►
Description
Issac Cohen, Field Solutions Architect, digs into 3rd party integrations with a focus on security and code quality. With GitHub Actions, bring these tools directly into your CI/CD pipeline and get to Production faster and with greater confidence.
Find more at: https://github.com/learn/security
A
Hey
everybody-
isaac
cohen
here
very
excited
to
be
talking
to
you
today
about
git
of
actions,
specifically
third
party
security
actions.
It's
funny
I'm
so
I'm
a
field
architect
here
at
github
and
I've
been
in
the
ci
market.
I've
been
doing
ci
for
about
10
years
now,
I'm
so
very
excited
to
be
talking
continuously
about
ci
cicd,
github
actions,
but
also
its
combination
with
security.
And
how
do
we
start
to
integrate
those
third-party
security
actions
as
part
of
our
cicd
pipelines?.
A
Starting
off
with
just
giving
you
a
brief
introduction
into
github
actions,
of
course,
as
you
know,
a
github
actions
is
the
github
native
cicd
platform.
What's
interesting
is
that
in
the
last
year
and
a
half
that
we've
launched
github
actions,
we
now
have
over
5500
actions
in
the
github
marketplace.
A
A
A
A
A
A
A
Okay,
so
moving
back
to
the
actual
link
or
demo,
I'm
going
to
click
on
github
actions
and
you'll
see
it
gives
me
a
number
of
different
workflows
out
of
the
box,
whether
it's
publishing
a
docker
container,
I'm
just
going
to
create
one
myself.
So
we'll
call
this
docker
ci,
okay.
So
the
first
thing
that
we
see
is
on
push
right.
So
every
time
we
push
or
every
time
we
open
up
a
pull
request,
we
will
run
want
to
run
this
workflow.
A
We
have
jobs,
runs
on
okay,
we're
gonna
want
to
run
on
ubuntu
latest.
That's
exactly
what
I
wanna
do,
especially
because
this
is
a
linux
docker
container,
I'm
gonna
run
this
as
part
of
ubuntu.
It
has
docker
or
the
docker
demian
already
installed,
so
it
makes
our
lives
very
easy
and,
of
course,
the
first
thing
that
we'll
do
is.
We
will
check
out
the
code
okay,
so
now.
This
is
where
we
we
have
to
change
a
couple
of
things
around.
A
A
The
docker
image
and
for
this
one
we're
just
going
to
run
a
command
it's
going
to
be
docker,
build
dash
file,
so
we're
going
to
take
that
docker
file
and
build
it.
We
will
tag
it
we'll
call
this
issc29,
that's
my
username
node
web
app
latest.
I
think
that's
all
I
have
to
do.
Oh
yeah,
let's
add
a
dot
over
there.
Okay,
so
this
is
actually
going
to
build
my
docker
container,
but
the
next
thing
that
I
want
to
do
is
I
actually
want
to
run
anchor.
A
A
This
is
going
to
be
give
me
a
ton
of
information
of
how
to
actually
run
the
the
the
get
up
action.
The
in
core
container
scan
github
action.
So
this
is
going
to
give
me
some
some
examples
that
I
can
get
started
with.
You
know,
let's
see
container
scanning
directory
scanning,
as
well
as
the
action
inputs
and
the
action
outputs
right,
so
action
inputs
are
going
to
be
the
the
knobs
and
controls
that
I
can
do
that.
A
Can
that
that
I
can
configure
in
order
to
configure
the
action
to
the
way
that
I
want
to
configure
it
and,
of
course
the
outputs
are
going
to
be
any
outputs
that
are
that
are
that
are
sent
out
from
the
action
over
here.
It's
going
to
send
me
the
the
path
to
a
json
pile
of
the
vulnerabilities,
but
to
me
I
always
like
to
go
back
to
the
actual
repository
to
to
go
a
little
bit.
Let's
say
a
level
deeper,
so
I'll
click
on
links
and
that'll.
A
Take
me
to
the
actual
repo
where
this
action
was
created,
a
number
of
things
that
you'll
notice.
Of
course
you
have
the
readme,
which
gives
you
pretty
much
the
same
information
that
you
saw
on
the
marketplace
listing.
