetes cluster, the container registry and the virtual machine that we need, and in bonus.
C: But I'm not sure we have the time; we'll see how it goes, the demo, and Sebastian put enough pressure on me as a god of demo, but we'll see how it goes, but that's the idea then. I have also some example in regards of the GitHub Action, so yeah, but basically everywhere you can run Python, you can run Checkov, that's the idea, so that means you can integrate more or less everywhere that you want. It's just that, for example, GitHub Actions, we have a super easy integration.
C: Azure DevOps is a bit less easy, but yeah, you'll see. I will go through all that during the demo, all right. So now I will change terminal. I'm here in Azure DevOps, in my repository, and here I have a couple of files.
C: Let me zoom in a bit, so I have my Azure pipeline; we'll go through it in the second phase, and then I have here an aks file that I'm using, which is to deploy the Azure Kubernetes Service on Azure, and here I have also the module.tf, which is using an external module, and I will scan the external module with Checkov. So, for example, here, if I do like we did before, checkov -d current directory, it will scan the directory and give you the...
C: Everything which is non-compliant to the policies that we have, and if I go up, we have six checks which have failed, two that we skipped, and basically that's a way of avoiding the fact that we want, like, a false positive. So we skip some checks inside the code.
C: I will show you that later, and we have two checks that have passed, so if we go through them, for example, we'll see that on the aks file there is some ensure that AKS enables private cluster, and I will go back. I will go to the base code, and here I have the extension, which is Checkov. So let me grab it for you.
C: And I forgot, so this is the Checkov extension; you just search for it, you install it, and that would be sufficient to run. So once it is installed, it integrates super smoothly inside of VS Code, so the IDE, and then let me remove it.
C: Maybe I can zoom it a bit, yeah, that's better, and here what you have is basically, when you receive... I will change some configuration, I will hit the save button and you see that Checkov is running already to scan the different resources of this file. So now you see that here I'm creating a container registry, here I'm creating a Kubernetes cluster, an Azure Kubernetes cluster, and here I do the role assignment to give the permission to the Kubernetes cluster to pull container images from the container registry.
C: Of course, and here you can see that this one is in red and that means Checkov discovered some misconfiguration there, and, for example, here we can see that ensure that AKS enables private cluster, what we just saw in the CLI. So it's exactly the same. It's exactly the same output that we see. Once you see that, then you have a button which is here, which is quick fix. What you can do there is either you apply...
C: A skip: you generate a skip command to mention the fact that it's a false positive, for example, and, or, for what... What we could do is also, for example, ensure that AKS has an API server authorized IP range, and here, if I go to the quick fix for that one, I don't have something like apply fix, which is out of the box from the VS Code extension. It will provide me a suggestion, so, and I can only generate a skip comment, but I don't want that.
C: I want to fix that issue because I want to... I have an IP range that I want and I want to allow only this IP range to access my Kubernetes cluster. So what you should do is you click on the link, and once you are here, you see that you should just add this range. So let's do something like that.
C: Let's copy the piece of that rule, or we put it in front of the tag, and here we have something, and let's say that my IP is a public IP, so 117.82.something/24. Let's save, and again Checkov is running. So this check should be okay now. Okay, so we just have seen that. Okay, let me remove it again. I will save it again, and once it's done, I will show you also another way to do it. So here we have the Checkov.
C: Just by doing this quick fix, generate a skip comment. Yeah! Let me grab this one, and I will add this one up like this, all right, and I will generate the other command just to make sure that it goes okay, and then I will push the change into the pipeline and I will see how it goes over there.
C: Integration so, and now I can also quick fix and show that enables private cluster, for example, and then we have all that, which is fine, all right, and then I will add also the last one, and it should be all right, and this is the skip comment, and if you have a skip comment, you can use it in the file.
C: You have to use this syntax, which is checkov and then skip equal the Checkov ID, and you have it, of course, everywhere. Like, for example, this is the Checkov ID and then basically you just add a colon, and then you put whatever comment you want, it could be anything, so, and for example, I will: Azure policy either on or not. That was not...
C: Oh sorry, this one, yeah, a quick fix.
C: Okay, I have to generate. So now Checkov is running again for the last comment, and I lost a window somewhere, yeah, I do, okay, so I have this addon profile twice, so I can remove this one, so, and this is what Checkov does: it's really giving you recommendations on the developer seat, what you should do to improve your code before pushing it in production. So now Checkov is running and we will see how it goes.
C: If we have a green mark, that means Checkov does not have any recommendation anymore. Then we can push the change to the pipeline, and in regards of the pipeline, what we do here, and I will come back to that, so we'll trigger the pipeline, and this is for Azure DevOps, of course, but we'll trigger the pipeline on the master branch and then, yeah, we are using Ubuntu. So we will install Checkov by doing this command, pip install checkov.
