►
Description
In this session, we’ll take a deep-dive into how GitHub Enterprise can help you build faster, better, and more securely. We’ll show you how to build security into your GitHub workflow, keeping secrets and vulnerabilities out of your codebase from day one. By the end of this session you’ll know how to stay on top of vulnerabilities as they arise and be able to leverage the security community’s expertise (without compromising your code).
0:00 - Start
1:27 - Implement security in 30 minutes
3:11 - Security capabilities in the Supply Chain, in your Code and in the Development Lifecycle (DevSecOps)
4:04 - Secret Scanning in GitHub Enterprise Cloud and eliminating leaked access tokens.
7:13 - Scanning for your company specific custom tokens
11:31 - Code Scanning - Static code analysis with CodeQL
19:56 - Easing tension between Security teams and Development teams
21:39 - Giving developers actionable security alerts, not just more notifications
26:31 - Security overview - The state of security across your entire organization
28:11 - Open source vulnerability scanning and managing the dependency tree
32:45 - Dependency review - finding vulnerabilities before merging changes
34:31 - Q&A
37:06 - Dealing with novel threats and vulnerabilities
https://githubuniverse.com
A
Hello
friends
on
linkedin
from
around
the
world,
thanks
for
joining
me
once
again
for
demo
days,
there's
a
common
notion
that
application
security
is
a
job
for
your
organization's
security
team.
But
the
truth
is
that
you
don't
have
to
be
a
security
researcher
to
significantly
impact
the
security
of
your
applications.
A
Last
week
we
talked
about
one
practical
step:
that
of
using
hardware
security
keys
to
secure
your
github
account.
Today,
we're
going
to
look
at
a
few
more
steps
that
every
developer
can
take
to
mitigate
security
vulnerabilities
and
to
help
me
with
that
today.
I've
got
glenn
wester,
senior
solutions
engineer
over
here
at
github,
and
I've
got
also
rob
derosa
who's,
a
principal
solutions,
engineer
and
he's
in
the
linkedin
chat.
A
B
B
So,
let's
check
out
the
agenda,
I'm
going
to
do
a
cool
directory
style
agenda
here
to
the
extra
hacker.
So
what
I
want
to
do
with
you
today
is:
I
want
to
implement
security
in
30
minutes.
I
think
sometimes
like
we
make
like
shift
left
and
implementing
security
into
like
this
big
mountain,
when
in
fact
it's
pretty
simple
and
github
has
made
significant
improvements
to
its
security,
offering
to
help
you
do
that
very
quickly.
This
is
exactly
what
I
want
to
do
with
you
today
is
over
the
course
of
30
minutes.
B
Ish
is
I
want
to
show
you,
by
the
end
of
this
session,
how
you
can
implement
security
in
addition
to
some
of
our
advanced
security
offerings
so,
first
and
foremost,
we'll
look
into
secret
scanning.
This
is,
if
you
check,
in
a
token
or
a
known
password,
we
want
to
make
sure
that
we
capture
that,
before
it
becomes
a
problem,
we'll
get
into
code
scanning
with
our
static
code
analysis
offering
called
codeql,
there's
also
source
code
that
we
can't
control
like
in
modern
enterprise.
B
Software
development
that
comes
in
the
form
of
open
source
github
is
very
qualified
to
educate
you
about,
like
the
open
source
that
you're
consuming
what
vulnerabilities
it
might
contain,
and
then,
of
course,
too,
across
our
organization
within
github.
We
want
to
find
out
what's
the
state
of
security,
how
many
repositories
have
things
enabled
and
what
are
we
catching?
B
So
that's
what
we'll
cover
in
the
security
overview,
if
you
have
any
questions
as
I'm
presenting,
please
type
them
into
the
chat
box
and
either
rob
will
interrupt
me
or
we'll
take
them
at
the
end,
and
please
feel
free
to
ask
away
okay
with
that,
the
first
order
of
business
I
just
wanted
to
capture
really
quickly
with
just
six
why's
is
that
we
have
a
conference
coming
up
for
those
of
you
that
are
familiar
with
our
conferences.
We
have
two
per
year.
B
We
have
satellite,
which
is
like
more
like
european
time
focus
and
then
universe
which
is
at
hq,
so
that
will
be
pacific
time
if
you
want
to
sign
up
and
see
any
updates
from
the
universe,
just
go
to
get
the
universe.com
and
yeah
we'd
love
to
see
you
there.
We
have
a
lot
of
great
talks
and
getting
really
excited
for
it:
okay,
cool!
So
let's
just
quickly
review.
So
this
isn't
a
slide.
This
is
a
photo
of
a
slide.
It's
a
jpeg,
it's
not
a
pptx!
B
You
know
I
just
want
to
review
very
quickly
the
state
of
security
for
github.
So
of
course,
there's
code
that
we
can
control.
We
call
this
securing
the
software
supply
chain.
They
are
the
components
that
go
into
our
application.
That
then
we
ship
to
our
end
customers,
but
then
also
too,
there
are
things
that
we
are
in
control
of,
meaning
that
the
code
that
our
engineers
are
writing.
We
can
scan
that
and
make
sure
that
it's
high
quality
before
shipping
to
our
customers,
and
then
we
also
secure
this
with
the
development
life
cycle.
B
B
So
the
first
thing
based
on
the
agenda
is
that
we
want
to
get
into
secret
scanning,
so
let's
jump
into
that.
