From YouTube: Security at the Speed of GitHub
Description
#30minutestomerge
By driving greater risk reduction and scale without impeding velocity, GitHub Advanced Security allows teams to deploy faster and safer. Andrea will demo tools to improve security of your projects.
A: What's going on? Hello and welcome to 30 Minutes to Merge. My name is Matt Desmond, aka beardofedu, aka Beard, and I just wanted to welcome everyone to yet another session of 30 Minutes to Merge. Super excited about this one. Just a quick kind of behind-the-scenes look: I don't know, a year, two years ago, Andrea asked me if I was interested in hosting 30 Minutes to Merge, and I said absolutely, I couldn't wait, and today I have the pleasure of introducing Andrea as my guest.

So, as always, I'd like to introduce my guest with a couple of questions that I asked beforehand, just so you get like an idea of who they are outside of maybe what they do every day, at least for work. So I just wanted to kind of give a quick rundown of who Andrea is, and then we can kind of get into her topic about Security at the Speed of GitHub, which sounds really dope. So in terms of hobbies or things that she likes to do: she likes to play golf. She practices yoga, and the thing that I thought was the best was she's working on becoming independently wealthy in Animal Crossing, so that might strike true for some of you. I know I'm still way behind on paying.

A recent purchase was a second screen, which has helped for travel, which is kind of a cool little thing that I'll probably start looking into, which is actually why I ask people what they bought, because I'm just looking for things to buy myself, because I apparently don't have enough stuff on, you know, my shelf behind me. In terms of any type of open source that she's contributing to or working in or interested in, she's been looking at the White House report. A translation project was the last one that she was active in, and typically she just kind of forks open source repos, and she's looking forward to participating in some. And then my final question is always around what would be a fun GitHub Action that she'd like to either create or have created for her, and in this one it's an action that automates the aggregated reporting from multiple account platforms, which would be a community person's dream. Sounds really high level for me, but it sounds pretty cool. Data is always awesome.
B: I will do one, maybe two pull requests so that we can see our code scanning in action, which is an amazing tool, and again we're gonna talk about this because it matters. You know, there is a reason why app security exists. We need to focus on risk reduction.

We need to focus on allowing our teams to deploy quickly, right? And sometimes, when we think about a focus on security, we start thinking that we're going to lose speed and we're not going to meet our deadlines, and that's why, a lot of things, sometimes we just kind of like let them go and hope somebody catches it. But hopefully, at the end of today, you will have some tools that you can go ahead and go after, go enable them in all the repos.

I will show some specifics, and then at the end I will also share all the links to everything that we talked about, so that, if you want to go do some more in-depth reading, you are completely welcome to. So at all levels, whether you are an individual contributor or you are an EM, an engineering manager, right now as a digital leader, as someone who's either writing the code or participating in the ecosystem or leading engineers who are: we have many more challenges than we used to before, right?

The end of the day is that this is somehow all our responsibility, and so it's important that we have an awareness of what tools can actually make this easier, in the spirit of just making things automated and not spending your time caring so much about what security looks like in your projects, but more about writing the code and the things that, you know, you really want to do, what's fun for you. So I want to ask you all a question.

This is something that our CSO actually asked us a couple of times already as part of our all hands, and it's: who here is a member of your security team? Whether you are, if you're a student, do you think that you're a member of the security team on whatever project you're working on at school? If you're a professional developer, are you a member of your security team at work? And, if you're thinking about contributing to open source projects, when you're contributing to open source projects, are you a member of the security team for those projects? And so I'd love to see what kind of answers you're coming up with, so just kind of add yours at your convenience. Kind of take a quick moment to think about it, and just let me know if you think that you are in fact a member of your security team, and then I'll hopefully ask the same question at the end, and then we shall see if the answer changes or not, right? But let's go ahead and get started.
I want to share with you all a super compelling graphic that you might have seen before. It's making the rounds for a reason, because we are the home of open source and we support over, I want to say the last number is 83 million developers, which is just unbelievable to think about. We've been able to study the source code that is open and do some analysis to help us better enable our tools to support, you know, code at this massive scale.

