Description
Kevin Alwell, Solutions Engineer, uses GitHub’s fully-integrated CI/CD to enable native application security features. Dive into GitHub Actions, code scanning, software composition analysis, secret detection, and policy enforcement to achieve DevSecOps maturity.
Learn more about Security here: https://github.com/learn/security
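The stream below assembles a Node CI workflow, a CodeQL code scanning workflow and Dependabot alerts one screen at a time. As an added reference, not a file shown on the stream or shipped by GitHub, here is a single workflow of the shape the speaker builds up: a Node test matrix plus a CodeQL job, triggered on push, on pull request and on a schedule so that new queries still run when nobody commits. The default branch name, the Node versions, the cron expression and the `queries` choice are assumptions; `actions/checkout`, `actions/setup-node` and `github/codeql-action` are the public actions with the inputs shown.

```yaml
# .github/workflows/ci-and-codeql.yml
# Added example, not the stream's own workflow. Assumes a Node.js repository
# with an `npm test` script in package.json and a default branch named `main`.
name: CI and code scanning

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly scan: newly published CodeQL queries run even with no new commits.
    - cron: '0 6 * * 1'

# Least privilege for the workflow token: read-only by default; the CodeQL job
# grants itself security-events write so it can upload SARIF results.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [18.x, 20.x]   # assumed versions; match your engines field
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: npm
      # `npm ci` installs exactly what package-lock.json pins (no lockfile drift),
      # which is what you want in CI rather than `npm install`.
      - run: npm ci
      - run: npm test

  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
          # Broader suite than the default; use security-and-quality to add
          # the code-quality queries the speaker mentions near the end.
          queries: security-extended
      # JavaScript needs no build step, so autobuild is omitted.
      - uses: github/codeql-action/analyze@v3
```

Dependabot alerts and secret scanning are not driven by this file: they are toggled in the repository or organization security settings as the stream shows, and Dependabot version updates need a separate `.github/dependabot.yml`. Code scanning alerts from the `codeql` job appear under the repository's Security tab and as a check on the pull request, which is the level one behaviour the speaker recommends (visible, not blocking).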
All right, friends, welcome, welcome to another episode, or cash stream, if you will, of GitHub Enterprise on Twitch. Thank you so much for being with us. We're really excited to be here through this medium to just, you know, have a discussion with you and share some of the topics that are top of mind for us and top of mind for the customers and developers that we speak to every day. So it's really great to be here. I'm also joined by my colleague, Jonathan Cardona, who is a solutions engineer for GitHub.

So what we're going to be sharing with you is how to achieve DevSecOps maturity with GitHub. It's going to be hands-on. It's going to be slightly technical, so hopefully folks on the line have an appetite for that, and I saw some people already chatting and asking about, like, who is this stream good for? Who is this content prepared for? So really, I think any developer.

Anybody who's planning out, you know, either an adoption and scaling of GitHub Enterprise or an exploration of GitHub's Advanced Security or AppSec capabilities can get something from this stream and this content. So if you're here, we're grateful that you're here, and we think that there will be something for you. Now, just as we kick off, I'm gonna go ahead and share my screen and share a resource with you right out of the gate.

So this is an ebook that we shipped recently, and basically it's gonna walk you through a lot of the content that we're gonna go through together today. Okay, and so what I would encourage you to do is, and Hollywood, if you don't mind, if you just paste this link back in that Twitch chat so folks have it, I'd encourage you to come along to this site, download the PDF, and follow along on your own, and there's a few ways.

Otherwise, if it's something just that you're exploring and you want to just watch, totally fine too. Or, you know, if you're an open source developer and you have projects just on github.com that are public, you can actually sign up for our beta if you haven't already. And Hollywood, one last thing I'll ask you, thank you so much.

Can you share the link to sign up for our beta, so folks who are interested in that can get access along the way? So again, if you just joined, we're going to be talking about achieving DevSecOps maturity with GitHub, and we're basically going to be measuring our maturity with this OWASP framework called the DevSecOps Maturity Model, and we'll talk about what that means and what the levels are and what your program might look like as you achieve the various levels of maturity through the program. So go ahead.

Okay, so I'm going to go ahead and do that, and again I'm going to be monitoring the chat myself, so along the way, if you have questions, comments, if you want to just modify what it is that I'm sharing with you, we're totally open to that feedback, and we want you to get the most out of this stream, right? It's fun, and we love engaging with you as an enterprise community or as the developer community.

But really this is an opportunity for you to pull from us whatever you need to accelerate your own development, right? So I'm going to go through the workflow that I encourage you to, which is to come to this site here. The link is in the chat, Hollywood just shared it, so download that PDF and you should get access to something that looks like this.

So I'm just going to talk through, before we actually get started with, you know, what are the capabilities of GitHub that are going to allow us to enable DevSecOps at scale across our enterprise. I'm going to talk us through what this maturity model is, what the framework is, so we all have a baseline, contextual understanding of what we're working towards, right? So let's just lay that out. So what we're going to be talking through together, and what this white paper describes for you, is really a framework.

That's been developed by this open source community for helping you understand not just your own organizational AppSec maturity, but also helping you understand how you can get to that next level and maybe what it means to achieve that next level in a healthy way as you're working towards implementing some of these capabilities. And the axes, or, you know, the kind of things that you would measure yourself on, that you'll explore in this ebook...

As you read it on your own or as we work through it together, the axes are really four things that you're measuring yourself against, at least initially, right, to be really simple. So we want to measure against the static and dynamic depth, which is how comprehensive are the static and dynamic scans we're doing against our application in the CI pipeline, and so those are two axes that we're going to use to measure our maturity.

Now, two that really stand out for me as somebody who's implemented these pipelines at scale using a variety of tools is intensity and consolidation. So those are the two other axes. So the intensity really means the frequency at which you're scanning your applications for vulnerabilities, and when we're talking about vulnerabilities in this context, it could be semantic vulnerabilities. It could be tokens that you've leaked back in your source inadvertently, right, or it could be vulnerabilities through your dependencies.

So how frequently are we actually implementing those scans? And something I talk to our customers about all the time is, you know, we have a conversation around, as an AppSec leader or a security engineer, how do I influence the developer workflows in a way that's healthy and productive, and not a blocker, right? So actually, what I would encourage you to explore is the possibility that at level one maturity we're actually not going to block a developer's merge from the pull request workflow with our scans, and there's a reason for that.
So consolidation is really about: how do you surface the insights in a meaningful way in order to actually remediate these vulnerabilities that are popping up, you know, across your developer workflows? And I want to be really specific about where they should be surfacing.

Of course, you'll want to have that kind of organizational overview, or the org-level aggregate insight, but as a developer, I own the infrastructure, the operational aspects of the applications that I'm shipping, and increasingly, in the case of what we're talking about today, right, DevSecOps, if you will, which really should be included in any healthy DevOps program, as I've had conversations with folks along the way. You know: how are we going to bring these tools together?

How are we going to enable developers to own the security of the applications that they're shipping and make that actionable, right? So, you know, that's just a little bit of an overview. I wanted to talk through, like, what it is that we're actually measuring ourselves against, what is DSOMM as a, you know, kind of short way to say the DevSecOps Maturity Model. Go ahead and download this document if you haven't already, and if you just dropped in, we're gonna be walking through an implementation together.

So thanks all for joining. Okay, so go ahead, and as you're working through this, we're gonna start scrolling through and either reading through what the DSOMM is, if you want a little bit more detail, or trying to understand at the next level, right: if we understand the baseline of what DSOMM is, how do we define what level one, what level two, and all these different tiers are of this framework, and how do we actually get there with GitHub tools?

We all say that, and we say, hey, we want to partner with the development teams, and one way to do that is really to begin by surfacing the insights and saying, hey, we noticed something in your pull request, and there's a certain probability that you should go back and actually, you know, see if that vulnerability is worth looking into, right, versus saying, hey, you can't move on to the next step.

So we're going to go ahead, we're going to implement SCA using GitHub native capabilities, we're going to implement GitHub's native code scanning capability, and we're also going to walk through ZAP. So we're going to walk through just the open source DAST implementation of ZAP as part of our CD pipeline. So you may have been here in the past, if you joined our first demo day, where we actually walked through the CI/CD of this same application and defining those pipelines as GitHub Actions.

So that's what we're going to be doing together first, is actually defining CI/CD pipelines for an application that we've built, and then actually implementing security as part of those steps within those delivery pipelines, and so we're going to walk through all of that together. Now, what I did want to share with you even before I start walking through that specific implementation for a singular repository is this example here. So you may not be familiar with this interface if, you know, you're not a GitHub admin.

So this is what your GitHub admins actually can see in terms of your org-level settings, those higher-level settings for GitHub Enterprise, right, and you may not also be familiar with some of these capabilities if you just don't have Advanced Security enabled. So don't be alarmed if you don't see something like secret scanning, or, when I get into the code scanning capabilities, if you don't see that surfacing in your UI: you do need to have that feature.

What is really important to understand is that you can enforce these capabilities at a few different levels. I think what I wanted to share with you first is the org-level settings. Okay, so you can standardize on some of these practices. In this case, it's SCA practices, software composition analysis, across all of your repositories. Okay, and so let me walk through what the dependency graph is and how you kind of benefit from that open source community on the platform of something like, I don't know, 50 million developers that are on the platform.

So if you enable the dependency graph at the org level or at the repository level, we're going to have, as GitHub, an understanding of all the dependencies of your repository. We'll scan your manifest and actually understand, you know, what your footprint is, not just from your direct dependencies but through your transitive ones as well. Okay, and so by checking this "enable all" box for all your repositories, you say: hey GitHub, I want you to understand what my dependency footprint is. And why might you do something like that, right?

What's the incentive there for me as an organization? So what you get from that are two really great capabilities, at least two capabilities. So you'll get the next feature, which is the Dependabot alerts, and you may have seen this in your own personal development. If you're an engineer, an individual contributor, you see the alerts surface in the CLI, and we ignore them there, I know I do, in the UI and via email, right, but what's really great about this is taking it to the next level.

So, yes, you can enable this across your org, we'll send alerts to all your developers anytime there's a vulnerability in any of the projects that they're consuming, right. So here we understand what your dependencies are, and here we alert your developers if there are any vulnerabilities in the projects that we just found that you were consuming.

The next step is, and you're actually twice as likely as a developer to patch a vulnerability in your dependencies over a 48-hour period if you enable this feature, so if you're an AppSec program manager, I encourage you, check out this capability and definitely consider enabling it for your entire organization.
So what we do is we have this piece of automation that says, hey, I know that you have these dependencies in this project, and I know that there are these vulnerabilities from the GitHub Advisory Database, you know, attached to those dependencies, and so what we'll do is we'll open a pull request on your developer's behalf. We'll give you a compatibility score, which will give your developers an idea: hey, if I merge this update, am I going to introduce a regression or not, right?

So I encourage you to explore also enabling that. Now, the last thing, secret scanning, is exactly what it sounds like. I just love how explicit the name is here. Nobody needs to fish for details. We will continuously scan for any tokens for a number of service providers. I think it's something like 27-plus service providers that we support out of the box today. In the future...

You'll also be able to define your own patterns to search for, and we can basically alert you through a very similar flow that you have with your Dependabot alerts, and you'll see soon in your code scanning alerts, if anybody's inadvertently pushed a token back to your repository. Okay, so there's no need to have, you know, either pre-receive hooks or any sort of checks in your IDE.

Everything is going to be ferreted out and elevated and made, you know, transparent and just available to you, as somebody who owns the AppSec program, to review through in sequence. Okay, so I encourage you, if you have this capability, enable it. I've seen a tremendous amount of value for very large enterprise customers who turned it on and it turned out they had...

You know, over a hundred secrets that surfaced across their organization. So I definitely encourage you to click that "enable all" button here as well, but if you're not comfortable doing that, all of these capabilities also exist at the repository level. Okay, and so that's what we're gonna be talking through. This is the project that I'm gonna be working with, with you, today, implementing CI/CD and, what did we say, SCA, SAST and DAST, so we got a lot to do.

Let's go ahead and get started. So here's my repository. I actually, for this stream, I kept it private, because there was a token that I had to leak in here in order for us to see what that experience is like, and obviously we're going to have to invalidate that as soon as we share it. So all the hackers that are here, don't start cloning my code. So I did have to push a token, so I kept this repository private.

But again, I think if you've downloaded this document from the link that Hollywood shared, you should have most of what you need to implement this on your own in your own repositories. And so I encourage you to explore that. So the first thing that I'm going to do: I've already cloned this repo locally.

So I cheated a little bit in that sense, but I'm gonna go ahead and just make sure that I can stand up the application and run my tests locally before I actually push it back to GitHub and try to automate my deployments and everything. So let me go ahead and do that. So I'm gonna open up my terminal here.

And now you can see this big, nice terminal, getting some street cred, of course, for opening up the terminal on a stream, because anything can happen. So let's go ahead, and the first thing we'll do is, I've already npm installed, I'm just gonna run npm test, just validate that my tests will successfully pass.

Okay, so my tests run locally. All I have to do is say npm test, and that script lives in my package.json, and it will run my tests automatically. Awesome. Now, what is this application, you say? It's just a very simple Node web app, and I'm going to actually run it locally so that we can see what the interface is and make some changes on the fly.

So let me go ahead and go back to my localhost. Lol, localhost. Here we are, okay, cool. So this is our localhost. You can see this is an AI-powered calculator, because if you add one plus one, it automatically knows it's two. So it's pretty intelligent, and you might have seen this in the past from a previous stream that we did, so it should be a little familiar, but I think what we're gonna do together is modify...

So you can see that they're both this blue color here, and I'm going to ask if anybody on the line actually wants to, anybody on the stream wants to share, you know, a hex, I'll actually change the background color to that and drop your GitHub handle in the comments here. So go ahead and drop in a color that you'd like to see this background color be, and I'm going to go ahead and update this and push it back to our GitHub repo, so we can get started.
So if anybody wants to share a color in there, I'd encourage you to do that, and we'll go ahead and update this and it'll make its way back into prod. Otherwise, I have my own ideas. We got some purples. Go ahead, and if you want purple, I'm happy to do purple. I don't know: can I just drop in a "purple" here rather than a hex? I probably could. So go ahead and drop in a color and then your GitHub handle as well.

Everybody wants purple. Okay, purple it is, and then the GitHub handle for who said it first. So it's qui science, or quesas, and quiescences, so hey, I apologize, I totally botched, I'm sure, how you pronounce your handle, but it's a great handle. Yet, so go ahead and drop your GitHub one in there.

It's, it's Alisa, awesome! Oh, so I got a couple folks jumping in here. So all right! This is what we're gonna do. I saw a few come in there, so we're just gonna, like, paste in all of y'all, so that nobody's left out, and hopefully you don't get spammed by trolls later on, or like, "oh, I'm gonna spam all these people."

So we got a bunch of suggestions. Let's see, let's see what the background is. If purple works, I think you could just define that color with that. Actually, did I save that file? I did. So let me just run it again and validate that we have purple. Wow, amazing, okay, cool. But this is important, because it's going to validate that our change makes it from local back into our staging environment, really on Azure, right? So, okay, so we've changed that. I'm going to look to see what my changed files are.

We're going to commit "team purple unite". I love that, that's fun. And I think I didn't push, so I'm just going to git push. I think I'm actually pushing to master, which I would encourage you not to do in your own development, but, you know, do as I say, not as I do, right. That is kind of the classic thing there.

It's always fun to hack along with folks out there, so very cool, okay. We ran the app locally. We talked through some of the security capabilities at the organization level. Maybe before we implement CI/CD together, let me just show you how you can implement these at the repo level, if you're saying, hey, I just want to validate how these capabilities work, how they surface in the developer workflow, before I scale my implementation, which I wouldn't blame you for, right.

In this organization, we have it all enabled, and so you've already seen some security alerts surfacing and some pull requests popping up as Dependabot saying, hey, you're already vulnerable, and all these hackers on your Twitch stream are gonna start, you know, hacking you and stealing all your stuff.

So, okay, you can implement it here, and there's also, on the security page, I do want to do a quick sneak preview from a code scanning perspective. This is what you'll see when you have Advanced Security enabled, in the public space or in your enterprise org: you'll start to see these code scanning alerts, or this capability, pop up on your security tab, and then you'll...

Have these workflows that you'll be able to enable on the fly. So I'll show you what that experience is when we're implementing SAST together, but we're just not there quite yet, so I just wanted to tease them and make you aware. And I know you're all dying to see what my secret is again. So you control me, but I'm going to hold off on that just for now. Cool, all right.

So let's go ahead and let's actually just implement a CI workflow together. Again, for the folks who have been here in the past or seen other, you know, streams, this should just be a little bit of a refresher for you. It's kind of simple, right. How do you implement CI with a Node application using a pre-existing workflow from the community?

I'm going to go ahead and walk us through that. So I'm in my repository, I'm just going to go to the Actions tab, I'm going to scroll through my workflows. In this case, we have some org-level workflow templates, so these are defined by what is our CI/CD team, you know, inside of our demo organization, so they standardize on these projects and I can adopt them and use them if I choose to, actually.

As a matter of fact, it looks like someone dropped a perfect Node workflow in here, so I'm going to use that. Oh, this was "workflows made for my JavaScript repository". These are the templates here, okay: "workflows created by octodemo", so these are the org templates, and these are the ones that are just using the detection of the languages that I'm using. So in this case it's Node, and it looks like it's running CI. So I'm just gonna go ahead and set up this workflow.

All right, so I'd appreciate it if anybody wants to drop in what I should name this file. That would be awesome. Otherwise, node.js.yaml. I feel like that... I don't know that that is necessarily the best extension, but maybe it's the new default. So let me know what you want me to name this workflow and I'll name it as such, and I'm just going to walk through really quickly, because I think this might be familiar to some of you all.

You know, what this workflow actually does, and then we'll continue to roll forward to CD before security. Okay, very quickly: we define the name of the workflow, and you'll see that pop back up in our live logs. From lines 6 to 10 you see the event triggers and how we filter those triggers on push, pull request, branch, directory, and then we have a matrix build.

So now we're testing not just against, you know, a specified Node version, but a matrix of Node versions on the fly in a Linux environment using the latest GitHub Linux runner, and then we're running, basically, if you look past all this kind of setup steps where we pull the latest version of your repository, we're actually running CI.

So let's go ahead and not run a build, because I just don't think we need that, and then we're just going to run npm install, because I did not push my node_modules. I'm going to run npm test. Actually, I think somebody in our last stream said npm ci also installs your dependencies, but I just don't have confidence, because I just...

I'm just going to do this, is, I don't know, "ci workflow". I didn't see anybody drop anything in there, so I guess it just, nobody cares. So I'm just going to name that "ci workflow" and then we'll just keep rolling forward, ci-workflow.yaml, and let's go ahead and just commit this directly back to master, which, a push to master should trigger it.

So we'll see pretty quick whether or not this works, and again, be aware of this: in this .github directory you're going to be doing a lot more work if you're doing any level of configuration or customization across your orgs or across your repos. This is where you're going to be defining your CI/CD workflows using Actions. In the future, policies as code will live here, that's a little bit of a, you know, teaser for you, and also your code scanning workflows and any workflows...

You define around scanning your dependencies or other DAST tools. Okay, so here is my workflow: it's running, it's in progress. You can see that I've triggered it, and you can do some filtering on that, but okay, so it looks like our test may have been successful for Node 10, which is awesome. I just wanted to validate that before we push it. So, yes, you can see the live logs spit out. We got some successful tests. That's cool!
Let's go back to create a new workflow, and this is the awesome thing, I mean, so most of us as developers have used a, you know, tremendous amount of tools, whether in terms of CI/CD, in terms of AppSec tool implementation, whatever it is. Having that community is so powerful, because a lot of what we want to develop already exists out there, and we just have to do some small degree of customization to it in order to make it our own, right. And so that's what this is really showing us: hey!

Here's these templates created by these service providers. Look, we have an Azure web app to stand up, and we can use AWS, we can use Google, all these modern service providers have already developed these workflows for you to use, and that's super cool and helps make your work a little faster. So I'm going to deploy the Node.js to an Azure web app. It popped up with Node because it knows that's the technology that I'm using. I'm going to hop in and go ahead and set up this workflow.

Okay. So actually it looks like initially the trigger here, so if you're looking on lines 15 to 17, the trigger is on a release created. We're going to go ahead and trigger this workflow, but I'm going to do something even more, maybe, primitive, if you will. I'm just going to say on a push to... How does that actually work? Mate, on a push to master?

So let's leave that for now. We'll see if it throws an error when we run it, but it is shaking my confidence that this will run on the first try, but I'm always used to failing, and I try to fail fast. So, okay, so the Azure web app name is the one thing we'll have to modify here. I just happen to be familiar with this workflow and I know there's some dynamic data that we're injecting at runtime. So the other thing you'll want to note is, where is it, the publish profile?

So the publish profile is a dynamic value that you should set using your native secret store. Again, that secret store lives in two places: at the org level, so anyone can consume them, or you can define specific repos that can consume your secrets, or you can define them at the repo level. So check it out.

I've already defined the Azure web app publish profile here, just so I didn't have to drop that in on Twitch, but I do also have the org secrets here that are available for me to consume in my workflows dynamically. Something that's really cool that we do is automatically attempt to redact your tokens if you leak them into your logs, which is a very common attack vector that we've seen.

And it'll probably automatically, through Azure web apps, or on npm start... Oh, there it is: npm install, build and test. So we're just modifying some of this workflow on the fly. Again, I didn't have to define this workflow from scratch. I just consumed it from what was already available in the community.

So there is an API. I see some people trying to dig into the security aspect. There is an API that is available to consume any code scanning alerts or dependency alerts that have surfaced. I think I lost you there for a second, but there is an API that exists for any alerts, yeah, that come across your repository, and you can aggregate them for your organization as well. So we can go ahead and just commit this new file.

I think I lost internet for a second there, but I'm back, we're live. Okay, so we want to see if, where is it, this pocket calculator? I think it's here, yeah. So we want to see if this live app actually turns purple. Team purple was pretty adamant about the color we used, so we're going to see how that goes. Oh, what is this? It's running my CI first, because I pushed to master. I should have known.

...sure that I do that. I guess I'm just gonna, I guess I'm gonna have to, because we're live on the stream, and I don't wanna waste your time troubleshooting my CD workflow. Let's go ahead and just re-set up a workflow and say, I don't know, this is a CD workflow, and it's probably something that I messed up on the fly.

Every engineer on the line is like, we want to go back and troubleshoot to see what the problem is, and I agree with you. I also am going to spend a little bit of time digging into that, but just for the sake of getting to the security piece, I'm gonna fly through this myself. So let's go ahead and commit back to master, "create cd workflow".

Okay, that's so funky! I don't know what happened there. I lost it in the ether, but the good news is that our CD workflow lives in our repo now, and while that is being run and we're deploying back out to Azure, hopefully it runs successfully, we'll see when it comes back. Let's go ahead and implement some of the security capabilities and see where we've gotten so far.
But
it's
telling
me
hey
if
you
have
a
vulnerability
in
any
of
your
dependencies
or
or
that
I
do
have
a
vulnerability
in
one
of
my
dependencies,
and
so
I
should
see
the
depend
about
alerts,
and
so
this
button
will
take
me
to
the
security
tab
where
I'll
have
visibility
into
my
dependable
alerts,
and
so
this
is
a
list
of
the
packages
that
I'm
consuming
that
have
a
known
vulnerability
that
map
against
some
given
cwe
or
cve.
A
So
you
can
we
sort
these
by
default.
I
think
by
severity,
or
maybe
you,
okay,
these
are
sort
of
by
newest
by
default,
and
we
show
you
the
manifest
that
they're
in
when
they
were
committed
and
when
the
vulnerability
actually
surfaced.
So
this
is
really
interesting
and
this
is
actually
a
really
good
example
to
start
with.
So
a
few
things
here.
A
First
of
all,
it
says
the
pentabot
cannot
update
to
the
required
version,
and
so
in
the
case
that
in
the
case
that
we'll
introduce
a
regression
by
bumping
the
version
of
your
package,
we
will
not
automatically
open
a
pull
request,
and
so
there
is
a
compatibility
threshold
that
we
actually
even
propose
to.
You
know
open
that
pr
on
your
behalf,
but
we're
here
saying,
hey
kind
of
is
a
package
you're
consuming
and
it
kind
of
makes
you
vulnerable
to
cve.
A
A
A
So
that's
the
probability
that
I'm
going
to
introduce
a
regression
through
this,
but
the
nice
thing
is
we
can
set
our
checks
so
that
on
pull
request,
if
we
run
our
ci
on
pull
request,
if
we
run
our
code
scan
we'll
report
that
back
in
this
pr,
workflow
and
so
you'll
have
better
visibility
into
you
know
whether
or
not
this
is
going
to
introduce
a
regression
for
you
or
your
teams,
and
hopefully
your
developers,
then
just
say:
okay,
it's
that
simple!
A
I'm
just
going
to
go
ahead
and
merge
this
right
and
after
your
test
pass,
you
see.
There's
no
regressions
it'll
get
bumped
back
into
your
working
version
of
your
application.
So
that
is
fundamentally
what
we're
talking
about
when
we
say
shift
security
left
right,
we're
making
this
ingrained
in
the
developer,
workflows
in
every
sense
and
every
sense
of
that
phrase,
and
so
I'm
a
developer.
A
So
if
you
have
any
comments,
questions
along
the
way
feel
free
to
drop
them
in
the
chat.
I
know
hollywood
is
also
working
with
some
of
you,
so
that's
great
in
that
space.
So,
let's
see,
if
we
deployed
okay,
it
looks
like
created.
Cd
workflow
ran
successfully,
so
let's
go
ahead
and
see
this
workflow.
It
looks
like
okay
set
everything
up
deployed
to
azure
and
last
time
we
were
waiting.
Last
time
we
did
the
same
deployment.
We
were
waiting
to
see
boom,
whether
or
not
it
was
going
to
deploy
okay.
A
As
well,
which
is
awesome,
and
now
let's
implement
scanning
workflow
together,
okay,
so
I'm
gonna
go
back
to
this
repo.
I'm
gonna
go
back
to
this
repo
interface
here
and
I'm
gonna
start
with
where
your
developer
lives
right
and
kind
of
the
root
of
the
repository.
A
So here we are. This is a very familiar experience now that we've implemented CI and CD with Actions, right. We have these workflow templates that you can consume, or define as an organization in the future, in order to just enable DevSecOps as part of your developer workflows, right. So this is named CodeQL, which is kind of the secret sauce under the hood of code scanning. We talked about it in that blog post that we shared with you earlier, the resource to download it.
A
This workflow will run on push in master (I'm going to remove that comma in case it's breaking) or pull request on master again, and it's also going to run on a cron job, okay. And so again, I would encourage you to keep your pull requests as part of your regular scans, right. In terms of level one maturity, it is okay to enable and integrate code scanning as part of your pull request workflows, and your developers will then see in the pull request whether or not they're introducing any vulnerabilities.
A
You know, deliver features for the business, and of course we always encourage you to keep the cron job on, so keep this schedule event on, because, you know, someone may report a zero day and your developers may not actually make a contribution that triggers a scan, but you'll want to know whether or not that zero day is impacting your application, especially as GitHub includes additional scans for that new vulnerability.
A
All right, so you'll want to have these on schedule as well. And so, walking through the workflow a little bit more, you can see we just check out the latest version of this repository. I'm going to skip through some of this stuff just a little bit. There's great documentation! Hollywood, if you don't mind sharing the documentation on, I think it's docs.github.com, for code scanning, so folks who want to look at the syntax more deeply for workflows and how to actually include additional customization.
A
So, you know, say we're just scanning for a specific subset of vulnerabilities right now. Maybe you want to expand the number of libraries that you're actually, you know, using to scan your application against, and you'll be able to do that by adding another layer of customization. Hollywood's going to share the details on how to do that. Maybe you want to scan for quality, code quality; you'll also be able to do that by including a library. So we'll attempt to automatically build your application.
A
Obviously this is a JavaScript app, so that's not going to be a problem, and then we just perform the analysis, and this is really cool. I'll show you what it looks like, or the guts of it at least, when we run this workflow, and I love it because you can actually see each query that's being run, and again, the query is defined as CodeQL, which is a query language that models security vulnerabilities.
A
We run those vulnerabilities, those queries, against your application in order to see whether or not you're exposed to the semantic vulnerabilities. And I actually haven't planted (and maybe I'll be kicking myself for this), but I actually haven't planted any semantic vulnerabilities back in this app so that something surfaced. I do have an application.
A
Of course, that does, and I'll show you the experiences there, but I haven't done that here, and I think, when you're choosing yourself as an AppSec program manager, you know, what type of repo you want to enable this on initially, I'd encourage you to choose something that's a large and meaningful application for your business and something that your developers are actively working on, right, and that you're partnering with the security champion or the developer lead on that team.
A
So now we're going to check out these workflows, and again, this is why I said get really familiar and comfortable with this idea of the .github directory. So you can see this is where all of our workflows live. We have the CD workflow, the CI workflow, and code scanning now fully integrated into this repository, and you can roll this out at scale. You can also automatically write to your repositories. We have scripts to enable you to do that.
A
You can, I'm sure, develop your own as well. So while that scan's running, I'll go back and parse the logs for us all in a minute here. Let me show you what the experience is if I've leaked a secret, right. So if I'm a repo admin or an org admin, I might want to know whether or not somebody inadvertently pushes a token back into my repo.
A
So we go to my security tab and I see that I have six open vulnerabilities. We may see code scanning alerts pop up here. The reality is that this application's small, and so we might not see any meaningful vulnerabilities, and that's okay. We don't want to create a ton of friction and noise where we don't have to, and, you know, I have this conversation all the time with folks who are like, well...
A
You know, additional queries for quality checks and additional security checks, and that'll light it up, but I think initially we include a very accurate subset of scans to ensure that if we say you have a vulnerability, there's something like, based on the research we've done, an 80% true positive rate, so the probability that that vulnerability should be actioned or at least reviewed is 80%, which is a tremendous differentiator versus any other tools that you might already be using, and again, this is all baked back into the experience.
A
So if we map it back to DSOMM, you'll say, well, what's the consolidation experience like, right? And so it's all baked in, and so that's a really tremendous value add for your developers and for you who's implementing this thing, right. So let me go back to my detected secrets, and before I actually show you what the secret itself looks like, let me go back to my profile itself.
A
And just look at my tokens. Let me go to my settings and I should be able to see my...
A
You do have to go back in and revoke the token and actually mark that secret as, you know, remediated or closed, if you will. So let me go in and actually show you what this looks like. This is the experience we'll surface. I did have a personal access token, where we know who the service provider is, and I'm actually, this token no longer exists, so it might actually close itself while we're talking, but you can see the directory and the file itself that this is a part of; you can see the token itself.
A
There's no integration of other tools, everything's already consolidated, right, and that's why DSOMM makes so much sense to measure against, or is such a great validating framework, really, if you will, because so many of those axes, the depth of static and dynamic analysis and the consolidation experience and the intensity, are very easily defined when it's all baked into the same platform. So, code scanning alerts: I don't know if we finished our workflow run. Now it's still running. The initial time, nothing's cached, so the initial scan will take an extended period of time.
A
Okay, so this actually did finish just now, cool. So let's look at... I didn't want to show you what it actually looks like when we're running the scan. So let me go back here and it should be something like, maybe, analyzing JavaScript, yeah. So I want to show you this because I think it's really illustrative, and I think on your screen it's probably tiny and you're having trouble reading it, but that's okay. So the point is, I wanted to show you that what we do is go through...
A
This library of queries is defined as these .ql, you know, CodeQL queries that model vulnerabilities, then run each of them against your application, and that's why we say you can write your own queries as an organization and customize it. You can include your, you know, quality scans, additional security scans, and we just include those as the CodeQL analysis. CodeQL analysis is actually happening, and Hollywood shared that in the docs.
A
So if you have a question about how you can incorporate additional libraries, or a little bit more information about CodeQL generally, feel free to drop your questions in the chat there and Mr. Hollywood, I'm sure, will get to you. Okay. So what do we have now? We have already... It feels like we haven't done much, but the reality is we've already implemented token scanning, we've implemented our SAST tooling.
A
We have SCA enabled with Dependabot and your dependency graph and scanning your dependencies. Now, the last thing is dynamic analysis, so we don't have a dynamic analysis native tool yet, but the cool thing is, if you go to Actions, actually, maybe I'll go to Marketplace, I think. So I'm going to create a new workflow using ZAP, and ZAP is just an open source tool. I think they also have an enterprise offering, but I use the open source baseline scan out of the box.
A
It's pretty solid stuff, so I'd encourage you to explore that as well. So I'm gonna go to my Marketplace and I think I'm going to look for that. You can see that I've been here before, and you can see, so, ZAP has already shipped an Actions integration. Again, most service providers that you use will have integrations available here. So that's super cool. Okay, so here's the baseline scan. Go ahead and, you know, check this out on your own. Hollywood?
A
Do you mind just linking this baseline scan for the folks who are following along, or in the future looking back, link to this baseline scan action for OWASP ZAP? I'm just gonna go ahead and look at what the usage is. It looks like I can just, in my steps, integrate ZAP like this, okay. So let's see what that experience actually is. So I'm going to say, what if I could just click "use latest version"? What would happen then?
A
Scratch. Okay, I'm sure that... skip this and set up a workflow yourself. Okay, I'm sure there is, but I'm not going to spend your time doing that together. So I'm just going to call this dast-scan.yaml, okay, and this is not going to be... so, yeah, this is going to be a DAST scan, okay, and so we're going to run it on a push against master. This is, again, that familiar workflow; we're committing this back to the .github directory, right.
A
So here we are: we're setting up an Ubuntu environment, we're checking it out, run a one-line script, we're gonna echo hello world, but I just wanna do this.
A
...ahead and paste this in here, and I, again, I don't know whether or not this is going to surface any vulnerabilities. I'd imagine from a DAST perspective that it will, just because I haven't gone through the pain of actually, you know, putting the security and controls around just this demo environment, because I'm going to tear it down right away. But let me go ahead and commit this file back to my master branch and let's just see what happens. This ZAP scan is really cool.
A
It runs the baseline scans, like OWASP Top 10 type vulnerabilities, on your app if it's deployed, and then it also produces an issue with a report of all the vulnerabilities that it found on your app, and that's really nice. And so now you can see we have DAST, we have code scanning, we have CI/CD; it's all baked into the developer workflow and that just happens by default, right. So any of these advanced security tools you're using from GitHub, it's already shifted left. Fundamentally, I mean, that is what we approach this problem with.
A
Is that mindset: we want to put security in the hands of the developers, and that's what you asked for, and, you know, I just get to stand up here. Hollywood also, you know, in the chat, we get to take a little bit of credit for the amazing engineers at GitHub who are doing great work. So thank you all for that.
A
Okay. So let's look back in the Actions workflow. So we're, okay, so everybody's subscribing to push, so you would obviously have to refine the events that trigger your workflows so you don't trigger all these workflows every time there's a push, or if you're doing development on a specific branch, but in this case I'd love to see what my DAST scan, how that's going to do.
A
Okay, so this is really interesting. This is what you see. Actually, it failed not because the integration itself failed; it failed because there were these new warnings that surfaced, right, and so this is where you could integrate, as your program continues to mature, back into a developer workflow, right. So here are some of the vulnerabilities.
A
If you want to hack me before I tear down my service on Azure, and I'm not daring you, you know, these are the types of vulnerabilities that I've created in that service, and I believe that this is also going to create an issue. Yeah, check it out.
A
I'm sure there's some other automation you can build around that to say, hey, if I produce a ZAP report that happens to have vulnerabilities on it, I want to, you know, either open another issue or a Jira task that actually creates a work item for my developers to come back and action it. But it's right here where the developers live, in that centralized repository interface, right.
A
Let me go back to code scanning. Okay, that's interesting. We did get an alert, so we did get one alert with our code scan, and this maybe will be one of the last things I share with you. I don't know how meaningful it is. So let's see: unvalidated dynamic method call. So you remember we ran our SAST scan before; I wasn't sure if we were gonna get any actual alerts. This looks like a low severity alert.
A
So this is actually a warning, not an error, so your developers might say, hey, I'm gonna look into this, but it's not a critical priority, right. The cool thing, though, is this experience that I have, right. I surface that specific vulnerability, so you go back. Let me go here first. I surface this specific vulnerability. It says where the vulnerability lives in the file, on line 49, and what file and directory it's in. It was detected seven minutes ago on the master branch.
A
So let me go ahead and click that. I can see the file itself. I can see the nature of the vulnerability. As a developer, I might not know necessarily, you know, what CWE-754 is, right. I know I personally am just not a subject matter expert, so I don't know what this vulnerability is, and so I would have to read the recommendation and what the CWE points to, okay, and the nice thing is...
A
We actually give you suggestions in terms of the code that you can use to patch this vulnerability in your app, and then, of course, as you go back and remediate it, you'll have again that familiar experience. Where, let me just show you the call path, so it looks like there's one, two, three, four steps. This is actually a pretty deep vulnerability that it'd be very difficult for you to manually find, right, where we're sourcing some query parameter that comes in, and it's probably just unsanitized by the time it makes it, yeah.
A
So it's just unsanitized or unchecked by the time it's actually executed, so from source to sink we can see the call flow, nice colorful analysis and audit history. I'm going to mark it, you know, if I actually patch this vulnerability as a developer, and anybody with write access to your repo can see these alerts, and that makes sense, right, because they should own, as a developer, the security of the applications, and, you know, we're all kind of agreeing in this new world where developers have that sense of ownership.
A
So I could see it in the pull request workflow, you could surface it there. I could, you know, come back here and mark it as "I'm not going to fix it" if I choose to not fix it, but otherwise, once I patch it in my source, it's actually going to move from being an open vulnerability over to closed, okay, automatically for you. And so one last thing I want to share with you before I let you go.
A
Is, I switched repositories, so you probably saw that switch out right in front of your face, so check this out. Here's a repo that has 63 vulnerabilities, but what's really cool I want to share with you is the PR workflow integration. So Isaac created this vulnerability in this pull request that he opened. I came along and I said, hey, this looks like it introduces some vulnerabilities. Let's talk about that, right, and the reason I knew it introduced vulnerabilities was because I saw the code scans actually popping up in the status checks.
A
Saying, hey, you know, your code scan failed. Some vulnerabilities surfaced. You can still merge it, right, because we're just not at the maturity where we want to block the merge. But, you know, something's going on here, and if I go to "Files changed", I can see, if I scroll through my files changed (give that a minute to load), through my files changed...
A
I can actually see again the line that this specific vulnerability lives on, and I can see the path for this specific vulnerability from a request coming in all the way down to when it makes it to the back end, from source to sink, and this is fully integrated back into the pull request, and this is fully integrated back into where your developers live and do their actual development, right. So if we go back to code scanning alerts, I'd actually be able to see this as a developer who's just living within GitHub and patch it myself.
A
All of these insights will bubble up to a security center that'll give you a view of all the actionable insights across your organization, so you'll have that top-level view as an AppSec manager, and as this continues to mature, obviously we'll continue to roll out those features, and so we're going to go GA with code scanning and, I believe, secret detection.
A
This quarter. So that's coming soon. I hope you're as excited about it as I am, and it was really a pleasure to be here with you all. I think that's what we had in terms of the content we have prepared to share with you. We're going to stay on for a few more minutes after this. If you have any questions, feel free to drop them in the chat; myself and Hollywood will respond to them, and again, for the folks who joined late, go ahead to this resource here, I'll drop it in the chat.
A
Since now I'm no longer leading us through the demo itself, go ahead to this resource here, download the PDF, explore what the DevSecOps maturity model is and how you can apply some of those practices using advanced security capabilities, and again, thank you so much for your time. It was great to have you here. It's three o'clock on the east coast. It's almost time for a beer, so we're getting there. I'll stay on for five more minutes, until 3:05.