So
for
those
of
you
on
initiative,
this
is
something
called
the
github
enterprise
account.
Github
is
two
core
offerings
for
our
enterprise.
We
have
something
called
github
enterprise,
server
and
github
enterprise
cloud.
What
I'm
showing
you
is
cloud
here.
It's
a
fully
managed
offering
where
we
can
combine
many
different
github
organizations
into
one
kind
of
parent
account
called
an
enterprise
account.
B
This
lets
us
apply
policy
and
security
over
all
the
organizations
that
we
manage.
I
just
want
to
make
you
aware
too,
that
if
you
want
to
do
this
stuff
on
prem
you
can
we
have
a
local
github.com
called
github
enterprise
server.
You
can
fully
air
gap
it.
It's
a
virtual
appliance
that
you
install
locally
behind
your
firewall
and
people
can
use
it
and
you
get
to
have
complete
control
over
it.
So
it's
not
managed
at
all
you'll,
be
standing
up
a
server
and
maintaining
it
and
doing
upgrades
and
a
c
of
github
enterprise.
B
If
you're
using
this
for
work,
we'll
give
you
see
it
on
both,
so
we
don't
care
which
one
you
use.
I
just
want
to
make
you
aware
of
both
offerings
so
secrets.
This
is
something
that
impacts
every
everybody
working
with
the
enterprise
customers
in
the
west.
Here
I
get
to
work
with
some
of
the
largest
companies
in
the
world,
and
I
would
say
we
see
this
happen
all
the
time.
It's
not
like
just
something
that
junior
developers
do.
B
We
see
people
that
have
been
developing
software
for
20
years
committed
secret
accidentally,
and
you
know
the
objective
here
is
not
hire
people
that
don't
do
that,
because
good
luck!
What
we
really
want
to
do
is
that
we
just
want
to
check.
We
want
to
make
sure
that
we're
not
committing
secrets
which
can
become
problems
like
down
the
line.
If
somebody's
savvy
enough
to
decompile
your
application,
they
might
be
able
to
scrape
that
password
in
plain
text
or,
if
somewhere
down
the
road.
B
Secret
scanning
for
private
repositories
works
in
two
ways:
we're
scanning
for
known
tokens
from
known
providers.
We
have
something
like
125
different
providers
that
we're
looking
for
so
kind
of
like
the
most
popular
services
that
you
possibly
want
to
use
or
we're
scanning
for.
What
we
do
is
that
we
partner
with
these
companies
and
we
find
out
the
signature
of
their
tokens
and
secrets.
B
B
Let
me
show
you
a
quick
example
of
like
one
that
like
how
this
looks
so
in
this
case
I
just
have
a
little
bit
of
regex
written
in
this
case.
We
want
to
make
sure
that
we're
not
committing
any
ipa
addresses.
Now.
This
might
not
be
like
super
high
profile,
like
maybe
you'd,
want
to
put
a
token
in
here
or
other
passwords
that
you
want
to
be
looking
out
for.
B
What's
really
cool
too.
Is
that
within
this
dialog
box?
Is
that
we
can
test
this
as
well?
So
if
you
do
want
to
see
like
169.168.,
we
can
see
that
we're
matching
very
quickly
based
upon
this
rejects
pattern,
and
again
this
is
completely
customizable
right
now.
We're
setting
this
up
at
the
enterprise
account
level.
B
What
happens
is
that
if
this
condition
is
met,
you'll
get
an
email
saying
that
you
committed
a
token,
and
then
you
can
choose
a
method
of
remediation,
meaning
in
private
secret
scanning,
we're
not
going
to
do
any
automatic
remediation,
because
you
might
want
to
vary
what
you're
doing.
With
that
actual
token,
you
know
either
putting
it
into
encrypted
storage
or
removing
it
completely
or
using
some
other
mechanism.
B
Let
me
show
you
how
this
looks
to
you
within
an
organization,
so
an
organization
of
course
is
where
our
repositories
are
going
to
be.
If
we
click
into
settings
and
we
go
into
security
and
analysis,
we
can
see
here
that
we
have
secret
scanning
and
in
this
case,
we're
doing
an
email
check.
In
this
case,
we
want
to
make
sure
that
no
one's
committing
their
email
address
into
our
source
code.
Again,
you
can
put
token
formats
in
here
or
secret
formats,
and
you
can
always
test
it
before
implementing
it.
B
B
The
security
tab,
too,
is
going
to
contain
most
of
what
we're
talking
about
today
so
depend
about
code
scanning
alerts,
and
here
we
have
secret
scanning
alerts.
So
when
you
do
commit
a
secret,
it
will
show
up
in
the
secret
scanning
alert
you'll,
get
a
notification
by
default
administrators
and
repository
owners.
This
information
is
scoped
to
them.
So
if
you
do
find
a
secret,
you
know
you
might
not
want
an
intern
to
join
your
organization
and
then
see
all
your
secret
and
token
token
formats.
B
You
know
like
maybe
that
wouldn't
be
something
that
you
want
them
to
see.
So
what
we'll
do
is
that
we'll
scope
it
initially
just
to
the
repository
owners
and
also
to
for
the
administrators
of
the
enterprise
account
or
github
organization,
we'll
report
them
in
this
window,
like
let's
just
say
that
you
did
have
a
terraform
key,
that
you
were
committing?
