►
Description
During this Demo Day, Mathew walks through how developers, operations and security teams work together to deliver secure software using GitHub. We focus on enabling Code Scanning, then configuring and customizing the tool to enable faster and more accurate results.
Developer and Security teams don’t always see eye-to-eye in a lot of organizations and we want to change that at GitHub.
As a developer-focused platform, we’re expanding beyond this with our security products that change the way developers and security experts work together to solve security issues in code.
Resources:
https://www.youtube.com/watch?v=58N0_0HCDPE
https://www.youtube.com/watch?v=nvCd0Ee4FgE
https://www.youtube.com/watch?v=pYzfGaLTqC0
https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#specifying-directories-to-scan
https://help.semmle.com/codeql/codeql-cli/procedures/query-suites.html
https://github.com/github/codeql/blob/main/javascript/ql/src/codeql-suites/javascript-security-and-quality.qls
A
A
My
background
is
primarily
focused
at
security,
focused
role,
but
over
the
past
few
years
I
have
migrated
more
into
developer
and
security
focused
here
and
that's
why
I
moved
here
to
github
with
me.
I
have
my
moderators
as
well
with
me
and
today
we'll
be
talking
about
devsecops
and
working
together
seamlessly
between
developers
and
security,
because
a
lot
of
the
time.
This
is
a
very,
very
complicated
process.
A
A
lot
of
organizations
really
struggle
with
this
from
day
to
day,
as
a
personal
story
like
I've
worked
with
a
lot
of
different
organizations
with
different
maturities,
they've
gone
from
all
sorts
of
backgrounds
but,
for
example,
the
most
common
I've
I've
seen.
A
lot
of
the
time
is
where
developers
are
left
their
own
devices,
security
teams,
kind
of
come,
knocking
on
the
door
every
six
to
twelve
months,
maybe
asked
to
for
a
penetration
test
to
be
done
or
some
black
box
test
of
their
software.
A
So
one
frequently
asked
question
I
get
a
lot
of
the
time
is
what
is
devsecops,
and
this
this
can
vary
between
people
to
people
about
what
this
means,
but
in
essence
it's
all
about
cultivating
a
culture
where
you
and
you,
as
developers
as
operation,
team
and
security,
are
working
seamlessly
together.
Having
shared
responsibility
for
your
security,
making
sure
that
it's
a
collaborative
environment
make
sure
it's
works.
A
A
That
said,
let's,
let's
dive
straight
into
the
to
the
demonstration
here,
so
a
few
of
you
might
have
already
seen
this
in
the
past
before,
but
I'm
going
to
kind
of
go
over
this
for
anybody.
That's
new
that
hasn't
seen
this
before
I've
created
a
a
public
repository
right
now,
because
now
github
advanced
security
has
now
gone
general
availability
and
it's
free
for
all
public
repositories
to
use
you.
You
can
also
follow
along
or
and
set
this
up
yourself
at
a
later
date
as
well.
A
I've
picked
this
this
project,
it's
an
erwas
project.
It's
it's
a
node.js
application
with
an
angular
front-end,
it's
kind
of
my
go-to
for
checking
and
looking
at
security
issues
for
for
javascript,
and
one
of
the
things
that
I've
already
done.
But
I
will
kind
of
go
through
this
process
is
actually
setting
up
github
advanced
security.
A
Now
this,
in
my
opinion,
a
lot
of
pain
points
when
it
comes
to
adding
security
tools
into
c
into
ci
pipelines
is
primarily
around
the
the
adoption
of
of
that
that
tool,
and
that's
one
of
the
things
that's
really
important.
It
should
be
as
as
simple
as
adding
a
lint
into
your
pipeline
or
or
enabling
your
unit
tests
on
the
pipeline
should
be
as
easy
as
that
to
add
security
in.
So
that's
what
we've
strived
for
it
at
github.
A
A
The
one
we'll
be
focusing
on
today
is
actually
like
the
code
scanning
element
of
this,
which
is
powered
by
ql,
which
is
the
tool
that
we
acquired
via
a
company
called
semel
last
year,
so
to
set
this
up
from
a
blank
repository
you'll
actually
get
this
screen.
This
allows
you
to
set
up
workflows
in
actions
to
automatically
run
codeql,
which
is
the
analysis
engine
on
your
repository.
A
A
A
One
of
the
most
important
features
of
of
any
code
scanning
tool
is
actually
to
integrate
seamlessly
into
developer
workflows,
and
one
of
the
important
things
is
that,
for
example,
you're
you're,
making
sure
that
on
when
on
the
creation
of
pull
requests,
your
any
branches
that
you
want
to
protect
any
vulnerable
code
from
being
merged
into
you
want
to
be
protected
in
this.
So
it
could
be
your
master
branch,
your
main
branch,
your
developed
branches,
your
release,
branches,
whatever
you
works
for
your
organization,
this
is
where
it
gets
set
up.