This graphic is one of my favorites because it just kind of represents that curve where you see, like, like the song says, more money, more problems, but in this case there's more code, more problems, right? The more you collaborate, whether it is a project that you started yourself and then you're trying to scale an app and you're thinking, well, maybe I'm not super keen on doing front-end stuff, so I'm gonna bring somebody in. It doesn't matter the size of the project.

At some point you're gonna end up collaborating, and the more you collaborate, the more issues are introduced into your code. This slide shows us why this is even important to GitHub and why we've chosen to make an investment in the space. So we had, at the time, I think it was 70 million lines of open source code, right, and part of the analysis was to take a look and see when the actual security vulnerabilities and security concerns started coming into influx, right, and key takeaways.

You know, as the lines of code go up, so do the threats. Software, of course, runs the world. I don't need to tell you this; you're here because this is what you do.

One thing that we can point out specifically: if you take a look at that green line, you can see that these are the new security threats that are introduced to those repos, and so, even though all of you already have a clear understanding of certain things that you can do to prevent your code from not being as secure as it could be, we still continue to make errors, and this is not because you're not a great developer.

This is simply by being human; we're humans. We make mistakes, and inadvertently we sometimes commit things that we're not supposed to, and so it's important to, like, first of all, give yourself grace if this has happened to you. If you have been the person that has done something that went into production that you regretted, listen, it's not your fault.

You can see the mismatch between the expectations of developers and security expectations. I think there is some number out there, like for one developer, or yeah, well, per 100 developers there's only 10 security folks or security researchers, something like that, but it's to say basically that the thought of the past was that securing was somebody else's job. So you develop this kick-ass app and you ship it, and before you ship it, hopefully you have a security person in a corner in a basement somewhere.

That's actually taking a look at it and running audits on that code and doing pen testing, doing everything else that they need to do, and then they give you a thumbs up and off you go to the next thing. But the reality is that not every team has those capabilities, and all of these tools that GitHub has created and continues to enable and grow are not to replace security researchers and security folks. This is not the case at all.

This is just to give you a hand and make you, as a developer, more aware, and just have a more comprehensive view of all the things that you can do yourself to make your job easy. At the end of the day, you're gonna ship that to a security person; they're gonna find the whatever XYZ violations or whatever your organizational policies are, and then they're gonna turn around to you and ask you to fix it.
So, you know, it saves you time to just go ahead and have the awareness of the things that you shouldn't do, and then you can move on from there. All right, awesome. So we look at application security as a comprehensive tool, so we're thinking about the project development cycle as a whole, and we're going to talk about some of the tools that we can do that with here, some of the tools that, again, you can start using right now. It's important to understand that, again, this is not happening.

Security vulnerabilities are not happening in your code because you are not a good programmer, when, for most projects, I think at an enterprise level, 80% of the code comes from open source. So, you know, inadvertently, and these projects are also taking their own security measures, but again we're all human and mistakes happen.

So we're going to take a look at how we can prevent some of the things that we can do ourselves, for example, taking a look at code scanning, taking a look at how we can prevent secrets from being exposed, taking a look at our dependencies and understanding how we can automate some of these things, basically just to bring the security topic closer to the development lifecycle.

You come to this platform, you're writing code here, this is where you're collaborating. It only makes sense that we provide you the tools to make sure that that process is as smooth as possible when it comes to security, and again that you're not working twice as hard. So, let's get started. The first thing that I want to talk to you about is gonna be Dependabot, and I will be super thrilled if all of you please, please, please just kind of give me the grace of going to any repo that you have, that you're using, whether something that you have public facing, any project that you have, I don't care how big or small, and enable Dependabot. Please do it, do it, do it, do it today. It's a hundred percent free. It will remain free forever.

I know that when the acquisition of Dependabot first happened, and there were a lot of integrations into GitHub firsthand, there were a lot of folks that had concerns about notifications. Some of you were getting bombarded with, like, a thousand emails from projects that were old. Maybe those dependencies did not even matter to you, but the tool was doing its job, right, and its job is to create an inventory of all the dependencies on your projects.