B
What
we'll
do
is
we'll
show
you
what
files
are
impacted
and
then,
most
importantly,
the
developer
is
now
aware
of
this.
You
can
put
this
into
a
better
mechanism.
You
can
see
what
files
it
impacts
and
then,
most
importantly,
once
you
have
it
resolved,
you
can
mark
it
as
revoked
or
false,
positive
or
you're
not
going
to
fix
it
for
whatever
reason,
once
you
do,
that
too,
then
we'll
be
able
to
see
from
the
closed
secret
alerts.
B
What
was
the
sort
of
pattern
that
we
used
to
resolve
this?
One
more
important
thing
I
want
to
mention
is
that
this
is
always
running
meaning
without
any
additional
configuration
outside
of
just
enabling
it.
This
is
constantly
running
and
it's
running
on
github's
platform,
so
there's
no
additional
configuration
that
you
have
to
do
per
repository
and
the
reason
why
I
want
to
mention
this
is
this
makes
it
very
easy
for
enterprises
to
roll
out,
meaning
that
there's
no
additional
configuration
file
per
repository.
B
Customer
that
I
talk
to,
in
addition
to
our
own
company
to
github
our
engineers
are
human
too.
We
commit
secrets
all
the
time
again.
The
solution
really
is
to
be
checking
for
these
things,
not
to
think
that
you
can
hire
people
that
don't
make
mistakes
so,
especially
on
a
friday
right,
okay,
cool.
So
if
you
have
any
questions
on
secret
scanning,
please
let
me
know
in
the
chat
and
we
can
take
those
either
now
or
at
the
end.
C
B
Of
our
advanced
security,
offering,
which
is
an
additional
cost
on
top
of
github
enterprise,
if
this
is
something
that
you're
interested
in
interested
in
trying
either
for
work
or
just
for
your
own
account,
please
let
us
know
we'll
have
aj,
add
a
qr
code
at
the
end
where
you
can
reach
out
and
find
out
some
more
information
or,
if
you're
interested
in
exploring
a
trial.
We
can
also
kick
that
off
as
well.
B
B
A
very
quick
kind
of
too
long
didn't
read
is
that
we
make
a
database
of
your
code
base
a
compilation
time
so
we'll
create
a
database
that
we
can
query.
Then,
with
these
queries
that
we
write
for
security
vulnerabilities,
so
I
would
say,
like
the
more
I
work
in
security,
the
more
I
realize
that
it's
really
not
magic.
It's
really
just
an
a
lot
of
effort
that
has
to
be
taken
into
writing.
B
B
Most
of
github's
products
are
free
for
open
source
and
we
do
that
by
design
first,
we
want
to
encourage
everybody
to
be
writing
software
and
contributing
to
open
source
and
just
improving
the
quality
of
software
everywhere
pretty
much,
but
also
too.
This
helps
contribute
back
queries
that
then
we
can
execute
against
their
code
bases
in
private
source
code.
B
So
you'll
see
if
you
click
around
github,
if
you
go
into
like
their
branch
protections
and
see
like
their
pull
requests
and
see
like
what
are
the
required
status
checks
which
we'll
get
into
in
just
a
little
bit,
we
can
see
that
people
are
using
codeql
to
scan
their
code
bases
before
they
release
it.
I'm
a
big
space
fan
like
in
like
personal,
like
hobby.
B
What's
really
neat
too,
is
that
it's
a
good
solution
for
earth,
but
also
to
nasa
uses
this
technology.
Jpl
is
one
of
our
customers
and
they
want
to
make
sure
you
know
that
they
have
high
quality
releases,
a
lot
of
customers
that
I
talk
to.
They
always
talk.
You
know
about
mission
critical
and
it's,
like
you
know,
what's
more
mission
critical
than
like
an
interplanetary
space
mission.
B
Of
course,
the
code
is
open
source
by
the
way,
if
you
ever
want
to
go
check
it
out
and
see
that
required
status
check,
you
could
just
always
go
into
the
mars
ingenuity
flight
code.
You
can
always
just
click
into
a
pull
request
too
and
see
like
what
are
the
required
status
checks
and,
in
this
case,
they're
doing
a
ton
of
checks.
These
checks,
by
the
way,
are
just
making
sure
that
we're
checking
everything
that's
important
to
us
before
we
allow
the
code
to
be
promoted
into
main
branch,
and
this
will
vary.
B
Don't
worry
about
this
name
here
lgtm.
This
is
like
the
open
source
version
of
codeql
that
we
named
before,
but
this
has
now
been
sort
of
rebranded
into
github,
advanced
security
and
that's
what
you
can
use
it
now
in
your
repository,
but
you
can
see
here
that
they
were
doing
code
ql
analysis
for,
in
this
case
c
and
c,
plus,
plus
and
python
okay.
So
let's
actually
implement
this
and
show
you
how
you
can
do
this
within
your
own
code
base
and
show
you
how
you
can
configure
this.
B
So
what
I'll
do
is
I
just
have
a
repository
here
now.
This
also
requires
github
event
security.
So
again,
if
you
want
to
initiate
a
trial,
but
you
can
also
try
this
today.
If
you
have
a
public
repository
in
your
security
tab,
you'll
be
able
to
access
the
codeql
scan
again.
Codeql
is
free
for
open
source.