A
Apologies
now
let
me
make
this:
oh
okay,
sorry
thanks
peter,
so
here
as
well.
One
of
the
other
things
that's
really
useful
is
also
taking
a
look
at
the
scheduler
and
we'll
kind
of
talk
about
scheduling
this
as
a
cron
job
and
we'll
talk
about
in
a
little
bit,
but
primarily
for
a
lot
of
older
code
bases.
In
particular.
A
This.
This
essentially,
is
the
part
that
initializes
code
ql
for
for
scanning
purposes,
with
a
few
properties
that
can
be
set,
there's
also
an
automatic
build
for
any
compiled
languages
as
javascript
is
in
the
compiled
language.
We
won't
be
using
this
and
then
finally,
the
analysis
part.
So
this
is
the
part
where
the
the
engine
will
run
across
the
database
and
and
generate
us
results.
Now.
I've
already
already
done
this,
so
I'm
not
going
to
commit
this,
but
let
me
just
quickly
check
the
chat
as
before.
I
continue
this.
A
Okay,
awesome.
Thank
you
peter
for
responding
there.
So
I've
added
this
last
last
night
I
added
it.
I've
removed
some
of
the
comments
just
to
make
it
a
bit
cleaner,
but
it's
it's
practically.
The
exact
same
when
this
run
there's
actually
run
an
action
in
my
in
my
workflow,
so
you
can
see
here.
I
added
a
code
scanning
this
run
through
its
analysis.
A
A
One
of
the
things
to
note
is
you
can
see
the
what
queries
are
used
and
other
properties
that
are
set
as
well,
which
is
quite
useful
and
we'll
come
up
towards
that
a
little
bit
in
the
in
the
in
the
future
as
well
and
some
other
properties,
and
then
the
part
that
typically
takes
long.
This
is
the
analysis
part.
This
is
the
part
where
it
analyzes
the
code
itself
and
then
runs
the
queries
on
it.
So
once
this
action
has
run,
it
will
then
produce
this.
A
A
This
this
is
the
same
integration
workflow
as
the
other
tools
that
I
mentioned
third-party
tools
as
well
once
once
that
file
has
been
uploaded,
it
will
be
processed
by
github
and
it
will
be
rendered
in
your
security
tab
in
your
code,
ql
alerts
as
well,
so
you
can
kind
of
see
here
there's
a
lot
of
rate
limiting
issues
here
we
have
a
couple
of
cross-site
scripting
attacks.
We
have
some
nosql
issues
as
well,
and
this
is
really
important
to
kind
of
get
this.
A
A
We
can
see
where
the
where
the
security
vulnerability
is
introduced
and
where
the
sync
is
and
if
anybody's
not
familiar
with
what
our
sync
is
for
for
start
for
all
static
code
and
access
tools,
you
need
a
few
main
elements,
but
the
two
cool
ones
are:
what's
called
the
source,
which
is
the
origin
of
the
inputs,
most
like
most
the
time
user
defined
in
other
cases,
it
may
not
be,
and
primarily
the
sync.
So,
on
what
method
does
the
the
issue
occur
and
make
the
the
vulnerability
vulnerable
you
can?
A
It
will
be
displayed
in
github
very
nicely,
showing
you
exactly
where
the
sync
is
so
you
can
see
here.
I
have
my
string
here
where
maybe
I've
got
a
an
issue
that
I
need
to
respond
to
the
user
with
and
it's
this
is
a
500
as
the
status
code
and
then
I'm
sending
back
a
string
which
is
essentially
this
just
this
prefix
string
with
actually
the
contents
of
this.
This
query
in
here
so
from
here.
A
No,
this
isn't
escaped
this,
isn't
encoded
and,
and
you
as
a
developer,
may
not
be
familiar
with
a
security
issue,
especially
junior
developers
coming
out
of
university
or
self-opening
and
may
not
know
about
cross-site
scripting,
for
example.
So
one
of
the
things
that
we've
done
as
well
is
provided
documentation
so
that
users
developers
can
understand
quickly
what
the
security
issue
is
and
then
look
at
what
the
recommendations
are
for
doing
this,
and
example,
snippets
of
codes
to
actually
resolve
this
issue.
A
One
of
the
other
things
that
we
find
very
useful
as
well
is
to
share
content
and
resources
about
this
as
well.
If,
if
any
of
you
are
not
familiar
with
the
owasp
or
the
open
web
application
security
project,
I'd
highly
recommend,
you
take
a
look
at
it
and
you
can
see
what
kind
of
content
there
and
security
issues
you
may
find
as
well.
A
So
one
of
the
things
I
didn't
share
before-
but
I
will
show
it
just
here
for
a
second-
is
the
paths
so
a
lot
of
the
time.
This
isn't.
This
may
not
be
needed,
but
one
of
the
things
that's
super
super
useful
is
for
for
developers
to
see
okay.
Where
does
my?