All of this amazing open source code that, let's say, we stand on the shoulders of giants, no need to reinvent the wheel. Why work harder? So we take all these dependencies, and Dependabot is gonna create this inventory, and then, when the first integration happened, everybody got just bombarded with notifications. I'm happy to share with you that you can now configure how you're notified. So if this is one of the things that's kept you from enabling Dependabot, you now have options, right? You can go ahead and enable it in your repositories.

Right now, it's super simple. What this is going to do, obviously, once you enable it, it's going to allow you to automate the way that dependency updates are happening. It's going to monitor those dependencies and give you a shout when there is a newer version. Now, sometimes there are security flaws within those dependencies, and when they're identified, sure, the dependency creator might update it.

But unless you manually, this is before, you manually go in and update, bump those dependencies up, you're going to find yourself with a vulnerability in your code. So you enable Dependabot, and guess what, Dependabot is going to do this for you. So I encourage everyone to please enable it today. You can see how on the screen: there is an example of an application, and it had a Dependabot notification, and it's bumping it now, and basically it's going to create a pull request.
So how do you turn it on? And this is something that, please, go and do right now. Super simple: go on to the Settings tab, and please let me know if you can see my screen or if I'm missing, like chopping the top off, I do that sometimes. But I will need you to please go under the Security tab, I'm sorry, Settings tab, and go into Code security and analysis. Again, this is free for public repos, free for open source people. Private repos, it's gonna be always free. Enable your dependency graph.

Why? When you enable the dependency graph, then we're gonna start creating an inventory that I mentioned, and then we can start performing the analysis and telling you, hey, this needs to be bumped up. Go ahead and enable Dependabot alerts. Again, there is a magnificent prompt right here that will take you straight to configuring your notifications, so you don't have to worry about getting a thousand emails. Then we're gonna enable the security updates.

This is gonna automatically create those pull requests that are gonna help you resolve those alerts, and then a super cool thing now that is actually kind of newer-ish, and it's going to be the Dependabot version updates, where automatically we can set Dependabot to open the request, and when the update is because there is a new version, it will do the entire process automatically.

You can enable that, and it's going to automatically create a template. This, for most projects, more than suffices. The only thing that you need to do is tell it which package ecosystem you are working on, like where your dependencies are. So I think most of the things in this project, and this is a very flawed project for a reason, it's a fork of an OWASP project that's for testing and showing this type of demonstration. So we're gonna tell it, okay, yeah, please!

My package ecosystem is npm, and again, regardless of your package ecosystem, Dependabot can scan those for you. So let's go ahead and set the intervals and set the location of your package manifest. I think the JSON file is the primary on the main branch. So when we do anything else, I'm gonna be a bad person here and commit straight to main, but this is simply, for, you know, we're gonna do it for demonstration purposes.

So now that I enabled the dependency graph, you can see how it's automatically, it's already telling me: in your package.json we found vulnerabilities already. These are shown to the owner of the repository, but now you can set specific security policies and see who is in charge of the security of your repo. So if another thing that's kept you from doing this is the fact that then you have to come in and deal with it, know that you can now delegate and find someone else in your team to maybe take a look at those.

So when we click on the Dependabot, you can see how, like, automatically it went ahead and scanned our package.json file, and if I go back to where it's giving me the alerts, I can click on it, and it's gonna give me actually a more comprehensive explanation about each specific alert. So again, this project is super flawed, so it's gonna have a ton of alerts, just for demonstration purposes.

One amazing thing about the way that this report is displayed is that you can actually go ahead and filter them out or organize them by severity. So, you know, we're gonna look at the critical ones first, because it's important, and it's gonna tell us, actually, it's gonna give us a brief explanation of exactly what it is that's going wrong in our code, whether it be because we needed to bump a package. It looks like, for this specific package, you can see how there is not even a fix; it's just actually giving us the suggestion to go ahead and find an alternate package, because there is no way to fix it right now. And then it looks like there is another, here we go: there is a vulnerable dependency here, and it looks like for this, in particular, we will have to go ahead and take a look at the lock file. So again, this is a super flawed project.