So,
if
you
want
to
try
this
today,
you
absolutely
can
so
within
the
security
tab.
B
Within
my
repository,
I'm
going
to
click
security
code
scanning
alerts
and
this
codeql
analysis
now
one
really
important
thing
to
communicate
about
github
event.
Security
in
general
is
that
you
should
think
of
it
more
like
a
security
hub,
meaning
that
we
can
ingest
results
from
many
other
third-party
tools
as
well.
A
lot
of
folks
that
we
talked
to
yeah
they're
really
interested
in
coql,
but
they
have
existing
tools
that
they
also
want
to
see.
The
results
from
you
can
absolutely
do
that.
As
long
as
that
tool
supports
exporting
a
file
format
called
serif.
B
One
thing
that
we
focus
on
in
event:
security
is
not
only
finding
these
vulnerabilities,
but
also
too.
We
want
to
display
rich
results
to
the
developer,
to
actually
fix
them,
and
it
really
helps
for
all
this
stuff
to
be
under
one
hood
too.
A
lot
of
companies
that
I
talk
to.
They
have
like
security
tools
that
dump
all
the
vulnerability
findings
into
some
like
jira
backlog
which
never
get
addressed,
and
then
they
do
like
a
buy
annual
security
build.
B
What
we
really
want
to
do
is
that
we
want
to
halt
development
intentionally
if
we
detect
code
scanning
results,
but
also
too,
we
want
to
provide
an
actionable
path
forward
for
the
developer
and
that's
exactly
what
this
does.
That's
what
I
want
to
show
you
here,
but
just
to
show
you
really
quickly.
I
just
wanted
to
show
you
that
we
can
also
pipe
into
the
results.
B
B
We
provide
to
you
mac,
linux
and
windows,
computers
that
you
can
leverage
these
dynamically
scale
up
and
down
with
github
enterprise.
You
and
your
team
have
50
000
minutes
to
draw
upon
you
can
also,
if
you
don't
want
to
use
one
of
our
hosted
machines
which
is
provided
automatically
to
you.
You
could
also
have
a
self-hosted
runner
as
well
a
simple
way
to
think
about.
B
It
is
that
you're,
just
adding
your
own
computer
to
the
build
farm,
and
we
can
set
this
up
at
the
organization
level
at
the
enterprise
account
level
at
the
repository
level,
and
you
can
run
on
your
own
machines
for
free
if
you
like,
or
you
can
use
our
machines
and
we
have
different
prices
for
the
different
machine
types
with
mac
being
the
most
expensive,
of
course,
okay.
So
what
we
have
here
is
a
workflow
file.
It
creates
a
coql
analysis,
yaml
file
in
our
dot
github
folder.
B
This
will
end
up
at
the
root
of
your
repository
and
you
can
have
many
ammo
files
with
many
different
analyses
and
linting,
and
everything
else
that
you
want
to
do.
This
is
just
a
default
script
that
we
set
up
for
you
for
for
codeql,
specifically
just
one
thing
really
quickly
like
this
is
a
great
editor
like
we'll
have
like
built-in
intellisense
in
it.
So
if
you
want
to
bind
to
any
web
hook
or
event
that
happens
within
github,
you
can
very
quickly
set
that
up
again.
B
We
make
it
very
easy
for
you
to
automate
anything
within
github,
including
ci,
cd
and
other
things.
In
this
case,
by
default,
we're
binding
to
pushes
pull
requests
and,
in
this
case
we're
scheduling
a
cron
job
for
this
execute,
in
this
case
every
five
minutes.
So
you
can
set
this
different
threshold
and
trigger
on
different
events.
B
Okay,
in
this
case,
it
looks
like
we're
running
on
ubuntu
latest.
The
only
thing
that
you
have
to
change
to
get
started
by
the
way
is
just
the
language
that
you're
scanning,
for
so
in
this
case
very
easily,
I
can
just
delete
python
and
conveniently
we
list
an
account
code
comment
here
in
the
yaml
file,
the
different
languages
that
we
support,
I'll
rob
to
drop
into
the
chat.
What
languages
the
codequo
supports.
B
We
support
the
most
popular
languages
and
then
on
the
short
term
roadmap.
We
have
ruby
coming
up
next
and
then
we'll
have
swift
in
kotlin
in
the
short
term
as
well.
If
there's
any
any
languages
that
we
don't
support
again,
what
you
can
do
is
that
you
can
use
a
third
party
or
open
source
static
code
analysis.
Engine
and
again
you
can
still
pipe
in
the
results
into
github.
Advanced
security
so
still
bring
that
tool
and
we
can
support
it
as
long
as
it
supports
serif.
B
What
this
will
do
is
that
this
will
commit
this
file
and
then
now,
based
upon
that
criteria,
I'm
just
gonna
create
a
pull
request
just
to
get
this
into
main
branch,
and
you
can
see
here
that
we
have
a
check,
that's
being
run
in
this
case.
It's
the
codeql
analyze
phase
for
python,
and
if
we
click
into
the
details
here,
we
can
see
the
sexual
actually
running
within
our
ci
system.
B
This
is
very
simple:
again.
We
don't
have
to
spin
up
machines,
github
provided
us
the
machine
we
just
have
to
click
some
buttons
and
change
one
parameter.
Let
me
show
you
what
this
looks
like
too,
when
this
reports
back
results.