But
the
other
interesting
thing
that
I
always
like
to
look
at
is
the
action.yaml
file.
So
the
action.yaml
file
is
the
source
of
truth
as
to
what
are
the
actual
inputs
and
outputs.
Sometimes
the
documentation
can
be
a
little
slow.
A
A
A
Would
go
to
ink
or
scan
action
tags
and
we
can
see
that
this
is
v2,
so
it's
actually
we're
going
to
reference
this
exact
tag
on
this
repository
for
this
action.
You
know
sometimes
actions
will
change
over
time,
so
it's
usually
very
much
recommended
to
use
to
specify
a
tag
or
a
specific
shot,
because
that
ensures
that
the
inputs
and
outputs
are
exactly
the
same
uses
and
now
over
here
for
the
image
we're
gonna
we're
gonna
use
that
image
that
we
just
created
right
so
issc,
29
latest.
A
A
There
are
a
couple
of
interesting
options
again.
These
are
those
controls
that
you
can
start
to
play
around
with.
Obviously,
we
used
image
over
here,
but
I'm
probably
going
to
want
to
fail
the
build
right.
So
what
fail
build
does
is,
if
there's
a
value
above,
let's
say
you
have:
let's
say
you
have:
let's
say
you
have
any
issues
fail.
Build
will
actually
fail
that
bill.
That
way
in
the
pull
request,
we
can
start
to
get
that
information.
Oh,
let's
see
we
actually.
A
A
I
see
another
question
on
latest
versus
specified
version,
so
I'm
going
to
guess
that
you're
talking
about
the
tag
that
I
created
a
lot
of
times,
you'll
create
a
specific
version.
Over
here
I
was
being
a
little
bit.
Lazy
lazy
by
just
doing
latest,
but,
like
a
lot
of
folks,
will
will
actually
tag
their
docker
images
when
they
build
them
with
a
specific
sha
or
something
like
that
right.
So
there's
a
lot
of
different
ways.
You
can
version
your
containers.
A
Yeah
all
right,
let's
look
at
this
action
completed
it's
continuing
on,
but,
as
I
was
saying
so,
we
are
going
to
want
to
turn
on
fail,
build
when
this,
when
this
works,
we're
also
going
to
want
to
turn
on
the
severity
cutoff.
So
if
you
could
think
about,
like
you
have
a
number
of
different
options,
maybe
you
have
vulnerabilities
that
are
low,
medium,
high,
critical,
etc.
A
A
Scan
the
image,
if
we
scroll
down,
so
we
can
see
that
we
actually
found
a
number
of
different
vulnerabilities.
But
what's
interesting,
of
course
like
as
we
were
mentioning,
we
didn't
actually
fail
the
build
right
like
we
got
a
check.
So
this
is
where
we
want
to
modify
this
a
little
bit
and
then
and
then
actually
fail
the
build.
So
let's
do
that
right
now,
kelsey
david!
What's
what
what
which
repo
on
github?
So
let
me
actually
put
this
in
the
chat
right
now.
A
A
Now
one
thing
that
we
can
do
is
we
can
view,
obviously
the
results
within
the
ui,
but
sometimes
you
want
to
actually
create
or
store
that
that
build
file
like
that
json
file
with
all
the
vulnerabilities.
Well,
we
can
do
that
very
easily
with
actions,
and
this
is
where
the
upload
artifact
action
comes
into
play.
So
going
back.
So,
while
that's
running,
let's
modify
this
again.
Let's
look
at
upload
action.
A
A
A
A
A
A
A
So
what
we
need
to
do
is
we
need
to
put
some
some
configuration
options
in
order
to
ensure
that,
even
if
the
the
last
step
has
failed,
we'll
actually
want
to
continue
on
anyways,
and
this
is
a
great
example
of
looking
at
the
documentation
looking
at
the
documentation.
Oh,
let's
pull
out
the
full
documentation.
A
A
I
can
see
that
there
are
a
couple
of
different
options:
job
status
check
function,
so
what
I
can
do
is,
I
can
add,
an
if
statement
and
depending
on
the
job
status
check,
I
can
either
always
run
this.
I
can
run
this.
You
know
when,
when
the
last
step
has
cancelled
or
or
a
couple
of
different
options
over
here
for
for
this
case,
I
always
want
to
run
this
option
of
uploading
the
json
file,
even
if
my
build
has
failed.