If it was something a little bit more simple, it will basically create the pull request for you and automatically tell you exactly how to bump it. So I welcome you to fork this repo, and I will share it, just so you can test it out. And actually I have a simpler one that I can pull up, and please ignore the 20,000 repos and all the stuff, things that shouldn't be up there, but I want to say this one just has like a dummy, yeah, here we go.

It's like a super simple dummy test file, just so you can see what I mean. It's clearly a pretend package, but you can see, like, for example, for this, when this was created a long time ago, it was 5.10.2, I think, yes, length now is up to like 18 or something. So for demonstration purposes, let's go ahead and do it here, because I think it will, it will make it a little bit more, it'll be easier to see when you don't have so many alerts as that other project. So again, I went back to Settings.

I went back to Code security and analysis, and now I'm enabling all these beautiful things. The minute I do that, you can start seeing insights, and you can start seeing, it's going to start taking a look at the security and what Dependabot alerts I have, and it's going to start scanning. So we'll give it a moment, we'll go to something else, and then we'll come back, and hopefully we'll be able to see some results and the pull requests already enabled.
So this is Dependabot. Again, it's free for everyone, so I definitely, please, welcome all of you to go ahead and set it up. Then we're gonna talk a little bit about secret scanning as well, and again, another very important topic, because to err is human, and I've heard the story, and I never get tired of telling it, because it's things that happen, right, when you're working and you accidentally leave your token, your AWS token, in there, or you leave some other information.

I have an example here. You can see there that is a, we had a Twilio token, an API key, I'm sorry, that was embedded right there in the code, and so the idea is that, as a developer, you're now presented with all the information you need, not only about, yes, what happened when they found the secret, but it's actually gonna give you a timeline, because sometimes these things don't happen automatically, right? So you'll be able to go back and see exactly when the secret was exposed.

If this is part of one of our scanning partners, our secret scanning partners, and I will share the list next, then this problem is gonna be automatically taken care of. They're gonna invalidate that secret for you, but then sometimes it doesn't happen as fast. So it's important, when you're starting to look at remediation, that you know exactly, have a clear view of the timeline. This has happened to folks that I know personally, you know, where AWS tokens were left, and next thing you know, you have a twenty-five thousand dollar bill, and, you know, sometimes Amazon is super kind and allows us to, like, kind of go, like, sorry, accident, but then most times it's not, and so you don't wanna get stuck in a position where you're exposed like that, especially with some of these other providers that don't have set limits for spending, which is kind of mind-blowing, but that's a whole other conversation.

So, in any case, when the secret's being scanned and it's found, then automatically we send it to our partner and we tell it, please go ahead and cancel out the secret so that it cannot be exploited. The deactivation process happens in the space of seconds, so it's super important that this is enabled for your projects. Now, for all of your public projects, as a default, they are enabled; secret scanning is enabled.

However, you know, if you have an enterprise project or if you have a private repo, you can go back in and actually enable it yourself, but it's gonna be looking for hard-coded secrets. It's gonna be looking for embedded tokens. It's gonna be looking to automate the workflows for some of these public repos so that automatically it's gonna deactivate those codes that have been mistakenly committed.

And I think right now we have over 36 cloud organizations who are partners, and they're helping us, of course, streamline this process and protect your leaked secrets from being exploited. So it's super important that we take a look at that and understand why this is only to our advantage, and again it's by default enabled on all your public repos, and this is a not very comprehensive list.

I think we have definitely more than that, but these are some of our scanning partners, and so, if you use any of these services, you definitely can have a bit more certainty that secret scanning, GitHub secret scanning, is gonna have your back and help you prevent those secrets from being committed.
Perfect, all right. Now let's take a look at sort of the third part of what I wanted to share with you today, and if you have not used CodeQL or any code scanning tool, I definitely recommend that you take a look. I do want to share a little bit about what goes under the hood of this, because I think it's important to understand what it's looking for.

