Description
Issac Cohen, Field Solutions Architect, digs into 3rd party integrations with a focus on security and code quality. With GitHub Actions, bring these tools directly into your CI/CD pipeline and get to Production faster and with greater confidence.
Find more at: https://github.com/learn/security
Hey everybody, Isaac Cohen here. Very excited to be talking to you today about GitHub Actions, specifically third-party security actions. It's funny, so I'm a Field Architect here at GitHub and I've been in the CI market. I've been doing CI for about 10 years now, so I'm very excited to be talking continuously about CI/CD, GitHub Actions, but also its combination with security. And how do we start to integrate those third-party security actions as part of our CI/CD pipelines?

Starting off with just giving you a brief introduction into GitHub Actions. Of course, as you know, GitHub Actions is the GitHub native CI/CD platform. What's interesting is that in the last year and a half since we've launched GitHub Actions, we now have over 5500 actions in the GitHub Marketplace.

I mean, as I mentioned beforehand though, we're specifically going to focus on the third-party security actions today and I'll actually walk you through how to integrate a number of different tools that are available. So we're going to focus on three tools today: we're going to focus on Anchore, which is concerned with container scanning, looking for vulnerabilities within containers; I will look at RuboCop, which is looking for vulnerabilities within Ruby applications; then finally Codacy, which gives us a number of different options, from code quality to also running a number of different tools.

In the background, it's important to note, though, that there are a lot more integrations that we're not going to cover in this session today, mainly one of them being CodeQL, which of course is the GitHub integrated security solution, and of course other partners that we just don't have time to review today.
So if you find any vulnerabilities, of course, in production, or even as a result of a breach, it's exponentially more expensive to fix and to remediate than if you find them earlier in that life cycle, in the development part, or really before any QA occurs.

So this is why we're trying to integrate all of these different tools as part of our CI/CD pipeline, but also, as we start to integrate this earlier on, developers are at least able to remediate those issues as quickly as possible. What's interesting is when I used to develop full time.

So a lot of the stuff I'm going to be showing you today, you can follow along all on open source repos. We're going to start with Anchore and really integrating the Anchore Engine. As I mentioned beforehand, Anchore Engine is an open source project, so this provides centralized.
So moving over to my repo that I've created for this, of course you can follow along at github.com/issc29. You'll notice that this is a demo instance; this is a demo repository that I created yesterday.

Thank you for that question, keyhost. So you do have the ability to run a self-hosted runner. It's actually pretty easy to get started with that; check out the documentation for GitHub Actions self-hosted runners.

So if you check out that documentation, it will show you how to get started on Azure, to create your own runner on Azure and then use that as what we would term a self-hosted runner with GitHub Actions. It's really just a small file that you need to run, and that will then connect up to the GitHub orchestration as part of github.com. And, you know, obviously, like with Azure, AWS, GCP, whatever cloud hosting provider you're using, then you can control how much resources you have: cores, memory, etc., etc.
Okay, so moving back to the actual Anchore demo, I'm going to click on GitHub Actions and you'll see it gives me a number of different workflows out of the box, whether it's publishing a Docker container. I'm just going to create one myself. So we'll call this docker-ci, okay. So the first thing that we see is on push, right. So every time we push or every time we open up a pull request, we will want to run this workflow.

We have jobs, runs-on, okay, we're gonna want to run on ubuntu-latest. That's exactly what I wanna do, especially because this is a Linux Docker container; I'm gonna run this as part of Ubuntu. It has Docker, or the Docker daemon, already installed, so it makes our lives very easy. And of course the first thing that we'll do is we will check out the code, okay. So now, this is where we have to change a couple of things around.

The Docker image, and for this one we're just going to run a command. It's going to be docker build --file, so we're going to take that Dockerfile and build it. We will tag it; we'll call this issc29, that's my username, node-web-app latest. I think that's all I have to do. Oh yeah, let's add a dot over there. Okay, so this is actually going to build my Docker container, but the next thing that I want to do is I actually want to run Anchore.
This is going to give me a ton of information on how to actually run the GitHub Action, the Anchore container scan GitHub Action. So this is going to give me some examples that I can get started with. You know, let's see: container scanning, directory scanning, as well as the action inputs and the action outputs, right. So action inputs are going to be the knobs and controls that I can configure in order to configure the action the way that I want to configure it, and of course the outputs are going to be any outputs that are sent out from the action over here. It's going to send me the path to a JSON file of the vulnerabilities. But to me, I always like to go back to the actual repository to go a little bit, let's say, a level deeper, so I'll click on links and that'll take me to the actual repo where this action was created.

A number of things that you'll notice: of course you have the README, which gives you pretty much the same information that you saw on the marketplace listing. But the other interesting thing that I always like to look at is the action.yaml file. So the action.yaml file is the source of truth as to what are the actual inputs and outputs. Sometimes the documentation can be a little slow.
So let's move back a second and let's get started, so I'm going to copy this.

Yeah, I always love its exact spacing, okay. So we're gonna scan this image using Anchore; we're going to use anchore/scan-action. We're gonna use version two, so version two is the latest version that's currently out. The way that you would, if you wanted to actually check that, you would go to anchore/scan-action tags and we can see that this is v2, so we're going to reference this exact tag on this repository for this action. You know, sometimes actions will change over time, so it's usually very much recommended to specify a tag or a specific SHA, because that ensures that the inputs and outputs are exactly the same. Uses, and now over here for the image we're gonna use that image that we just created, right, so issc29 node-web-app latest.
And the CI run: so again, what's going to happen now is we're first going to build the Docker image, then we're going to run some scanning. Now, while this is running, I did want to look at a couple of other options that we're probably going to want to turn on as well.

There are a couple of interesting options; again, these are those controls that you can start to play around with. Obviously we used image over here, but I'm probably going to want to fail the build, right. So what fail-build does is, if there's a value above, let's say you have any issues, fail-build will actually fail that build. That way, in the pull request, we can start to get that information. Oh, let's see, we actually...

Let's see, we're building the Docker image, we're doing a docker build, and then, oh, look at that, two latest. That didn't make any sense. Let's try that again.
I see another question on latest versus specified version, so I'm going to guess that you're talking about the tag that I created. A lot of times you'll create a specific version. Over here I was being a little bit lazy by just doing latest, but a lot of folks will actually tag their Docker images when they build them with a specific SHA or something like that, right. So there's a lot of different ways you can version your containers.

Yeah, all right, let's look at this action. It completed; it's continuing on. But as I was saying, so we are going to want to turn on fail-build when this works. We're also going to want to turn on the severity-cutoff. So if you could think about, like, you have a number of different options: maybe you have vulnerabilities that are low, medium, high, critical, etc.

Over here the default is medium, but we can actually play around with that, and the interesting thing about playing around with that is it's going to control whether or not this build is going to get failed. Okay, so we can see that we've scanned the image.
Scanned the image, if we scroll down, so we can see that we actually found a number of different vulnerabilities. But what's interesting, of course, like as we were mentioning, we didn't actually fail the build, right, like we got a check. So this is where we want to modify this a little bit and then actually fail the build. So let's do that right now. kelseydavid: which repo on GitHub? So let me actually put this in the chat right now.

So now, this time around, we are expecting the build to actually fail, because we specified that the build should fail if we find any at least medium-level vulnerabilities.

Now one thing that we can do is we can view, obviously, the results within the UI, but sometimes you want to actually create or store that build file, like that JSON file with all the vulnerabilities. Well, we can do that very easily with Actions, and this is where the upload-artifact action comes into play. So going back. So while that's running, let's modify this again. Let's look at upload-artifact.
Okay, so the only issue with this upload-artifact now is that it's never actually going to run. So remember, if this build is going to fail, actually what's going to happen is any of the steps that occur afterwards are not going to run, because the build has failed.

So what we need to do is we need to put some configuration options in order to ensure that, even if the last step has failed, we'll actually want to continue on anyways. And this is a great example of looking at the documentation. Oh, let's pull out the full documentation.

This is where I look for... this is really where I want to look at specific workflow syntax, and I would definitely recommend being very comfortable with the documentation, because this is where a lot of the syntax.
I can see that there are a couple of different options: job status check functions. So what I can do is I can add an if statement and, depending on the job status check, I can either always run this, I can run this, you know, when the last step has cancelled, or a couple of different options over here. For this case, I always want to run this option of uploading the JSON file, even if my build has failed. So I'm going to add this if: always() to my step.

What you will be able to see, though, is the actual artifact that it generates, and we'll be able to look at that artifact. For, you know, a lot of people will use this for archiving purposes.

So this is a great way to integrate your Anchore container scans directly within GitHub itself, directly as part of any pushes that occur within GitHub Actions, or of course viewing those results within a PR as well.
While that's completing, I'm just going to show you the documentation again. So looking at the workflow syntax, you can see that we use a number of different keywords: name, on, right, like these should all be a little bit familiar to you. One of the key syntaxes that we just used was this if statement, so you can use an if; it's pretty much a conditional to prevent the job from running unless that condition is met. For us, obviously, this became very useful because we wanted one step to run pretty much always.

Okay, so you could see that this job has failed. We knew that that was going to happen, but now it also has this artifact that we can download, and this will contain all of my vulnerabilities that we picked up in this case. There are a lot of vulnerabilities that we picked up, because this is a dummy application with, well, a lot of vulnerabilities.
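Putting the Anchore walkthrough above together as an added example (not the speaker's workflow file): build the image, gate the job on the scan, and still upload the vulnerability report when that gate fails. The image tag and artifact name are assumptions; `fail-build`, `severity-cutoff` and the JSON-report output (named `vulnerabilities` in anchore/scan-action v2, as I know it) are the inputs and output the talk discusses.

```yaml
# Added example (not from the talk): Anchore container scan as a CI gate.
name: docker-ci

on:
  push:
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest   # the Docker daemon is preinstalled on this runner image
    steps:
      - uses: actions/checkout@v2

      - name: Build the Docker image
        run: docker build --file Dockerfile --tag issc29/node-web-app:latest .

      # Pin the action to a tag (or a commit SHA) so its inputs and outputs
      # cannot silently change underneath the workflow.
      - name: Scan image with Anchore
        id: scan
        uses: anchore/scan-action@v2
        with:
          image: "issc29/node-web-app:latest"
          fail-build: true          # turn findings into a failed check on the PR
          severity-cutoff: medium   # the default; raise to high/critical to gate on fewer findings

      # A failed step stops the steps after it by default; if: always() keeps the
      # report even when the scan gate above has already failed the job.
      - name: Upload vulnerability report
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: anchore-vulnerabilities
          path: ${{ steps.scan.outputs.vulnerabilities }}
```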
Alrighty, moving on. We're now going to move on to the second section, which is what's actually really exciting for me: we're going to look at an application that was known as RailsGoat.

Let's get some more information on that. So again, like, this is specifically a Ruby static code analyzer. The way RuboCop works is a little bit differently from other actions. In general, with RuboCop we're going to install this gem, so we'll install the gem and then RuboCop will report back what's going on.

So let's do that. The difference over here, though, is we're going to use something known as Codespaces. For those of you who have never heard of Codespaces, I'm going to create a new codespace. What Codespaces is, is an integrated online IDE, right. So this isn't just some simple workflow editor.

This is actually the full power of VS Code running in the cloud, so I can open and create a new workspace, and that will install all of the dependencies and everything that I need in order to get started. So this will make our lives very easy. It's right now in beta; you can check it out.
If you look for that over here, you can get some more information about how Codespaces works. Of course, you can see that we're right now initializing the codespace. In the background, actually, what's happening is it's building a container, the container that I specified, and this is going to give me my full IDE. Now this may take some time in order to boot up, so I already started a codespace.

The reason why it's going to take some time to boot up is, in the background, it's actually going to do a bundle install. For those of you familiar with Node, it's the same thing as npm install: it's going to install all the dependencies in the background, so that usually takes a couple of minutes in order to start. I'm gonna skip that for now. So let me go back to issc29, go back to my repos.

And we'll go back to RailsGoat. You can see, of course, this is getting started, that codespace. I already have this one started up.
We have a question from kelseydavid: How do I get a codespace to edit code? I made the request from the beginning, but unfortunately haven't got the functionality for my account. So I do know that we are continuously adding additional users into the Codespaces beta. It is going to take some time; we are prepping to GA that, so stay tuned. You should be added pretty soon.

Okay, so you can see that this is my codespace. Of course, like, if you are familiar with VS Code, it looks very similar to VS Code, and the reason, of course, is in the background it all is VS Code. Going back to my previous codespace that I created, right; so this is the new one that I created.

Let's look at the creation log, just to get a little bit more information, and of course you could see that this is where the configuration... remember how I told you that it's going to automatically create your own, it's going to automatically install dependencies? So this is actually where those dependencies are being installed.

Okay, so let's do... we have full access to the terminal, of course. So let's do a bundle install.
Okay, installed. So now, if I wanted to run... usually when I'm integrating a security tool, I'm going to run this first manually and then I'm going to create the Actions workflow file, just to see how it works normally. So I'm going to do a bundle, oops, bundle exec.

So this of course ran RuboCop manually; we found 1100 offenses detected. The next thing that I want to do is just understand what the output of that last command was. So you can see, of course, that over here I see an exit code of one. Now an exit code of one, of course, means that there was an offense, right. There was a vulnerability that was detected. So this gives me, you know, there are similar type options, of course, with RuboCop as well, in order to define what exactly is considered a bad vulnerability, right, like we can put a severity level as well. Let's see, RuboCop, well, I forgot where that was, but you have that option to do that as well, and then that would return a zero if it doesn't meet the specified version, so the specified critical vulnerability level. But let's actually get this as part of a GitHub Action. So let me go back to github.com.
So we're setting up Ruby first; of course, we're using Ruby. We're gonna want to install any dependencies, so, very similar to what we were doing in the codespace, we're going to want to run a bundle install, and then finally we're going to want to run RuboCop. So we're actually going to run it in a very similar manner to how we did before. This time we're not going to use an action, but we're going to manually run it, so RuboCop run, and we'll take that run.

So we can do that same RuboCop, but I'm gonna add in another feature that I'm going to describe right now. So let me just copy this over one more time.

Okay, what this is doing is it's running RuboCop and it's also going to format our output as SARIF output. Now, for those of you who are familiar with SARIF, I'm sorry, it's pretty much an interchange format, so it's a format that other tools understand, very similar to JSON. SARIF is the standard for security tools, and the reason why we're going to do that is we're going to run RuboCop, but now we're also going to put those results into the GitHub security dashboard, right.
The SARIF file, again, like we can upload this very similar to how we did it with the JSON file as an artifact, but this time I'm actually going to upload it into GitHub in order to visualize that as part of the Security tab as well, and that's going to get us a lot of information directly integrated as part of the GitHub native workflow.

This is sort of where we're going, so just to give you a visualization, especially for those who have open source: this is available today. You can go to code scanning alerts and start to view the results that we pick up directly over there as well, if we were to create a pull request. So let's do that in the meantime; maybe we will change something on the README.

You'll start to see that these checks start to come in as well, so you can see the CI build is currently queued. We happen to be running Travis in the background as well, but that's CI build, and then you'll also get a status as well for RuboCop and anything like that. So we're getting a lot of information directly within the PR, and of course we are now just waiting on a couple of these actions to complete. Okay. So that's how I would integrate RuboCop as part of our workflow.
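The RailsGoat workflow as an added example (not the speaker's file): set up Ruby, bundle install, run RuboCop by hand rather than through an action, and emit SARIF for the Security tab. It assumes the code-scanning-rubocop gem, which supplies the SARIF formatter that GitHub's RuboCop starter workflow uses, is in the Gemfile, and the Ruby version is an assumption.

```yaml
# Added example (not from the talk): RuboCop run directly, results uploaded as SARIF.
name: rubocop

on:
  push:
  pull_request:

jobs:
  rubocop:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '2.6'   # assumption: match the project's .ruby-version

      - name: Install dependencies
        run: bundle install     # the same step the codespace ran in the background

      # RuboCop exits 1 when it finds offenses and 2 on a tool error. Offenses go
      # into the SARIF file and only a tool error (exit 2) fails this step, so the
      # upload below always has a report to send.
      - name: Run RuboCop with SARIF output
        run: |
          bundle exec rubocop --require code_scanning \
            --format CodeScanning::SarifFormatter -o rubocop.sarif || [ $? -eq 1 ]

      - name: Upload SARIF to the Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: rubocop.sarif
```

Each RuboCop offense then shows up under Security, code scanning alerts, on the exact line it was found, which is what the later part of the talk shows for RailsGoat.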
The last thing that I wanted, or really the last integration that I wanted to go over, is Codacy. Codacy is a little bit different from the last two. So we ran Anchore, we ran RuboCop; we're now going to go over to Codacy. I already created a profile.

But the nice thing over here as well is that there's a UI that we can start to visualize what's going on with as well. So let's look at that UI first.

Of course, automated code review and analysis. I'm gonna look at repository, so I'm gonna... so I have this other repository, right. So this one you can check on my profile as well. Oh well, let's find it.

I'm going to go to your repositories and, yeah, the PHP Codacy demo, so you can check out my profile. This is the new repository that we're working on right now, and PHP. So let me add that into Codacy: add repository.

And go to repository now. The first thing that I'm going to do on this end is I'm going to run the analysis through the build server. So what this does is the analysis is actually going to run on GitHub Actions instead of it running on the Codacy end. Really, all we're going to do is then pipe in the results to Codacy afterwards.
That allows you to integrate this directly as part of your CI, instead of having an external service have to do this. The next thing that we're going to do is we can see that GitHub is already integrated, right, so we have Codacy integrated as part of a post-commit hook as well. As part of, you know, this will send back the pull request status.

The thing that I also want to do is I want to add a project API. I'll show you why when we go through the action. So now we know the drill, right: when we want to add any security third-party tools, we're going to want to go to Actions and create another Actions workflow. So let's do this for the final time.

Okay, we're going to check out, we're going to remove this over here, and here's where we're going to want to look at Codacy again and we're going to check out the Codacy Analysis CLI. So let's look at the full marketplace listing again. We have a couple of different options.

You can see that the way to integrate it would be to use this Codacy Analysis CLI engine. Of course we can take a look at the links. You know, this is always what I do: go to action.yaml.
Hopefully this is familiar at this point. We look at all the inputs as well as all of the... there are no outputs. So there are a lot of different inputs that we can use with the Codacy tool: tool, tool timeout, whether we want to upload the results to Codacy. In this case, we are going to want to upload the results into Codacy, and the format and stuff. A lot of this information, you can go back to the tool itself and you'll start to get some more info on how to create this.

Before we complete the Codacy one, let's just go back to RailsGoat. Oh, looks like we're still running, right. So remember, we're going back to RailsGoat right now, and with RailsGoat, just to refresh your memory, we did a couple of things. Looking at that workflow file, we installed the dependencies, we ran RuboCop and we uploaded that SARIF output. So what does the upload SARIF output do now? This is where we can actually see it. So we can look at the code scanning alerts. We click on Security, code scanning alerts. We can see that there's RuboCop now, and that we're actually able to also visualize exactly where these issues occurred directly within GitHub itself, right.
So this is ingesting external SARIF output into GitHub itself, viewing this within the Security tab, but now it makes it very easy for developers to figure out exactly what's going on in regards to code scanning alerts. It's important to know that this was also available for Anchore. I just decided to show it to you for RailsGoat, but this was definitely available for Anchore as well; you can check that out. Really, it's all about uploading the SARIF file to GitHub, and then we will analyze it and present it to you directly within the GitHub UI in the Security tab.

We see a lot of information directly over here, such as the exact line that this occurred on, as well as some more information as to what this actual issue is, giving some examples and whatnot. So this is a very, very... I don't want to undermine it; this is a very, very powerful feature.

Over here we're going to run the Codacy CLI. We're looking back at those options again; like, this is... we're pretty much copying and pasting from over here. We want to be verbose; it's just the output over here, the output.
The last thing that you may notice with Codacy is that it requires a project token. In general, like, this isn't actually required; you can run the Codacy CLI without a project token, but what this does is this allows us to upload our results back into Codacy, so we are going to want to use that. But over here, notice something where we're specifying a secret, right. So this secret is the Codacy project token secret, and it's located within our secrets vault.

It's important to note that when you want to access any secrets, maybe for third-party external tools, you should never actually just put it directly into a GitHub Actions workflow, because then that's visible to everybody. So that's why we have a Secrets tab over here. You can create your own secrets; I'm going to create my own, pretty much codacy project token, and of course, going back to the API.

Don't worry, it's going to be deleted very quickly after this presentation. So we created our secret over here; now when we actually do run this, it's going to actually reference that secret that we specified over here. Note, by the way, like, there's no way for me to ever view that secret again; the only thing that I can do is update it. So it's security for me as well: I don't ever have to remember what those secrets are. Okay, so we did that.

The last thing that we need to do is upload the SARIF file, very similar to how we did beforehand. Again, like, this is sort of optional; like, you really don't have to do this, but this is for the visualization within GitHub as well.
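The Codacy step as an added example (not the speaker's workflow): the project token is read from the repository secrets vault through the `secrets` context, never written into the file. It assumes a secret named CODACY_PROJECT_TOKEN and uses the codacy/codacy-analysis-cli-action inputs as I know them (project-token, upload, verbose, output, format, gh-code-scanning-compat, max-allowed-issues).

```yaml
# Added example (not from the talk): Codacy CLI in Actions, token read from a secret.
name: codacy

on:
  push:
  pull_request:

jobs:
  codacy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # Pin to a release tag or commit SHA in real use, as the talk advises for Anchore;
      # @master is only what the action's own README shows.
      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@master
        with:
          # WRONG:  project-token: 1234abcd...   (plaintext token in a world-readable file)
          # RIGHT:  reference the secret; Actions masks it in logs, and the secret can only
          #         be overwritten in the Secrets tab, never read back.
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          upload: true                     # send results back to the Codacy UI
          verbose: true
          output: results.sarif
          format: sarif
          gh-code-scanning-compat: true    # SARIF shaped for GitHub code scanning
          max-allowed-issues: 2147483647   # let the dashboards, not this step, surface findings

      # Optional, as in the talk: show the same findings in the GitHub Security tab.
      - name: Upload SARIF to GitHub
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
```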
If we want to dig into a specific code style issue, we can see a number of scripts and a number of issues, right, like this is a good place to start to view a lot of the issues that we were seeing within GitHub itself. So again, like with Codacy, the nice thing about Codacy is that it's running a number of different tools in the background, so it's not just running a single tool. But let's see, it's running all these built-in tools like Brakeman; it's actually running RuboCop as well.

In the background. So beforehand, where we were running a specific tool, we were running only RuboCop; the Codacy CLI is actually running a number of different tools, from RuboCop to Brakeman to ESLint and stuff. We'll be able to visualize those things as well within GitHub as well. Yeah, let's go.
The things that I want to stress over here: one is that when you do want to reference new actions, definitely check out the GitHub Marketplace, either here or by googling the GitHub Marketplace. You're going to get a lot of different actions that are available. Again, like, I'm only showing you three specific actions today, but there are tons more available on the marketplace. One interesting one, if you look at GitHub OSSAR, another interesting action: this runs very similarly to Codacy, where it's running a number of different tools in the background, such as Bandit, BinSkim, ESLint. This is, you know, again, like, there's full documentation over here, so you can check it out, and then you can also upload those results to the Security tab.

So if you are running, like, if you create a Ruby project, we'll give you a lot of different options for workflows that you can get started with very quickly. Obviously, CodeQL is one of them, but if we wanted to, for example, run Codacy, instead of doing this manually, I can just go to code scanning alerts, click "Set up this workflow", and that's going to give me a full workflow file already created, with all the options already selected.
And go back to the Anchore demo. We can do really the same thing over here. Go to code scanning alerts; you'll notice that, because this is a Dockerfile, because we detected this as a Dockerfile, we're going to give you that option to run Anchore container scanning. Click on "Set up this workflow"; it's going to give you a very similar style workflow to the one that we manually built. So you have those two different options of how you want to create these workflow files.

Of course, these templates are all open source. You can check them out on the github organization and the actions organization as well, and that's a very easy way to get started, to start to integrate this as part of the PR and, of course, as part of any push that you do to GitHub.

Let's see if that PHP Codacy finished. We're still in, so this is gonna take some time to go. It usually takes about 12 minutes in order to run, so we still have about another five minutes. Any other questions before we end this recording? Let's check the chat. So that's most of what I had to show you. You can come check back on these repos and start to copy some of the things that I did.

Of course, everything is open source, so you can check out github.com, you know, the PHP Codacy demo, as well as the other repos under my username. Feel free to star them; also feel free to ping me afterwards. I'm happy to answer any questions on Twitter; you know, Twitter's also my same handle, so very easy to reach me. That's it from my end. Thank you, everybody. Also feel free to send any questions afterwards.