So
I'm
going
to
add
this,
if
always
to
to
my
step.
A
A
While
that's
completing
I'm
just
going
to
show
you
the
documentation
again
so
looking
at
the
workflow
syntax,
you
can
see
that
we
use
a
number
of
different
keywords.
Name
on
right,
like
these
should
all
be
a
little
bit
familiar
to
you,
one
of
the
key
syntaxes
that
we
just
used
was
this
if
statement
so
you
can
use
an
if
so
it's
pretty
much
a
conditional
to
prevent
the
job
from
running
unless
that
condition
is
met
for
us.
A
Obviously,
this
this
became
very
useful
because
because
we
wanted
one
step
to
run
pretty
much,
always
okay,
so
you
could
see
that
this
this
job
has
failed.
We
knew
that
that
was
going
to
happen,
but
now
it
also
has
this
artifact
that
we
can
download-
and
this
will
contain
all
of
my
vulnerabilities
that
we
picked
up
in
this
case.
There
are
a
lot
of
vulnerabilities
that
we
picked
up,
because
this
is
a
dummy
application
with
well
a
lot
of
vulnerabilities.
A
A
A
Let's
get
some
more
information
on
that
so
again
like
this
is
a
a
specifically
a
ruby
static
code
analyzer.
The
way
robocop
works
is
a
little
bit
differently
from
other
actions
in
general,
with
robocop
we're
going
to
install
this
gem,
so
we'll
install
the
gem
and
and
then
rubocop
will
report
back
what's
going
on.
A
So
let's
do
that.
The
difference
over
here,
though,
is
we're
going
to
use
something
known
as
code
spaces.
For
those
of
you
who
have
never
heard
of
code
spaces,
I'm
going
to
create
a
new
codespace.
What
codespaces
is
is
a
an
integrated
online
ide
right.
So
this
isn't
just
some
simple
workflow
editor.
A
A
If
you
look
for
that
over
here,
you
can
get
some
more
information
about
how
code
spaces
works.
Of
course,
you
can
see
that
we're
right
now,
initializing
the
code
space
in
the
background
actually
what's
happening,
is
it's
it's
building
a
container.
The
container
that
I
specified-
and
this
is
going
to
give
me
my
full
ide
now
this
may
take
some
time
in
order
to
boot
up
so
I
already
started
a
codespace.
A
The
reason
why
it's
going
to
take
some
time
to
boot
up
is,
in
the
background
it's
actually
going
to
install
all
of
the
it's
going
to
do
a
bundle
install
for
those
of
you
familiar
with
notice,
the
same
thing
as
npm
install
it's
going
to
install
all
the
dependencies
in
the
background,
so
that
usually
takes
a
couple
of
minutes
in
order
to
start
I'm
gonna,
I'm
gonna
skip
that
for
now.
So
let
me
go
back
to
issc
29
go
back
to
my
repos.
A
A
We
have
a
question
from
kelseydavid.
How
do
I
get
a
code
space
to
edit
code?
I
made
the
request
from
the
beginning,
but
unfortunately
have
haven't,
got
the
functionality
for
my
account.
So
I
do
know
that
we
are
continuously
adding
additional
users
into
the
code
spaces
beta.
It
is
going
to
take
some
time.
We
are
prepping
to
ga
that
so
so
stay
tuned.
You
should
be
added
pretty
pretty
soon
so.
A
Okay,
so
you
can
see
that
this
is
my
code
space,
of
course
like.
If
you
are
familiar
with
vs
code,
it
looks
very
similar
to
vs
code
and
the
reason,
of
course,
is
the
background.
It
all
is
vs
code
going
back
to
my
previous
codespace
that
I
created
right.
So
this
is
this
is
the
new
one
that
I
created.
A
Let's
look
at
the
creation
log
just
get
a
little
bit
more
information,
and,
of
course
you
could
see
that
this
is
where
the
configuration
remember
how
I
told
you
that
it's
going
to
automatically
create
your
own.
It's
going
to
automatically
install
dependencies,
so
this
is
actually
where
those
dependencies
are
being
installed.