C: Then we will initialize the Terraform and we'll give a couple of information in regard of the backend. So the backend is saved on the Azure side, and then we will validate the configuration of the Terraform, and then we'll check here with Checkov the current directory, or the set module. So we'll skip...
C: Also all the checks which are in regard of Docker, and the output will be sent with the format of JUnit XML, and it will be sent to a specific file, then I will use that file to publish inside Azure DevOps. That's the big idea, and then, once the modules are okay, we will verify the main file, so for the Terraform template, which is the AKS Terraform and all the files that we have seen before.
C: And then we publish also those results, and then we have the plan, and the plan also has to initialize, because it's a different virtual machine, a different stage. So we have to install again the Checkov. Then we have to initialize the Terraform template and then we have to execute the plan. And here in the plan you can see that now we will show the plan and we'll output inside a main.json.
C: That will be scanned with the checkov -f command, and then we will also output that command, yeah, the output will be in JUnit XML as well, and then we will send the output to that specific file, and then, of course, here we have all the parameters to go against the Azure environment that we have, and here we have the publish test results. So we will...
C: We will publish the Checkov plan report that you can see here, all right, and then we have the approve stage and we have the apply. The apply, again, we have to initialize and then just execute the terraform apply -auto-approve command. All right, so I think that would be it in regard of the explanation, and then let me first check.
C: Oh, if I don't have any exception anymore in my file here, and I see that SSH... okay, so I have, yeah, that's one of the modules I'm using inside the module.tf, and it tells me ensure that SSH access is restricted from the internet. So I should either deny the access, either...
C: Add a specific port for a specific range, so what I will do, and here it is, this is the module.tf. I will just deny this action. No, I don't want to allow SSH directly from all the internet to my virtual machine. So let's do a checkov -d. Again, it's checking everything, and so we have one skipped check, but we don't have any failed checks. So now I'm safe to push. So I will push the...
C: Okay, let's push it like that. Now that should have triggered a pipeline on Azure DevOps, and this is my pipeline, which is not failing yet, yeah. This is the one, so it's running here and it will go through the different stages I just explained. So we have the validate, the plan, the wait for approval and the apply, so the job was expanding.
C: Let's see how it goes here, so it will install the Checkov with the pip3 install checkov, and then, yeah, Checkov should be installed at the end, so successfully updated. It will initialize the Terraform, so we'll check also with the... oh, that's not good.
B: Can you maybe zoom in a little bit? Because the text is very small.
C: Then it will init Terraform, validate the configuration of the Terraform template and then it will check the modules, because I have one module, and I didn't show you that much yet, but this is how to create the network, so it's provided by Azure, and to create a VNet, providing a couple of names and doing some... the cost center for CNCF.
C: This is on you guys, okay, so my config is still not valid, so validate failed, exit. Good one.
C: The error just hit me, and otherwise I will... oh, I will do something else, just for the sake of the demo, to be able to go until the end. I will save this configuration and I will see.
C: Yeah, well, yeah, for the time being. Let me go back to that, because I'm not sure I understand why the mistake was on the field "and appropriate for your setup", yeah. I think it's, yeah, it's an array, so yeah, we might, instead of this, okay, but anyway we can fix it later, I'm sure. So here we have the validate option and yeah.
C: We see on the last instance here, and we can go in Tests, and here we have the full report, which is ensure that AKS adds an add-on cluster, blah blah blah, ensure that AKS uses Azure Policies add-on, Kubernetes cluster, like, yes, so we can see which pipeline has failed, which action has failed, and we can also see all the passed actions, or, if I clear all that, then you have a list of all the policies that have been checked and which ones have been failing.
C: So, for example, here I have the CKV, this one, which is failing, so, and here I can go, when I go to this file, I will go to that website and see what is the recommendation from YouTube? And here basically they just said that I should enable this. I thought I had done it, but let's go back here and add-on profile, OMS, Azure policy, yeah. I should basically add just this here.
C: And that's a bit what we wanted to show you. It was also, we can fail the pipeline in regards of the configuration that we have done, and then now I'm running a new pipeline with the change I just committed. So let's go here for the live pipeline.
C: Always a bit painful to wait for the older that to be applied, but yeah. That's the live demo, right. We need to be a bit patient, and so now the different steps are successful. Now I will go to the plan and, like I mentioned before inside the pipeline, in the plan, we will generate here the Terraform plan.