Of course, this came to us, CodeQL, as part of the acquisition of Semmle, the super smart folks at Oxford, university researchers, and now some of them are actually part of our GitHub Security Lab. Shout out to the Security Lab. They do amazing work, and they've been just basically trying to bridge that gap between research, academic research, understanding the vulnerabilities, and you, making sure that you know how you can prevent your code from being attacked by some of those vulnerabilities. So code scanning, CodeQL, it's, the QL is basically the language that is written on a revolutionary engine. QL is not the only scanning engine that we use, but primarily it is what we use. One of the things of beauty of CodeQL is that it is a community-driven product, and what does that mean? That means that out of the box you already have, I think it's like, it might be close to 2,000 queries that have been created, whether it be by researchers or other people, just like you, who have different use cases, and so, well, you know what, I'm going to create my own personalized query to go ahead and look for the specific things that are important for my product. So you can see there is, I want to say, 1,700, 1,800 automatically out-of-the-box queries, and then you can also add your own query and help us grow the understanding and grow the capacity, as a community, for us to just help keep our code secure. You know, it's community power.

Of course, you can kind of see, I love this, this particular slide, because it shows how, you know, by the power of community, we actually can work and scale a lot faster. And then the way that it works, it's important to note, so that you have an understanding, because sometimes, obviously, and especially if you're dealing with proprietary code, you want to make sure that you're not exposing yourself to anything else by trying to scan it to prevent it from being exposed. But basically, for compiled languages, it works very much like SQL. What it does is: it builds a database. It extracts the source code, and it's going to basically create a copy. It's going to trace and extract, and what happens is the tracer is going to identify when the build is invoked, and it's going to take that argument, compile it, pass it to the structure, the extractor catches it, and they work very similarly. It does the lexing and parsing, builds an AST, but that's it; that's when it stops, and then that is when CodeQL comes in. It supports multiple, multiple languages: C, C#, I think PHP, Python, Java, JavaScript, and growing. The way it does this for the specific language is it piggybacks off of their own compiler, so like for Java it's a piggyback of javac, and, you know, this is only helping us look for entry points via a tracer and just mimic from their own, so your source code is secure. Now, for interpreted languages, essentially it mimics an interpreter, and it's gonna take a look at the files and then interrogate them directly, the actual files, and help build out, like, that semantic information. So it's not reinventing the wheel. It's just doing the things that your language already has a provider for, but it's making it all happen right there in your code, integrated. So there, I can share a list of the actual supported languages at the end, but I want us to quickly take a look at a pull request.
We're gonna just go back to my other screen, because I want to show you just how, exactly how the analysis works, and let's go back, and I think this might have captured our alert, but we'll take a look at it in a moment. So this, again, a very flawed, very flawed project. I want to go ahead and add an API endpoint to a file here, and I hope my screen is large enough.

If it's not, let me know on your screen and I'll go ahead and try and zoom in a bit more, but we have this file, which is gonna be our server.ts file, and I wanna go ahead and add another endpoint, an API endpoint, and then, as I do this, you'll probably, as I, because I'm just going to copy and paste this code, and by the way, I just type E to go ahead and edit directly.

The great news is that actually CodeQL has an extension for Visual Studio, so you can do all of this right in the editor. I'll just stay here on the github.com UI, just for demonstration purposes. So, let's scroll down to the area where we're adding our apps, and let me see. It looks like, yeah, we can stick it right here, so I'm gonna do a copy and paste, and if you can see this and you've done this sort of thing before, you might already see what the issues are. So this function to add an API endpoint, and if you know what the error is, I'd love to see it on the chat, and right now I'm not looking at the chat, but I promise I will take a look later. So, very Stack Overflow, let's go ahead and just copy and paste there, and so now that we introduced that code.

Actually, I will take one step back, because first we need to go ahead and tell, we need to go ahead and tell our security tool here to actually look for this, right? It would be absolutely useless if we commit that and there is nothing catching it, and we do this via an action, and very simple, again, just going into Actions.