A
A
So
this
of
course
ran
robocop
manually
we
found
1100
offenses
detected.
The
next
thing
that
I
want
to
do
is
just
understand
what
the
output
of
that
last
command
was.
So
you
can
see,
of
course,
that
over
here
I
see
a
an
output
of
one
now
one
an
exit
code
of
one
of
course
means
that
there
was.
There
was
an
offense
right.
There
was
a
vulnerability
that
was
detected,
so
this
gives
me
you
know
there
are
similar
type
options,
of
course,
with
rubocop
as
well,
in
order
to
define
what
exactly
is
a?
A
What
exactly
is
considered
a
bad
vulnerability
right
like
we
can,
we
can
put
a
severity
level
as
well.
Let's
see
rouble
cup
well,
I
forgot
where
that
was,
but
you
have
that
option
to
do
that
as
well,
and
then
that
would
return
that
to
a
zero
if
it
doesn't
meet
the
specified
version,
so
the
specified
critical
vulnerability
level,
but
let's,
let's
actually
get
this
as
part
of
a
good
of
action.
So
let
me
go
back
to
github.com.
A
A
A
So
we're
setting
up
ruby
first,
of
course,
we're
using
ruby.
We're
gonna
want
to
install
any
dependencies
so
very
similar
to
what
we
were
doing
in
the
code
space
we're
going
to
want
to
run
a
a
bundle,
install
and
then
finally,
we're
going
to
want
to
run
rubocop.
So
we're
actually
going
to
run
it
in
a
very
similar
manner
to
how
we
did
before
this
time.
We're
not
going
to
use
an
action,
but
we're
going
to
manually,
run
it
so
robocop
run
and
we'll
take
that
run.
A
A
Okay,
what
this
is
doing
is
it's
running
rubocop
and
it's
also
going
to
format
our
output
as
sarif
output.
Now,
for
those
of
you
who
are
familiar
with
serif,
I'm
sorry
if
it's
pretty
much
an
interchange
format,
so
it's
a
format
that
other
tools
understand
very
similar
to
json.
Sarif
is
the
standard
for
security
tools
and
the
reason
why
we're
going
to
do
that
is
we're
going
to
run
rubocop,
but
now
we're
also
going
to
put
those
results
into
the
github
security
dashboard
right.
A
A
A
A
This
is
sort
of
where
we're
going
so
just
to
give
you
a
visualization,
especially
for
those
who
have
open
source.
This
is
available.
Today
you
can
go
to
code
scanning
alerts
and
start
to
view
those
those
the
results
that
we
pick
up
directly
over
there
as
well.
If
we
were
to
create
a
pull
request.
So
let's
do
that
in
the
meantime,
maybe
we
will
change
something
on
the
readme.
A
A
You'll
start
to
see
that
these
checks
start
to
come
in
as
well,
so
you
can
see
the
ci
build
is
is
currently
queued.
We
happen
to
be
running
travis
in
the
background
as
well,
but
that's
ci
build
and
then
you'll
also
get
a
status
as
well
for
for
robocop
and
anything
like
that.
So
we're
getting
a
lot
of
information
directly
within
the
pr
and
of
course
we
are
now
just
waiting
on
this
on
a
couple
of
these
actions
to
complete
okay.
So
that's
how
I
would
integrate
robocop
as
part
of
our
workflow.
A
A
A
A
A
And
go
to
repository
now.
The
first
thing
that
I'm
going
to
do
on
this
end
is
I'm
going
to
run
the
analysis
through
the
build
server.
So
what
this
does
is
the
analysis
is
actually
going
to
run
on
github
actions
instead
of
it
running
on
the
code
as
the
end.
Really,
all
we're
going
to
do
is
then
pipe
in
the
results
to
codec
afterwards.
A
That
allows
you
to
integrate
this
directly
as
part
of
your
ci.
Instead
of
having
an
external
service.
Have
it
have
to
do
this?
The
next
thing
that
we're
going
to
do
is
we
can
see
that
github
is
already
integrated
right,
so
we
have
code
to
see
integrated
as
part
of
post
commit
hook
as
well.
As
part
of
you
know,
this
will
send
back
the
pull
request
status.