Where
does
the
origin
of
this
this
user
input
come
from
and
where
does
it
occur
now?
You
can
imagine
that
this
starts
being
really
complicated,
with
very
complex
projects
and
applications,
but
in
this
case
it's
relatively
simple.
A
A
So
what
we
kind
of
discussed
in
the
actions
workflow
is
actually
the
integration
into
your
your
pull
requests
here
now,
one
of
the
things
that's
really
nice
about
this.
You
can
see
here
last
night
I
just
created
a
sample
for
this.
We
actually
created
a
new
feature
in
this
case.
Let
me
just
skip
to
my
vs
code
drop
down
into
one
second,
let's
drop
down
into
here,
I
actually
created
a
new
advanced
search.
Initial
function
in
in
javascript
in
in
node,
so
I'm
just
taking.
I
have
a
root,
I'm
just
calling.
A
I
have
my
function
here
that
does
the
when
it's
invoked
it
will
run.
Actually
it's
it's
the
exact
same
as
here,
but,
of
course,
this
is
just
the
initial
one,
but
maybe
I
want
some
of
the
team
to
add
some
machine
learning
or
something
in
here
to
to
entice
people
using
the
advanced
search
features,
and
you
can
see
here
it's
a
very
similar
vulnerability
to
the
one
we
saw
earlier.
A
A
A
One
of
the
really
nice
things
is,
of
course,
most
developers
use
ci
pipelines
to
make
sure
that
the
app
can
deploy
correctly.
There
is
no
breaking
of
any
unit
tests
if
you
have
any
linter
requirements.
Those
are
on
as
well
and
to
make
sure
your
code
quality
is
up
to
scratch.
All
these
kinds
of
things
are
run
instantaneously
and
security
should
be
done
at
the
same
time
as
well.
A
This
is
this
is
really
important
and
the
reason
why
we've
we
focused
primarily
at
the
pull
request
level-
is
that
we
want
to
make
sure
that
users
developers
don't
introduce
new
security
issues
in
a
lot
of
a
lot
of
studies
that
we've
done.
One
of
the
things
that
we're
actually
we've
seen
is
that
developers
when
they
see
a
vulnerability
or
see
a
breaking
of
their
pipelines
in
a
feature
in
a
in
a
pull
request
or
a
feature.
A
Of
course,
you
go
through
a
typical
developer
review
process,
but
maybe
it
should
maybe,
if
there's
things
that
come
up
in
your
static
analysis
issues.
Maybe
it's
maybe
it's
time
to
start
adding
some
of
those
security
people
there,
maybe
especially
if
you,
if
you,
if
there's
a
security,
vulnerability
that
comes
up
and
you're,
maybe
not
familiar
with
with
how
that
vulnerability
is
actually
exploitable
in
this
as
well.
A
One
of
the
really
nice
features
about
this
is
that
it
will
break
fail
your
pipeline,
when
this
is
done,
you
can
actually
go
into
the
details
about
exactly
what
this
is.
In
this
instance,
we
have
one
new
alert,
which
is
an
error,
and
this
will
show
us
our
cross-site
scripting
attack,
and
you
can
go
into
the
similar
viewers
view
as
we
we
showed
before.
A
This
is
a
different
line
number
though,
and
a
different
branch,
but
it
has
the
same
similar
details
as
well,
so
this
this
is
really
powerful
for
for
a
developer,
to
see
that
those
changes
and
see
those
issues
occur.
One
of
the
other
nice
features
that
I
find
is
actually
like.
Super
super
intuitive-
and
this
was
actually
done
prior
to
any
security
elements
in
this-
was
being
able
to
look
into
the
delta
or
the
changes
that
we've
been
done
in
in
github
itself.
A
The
the
issue
is
natively
being
placed
into
the
github
user
interface.
You
can
actually
start
conversations
inside
github
around
security
issues.
So
in
this
case
maybe
I
want
to
maybe
it's
not
auto
prompting,
but
you
could
say,
for
example,
let's
start
a
conversation
where
I
want
to
start
where
I
want
to
start
a
conversation
with
the
developer
around
hey.
A
B
A
There
aren't
native
added
framework
support
for
that
particular
framework.
But
if
that's
something
that's
that's
requested,
we
can.
We
can
always
kind
of
like
puts
put
it
in
our
backlog
of
like
frameworks
to
support
and
things
like
this
as
well.
So
this
is
really
important.
I
saw
as
well
peter's
just
shared
the
link
to
all
of
the
supported
languages,
and
so
you
can
take
a
look
there
and
things
like
this
as
well.
A
Will
you
be
able
to
configure
code
scanning
for
the
blockchain
so
right
now
for
hyperledger
fabric
framework?
It
is
if
it's
written
in
javascript
and
there's
nothing
based
off
no
syntactical
problems
with
the
javascript
itself
and
it's
very
similar
to
native
javascript.