So,
of
course
the
developer
is
going
to
be
pushing
code
and
we
can
report
back
as
soon
as
we
execute
the
scan
about
how
the
quality
is.
B
Things
I
would
say
like
where,
like
the
contention
comes
from,
is
that
if
the
developer
gets
blindsided
with
security
results,
meaning
that
they
don't
know
about
them
until
they
finally
open
up
their
pr
and
then
like
they're
trying
to
go
home
for
the
weekend
and
then
they
get
blindsided
by,
like
you
know,
80
000
security
results
and
they
can't
go
home.
That's
usually
where
they
get
pretty
angry
as
with
anybody.
B
But
if
we
are
doing
this
as
part
of
development,
if
we're
doing
this
triggering
on
the
push,
for
example,
then
we
can
bring
up
in
our
stand
up
like
hey.
I
have
six
security
things
that
I
have
to
fix,
and
then
it
gets
that
work,
sort
of
gets
prioritized
and
we've
seen
that
be
a
lot
more
effective,
so
like
in
this
sort
of
initiative
of
shifting
left.
B
It
really
also
too
helps
with
communication
that
you
can
get
onto
your
own
managers,
wrote
you
know,
sort
of
into
their
purview
that
you
have
a
lot
of
things
to
fix
and
culturally.
If
your
company
cares
about
security,
which
I
hope
they
do
they'll
give
you
the
time
to
fix
them
because
again,
they'll
impact
our
our
sort
of
end
users.
B
B
You
have
a
vulnerability,
we
can
look
within
our
pull
requests
here.
We
can
see
the
files
that
have
changed.
People
are
going
to
be
commenting
why'd,
you
add
this,
or
this
is
great,
and
you
can
see
here
on
line
66,
that
we
have
a
code
scanning
results
and
you
can
get
a
notification
for
this
as
well
to
your
email,
but
it
looks
like
online
66
here
that
we
have
a
query
built
from
music
controlled
sources.
B
If
we
show
more
details
here-
and
this
is
really
where
this
product
shines
get
of
event
security
code
scanning
with
codeql-
is
that
we're
not
just
going
to
give
you
a
single
line
and
be
like?
Okay?
Great
good
luck?
You
should
fix
this.
You
have
a
major
sql
injection
problem.
What
we
really
want
to
do
is
that
we
want
to
give
your
developers
a
good
picture
of
how
they
can
fix
this,
because
the
first
thing
the
developer
is
going
to
do
is
say:
okay,
shoot.
B
This
is
extremely
useful
to
save
your
developers
that
extra
step
and
they
can
start
to
wrap
their
heads
around
what
the
fix
is
no
security
fix,
is
ever
going
to
be
a
single
line
that
you
just
you
know
address
just
there.
These
fixes
can
be
complex
depending
on
what
type
of
problem
it
is
and
what
type
of
query
was
was
reported
for
the
security
vulnerability.
B
So
this
is
something
that
we're
really
proud
of,
and
we
have
seen
be
very
effective,
but
even
more
than
that,
you
know
like
we're
no
strangers
to
sql
injection.
We
can
also
provide
to
you
a
rich
fix
as
well,
so
these
queries
are
written
in
the
form
of
ql
files,
and
these
ql
files
contain
within
them
recommendations
that
then
we
can
offer
to
your
developer.
B
I
just
wanted
to
say
too,
like
what
queries
are
we
executing?
We
have
an
entire
pack
of
default
queries,
as
I
mentioned
before.
These
queries
come
from
different
sources.
They
come
from
open
source
security
community.
They
come
from
github
and
microsoft,
co-ql
engineers,
but
also
too,
they
also
come
from
other
companies
as
well,
so
for
our
customers,
including
microsoft,
and
the
windows
team.
They're
queries
that
are
constantly
being
written
against
vulnerabilities
that
are
coming
out.
Security
is
a
constantly
changing
landscape
and
tomorrow
there
might
be
another
vulnerability
that
comes
out.
What's
really
cool
about.
B
This
is
that
you
don't
have
to
wait
for
some
big
company
write
a
query
in
certain
cases
within
24
hours,
the
open
source
secure
security
community
is
already
posting
on
twitter,
like
a
new
query
for
a
new
vulnerability
that
just
came
out
that
we
didn't
know
about
yesterday.
So
we
can
immediately
put
that
query
into
our
query
pack
and
then
we
can
execute
it
against
our
code
base
and
get
ahead
of
it.
I
would
say
what
I
see
the
most
mature
organizations
doing.
B
Is
that
they're
very
quick
and
dynamic
to
adapt
to
new
security
threats,
and
that's
like
the
difference.
It's
not
like
that.
Every
company
that
spends
a
lot
of
money
in
security
is
completely
immune
a
lot
of
times.
It's
just
very
quickly,
adapting
and
making
sure
that
you
patch
your
code
very
quickly
because.
B
B
So
what
I
was
saying
here
is
that
the
recommendation
is
provided.
We
can
give
you
an
example
of
a
bad
fix,
a
good
fix
and
your
developers
will
love
this,
because
this
is
an
actionable
path
forwards.
The
first
thing
that
most
people
will
do
is
go
to
stack
overflow
or
some
other
websites
to
read,
like
oh
shoot,
a
sql
injection
problem,
I'm
directly
executing
out
of
my
database,
something
that
was
user
inputted.