You can see how, specific to this project, actually it looks like CodeQL is already enabled, but if it was not, and I can go ahead and just delete this. Workflow runs, so you can see what it looks like when you are enabling it. Wow, that's a ton. Let's just leave them there for now, but there is a starter action that you can see for this particular repo.

It looks like it's already enabled, and I thought I removed it, but maybe not, but this is what it looks like right there, and it's gonna give you there, it actually shows us the languages: C, Go, Java, JavaScript, TypeScript, Python and Ruby, and then, when you click on Configure, it's gonna take you to, again, a preset of that YAML file for you. If you're not a fan of YAML, please know that this is actually super simple to set up. The only things that are super important that you tell it here is what event you want it to execute on, so here it's gonna be on push and on pull request, and which branch you want it to look at, and then you can set the scheduler for however often you want this scan to happen. This is one of my new favorite things, that it's actually translating the cron. You don't have to go elsewhere. It's actually telling you exactly what that means. So this is great.

We can tell you exactly where to look for, when to look for it, the languages of our project automatically. We can see what's supported, and actually, if you want to check out the more in-depth documentation, you can see it all there. So this looks great. We don't need to do anything, no need to reinvent the wheel here. Please ignore my lack of commenting here. Oh, this is all because we already have one, so we'll take it out, but that other file should definitely catch our error in the code here.
So let's go ahead and commit that, and if we scroll down we're gonna create a pull request for it, and so now, what's happening in the background is we're gonna kick off that scanning, and I'll go ahead and show you what that looks like in a moment. So here we go, we're creating a pull request, and now we can see, if we go back into our Actions tab, we should be able to see that there is a pull request here.

You have a ton of options here as far as, again, when and how, and you're going to see how now it's actually doing the analysis, and this is, I mean, that was kind of a large project file. I think it scans something like, I don't know, 50,000 lines in maybe under a minute, but we'll be able to see here firsthand when it comes back with the analysis, and I'm gonna quickly take a look at the chat to see if anyone actually figured out what the vulnerability was on that code, and there was, yeah, there are some guesses there, like with cryptography, yeah, definitely, but we'll take a look actually once the analysis is done. It will give us a more in-depth answer, actually, as to what happened, and this is taking a bit longer, and I think it's because I have a ton going on.

So let's just go back to the original project where I forked this from, because then I can show you what that looks like. So here we take a look. It looks like we added that endpoint. It completed the job, it analyzed it. I think this is after the remediation, so you actually don't see the pull request there. But if we go into the actual pull request, we can see how it's gonna run through all the checks, and automatically it's gonna tell us: okay, you failed code scanning after six seconds.

They move a lot faster here, and then, when I click on the details, and this is one of my favorites, it's actually gonna give us a brief, it's gonna obviously show us exactly the commit, and it will actually give us annotations on what it is and what line our issue was, and these are two of the errors that, again, things that we can commit to our code that we wouldn't even be thinking about. Just quickly writing a function to add an API endpoint, next thing you know we're introducing these two vulnerabilities, but before you merge that pull request, this analysis is happening so that it would never actually become an issue, and there were two things there.

I think something with resource consumption is one, and then the other one, when we're not rate limited, so that makes us vulnerable to denial of service attacks. So every time that you're adding an API endpoint, or you're adding, you're opening yourself up like that, you need to make sure to apply rate limits, and that was one of the things I was missing on that bit of the code. So now that we've seen exactly, it's telling us, okay, this is what's happening. It's been found on the pull request.