Then
there
shouldn't
be
a
problem
with
analyzing
it.
The
issue
that
you'll
have
is
that
the
framework
itself,
or
I
shouldn't
say
framework,
but
the
the
that
version
of
the
the
language
may
not
support
the
the
associated
sources
and
syncs
that
I
mentioned
before.
A
That's
core
to
static
code
analysis.
So
if
you,
for
example,
wanted
to
analyze
that
javascript
code
you'd
actually
have
to
add
support
for
that
those
types
of
issues
in
that,
but
it
is
possible.
The
only
time
that
it
may
not
be
possible
is
something
like
a
a
semantical
like
change.
That
needs
to
be
addressed.
A
A
So
what
what
I've
done
is
actually
looked
at
these
these
security
issues
here
and
one
of
the
things
you
may
have
all
noticed.
I've
actually
got
a
recurring
issue
that
keeps
on
occurring
here
called
rate
missing
rate
limiting.
If
you
actually
take
a
look
inside
this
particular
issue,
it's
primarily
because
I
don't
have
any
middleware
or
anything
in
place
in
my
node
application
to
limit
the
amount
of
requests
coming
into
the
application
now.
This
is,
this
is
great
as
a
bit
of
context.
A
Static
code
analysis
primarily
focuses
at
the
code
that
is
analyzing
then,
and
there
so
in
the
in
the
grand
scheme
of
things.
Maybe
this
application
is
is
actually
running
behind
a
load
balancer
or
some
gateway
that
is
actually
rate
limiting
for
you.
A
lot
of
cloud
providers
actually
provide
this
support
out
of
the
box
as
well
with
some
fine
grain
detail,
but
there
there's
two
things:
ways
to
handle
this:
there
you've
you've
got
it
where
you
can
actually
mass
select
a
particular
issue.
So
in
this
case
we
can
do
missing
rate.
A
Limiting
you
can
see
here.
We've
actually
got
quite
a
lot
of
issues
because,
if
you
think
about
it,
every
roots
in
my
application
that
is
present
needs
potentially
needs
to
be
rate
limited
now
from
a
developer
standpoint,
you
could
do
two
things,
one
mark
everything
as
a
false,
positive
resolve
as
a
false,
positive
or
won't
fix,
and
you
can
also
do
some
talk
about
other
other
details
as
well
about
it.
A
But
one
of
the
things
that
I
I
kind
of
focus
on
is
is
maybe
you
don't
want
these
issues
to
reoccur
again,
because
every
time
you
add
a
new
route,
there'll
be
a
new
security
alert.
You'll
have
to
then
remove
it
and
it
becomes
a
bit
of
a
pain,
especially
for
for
developers
when
you're,
when
you're
trying
to
review
a
pull
request
and
you've
got
maybe
some
other
more
pressing
security
issues
that
have
been
accidentally
introduced,
and
you
don't
want
a
few
other
new
rates
limiting
issues
in
this.
A
So
what
I've
done
is
I've
actually
created
a
new
configuration
here?
Let
me
just
let
me
just
change
branches,
so
I
can
demo
this
and
what
I've
done
is
actually
got
almost
a
very,
very
similar
workflow
file
to
what
I
had
in
in
github,
but
with
a
small
change.
The
small
change
is
actually
one
of
the
properties
attached
to
the
initialization
method
of
oh.
Let
me
zoom
in.
I
just
realized,
it's
very,
very
small.
A
This
is
this
can
be
relative
in
the
path
that
you
specify
specifying
your
project,
and
this
will
essentially
get
loaded
at
runtime
when
you
go
into
here,
there's
actually
quite
a
lot
of
different
things
you
can
do
here
now.
The
first
thing
to
note
is
that
you
can
specify
a
name,
so
you
can
have
maybe
multiple
configuration
files,
the
disable
default
queries.
So
this
is
actually
what
one
of
the
ways
how
codeqil
works
is
it
bases
all
of
its
analysis
off
of
what's
called
query
pack
query.
A
Suites,
query:
suites
are
a
large
collection
of
queries
that
are
run
at
analysis
time.
So
what
what
we're
saying
is?
Essentially,
I
don't
want
any
of
the
default
queries
that
have
been
enabled
and
then
I'm
also
pointing
it
to
as
part
of
this
queries
to
this
qls
file
or
the
query
language
suite
file.
A
This
allows
me
to
actually
specify
a
custom
javascript
suite
in
this
case,
and
then
I've
also
got
some
other
paths
here.
Like
paths
ignore,
and
then
paths
also
is
another
variable
that
you
can
say
hey-
I
only
want
to
scan
a
particular
folder.
For
example,
one
of
the
things
that
I
won't
show,
but
I'll
show
you
later
is
actually
there's
a
few
public
javascript
files,
for
example
they're
in
here
like
maybe
to
remove
a
bit
of
analysis
time.