B
But
again
we
can
provide
a
good
example
of
a
fix.
Your
developers
can
read
this
and
then
we
can
provide
two
examples
for
like
why
we're
saying
this,
I
don't
take
our
word
for
it.
If
you
want
to
read
more
about
this,
we
can
we
link
you
to
the
the
vulnerability
links
which
to
find
and
explain
what
this
bug
is,
why
it's
a
problem,
your
developer
will
go
ahead
and
fix
this.
We
can
rescan.
B
We
can
make
this
a
required
check
as
part
of
a
branch
protection
and
we
can
make
it
so
that
developers
can't
circumvent
this
required
status.
Check.
We've
seen
this
be
extremely
effective
at
helping
secure
code
bases.
What
we
want
to
see
over
time,
of
course,
is
that
we
want
to
see
the
total
number
of
vulnerabilities
decrease
over
time
and
just
to
show
you
some
more
code
scanning
where
it's
here
too.
This
will
all
end
up
in
your
security
tab.
B
The
critical
ones
usually
have
to
do
something
with
like
something
really
bad
like
arbitrary
code
execution.
These
are
ones
that
we
want
to
make
sure
that
we
address
immediately.
I
would
say,
when
you're
rolling
this
out
too
initially,
you
can
perform
your
sort
of
initial
scans
and
then
later
you
can
make
this
a
blocking
activity.
Just
you
know,
because
this
is
a
demo
day.
I
just
want
to
show
you
too,
if
you
ever
want
to
make
this
a
blocking
activity
or
any
required
status
check,
we
can
add
something
called
a
branch
protection
rule.
B
B
So,
like
I
showed
you
before
in
that
mars
helicopter,
which,
by
the
way
is
like
doing
great,
we
can
add
this
record
status
check
that
we
want
to
add
codeql
to
this,
and
if
we
want
to
to,
we
can
allow
certain
people
to
circumvent
the
status
check,
and
then
we
can
audit
that
activity
later,
okay,
great
so
that
is
code
scanning
with
codeql.
Let's
go
back
to
our
agenda
really
quickly.
I
want
to
quickly
cover
the
panabot,
and
I
also
want
to
show
you
the
security
overview
as
well.
B
Okay,
so
within
any
organization
where
we
have
github
advanced
security,
enabled
you'll
see
a
new
tab,
get
added
to
your
organization
called
security,
big
surprise
here,
like
very
quickly
as
people
start
to
roll
this
out.
They
want
to
see
what
the
data
security
across
github
this
dashboard
lets.
You
do
exactly
that.
It
lets
you
see,
which
repositories
have
this
enabled?
Who
has
code
scanning
who
has
append
about
who
is
secret
scanning?
Then,
more
importantly,
like
you
know,
we
have
companies
that
have
you
know
50
000
repositories
in
github,
so
very
quickly.
B
We
want
to
see
kind
of
like
the
state
of
security
across
the
business,
and
then
we
can
sort
like
we
can
say:
okay,
who
has
the
most
amount
of
unaddressed,
secret
scanning
alerts,
for
example,
or
code
scanning
alerts,
and
we
might
want
to
go
bug
those
repository
owners
like
here
in
this
bookstore
tests.
You
can
see
that
we're
generating
a
ton
of
these
scanning
alerts
and
we
might
want
to
go
bug
that
repository
on
it
to
go
ahead
and
go
to
address
these
or
like
who
has
the
most
amount
of
secrets.
B
Like
15
unaddressed
secrets,
we
should
go
bug
that
person
to
go
put
those
into
encrypted
storage
and
we
added
one
other
thing
too.
We
can
also
show
you
across
the
entire
business,
so
that
means
all
the
repositories
in
the
organization.
We
can
show
you
all
the
key
types
too
like
if
you
can
sort
of
correlate
like.
B
The
last
thing
I
want
to
cover
is
with
regards
to
open
source
and
the
open
source
packages
that
we're
consuming,
and
I
would
say
today
we're
consuming
more
open
source
than
ever.
It's
really
amazing.
Actually,
we
can
do
a
lot
by
building
upon
the
work
of
others
and
in
a
lot
of
cases
we
just
don't
have
the
time
to
build
all
the
stuff
that's
available
in
open
source.
Your
bosses
will
not
give
you
time
to
build
what
exists
as
an
open
source
dependency
already.
B
What
I
like
to
say
is
that
github
is
very
close
to
the
signal
and
like
a
good
trusted
advisor
to
make
you
aware
of
what
vulnerabilities
might
be
in
there.
In
fact,
github
is
now
a
cve
numbering
authority
as
well,
where
we
can
actually
empower
open
source
maintainers
on
our
platform
to
raise
new
vulnerability
alerts,
because
the
code
is
also
going
to
be
within
github's
platform.
So
again,
what
I'd
like
to
say
is
that
we
can
notify
you
first
with
any
vulnerabilities
that.
A
A
B
Best
but
sometimes
vulnerabilities
just
end
up
in
them
and
again
they
do
the
best
to
fix
them.
What
we
want
to
do
as
enterprise
software
developers
is
that
we
want
to
be
very
careful
to
make
sure
that
we're
on
the
correct
version
and
that's
exactly
what
github
provides
you
when
you
develop
on
our
platform,
is
that
in
this
case
we
look
at
your
dependency
file
here.
I
fork
vs
code.
