Description
A step-by-step walkthrough of Dependabot code security in action with Andrew McCoy, Field Solutions Engineer. See how an insecure Docker image is built and broken via a known RCE exploit, then successfully patched and re-deployed with Dependabot.
Learn more about Security here: https://github.com/learn/security
All right so, hey everybody, my name is Andrew McCoy or, as everyone actually calls me, Moose. It's an old nickname going back to my time in the Marines, so definitely a story to chat about at a different time, and hopefully we can get together in person. So in the meantime, I'm the latest one here at GitHub to join us on doing some Twitch streams. So as we're going through it, if you have any questions or concerns, please feel free to click the link. I think it's, let me see if I can get that right, somewhere in the lower left corner of the panel here, and go ahead and reach out, and someone from our great sales team, or one of our pre-sales technical folks, will be able to help you out.

So what we're gonna do today, and what I'm gonna walk folks through, is one of my favorite types of demos. So where I'm going to start here is I have a public GitHub repository. Folks that want to follow along at home, you can go ahead and go to github.com, Octodemo, moose Dependabot twitch, and go ahead and fork the repository. So it's a basic repository based off of the struts2 showcase app, which is a free and open source, commonly used framework, Struts. There's many products, middleware, all over the ecosystem based on this framework for a number of years at this point, as well as continuing to be built and maintained for the foreseeable future. So I've always liked to use it because it maintains relevancy to a lot of the clients that I talk to, and for folks who might be following along at home, whether you're a JavaScript developer or came out of Java, just these common types of frameworks are something that you could potentially reuse and talk to your folks internally about if you're looking to start up a security initiative. So that's why I like to talk about this demo, and really how it's really easy to replicate and tells a really great story around that. So, as you can see here, I have it all pre-wired and configured.

Let's see, it's following, all right, good, we're good with chat for now. It's my first time streaming, so definitely a noob at this one. So I'm gonna settle in and show you guys some cool stuff today. So this is originally done on an old exploit going back to the Struts CVE. I want to work with our GitHub security team here to update this and make some more relevant demos, so maybe I'll be back on here in a couple months with some new and exciting ones from the GitHub Security Lab. But for now we're gonna use one that I'm familiar with here.

So what you're gonna wanna do is, I have this already cloned here locally, so I'm going to walk you through what we're seeing here on GitHub. So, as you can see here, we have the Security tab. You got to make sure you go ahead and enable these things first. I've gone and done this ahead of time, but under Settings, Security & analysis, you can go ahead and enable your Dependabot alerts and Dependabot security updates. These are great functionality that's included with all your public repositories and a lot of the private repositories that you may or may not be using. If you want more information around using these things at scale across multiple teams, you can definitely reach out, and someone great like myself or my colleague Kevin, who you've seen on here a couple times, can dive deeper with you as well.

So on the security overview, you have many things you can do here. You may have read about setting up a security policy, so if you're an open source maintainer, go ahead and communicate to the world how you want folks to report security vulnerabilities, whether you're leveraging the great functionality to publish the CVE by us at GitHub, or you can go ahead and maintain it privately, but it allows your developers and community security researchers to communicate with you in the most effective manner. Security advisories: this is where, if you're gonna go ahead and create your own open source vulnerability on your project, you can start this draft advisory right here from that Security tab. Note this is here because I'm working on a public repository today. Zoom in a little, all right. Thank you.

So I already have these being brought up as part of kind of scanning through the open source repository and the code and the pom.xml in here, and, as you can see, we're using struts2-core, as I've already mentioned, a common framework, and we're being given a quick little remediation here, and we already have a pre-existing pull request, some more to come around that, and I can show you how effective that's going to be for us. But, as you can see here, this thing's riddled with vulnerabilities, not something we want to use, but let's go ahead and see how vulnerable it really is.

So now, if I go ahead and pull up the commands I had from before, we're going to go ahead and do a mvnw clean package. This is going to go ahead and use the Maven wrapper, which I've pre-canned in this repository for folks at home that want to use it, and it allows you to build it without necessarily having to have all the Maven overhead installed on your local machine. Then you can go ahead and run a docker build. I'm tagging this one as hackme, and then the period for the local Dockerfile, and then I am also, it's off screen right now, you can see here we're going to do a docker run, and then we're going to be running it on port 9080, and then we're going to be running the image that we just built. So we're going to go ahead and run that. We can see I'm skipping; I already have everything precached, because I've been testing this, so everyone can be saved seeing all the downloads that Maven and Java like to do every time you build something for the first time. All right, so build's done, build went through successfully.

And orders three should be what we need to hit, all right. So now we can see we actually have this application. It's running. We can create a new order. Let's say Mona wants to buy 500 of our widgets here, and we have new order created successfully for Mona. Yay, all right. Let's see how dangerous this exploit really can be. Any questions here? All right, looks like we're doing good. Let's see, history, and now I'm going to want to look for my Python commands I've run in the past, so I'm just going to go ahead and grab this one to start, for folks, those following along at home, can kind of see where this is going eventually. So let's go ahead and hit the right port this time.

All right, so what did I just do there? If I go back, so the exploit that I referenced here, it's a Python script that we're going ahead and passing the command into. So I can pull this up, so, good demos, nothing without some proof. So, as you can see here, we are passing in a command to the exploit here which builds up the payload header and sends that across, which, when we're executing the command, we embed the command. I do that on the right port again, there we go. Uh-oh, looks like we're running this one as root. That's not really a good thing to happen.

Oh, that doesn't look good, so let's go back in and, oh, something's not found. Now, if I come over here, my website, my application is now crashed, so I was able to show a remote code execution. I could have gone on there and begun executing scripts; at the end of the day, I wanted to kill the service, and so I just simply was able to kind of remove the root underneath it. Very simple at the end of the day, but achieving the goal of showing how dangerous this can be if you're not managing your open source dependencies properly. So let's go ahead back up here.

Let's take a look at this pull request. It says pull requests, as I highlighted before. It's an automated pull request fix. So this is one generated once you enable that Dependabot security updates, and we go ahead and you can see a full depth of the compare view here, looking at what's being changed. That's actually some of the code from the Struts commits, excuse me, so we're giving you some of the view into the open source view of what changes on the open source project, and then also, you know, bumping the pom.xml for your project. And very simple demo repository; building this out over time, it'd be nice to include some CI checks in here. That will really, so as you're, as a developer, these PRs come in, your CI process runs.

And let's just go ahead and see that the changes are here before we go ahead and pull it locally, and yep, you can see here we're at the right version there. All right, so back over here to the terminal, so we're going to go ahead and clear the terminal, and let's see, we're going to want to rebuild this. Let's go back up, except I'm going to name this one fixedme.

Yeah, great live demo, so Mona doesn't get an order this time, but as part of this testing process, let's go ahead and see if our exploit's fixed. Well, that didn't work because we're running on the wrong port. One of these days I'll get the ports right. All right, and that's the expected response when the exploit is not working here, so you're just getting essentially the HTML returned to you. It was patched, but unfortunately, as you just saw when I went ahead to create this order, as with all good things, it looks like we have some regression testing to do. Yep, so as with all things with software, we're going to go ahead and now create a ticket and go ahead and get that bug fixed, but maybe that's something we can tune in on a different stream.

Let me go ahead and switch over here to see if we have any questions now. Someone met me a while back in DFW, interesting, good to see you again, sir. Small world, yeah, I do run in, and in the roles we do travel around a lot. So, oh, Swami, I think, yeah, hey Swami, good to see you. So awesome, any questions here? Can hang out for a couple minutes, but I don't need to sit here and think if anybody has... How long, got one coming up, looks like: how long would it take for someone to get back to you if you reach out to us? Someone should be; we have a decent sized team over here, so someone should be able to reach out to you pretty quickly there. Believe AJ still has, I can't see the stream, I believe it should be down there in the lower left hand corner here, but any questions regarding the demo, Dependabot, things along those lines, I'll hang out for a minute or two, but I just wanted to jump on here, give you folks a quick example that you could take home, replicate, play with, and hopefully I'm going to be back here. I'm definitely going to work on some other ones. If there's any requests of other potential security exploits, potentially throw them in chat. I can take them and do some research, but yeah, more to come. Awesome.

Thank you very much, straight for us, appreciate that. Yeah, this was my first time doing this, so just stretching outside my comfort zone. I'm definitely looking forward to being back out here. All right, well, no questions. Thank you folks very much, and again, reach out to us at GitHub sales. You can do the contact sales; it's in the lower left hand corner here. You'll have the pleasure to chat with someone such as myself, Kevin, Corey, there's countless people that have been on here, as well as our wonderful product team. Talk soon. Thanks all.
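In the stream, the check that the Dependabot pull request actually bumped struts2-core in pom.xml is done by eye before rebuilding the image as fixedme. The script below, an added example that is not part of the stream's repository or of Dependabot, does that check mechanically: it parses a pom.xml, resolves `${...}` property references, and reports whether a named dependency is at or above a caller-supplied minimum version. The pom fragment embedded in it is constructed, the `orders-demo` artifact and the `2.5.x` numbers are placeholders, and the minimum version is a parameter the caller chooses; nothing here states which Struts release fixes the CVE from the demo.

```python
"""Verify that a Maven pom.xml pins a dependency at or above a required version.

Added example (not the demo repository's code). The sample pom and the
version numbers in it are constructed placeholders; the minimum version is
supplied by the caller and is not a statement about which Struts release
fixes the vulnerability shown in the stream.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample pom.xml, shaped like the one Dependabot bumps in the demo.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>orders-demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <struts2.version>2.5.1</struts2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '2.5.10' into (2, 5, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def resolve_property(value, props):
    """Expand ${name} references against the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def dependency_versions(pom_text):
    """Map 'groupId:artifactId' to its resolved version string for every <dependency>."""
    root = ET.fromstring(pom_text)
    ns = {"m": MAVEN_NS}
    props = {}
    for prop in root.findall("m:properties/*", ns):
        props[prop.tag.split("}")[-1]] = (prop.text or "").strip()
    versions = {}
    for dep in root.findall("m:dependencies/m:dependency", ns):
        gid = dep.findtext("m:groupId", default="", namespaces=ns).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=ns).strip()
        ver = dep.findtext("m:version", default="", namespaces=ns).strip()
        versions[f"{gid}:{aid}"] = resolve_property(ver, props)
    return versions


def check_minimum(pom_text, coordinate, minimum):
    """Return (ok, actual_version); ok is False when the dependency is absent or too old."""
    actual = dependency_versions(pom_text).get(coordinate)
    if actual is None:
        return (False, None)
    return (parse_version(actual) >= parse_version(minimum), actual)


if __name__ == "__main__":
    # Placeholder minimum; substitute the fixed version named in the Dependabot alert.
    ok, actual = check_minimum(SAMPLE_POM, "org.apache.struts:struts2-core", "2.5.2")
    print(f"struts2-core is {actual}; meets minimum: {ok}")
```

Run it against the real pom.xml after pulling the Dependabot branch, with the minimum taken from the alert's "patched version" field, and gate the Docker rebuild on the result; that is the CI check the stream says it would be nice to add so the PR is verified before it is merged.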