A
The
thing
that
I
also
want
to
do
is,
I
want
to
add
a
project
api
I'll,
show
you
why,
when
we
go
through
the
action
so
now
we
know
the
drill
right
when
we
want
to
add
any
security.
Third
party
tools,
we're
going
to
want
to
go
to
actions
and
create
another
actions
workflow.
So
let's
do
this.
For
the
final
time.
A
A
A
Hopefully
this
is
familiar
at
this
point.
We
look
at
all
the
inputs
as
well
as
all
of
the
there
are
no
outputs.
So
there
are
a
lot
of
different
inputs
that
we
can
use
with
the
codec
with
the
codec
tool
tool
tool
timeout,
whether
we
want
to
upload
the
results
to
codec.
In
this
case,
we
are
going
to
want
to
upload
the
results
into
codec
and
and
the
the
the
format
and
stuff
a
lot
of
this
information.
A
You
can
go
back
to
the
tool
itself
and
you'll
start
to
get
some
more
info
on
how
to
create
this
before
we
complete
the
courtesy.
Let's
just
go
back
to
railscope.
Oh
looks
looks
like
we're
still
running
right,
so
remember
we're
going
back
to
rails,
goat
right
now
and
with
rails
go
just
to
refresh
your
memory.
A
We
did
a
couple
of
things.
Looking
at
that
workflow
file,
we
installed
the
dependencies,
we
ran,
we
ran
rubocop
and
we
uploaded
that
serif
output.
So
what
does
the
upload
serif
output
do
now?
This
is
where
we
can
actually
see
it.
So
we
can
look
at
the
code
scanning
alerts.
We
click
on
security
code
scanning
alerts.
We
can
see
that
there's
rubocop
now
and
that
we're
actually
able
to
also
visualize
exactly
where
these
issues
occurred
directly
within
github
itself
right.
A
So
this
is
ingesting
sarif
external
serif
output
into
github
itself,
viewing
this
within
the
security
tab,
but
now
it
makes
it
very
easy
for
developers
to
figure
out
exactly
what's
going
on
in
regards
to
code
scanning
alerts,
it's
important
to
know
that
this
was
also
available
for
ancor.
I
just
decided
to
show
it
to
you
for
rails
goat,
but
this
was
definitely
available
for
aincor
as
well.
You
can
check
that
out.
Really
it's
all
about
uploading.
A
The
sarah
file
into
uploading,
the
sarah
file
to
github,
and
then
we
will
analyze
it
and
present
it
to
you
directly
within
the
github
ui
in
the
security
tab.
We
see
a
lot
of
information
directly
over
here,
such
as
the
exact
line
that
this
occurred,
as
well
as
some
more
information
as
to
what
this
actual
issue
is
giving
some
examples
and
whatnot.
So
this
is
a
very
very
I
don't
want
to
undermine
it.
This
is
a
very,
very
powerful
feature.
A
A
A
The
last
thing
that
you
may
notice
with
codec
is
that
it
requires
a
project
token
in
general,
like
this,
isn't
actually
required.
You
can
run
the
coded
ccli
without
a
project
token,
but
what
this
does
is
this
allows
us
to
upload
our
con
our
results
back
into
codec,
so
we
are
going
to
want
to
use
that,
but
over
here
notice,
something
where
we're
we're
specifying
a
secret
right.
So
this
secret
is
the
codicy
project,
token
secret,
and
it's
located
within
our
secrets
vault.
A
It's
important
to
note
that
when
you
want
to
store
any
secrets
within
a
within
when
you
want
to
access
any
secrets,
maybe
for
third-party
external
tools,
you
should
never
actually
just
put
it
directly
into
a
github
work,
a
github
actions
workflow,
because
then
that's
visible
to
everything
to
everybody.
So
that's
why
we
have
a
secrets
tab
over
here.
You
can
create
your
own
secrets,
I'm
going
to
create
my
own,
pretty
much
codec
project,
token
codec
project,
token
and,
of
course,
going
back
to
the
api.
A
Don't
worry
it's
going
to
be
deleted
very
quickly
after
this
presentation,
so
we
created
our
secret
over
here
now
when
we
actually
do
run
this,
it's
going
to
run
it's
going
to
actually
reference
that
secret
that
we
specified
over
here
note
by
the
way,
like
there's
no
way
for
me
to
ever
view
that
secret
again,
the
only
thing
that
it
can
do
is
update
it.