B
I
didn't
update
it
in
like
over
like
a
year
or
two
years,
and
we
can
see
here
that
we
have
our
open
source
dependencies
listed
with
dependable
alerts,
meaning
that
there's
a
vulnerability
filed
against
these
open
source
dependencies
that
we
want
to
make
sure
that
we
address
so
we
can
sort
by
severity.
The
reason
why
I
have
so
many
again
is
just
because
I
haven't
updated
this
in
a
while.
So
this
pretty
benign
thing,
like
javascript
array,
manipulation
what
ash.
B
Well
this
pretty
you
know
benign
thing
now
is
becoming
a
bigger
issue
because
it
looks
like
there
are
open,
cve
spot
against
it.
That
can
be
exploited,
and
it
looks
like
that.
This
version
that
we're
on
can
be
vulnerable
to
prototype
pollution,
which
could
lead
to
arbitrary
code
execution,
which
is
really
bad.
B
What
is
linked
to
is
our
github
advisory
database.
We
main
and
curate
an
entire
database
filled
with
these
vulnerabilities.
This
is
increasing
every
day.
What's
really
cool
is
that
we
can
provide
to
you
complete
information.
If
you
want
to
find
out
more
information
about
this
vulnerability,
you
can
click
in
we'll
even
give
you
the
pull
request
that
fixes
this
and
the
issue
and
where
people
are
discussing
it.
This
might
be
too
much
information,
though,
for
most
folks,
so,
like
your
security
team
might
be
interested
in
this.
B
B
What
we
actually
want
is
the
most
mature
version
that
has
all
the
open
vulnerabilities
filed
against
it
resolved.
So
that
way,
we
have
the
most
mature
version
that
has
everything
fixed
in
it
and
that's
exactly
what
github
provides
to
you
now
you
can
change
this.
You
can
change
the
dependable
configuration
in
a
file
that
you
include
within
your
repository
to
always
get
the
latest
version.
If
that's
what
you
want,
but
by
default
we'll
give
you
the
version,
that's
most
mature,
that
has
all
the
opencv
e
spot
against
the
address.
B
When
we
first
came
out
with
this
feature,
we
tell
everybody.
Okay,
you
have
a
major
problem
and
like
good
luck-
and
no
one
did
anything
to
make
this
even
easier
for
developers.
What
we
do
is
that
we
automatically
open
up
a
pull
request.
What
we
do
is
we
pack
bump
the
package
version
of
load
ash
and
we
change
the
corresponding
hash,
and
then
we
just
give
you
a
pr
the
more
that
we
involve
development
in
the
security
process.
We
found
to
be
the
most
effective.
B
It's
likely
that,
even
if
you
work
at
a
large
enterprise,
it's
likely
that
your
security
team
is
really
small.
In
fact,
even
the
biggest
companies
in
the
world
sometimes
only
have
a
handful
of
security
people,
that's
something
that
I
learned,
but
we
have
a
lot
of
developers
and
the
more
that
we
involve
developers
in
this
process.
B
B
Show
you,
with
regards
to
the
dependency
review
before
we
stop
and
take
some
questions,
just
find
that
tab
really
quickly.
We
added
a
new
feature
recently,
where,
if
you're,
adding
something,
if
you're
adding
open
source
repositories
to
to
main
branch
within
any
within
your
source
code,
we
had
something
called
the
dependency
review.
B
What
this
is
is
that,
in
that
same
view,
that
we
showed
before,
where
we're
looking
at
the
files
that
have
changed
within
a
pull
request,
we
can
also
make
you
aware
of
new
open
source,
that's
about
to
enter
into
your
application.
So
this
is
really
cool.
This
lets,
you
know
from
the
open
source
dependencies
that
you're,
adding
we
kind
of
give
you
like
a
sneak
peek
about
like
what's
going
on,
meaning
is
that
the
open
source
dependency
that
you're
about
to
add
to
your
software
doesn't
contain
high
severity
vulnerabilities.
B
This
is
something
that
would
be
interesting
to
you
if
you're
about
to
add
this
package
version.
So
what
you
might
want
to
do
based
upon
this
information,
is
not
edit
or
add
the
version
that
addresses
this
vulnerability,
but
again
just
another
sort
of
level
of
oversight.
That
github
is
providing
to
you
to
make
sure
that
for
this
new
code,
that's
trying
to
enter
into
production
that
you're
aware
of
what
might
be
in
it
and
again,
you
can
see
here
that
there
are
vulnerabilities
over
the
place
of
these
versions
that
we
want
to
add.
B
This
is
another
feature,
that's
included
with
github
event,
security.
We'll
make
sure
too
that
that
you
get
the
link
in
case
you're
interested
in
starting
a
trial,
get
of
event
security,
I'm
going
to
stop
sharing
for
a
moment
just
so
that
we
can
see
the
questions
and
we
can
start
to
adjust
them.
There.
B
A
C
B
And
then
you
can
go
ahead
and
merge
that
copilot
is
a
completely
separate
product
where
we're
essentially
doing
advanced
code,
completion
and
generation
for
any
software
that
you're
writing,
and
I
know
that
we
had
a
pretty
lively
hacker
news
post
about
this
again.
If
anybody
wants
to
try
this
and
try
this
out,
please
go
for
it,
but
yeah
they're
kind
of
they
do
different
things
rob
in
general,
but
yeah
great
question.