A
A
So,
let's
we'll
ignore
that
for
now
and
then
the
the
other
part
was,
we
said
we
were
talking
about
a
custom
javascript
suite
and
this
is
actually
defined
as
another
file.
If
you
go
in
here.
Let
me
just
set
that
to
yaml
and
in
here
there's
a
couple
of
bits
of
detail
as
well
in
here.
One
of
the
primary
ones
is
actually
it
specifies
the
the
context
of
like
what
what's
in
what
query
seats
do
I
want
to
inherit
from
so.
A
In
this
case,
I'm
actually
I'm
inheriting
a
query
c
suite
called
javascript
security
game
quality.
Now
what
this
is
is
if
you
navigate
to
the
codeql
ql,
if
you
navigate
to
the
coql
publicly
available
repository
in
this
case,
I
kind
of
talked
about
this,
but
we'll
talk
about
it
later
is
that
all
the
queries
and
and
and
suites
are
actually
available
in
in
github
itself
for
anybody
to
view
as
well.
A
A
A
So
if
we
go
back
to
one,
if
we
go
back
to
our
configuration
here,
we
can
actually
see
what
query
suite
we're
actually
importing
from.
In
this
case,
I
actually
just
want
to
inherit
the
javascript
security
and
quality.
Now
this
is
actually
a
different
one.
So
this
is
I'm
actually
extending
the
default
query
suite.
A
If
you
can
imagine
the
the
query
sheet,
that's
built
in
by
default
is
actually
a
very
highly
accurate
query.
Suites,
where
you
can.
Actually,
we
have
a
very
low
false
positive
rate,
but
you
can
start
using
some,
maybe
more
of
the
more
experimental
query
suites
as
well,
so
you
can
start
really
start
really
using
a
lot
of
experimental
features
that
might
find
something,
but
of
course
that
might
come
at
the
cost
of
potentially
speed
or
and
accuracy
as
well.
A
Let
me
zoom
in
and
for
example,
as
an
organization
you
maybe
want
to
only
be
focusing
on
particular
things,
so
I've
only
in
my
example
here
I'm
actually
showing
only
the
exclude,
but
one
of
the
really
powerful
things
is.
You
can
actually
do
the
including
feature
as
well.
So,
instead
of
maybe
a
lot
of
security
vulnerabilities
that
you
maybe
as
an
organization
don't
care
about,
you
can
actually
create
a
query
pack
that
only
includes
very
high
results
that
are
security
related.
A
In
my
instance,
I'm
actually
just
excluding
this
one
query.
The
query
can
be
found
as
part
of
this
javascript
project.
One
thing
I
forgot
to
do
is
actually
push
this
and
merge
this,
because
this
it
may
take
a
few
minutes.
But
if
you
can
imagine
that
pipeline
earlier
took
about
four
minutes,
we're
actually
extending
it
massively
the
amount
of
stuff
that
we're
covering
and
we're,
but
we
are
excluding
one.
So,
let's,
let's
go
ahead
and
I'm
going
to
just
quickly
get
push
origin.
A
What's
this
feature
called
sorry
branches
branch?
Okay,
awesome
get
get
push
origin.
I
forgot
the
name
of
this.
That's
fine
and
we're
going
to
just
push
this
up
so
for
this
is
for
for
demo
purposes,
but
forgive
me
all
the
developers
that
are
about
to
cringe
at
what
I'm
about
to
do,
but
for
for
speed
sake.
What
I'm
going
to
do
is
I'm
going
to
just
quickly
merge
this
without
reviewing
it
and
assume
that
my
feature
is
completely
flawless.
A
I'm
actually
running
one
of
my
actions
in
here
as
well,
so
for
time's
sake,
I'm
gonna
just
pop
over
to
the
project
that
I
prepared
a
little
bit
for
this,
but
we'll
wait
for
this
to
run.
But
one
thing
to
note
is:
if
we
go
into
here
into
the
the
adding
code
scanning
part,
so
this
is
the
one
that
I
showed
you
earlier.
A
We
can
actually
go
into
the
initialization
that
you
see
how
many
all
the
queries
that
are
run
here,
the
other
one.
That's
really
great,
as
you
can
see
in
here.
I
think
it's
the
analysis.
You
can
see
it's
one
out
of
64..
So
in
this
current
analysis,
we're
actually
running
64
queries
on
top
of
that
that
kql
database-
and
I
don't
know
if
I
explained
before
but
coql-
generates
what
a
database
that
it
will
run.
A
A
and
then,
if
we
go
to
my
other
project,
just
as
a
quick
run
into
this
one,
this
is
a
very
similar
project,
but
just
somewhere
else.
Let's
look
at.
I
think,
not
that
one
this
one
just
so,
just
as
like
a
jump
into
it,
we'll
go
back
to
the
other
project
in
a
second.
But
if
we
open
up
our
perform
code,
query
analysis:
you
can
actually
see.