So
it's
security
for
me
as
well.
I
don't
ever
have
to
remember
what
those
secrets
are
okay,
so
we
did
that
we
did
that.
A
A
A
A
A
If
we
want
to
dig
into
a
specific
code
style
issue,
we
can
see
a
number
of
scripts
and
a
number
of
issues
right
like
this
is
so
a
good
place
to
start
to
view
a
lot
of
the
issues
that
we
were
seeing
within
getup
itself,
so
again
like
with
codicy.
The
nice
thing
about
codec
is
that
it's
it's
running
a
number
of
different
tools
in
the
background,
so
it's
not
just
running
a
single
tool,
but
let's
see
it's
running
all
these
built-in
tools
like
brake
man,
it's
actually
running
rubocop
as
well.
A
A
A
The
things
that
I
want
to
stress
over
here,
one
is
that
when
you
are
creating,
when
you
do
want
to
reference,
new
actions
definitely
check
out
the
github
marketplace,
either
here
or
by
googling
the
github
marketplace
you're
going
to
get
a
lot
of
different
actions
that
are
available
again,
like
I,
I'm
only
showing
you
three
specific
actions
today,
but
there
are
tons
more
available
on
the
marketplace.
One
interesting.
A
If
other
look
at
github
osar
another
interesting
action,
this
this
runs
very
similarly
to
codec,
where
it's
running
a
number
of
different
tools.
In
the
background,
such
as
bandit
binskim
es
lent.
This
is
you
know
again
like
there's
full
documentation
over
here,
so
you
can
check
it
out
and
then
you
can
also
upload
those
results
to
security
tab.
A
So
if
you
are
running
like,
if
you
create
a
ruby
project,
we'll
give
you
a
lot
of
different
options,
four
workflows
that
you
can
get
started
for
very
quickly.
Obviously,
codeql
is
one
of
them,
but
if
we
wanted
to,
for
example,
run
quota
c
and
instead
of
doing
this
manually,
I
can
just
go
to
code
scanning
alerts.
Click
set
up
this
workflow
and
that's
going
to
give
me
a
full
workflow
file,
already
created,
with
all
the
options
already
selected.
A
A
And
go
back
to
the
encore
demo.
We
can
do
really
the
same
thing
over
here.
Go
to
code
scanning
alerts,
you'll
notice,
that,
because
this
is
a
docker
file,
because
we
detected
this
as
a
docker
file,
we're
going
to
give
you
that
option
to
run
ink
or
container
scanning
click
on
set
up
this
workflow,
it's
going
to
give
you
a
very
similar
style,
very
similar
style,
workflow
to
the
one
that
we
manually
built.
So
you
have
those
two
different
options
of
of
how
you
want
to
create
these
workflow
files.
A
Of
course,
these
templates
are
all
open
source.
You
can
check
them
out
on
on
on
the
github
organization
and
the
actions
organization
as
well,
and
that's
a
very
easy
way
to
get
started
to
start
to
integrate
this
as
part
of
the
pr
and
a
par
and
out,
of
course,
as
part
of
any
push
that
you
do
to
github.
A
Let's
see
if
that
php
codec
finished
we're
still
in
so
this
is
gonna
take
some
time
to
go
it.
It
usually
takes
about
12
minutes
in
order
to
run
so
we
still
have
about
another
five
minutes.
Any
other
questions
before
we
end
this
recording,
let's
check
the
chat,
so
that's
most
of
what
I
had
to
show
you.
You
can
come
check
back
on
these
repos
and
get
a
lot
and
start
to
copy
some
of
the
things
that
I
did.
A
Of
course
everything
is
open
source,
so
you
can
check
out
github.com.
You
know,
phpcodec
demo,
as
well
as
the
other
repos
under
my
username,
feel
free
to
star
them
also
feel
free
to
ping.
Me
afterwards,
they're
happy
to
answer
any
questions
on
twitter.
You
know
twitter's
also,
my
same
handle
so
very
easy
to
reach
me.
That's
it
for
my
end.
Thank
you.
Everybody
also
feel
free
to
send
any
questions
on
afterwards.