A
B
So
this
is
a
constantly
changing
landscape
and
again
these
like
we
don't
really
know
what's
gonna
come
out
tomorrow,
like
we
would
love
to
know
that,
and
if
anybody
knows
please
let
me
know,
but
more
importantly,
everybody
gets
blindsided
by
this
at
one
point
or
another.
What
we
want
to
do
is
that
we
want
to
very
quickly
adapt.
In
short,
I'm
getting
to
answer
your
question.
In
short,
we
update
our
queries,
which
we
then
modify
our
default
query
packs,
which
we
then
use
code
ql
to
scan
our
code
bases.
B
B
So,
yes,
the
question
like
how
can
we
help
protect
ourselves
against
malware?
Well,
these
are
pretty
sophisticated
things
that
are
happening
these
days
like
you
know,
now
that
we're
getting
really
good
at
kind
of
patching
these
security
and
finding
these
we
kind
of
have
the
upper
game
and
the
security
end
too,
as
these
hacks
get
more
sophisticated,
and
this.
A
B
In
particular,
you
might
not
have
found
it
at
all
if
all
you
did
was
look
at
text,
but
given
the
unique
way
that
codeql
generates
this
database
of
compilation
time,
we
can
actually
look
at
the
delta
between
what
is
happening
at
compilation
time
and
what's
in
the
source
code
and
in
the
case
of
solarwinds.
What
was
happening
is
that
there
was
at
compile
time
there
was
injection
of
malicious
code
again.
What
we
can
do,
then,
now
that
we
know
about
it,
is
that
we
can
scan
for
it
we'll
share
a
link
that
we
open
source.
B
All
the
codeql
queries
that
we
can
use
to
determine
this
maliciously
injected
code.
That
happened
at
compilation
time.
This
gets
added
to
our
offering
and
again
what
we
can
do
is
now
we
can
scan
our
code
bases
for
it
moving
forwards
so,
depending
on
what
the
malware
is
and
depending
what
what's
happening,
there
we'll
write
a
query
against
it
and
then
we
can
scan
for
it
moving
forwards.
B
I
want
to
mention,
too
that,
if
you
have
anything
that
is,
that
is
specific
to
your
code
base
or
if
you
have
anything,
that's
a
problem
for
your
organization.
Specifically,
we
can
also
augment
the
default
queries
that
are
provided
with
coql
by
writing
it
ourselves.
This
is
something
that
your
security
team
can
do.
In
this
case,
we
can
use
like
the
vs
code
extension
for
codeql
and
we
can
write
different
queries
for
custom
things
that
might
happen
within
our
code
base.
B
But
of
course,
there
will
be
code,
quality
issues
and
things
that
we
want
to
fix
with
the
things
that
are
specific
to
our
code
bases
by
the
way
this
includes
microsoft
and
github,
and
every
other
major
software
company
is
that
yellow
things
that
are
specific
to
you,
you
can
author,
these
queries
locally.
You
can
execute
them
against
the
database
that
we
create
from
your
code
base.
The
results
will
be
posted
here.
C
B
Yep
great
question
so
yeah,
I
think,
like
people
think
sometimes
that,
like
open
source
software
is
not
like
software.
What
I
mean
by
that
is
open
source
software
relies
on
open
source
software
too.
So
it's
what
we
call
a
subdependency
or
transitive
dependency.
So
the
answer
is
yes:
if
down,
you
know
it's
dependencies
all
the
way
down.
B
It's
like
recursive
that
the
open
source
library
that
you're
pulling
into
your
application
is
also
going
to
contain
open
source
and
then
guess
what
that
dependency
also
has
the
dependencies
or
series
of
dependencies
and
again
it.
You
can
build
this
tree.
That
goes
like
all
the
way
down
and
its
dependencies
all
the
way
down.
B
So
yes,
we
can
inform
you
that
if
a
vulnerable
dependency
gets
wrapped
up
into
a
direct
dependency,
we
can
notify
you
that
as
well
that
you
have
a
vulnerability
there
and
I
would
say
we
can
drop
into
the
chat
as
well.
If
you
want
to
see
the
list
of
manifests
that
we
support
and
dependency
files,
we'll
also
make
sure
that
we
leave
that
into
the
chat
there
as
well.
B
B
Yeah,
absolutely
so
you
can
always
just
email,
roberai,
maybe
me
and
only
give
rob's
email
address,
or
you
could
use
the
qr
code
that
we
just
display
the
aj
head
up.
If
you
just
want
to
reach
out
and
find
out
more
a
lot
of
things,
I
showed
you
again
we're
covered
in
our
advanced
security,
offering
so
we'll
have
to
set
you
up
with
a
trial.
If
you
want
to
do
that
in
private
source,
just
be
mindful,
if
you're
an
open
source
developer,
you
can
leverage
code
scanning.
C
B
A
Awesome
thanks
again
glenn.
I
appreciate
it
and
rob
you
two
in
the
chat
thanks
for
helping
out
today
and
we'll
see
you
soon.
Yeah
thanks
all
have
a
great
friday
and
just
another
reminder:
github
universe
is
coming
up
at
the
end
of
october.
Completely
free.
All
you
need
to
do
is
go
to
githubuniverse.com
and
register.
There's
going
to
be
two
hours
of
live
sessions
over
two
days,
as
well
as
a
lot
of
amazing,
on-demand
content.