Okay,
we've
actually
almost
doubled
the
amount
of
queries
that
we'll
be
running.
A
So
a
bit
of
history,
the
coachwell
team
actually
wrote
this
primarily
as
a
as
as
a
code
quality
tool
back
in
2000,
early
2000's
can't
remember
the
year,
and
then
it
changed
to
more
of
a
security
focus.
A
lot
like
a
lot
of
other
tools
in
the
static
code.
Analysis
realm
as
well,
and
you
can
get
a
list
here
as
well,
but
one
of
the
things
that's
also
nice
feature
is.
A
You
can
actually
like
in
the
sarif
file
itself
because
of
the
specific
specifications
of
the
the
the
the
file
format.
It
actually
contains
a
list
of
all
those
those
queries
that
I
run
as
well.
So
an
interesting
project
that
peter
my
moderator
actually
wrote
a
few
weeks
ago
was
actually
a
a
nice
action
to
consume
this
and
display
as
a
pdf
report,
what
analysis
queries
will
run
on
that
code
base
and
things
like
this
so
once
the
analysis
is
run.
A
B
So
matthew
at
the
moment,
one
of
the
questions
is
around
sort
of
the
concept
of
code
coverage
and
how
that
relates
to
our
database
and
the
queries
that
we're
running.
Would
you
like
to
possibly
expand
on
how
we
actually
do
that,
and
you
know
how
we
might
tie
that
into
the
coverage
based
on
the
queries
that
we
provide.
A
A
I
don't
think
we
have
a
plan
to,
but
you
can
actually
use
like
a
lot
of
open
source
actions
and
software
to
actually
do
that,
for
you,
for,
for
I
see
in
the
chat,
was
around
c-sharp
if
it's
more
around
the
analysis
itself,
as
in
the
the
framework
supported
and
stuff
like
that,
that's
actually
built
into
part
of
the
queries
as
well.
So
the
queries
are
extended
per
per
the
frameworks
that
we
do
support,
and
then
this
is
like
added
to
any
consequent
like
next
scans
that
were
ever
scanned.
A
So,
for
example,
if
a
new.net
framework
comes
out.net
core
or
the
net
framework,
was
it
five?
Is
there
going
to
be
the
new
one
in
the
next
year,
or
so
once
that
is
released?
Maybe
there's
some
modifications
and
changes
between
the
previous
versions
we
would
have
to
then
our
security
team
would
add
support
for
that.
But
of
course
we
got
a
little
bit
of
advantage
because
the
the
in
that
case
actually.net
core,
is,
is
open
source.
A
B
A
A
This
allows
you
to
essentially
I
wouldn't
recommend
forking
it,
but
at
least
maybe
taking
a
look
at
the
queries
of
the
languages
supported
and
how
the
frameworks
are
supported
as
well.
These
can
then
be
extended,
as
well
as
peter
rightly
said,
where
developments
can
either
extend
them
themselves.
Security
researchers
can
extend
them
for
for
developers
as
well
and
either
contribute
back.
So,
for
example,
if
a
new
framework
comes
out,
that's
better
than
express,
for
example,
and
and
a
lot
of
developers
want
added
support
for
it.
A
So
it
becomes
a
lot
of
extensibility
as
well
and
we'll
cover
that
in
a
bit
as
well
right,
let's
go
back.
Okay,
it's
still
running.
Let
me
just
jump
to
the
other
project
just
so
you
can
kind
of
see
so
in
this.
In
this
example,
it's
actually
run
and
it's
produced
a
lot
more
results
in
this
case.
But
if
you
remember
correctly,
actually
I
enabled
all
the
code
quality
and
some
of
the
other
pictures
as
well.
A
But
you
have
to
be
very
cautious.
Just
as
a
side
note
is
that
you
could
technically
exclude
all
of
the
queries
and
then
you'd
have
a
clean
bill
of
health,
but
actually
you
didn't
run
any
of
the
analysis.
So
this
is
something
to
really
take
note
of
as
well,
and
one
of
the
other
things
I
did
mention
earlier
is
actually
it
has
discovered
a
few
issues
in,
for
example,
the
angular
minified
version
and
stuff
like
this,
but
we
typically
exclude
this
and
use
something
like
depend,
a
bot
to
actually
analyze
this
as
well.
A
Let
me
just
quickly
see
the
chat.
Okay,
no
more!
No
new
questions
awesome,
so
one
of
the
next
things
I
wanted
to
kind
of
touch
base
on
was
actually
extending
the
queries.
So
one
of
the
really
nice
features
about
kql
is
you
can
extend
the
queries
with
your
own,
your
own
customizations
per
repository
or
even
having
a
third-party
repository
as
well.
For
this,
so
I'll
just
show
you
a
sample
of
this
snippet,
but
you
can
see
that
I
actually
created
this
folder
called
queries
in
the
query.
Pack.
A
Sorry,
no,
not
query!
