From YouTube: Demo Days - Developer first security analysis
Description
Bas van Schaik, Product Manager for the CodeQL analysis engine explains how you can tap into an entire community of security researcher knowledge to scan your own code for vulnerabilities. Beyond your own code, learn how you as a developer can write your own queries, contribute back to the community, and more effectively create secure code for everyone.
Get involved with the GitHub Security Lab: https://securitylab.github.com/get-involved
Good morning, good afternoon, good evening, everyone, wherever you are. My name is Bas and I'm a product manager here at GitHub, and I look after the CodeQL analysis engine that powers GitHub's code scanning functionality. For those of you who haven't heard about code scanning yet, not to worry, I'll go through all of that today. It does exactly what it says on the tin: it scans your code, it scans the code that developers write, and flags up security vulnerabilities in that code. This new feature is currently in public beta, so that means that anyone can sign up, and I'll tell you more about that later.

So today I would like to show you that code scanning functionality. I will actually go a little bit under the hood and show you how the internals of it work, and I would then like to show you how there's an entire community of security researchers who are here to help you to secure your code. If you've tuned into this channel before, then you'll know that this will all be in the form of a live demo, and I'll be hopping between github.com in my browser, I'll be doing some live coding in Visual Studio Code, and I'll probably do some bits and bobs in my terminal as well. And if you've done this sort of live demo before, then you probably know that there will almost certainly be something that goes wrong at some point. I've literally roasted some coffee beans earlier today as an offering to the demo gods.

So let's hope that it will all be good today. One of the other things that we always have to worry about slightly when we demo our new security functionality is that we might actually end up revealing a vulnerability that wasn't known yet. In other words, if I'm not careful, then I might end up dropping a zero-day here on Twitch, which is typically frowned upon in the community.

So if you were here hoping for me to do that, then I will hopefully have to disappoint you, and I won't be doing that today. Luckily, I'm not here on my own: my colleagues Xavier and Edition are hanging out in the Twitch chat, and I have AJ and Elsa Lin providing technical and moral support in the background as well.

I'll keep an eye on the chat as well myself, so if you have any questions, just pop them in there and I'll try and answer them directly. For the purpose of this demo, I will step into the shoes of an engineer who is writing a new Java application. Let me now share my screen. There we go. You should be able to see my screen now. I have started to write a Java application.

It's a simple hello world and I've got a GitHub repository set up, as you can see, and I'm now really ready to continue developing from here.

Now, if you're not particularly familiar with Java or with reading zip files, don't worry, I won't go into that too deeply. What I'm doing in that loop, for every single entry in a zip file, is getting the file name for the file in the zip file. I prefer my file names lowercase, just to make the demo a little bit more interesting, and now I've got to do something.

So let me also just clarify at this point that code scanning is really about scanning your own code, because I get frequent questions about this. It's about scanning your own code, the code that you write yourself as a developer. There are other GitHub features that will scan your dependencies, the libraries that you depend on, but code scanning is really here for scanning your own code.

And I see the code scanning option right here. When I click on that, it suggests multiple engines that we can use for the code scanning functionality, and today anyone can really develop their own engine for their favorite tool. But today I will of course show you our own engine, the engine that GitHub have built in-house, which is called the CodeQL analysis engine. Now, everything in code scanning, all of these scanning jobs, are run in GitHub Actions, the GitHub CI/CD system, and that is configured as code.

It's all configured as code. So if I click "set up this workflow", that means I'm going to set up the workflow for my GitHub Action for scanning my code with CodeQL, and it presents me with a template for this workflow, and I'll quite quickly talk you through a few bits and bobs here.

So at the top of this you see when the code scanning CodeQL action actually gets run: it's run on any push to my default branch, which is called main, and it's also run whenever there's a pull request against that branch by default. It also suggests that I schedule it in the form of a cron-style job. Now, if you're like me, then you always forget exactly how the cron syntax works, but there's a nice handy mouse-over there.

I can save this file to my repository, commit this file to my repository right here, and it goes straight to the main branch. There we go. Now, you'll remember that I actually configured the workflow to trigger whenever there's a push to main. So if everything is working as expected, we should now see on the Actions tab that there is one workflow running.

I'll now take a few moments to... let me have a look, actually. Yes, so the analysis will now just take a few moments to actually prepare the environment and set things up for us, and in the meantime, why don't we actually create a pull request for the new functionality that I'm about to introduce. I'll just create a draft pull request, because I'm still working on this.

So, while we're waiting for that to happen, let's go back to our editor and actually write the code that we're still needing to write. Let me just zoom in a bit, so it's a little bit clearer for everyone to see how bad my Java skills are.

We were left over here. There was a to-do and I needed to do something with, I believe, a FileOutputStream, and I always forget exactly how those work, but: FileOutputStream.

This is probably also a good moment for me to just step back and actually have a look under the hood. What is actually happening in the background? What is CodeQL doing? How does CodeQL work?

So that means that when we create such a database, or to create such a database, we extract the useful bits and bobs from the source code and store that into that purpose-built relational database. For compiled languages like Java and C and C++, the extraction process happens by very carefully monitoring the build process.

So you can actually see it's doing some compilation and it's monitoring the compilation, and it then creates a database for me and stores it, and it is indeed now on my disk. Okay, so we have a database. What do we do with a database? Well, what you always do with a database is to actually fire queries at it. You try and find out more about the data that you've stored, you try and find out more about the code that is in that database, and we have a special language for querying this database.

Let's first check whether there's anything in this database. So I'm going to check which files are in the database: from all of the files in this database, and we'll call these things f, I want to check, let's say, all the files that have more than 10 lines of code, and I would like to know more about that file. I would also like to know how many lines of code there are and where that file lives.

Okay, so now one of the downsides of doing a Twitch stream like this is that to some extent it actually feels like I'm talking a little bit into a void, and I can't see the expression on people's faces. But if I have to guess, then some of you are staring at your screen and thinking: hold on, this looks a bit like SQL, and the order of the query is all wrong, and there's dots in it, and it looks a bit object-oriented. What's going on here? And you're absolutely right. CodeQL, the query language, does indeed have some similarities to SQL. It is object-oriented, and that means that we can very easily abstract away some things. We can depend on libraries to implement things for us. So, for example, I don't really know or mind how this getNumberOfLinesOfCode is implemented.

Another very important key element of the QL language is that it's recursive. I won't go into that much today, but that's very important for analyzing source code. So, okay, we can get a little bit of information about running this query on our database.

That is the file that we just wrote. Fantastic. So my database contains some data, that's always good to know. Now, let's have a next query. We've successfully established the contents of the database, so...

There we go, let's actually find out about the method calls in our application. So from, say, all of the method accesses, which are basically method calls, I want to select where things are called. I want to know what is being called, where that thing is defined, for example in which class it is defined, and I would like to find out what the function name was of what was called. There we go, that should do the trick. Okay, I can run that query. There we go, and there are now five results. That makes absolute sense. So, on line 11 of my application, I call a println which is defined in PrintStream, and a few other bits and bobs.

I can actually click on these results as well; I can just jump to the code, and here we see that the CodeQL database contains the source code that we originally wrote, but it's a read-only database, so I can't actually change it. You can see at the top of the screen here that it's read-only. So we know where the method calls are. Now, let's actually try the opposite. Let's find methods that don't have any calls.

So, let's find methods that are not being called at all. I want to find, from the set of methods, call them m, where I'm going to just count the number of references for every one of these, and I want to just find all of the methods that have zero references, and then select the method and where it was declared. Okay, I can run this query.

Over eight and a half thousand results? Well, there's not that many method calls in my application, surely. But hold on. What we see here is actually that CodeQL has included the actual Java standard library things in the database, and that makes sense because sometimes you want to query those as well. So I can quickly adjust my query to say I want to have only methods that are actually defined in my source code. I'll run that. There we go, so now I have two methods that are not called in my application.

So these are some examples of simple use cases for CodeQL. CodeQL is capable of much more advanced analysis, and one of the most powerful features that CodeQL has is what we call inter-procedural taint tracking. That means that CodeQL can recognize data that is potentially under the control of an untrusted user, and we call that tainted data, and then CodeQL can track that data through your application, through method calls, through data structures, into where it's potentially used in a place that can be dangerous.

So, for example, if you have untrusted user data that flows back and is printed back to a web page, that could be cross-site scripting, or if you have a user entering their password and you accidentally log that to a plain text file. That's also a good example of where you would use taint tracking or data flow, and we have many of these queries that do this type of analysis, and all of these queries are actually open source. Let me actually show you where they are.

Of course they live on GitHub, and here they all are, for all different languages, and you've probably guessed what's happening in the background. What's happening in Actions when the CodeQL analysis runs: the code scanning CodeQL action builds the database and then runs a large number of standard queries against your database, and any results are then flagged up as alerts.

It's a very simple example of how taint tracking was used to recognize that the file names of files inside a zip file are actually untrusted. You never quite know what people send you, and that file name might well contain dot dot slash, dot dot slash, dot dot, and if you carelessly then extract the contents of that file into your file system, you might end up extracting data to a place that you weren't expecting and you might be overwriting all sorts of important files in your file system.

So this category of vulnerability is called a path traversal vulnerability. It's part of the literature and it was first described back in the early 2000s, but it got a bit more attention, it got back into the spotlight, in the summer of 2018 when a security company called Snyk, you might have heard of them, organized a campaign around this vulnerability, or a particular subset of this vulnerability about zip files, and as you've probably guessed, they called this type of vulnerability Zip Slip.

Now you might wonder who actually writes these analyses, who writes these queries, and of course my colleagues and security experts at GitHub write a lot of these queries, but we're not the only ones who do that. There's a very quickly growing community of security researchers who are helping us secure the world's code by taking their security knowledge and turning that knowledge into CodeQL queries, and because all of those queries are open source, they contribute them back to us. And guess what: this particular query was contributed back in 2018, just as Snyk was releasing that vulnerability, and it was contributed by Dennis Levin.

Dennis's pull request was merged after a couple of days. There was a bit of code review, and as soon as it was merged, it was then deployed, and it was then immediately used to scan hundreds of thousands of open source projects. And that's not the only example of an external contributor that we have over the last 12 months.

We've had hundreds of pull requests from external contributors, from security professionals who contribute back CodeQL queries. Some of them work for large application security teams at companies like Microsoft and Google and Uber; others are independent security researchers who just have some fun with CodeQL and like to share back. An example of one of them is Artem, who's recently contributed back some very important queries that find injection attacks, for example against the Spring Expression Language, and another contributor who definitely deserves a mention here is Jonathan Leitschuh, who's been doing some absolutely fantastic work on finding code that might be vulnerable to HTTP man-in-the-middle attacks and code that uses unsafe random number generators. These two contributors are actively participating in the CodeQL bug bounty program that is run by the GitHub Security Lab.

We're not inviting you to find vulnerabilities in CodeQL, but if you do, then please tell us; this is a bounty program specifically for finding vulnerabilities using CodeQL, and the bounty that's up for offer goes up to 3,000 US dollars, so it's definitely worth contributing to that. And when you think about it, we really do need all the help we can get, because the number of developers in the world vastly outnumbers the number of AppSec team members and security professionals. So to keep all of that code secure, we'd better work together, and with the tight integration into GitHub, CodeQL and the CodeQL community help developers do that in two ways: primarily, of course, by keeping everyone's own code safe, the code that I just wrote and that introduced, or almost introduced, a vulnerability; but as the open source community is adopting CodeQL themselves, all of the open source libraries that we've come to depend on become safer, and thereby our own applications become safer.

So if you would like to join the CodeQL community, then there are many different learning resources available. You can find these at the Security Lab website, that is securitylab.github.com, and there's a webpage that explains exactly what you can do to subscribe to the work that we do, and how you can learn CodeQL through the learning resources that we have. We also have slightly more advanced learning resources in the shape of a capture-the-flag competition.

You can get started with CodeQL from there. I've just heard that we've had a question in the chat from Jonathan, I think, probably the very same Jonathan I just mentioned. Hey Jonathan, good to see you again. The question is: is it eventually the plan for this CodeQL scanning action to be automatically applied to open source repositories by default?

That's an excellent question. At the moment, we're not quite planning for that, but we will definitely encourage open source projects more and more to automatically enable code scanning when they create their repository.

On that note, I'd like to thank you all for tuning in today and for the questions in the chat. If there are any more questions, I would very happily hang around for a little bit longer, either on camera or on chat, to answer any more questions. I'll just try and find the window that actually has them in it.

So if you have any more questions about code scanning, about CodeQL, about the analysis, then fire them at us.

You can also find us, of course, in that Slack instance that is linked to from the Security Lab website I mentioned earlier.

I'll hang around in the chat for a bit longer, and thanks all for coming. Thank you, everyone who made this possible today, and I hope to see you around in the CodeQL community.
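The "methods that are never called" query that the demo builds up above (count the references to each method, keep the ones with zero, then restrict to methods defined in the project's own source), reconstructed as an added example. This is not the query shown in the video and not code from GitHub; it is written against the public CodeQL Java library (`Method`, `getAReference()`, `fromSource()`, `File.getNumberOfLinesOfCode()`), and goes one step beyond the demo by also skipping entry points such as `main` and JUnit `@Test` methods, which are invoked from outside the database and would otherwise always show up with zero references. The database name `db` and file name `UncalledMethods.ql` are assumptions.

```ql
/**
 * Added example (not from the video): methods declared in the scanned project's
 * own source code that nothing in the CodeQL database calls.
 *
 * Each CodeQL query lives in its own .ql file. This one assumes a Java database
 * built with
 *   codeql database create db --language=java
 * and is run with
 *   codeql query run UncalledMethods.ql --database=db
 */

import java

// A method is "uncalled" when no Call in the database references it.
predicate isUncalled(Method m) { count(m.getAReference()) = 0 }

// Entry points are invoked by the JVM or a test runner, never by code in the
// database, so a zero reference count is expected there. Skipping them removes
// the obvious noise; the demo's unfiltered version would list them too.
predicate isEntryPoint(Method m) {
  m.hasName("main") and m.isStatic() and m.isPublic()
  or
  m.getAnAnnotation().getType().hasName("Test")
}

from Method m
where
  m.fromSource() and        // only methods declared in our own code, not the
  isUncalled(m) and         // bundled JDK / library stubs (the 8,500-result mistake)
  not isEntryPoint(m)
select m, m.getDeclaringType(), m.getFile().getNumberOfLinesOfCode(),
  "Method " + m.getName() + " is never called."
```

The `fromSource()` restriction is the fix the demo applies after the first run returns every uncalled JDK method; the extra `isEntryPoint` filter is the kind of refinement you would add before turning an exploratory query like this into something that runs in code scanning, where each result becomes an alert a developer has to triage. Reflection, serialization hooks and framework callbacks will still appear as uncalled, so treat the results as candidates, not proof of dead code.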