Then you have the option to remediate right then, automatically. You already know that this is not, this is not good for this particular pull request. I will just close it out, and then we can just go back to the code and take a look and see exactly where we made the mistake, and then add those rate limits and save ourselves a really painful experience after. So this is a very, very powerful tool, and again it's free for public repos. The queries and the amount of community-driven research
B
that's been done to make CodeQL amazing, it's just unparalleled. So you have a ton of options here, and I look at it as Lego sets: you can stack tools on top of the others, so you can actually call on other services outside of GitHub. You know, if you use something like Snyk or StackHawk or any other application security tool,
B
you can use all of this in conjunction, so that is a really cool way to just automate that part of it. And then I think we can close on that note; we're going a little bit over time, and sorry, I was talking too much about Animal Crossing at the beginning. I just quickly wanted to share why this even matters, because this is a developer-driven effort. You know, the fact that we have the opportunity to customize all these queries and do things specifically to whatever threat topology
B
you have in your projects, the fact that we now have a community behind it and a Security Lab that does actually focus 100% on making this a better scanning tool. This is making all our lives much easier. At the end of the day, it's going to take a lot more than just scanning and frequent scanning. We need to have that developer-centric, security-focused mind to know that this is our responsibility.
B
So I love to ask the question again, and I hope the answer is yes, because every single person viewing this is a member of their security team. Whether you think about security best practices or not, if you're writing code, you're a member of your security team, even if it's a team of one, even if it is your own solitary project. But yeah, that's all I had today. I hope that you took away some of the things that you can start looking at today.
B
I will share some of the documentation and things in the notes, so that you can take a look, because there's a lot more customization that you can do, and again, just make this as specific to your projects as possible. I would be super remiss if I didn't invite you all to please join our global Meetup group. This is another of the things that I'm typically in the background of. If you didn't know it, we have a meetup group, the official GitHub Meetup group, and we have content
B
that is, I mean, I would say, of interest to anyone. If you're a developer, if you're interested in code, if you're a data scientist, if you're a researcher, you will find something there for you. We try and stay very much on theme for certain events, so we'll have like a security-minded meetup, or we'll have an open source one, maybe a couple of maintainers that come in and talk about scaling their projects, and the talks vary from deeply technical "let me show you how to do this" to "let's talk about,
B
you know, some of the harder things," maybe open source sustainability, getting folks to contribute to your projects, etc. So I promise it'll be worth your while; join our meetup group. And yeah, that's all I have. I'm gonna bring Beard back so he can usher me off, because typically I would be the one pinging on the private chat saying: hello, the name of the show is 30 Minutes to Merge and we're nine minutes over.
A
I don't think anyone can be upset with being a little over. That was a lot of content. You covered the entire Advanced Security suite. It was really awesome. I did see one question in chat about whether there's going to be a recording on YouTube; there will be. We actually have a bunch of 30 Minutes to Merge content already there.
A
So if this is your first time kind of jumping in with us, you can see some of the other episodes that I've hosted, which is really just me getting to introduce someone really awesome, then them blowing people away, and then me coming in like a bookend and saying it's been fun. But that was awesome. Thank you so much for showing off GitHub Advanced Security. Yeah, the code scanning stuff is really cool.
A
I'm a huge fan of the secret scanning as well, and then obviously Dependabot's been around for a little bit, yeah, but Dependabot has definitely saved my rear a couple of times. So it's really nice to see it's shared with the community.
B
100%, yeah. Sometimes some of these things we don't think about until it's too late. So here you have all these preempted tools that you can go ahead and enable, so please, everyone who watched this stream, go enable Dependabot. I want to show my boss that this actually matters and we can actually see it move a little bit. So please, please, please go do it. I did see someone asking about the meetup group, and yeah.
B
If you just go to meetup.com you'll be able to find it there, but I'll go ahead and share this specific URL. I'll just add it in the comments so you can see it. And if you are from another place and speak another language, or are interested in speaking about maybe more technical things in, I don't know, Korean, Spanish, Brazilian Portuguese, we have meetups for that, so join those as well. Alright, thank you so much. I super appreciated being here today. Listen, Beard, you say your only job is to come in and then leave,
B
so I'm super grateful, and to all of you who watch, I am just thrilled and honored to have a bit of your time. Now go forth and have lunch. Sorry we're going over, but again, also, if you have any questions about this or want to get connected with someone from the Security Lab, maybe you are actually thinking about writing your own queries or you want to look a little bit more under the hood,
B
then DM me. My DMs are open, like the cool kids said, and I'll be happy to just make those connections. All right, folks, have a great rest of your week, and I will catch you on the meetups.