Pack
in
here
sorry
in
the
code
qr
configuration
file,
I've
actually
set
up
a
couple
of
additional
steps
so
before
it
didn't
have
these
two
lines
and
I've
done
two
things:
one
is
I've
actually
added
my
own
custom
query.
That's
as
part
of
this
repository
this.
This
needs
to
be
defined
in
the
repository
make
sure
that
the
path
is
is
relative
as
well,
and
then
the
second
thing
we'll
come
across.
I
will
talk
about
in
a
second.
A
A
Anything
inside
contained
inside
this
can
be
defined
as
a
query,
so
in
this
instance,
I've
actually
just
specified
the
languages
and
some
of
the
names
and
and
also
dependencies.
So,
for
example,
this
is
actually
the
core
library
for
all
the
javascript
stuff.
If
you
didn't
have
this,
for
example,
you
can
run
some
of
the
the
default
behavior
that
the
the
built-in
queries
have
and
then
actually,
I've
actually
taken
a
sample
of
one
of
the
experimental
queries
this
this
is
actually
to
do
with
server-side
template
injection.
A
This
is
quite
a
complicated
query,
so
I'll
jump
over
to
another
one,
that's
a
little
bit
easier
to
explain,
but
the
in
this
particular
issue.
What
happens
is
when
you're
rendering
particular
templates
using
a
templating
engine
so
like
pug
or
jade,
or
any
of
those
other
engines
like
this
there's
actually
a
potential
ability
that
if
you
pass
in
user
defined
input
into
the
the
string,
that's
actually
the
template
string.
You
can
actually
get
arbitrary
code
execution
in
this,
so
as
kind
of
like
a
quick
view
over
it.
A
So
if
you
can
imagine
you
calling
compile
you're
passing
in
a
string
and
you're
concatenating,
some
user
input,
that's
that's
very
bad!
You
don't
want
that,
and
there's
also
some
other
frameworks
supported
here,
so
dots
and
e
gs
as
well
and
nunjucks
as
well,
and
then
just
the
the
the
base
query
for
for
code
ql
as
well.
A
I
won't
go
over
this
too
much,
because
this
is
a
little
bit
more
of
a
complicated
one,
but
it's
kind
of
like
an
interesting
one
to
show
you
an
example
of
one
of
the
other
things
I
did
show
earlier
and
I
kind
of
skipped
over
it
was
this
this
this
line.
This
line
actually
allows
you
to
specify
a
repository
or
a
file
inside
a
repository
inside
github
that
contains
a
query
pack
or
and
queries
as
well.
So
in
this
case
I've
actually
got
my
own
repository
called
securityqueries.
A
A
A
All
good
awesome,
so
in
this
case
I've
actually
created
a
query.
Well,
I
didn't
create
this
query.
One
of
my
colleagues
created
this
query
and
it's
a
lot
easier
to
read.
So
this
actually
is
a
query
that
is
not
technically
a
secure.
It
is
a
security
issue,
in
some
case,
in
some
cases,
but
in
older
versions
of
of
low
dash.
If
any
non
non
javascript
developers
are
familiar
with,
it's
lowdash
is
a
utility
library.
A
That's
used
for
simplifying
a
lot
of
tasks
for
you
really
awesome,
but
issues
primarily
in
the
case
of
of
a
particular
one
of
its
functions
called
templates
there's.
Actually
there
was
a
few
comment
fits
months
or
years,
but
in
a
particular
version
there
was
actually
a
security
vulnerability
where
you
could
get
prototype
pollution.
A
I'm
running
just
this
function
here
to
kind
of
get
get
my
dependencies
so,
for
example,
in
that
coql
database
that
I
spoke
of,
they
actually
also
include
things
like
the
node
package
data
as
well.
So
in
the
case
of
this,
I'm
actually
looking
for
a
package
name
that
is
equal
to
lodash
and
then
also
making
sure
that
I
have
I'm
actually
looking
for
the
exact
version
of
that
package.
A
You
can
also
see
there's
and
statements
between
here,
so
it's
kind
of
like
a
sql
plus
object,
orientated
programming,
language
and
then,
finally,
I'm
actually
looking
for
any
data
any
calls
to
the
template
method.
Now,
of
course,
in
this
example,
I'm
actually
not
doing
a
lot
of
the
other
things
you
should
do
like.
If
this,
for
example,
needs
input
from
a
user,
then
you
may
need
to
write
a
configuration
for
that
to
actually
show
the
user
that
is
coming
from
swan
source
to
this.
A
A
So
as
an
example,
an
organization
could
actually
have
a
massive
list
of
their
own
customizations.
They
have
on
particular
branches
particular
teams.
So
maybe
you
have
one
application
team
versus
another
application
team.
Maybe
there
they
have
their
own
queries
that
they
want
to
to
run
on
it.
This
would
actually
be
part
of
either
their
own
separate
repository,
or
it
could
be
just
a
another
branch
of
the
main
repository
that
you
want
to
run
as
well,
so
this
actually
took
much
much
longer.