C: We will output the configuration to a specific tfplan file, which is the main, and then we'll use that file with the Checkov CLI here, yeah. Basically, we'll show the... first we'll convert the tfplan in JSON and then we'll scan the JSON file with Checkov, okay, and that's what we do over here.
C: Which is kind of, yeah, which could be interesting as well, is that you have a lot of information here in the test plan. When you go to the... once, I think, and I will open it in a different tab and I will show you that just right after, but oh, I can show you, and that was the one, yeah. We don't have anything.
C: So if you double click here, you have also this kind of diagram, and you know that you have eight checks which are passed, four that have not been executed. So that means those are the different checks from Checkov I did, and the ones that I passed, four, the ones I skipped, basically, okay.
C: But otherwise, yeah, I think we'll go like... Maybe I can show you very quickly on the Terraform, yeah. There is the Checkov website here that you can visit, and I shared a link in the chat.
C: So you can also go there and create some custom policies if you want to, and otherwise just to show you a couple of lines, how to do the integration with GitHub Actions, and here, if my telephone... basically that's how you should do it: you should set up Python 3.8 and then you can, with the Checkov action, you can just pass a couple of parameters that you want, and here you have the different options that we have seen in the CLI. You have them also.
C: Too big screen for me, yeah, so basically, yeah. What I was saying is we set up the 3.8 Python environment and then we can use the Checkov action, which is out of the box. You can just use it like this and then you give a couple of parameters to skip some checks.
C: If you don't want to skip some check, you can use wildcards here, right, so you can, for example, if you don't want to check anything which is AWS, you can do CKV_AWS_* to skip all that. Then you have the quiet option. You have the soft fail. So, for example, if you want to make sure that the pipeline goes okay, even if you have failed checks, then you just set it to true and it will allow...
C
Anyway, it will return a zero to the command instead of one in case of failure. Then you have to specify the framework that you are using and the output that you want, and so on. And then, in that way, we can also, in GitHub... if I come back here in Actions.
C
Sure, I'm almost done. And here we also have this kind of report, which is a bit less sexy than the Azure DevOps one. So that's why I spent most of my time on Azure DevOps, but yeah. Basically, that's all I wanted to show you, and if I come back here on Checkov, I have the branch, and here you have the test. And this is what I wanted to show you today, so yeah.
C
If there is any question, please use the chat, the Q&A box that you have in the bottom right of the screen, if I remember correctly. And yeah, I don't know if there is any question.
B
Yeah, we had a couple of questions. I tried to answer them already, with some questions around the documentation, where we can find learning content. Then we had some questions around how we create these Checkov policies.
B
I answered them by using, you know, the open source pull requests to create new content, and also it's managed by the product management. So when we see new vulnerabilities coming up, then we integrate them into the latest version. And yeah, maybe Simon, you know, from your perspective, when we look at the demo, and you know what we can achieve with great results here, including them in the CI/CD pipeline: what is the best starting point that you see for someone who's new to Checkov?
C
For me, and that's what I did when I discovered Checkov, it's just install the CLI, then go inside a directory that I used to have, and then improve my Terraform template. I'm a big fan of Terraform, so yeah. And I was really happy to see how fast I can go, like improving my Terraform template and how to better secure it, because the problem also, like you were explaining...
C
If you have a Terraform template, the idea behind it is to reuse it and reuse it. And then you might end up with a lot of tickets, because if you need to fix, if you discover that you have a misconfiguration inside a Terraform template that you have been using, I don't know, like 100 times, then you have to fix like 100 production issues, and that could be a lot of issues. So that's a bit, yeah!
C
I was really impressed by all the recommendations and how to improve the security, yeah, before pushing the configuration and so on.
B
Okay, thank you. We have one new question from Lorenzo. He's asking how the Bridgecrew pricing plan works. We are actually counting in the pricing plan the number of code blocks, and we have something that is called credits. So you buy licenses through credits, and then we count the code blocks against the number of credits. And, for example, 50 resources: you would divide 50 by 3, and then you have the number of credits we are using.
B
Any other questions? And yeah, maybe as additional information: we don't count executions of scans. We just count how many resources we are scanning, not the number of scans.
C
So, for example, here in my Terraform for the Kubernetes cluster, we have a container registry, we have an Azure Kubernetes cluster, and here we have a role assignment. That would be three resources. That would count as one credit in terms of Prisma Cloud, but Checkov is free. I mean, it's free to use, it's open source, so you can use Checkov without the Bridgecrew platform. Exactly.
B
Okay, cool. So then, from my point of view, thank you very much for your attention and for joining our webinar today. I would like to close the webinar a couple of minutes early, giving them back to you. And Simon, thank you very much for being the god today, and yeah, enjoy your day, enjoy your evening. Thank.