A
But
let's,
let's
take
a
look
at
the
the
logs
for
my
my
test
environment
here,
so
I
did
the
exact
same
where
I
actually
just
forced
merged
quickly,
just
to
kind
of
show
you
an
example
of
this,
but
you
can
kind
of
see
a
couple
of
things
in
here,
but
one
of
the
things
is
the
initialization
function.
This
is
the
important
one
so
we're
seeing
what
we
saw
earlier
around
all
the
different
queries
that
are
loaded
in
at
runtime.
A
A
One
of
the
things
you
may
have
saw
is,
I
didn't
specify
the
query
so
here
I'm
actually
specifying
the
query
in
as
part
of
a
repository,
but
here
I'm
actually
not
so
any
any
ql
files
that
are
contained
in
that
repository
actually
automatically
loaded
as
well,
and
you
can
kind
of
also
see
for
for
java
projects.
There's
that
I
I
have
a
a
test:
server
side
request:
forgery,
query
that
I've
been
I've
been
tinkering
with
and
then
once
that
analysis
is
done,
you'll
actually
see
the
results
of
those.
A
Those
two
queries
now
actually
before.
I
continue
one
of
the
interesting
facts
and
this
server
side
request
that
the
the
server
side,
template
injection
query
is
actually
kind
of
interesting,
because
the
reason
why
this
wasn't
added
to
the
production
queries
is
that
maybe
there's
some
you
can
see
here.
There's
actually
the
the
run
time
and
compile
time
is
actually
a
lot
longer
than
a
lot
of
the
other
ones
like
two
minutes
versus
like
a
few
seconds
for
each
one.
A
So
maybe
the
team
have
not
fully
written
up
the
exact
query
that
will
run
optimally,
optimized
on
that
on
the
kql
database.
So
this,
hopefully,
will
be
coming
soon,
but
right
now,
this
is
not
as
part
of
it
and
you
can
imagine
that
a
lot
of
organizations
might
have
their
own
customizations
that
that
they
want
to
add
that
may
take
a
little
bit
longer
than
than
normal
as
well,
and
you
can
see
also
this
this
low
dash
template
as
well.
A
A
We
have
a
new
vulnerability.
That's
come
out
in
low
dash.
I
want
to
check
the
version
of
it
and
I
also
want
to,
for
example,
check
if
somebody's
invoking
this
method,
with
some
user
input,
for
example-
or
let's
say
it's
in
a
java
library
as
well
like,
for
example,
a
new
vulnerabilities
come
out
in
a
parsing
language,
parsing
library
and
you
want
to
add,
want
to
see
okay
across
my
organization,
which
repositories
are
affected,
you'll
be
able
to
upload
upload,
commit
it
to
this
repository
and
then
any
application
that
is
consuming.
A
This
repository
of
of
queries
can
then
use
those
on
top
of
it
as
well.
So
you
can
get
some
really
big,
powerful
use
cases
with
this
as
well
and,
of
course,
because
it's
all
in
repositories,
it's
all
based
in
git.
So
it's
als,
it's
all
source
controlled,
you
and,
and
you
can
see
different
versions
and
you
can
see
iterating
over
time
a
particular
security
issue
and
things
as
well.
So
let
me
see
if
there's
anything
in
the
chat.
A
How
can
I
graph
graphically
visualize
code
codeql
alerts?
Is
there
any
api
to
grab
coql
code
scanning
results?
So
yes,
so
right
now,
you
can
the
only
way
currently,
but
this
this
will
change
in
the
future.
Is
I'm
in
the
wrong
repository.
It's
actually
the
only
way
you
can
view
them
primarily
is
through
the
user
interface
in
in
github.
A
Now,
if
this
is
not,
if,
if
you
want
to,
for
example,
show
this
as
graphs
and
things
like
this,
this
will
actually
be
coming
at
some
point
in
the
future,
with
our
our
cool
security
center.
But
we'll
we'll
talk
about
that
another
day,
but
the
the
other
thing
that
you
can
do
and
I've
seen
a
few
customers
do.
This
is
actually
there's
an
api
that
you
can
use
and
peter's,
thankfully
shared
it
in
the
chat
where
you
can
actually
just
call
the
api,
obtain
the
results.
A
A
Let
me
grab
that
there's
a
couple
of
things
that
I
think
would
be
really
interesting
for
other
everybody,
if
you're
not
familiar
with
how
how
to
write
code
ql
or
you
want
you're
a
bit
interested
in
how
to
write
the
rules.
I'll
share
a
couple
of
links
to
some
youtube
videos
of
some
of
my
colleagues
who
are
actually
doing
did
this
about
four
months
ago
as
well.
So
if
you're
all
interested,
you
can
take
a
look
at
this.
Let
me
post
those
in
the
chat
and
they're
great
any
questions.