From YouTube: Opening Keynote - GitHub Satellite 2020
Description
GitHub Satellite: A community connected by code
On May 6th, we threw a free virtual event featuring developers working together on the world’s software, announcements from the GitHub team, and inspiring performances by artists who code.
More information: https://githubsatellite.com
Schedule: https://githubsatellite.com/schedule/
A: Okay, let's do this thing. Good morning, welcome to Satellite 2020. I'm coming to you from my home here in San Francisco. I'm sure most of you are in your homes as well. So from my home to yours, welcome. I was just eating some Cheerios, but I'd rather be here talking to you about GitHub. So we have a lot of really great announcements to make today, but I thought it would be great to start off with just a recap of some of the stuff we've been doing at GitHub over the last few months, last year.

A: Now in March, we launched native apps for iOS and Android, and if you haven't tried them yet, you should, because I think they're just gorgeous. I mean they're beautiful, they're buttery smooth, and one interesting fact about the apps is that the number one action that people take with our mobile apps is actually to review and approve pull requests. Not exactly what I expected, but it kind of makes sense. I mean, if you're out and about, or maybe you're just like in your backyard reading.

A: Cheerios, and one of your colleagues is trying to get something done and you're blocking them. You don't want to block them. You want to unblock them. So it's sort of an unblocking-your-colleagues app, it turns out. Hundreds of thousands of people are using it. They really seem to like it. We hope you'll give it a try too. We also recently expanded GitHub Sponsors to 32 countries, and now, in less than six months, we've actually paid out millions of dollars to open source contributors, maintainers, already.

A: Our goal is to give every developer the option of actually making a living working on open source. It's an ambitious goal, and it's one we're excited about. In general, we think price shouldn't be a barrier to joining the communities that live on GitHub, whether their work is public or even private, and so last month in April we actually made a huge pricing change.

A: This is a major event where we made it possible for you to add unlimited collaborators to your private repos for free, and we've already seen teams around the world picking this up in pretty big numbers. So one example is India, where we've seen two times as many organizations choosing GitHub now than ever before, and then the day after we did that, actually, we completed the acquisition of npm, which I'm standing here with this t-shirt. We were really excited. I was personally excited and honored actually to welcome npm into the GitHub family.

A: You all probably know npm is the largest JavaScript registry in the world; there's over a million packages, and fun fact: last month in April, there were over 84 billion downloads from npm, so it's basically used by nearly every JavaScript developer and probably nearly every company that writes software. We take the responsibility of running npm seriously and we're already working really hard to improve npm, and we're excited to hear your feedback.

A: Okay, and then another big milestone. It was just last week, actually: the 50 millionth developer signed up for GitHub. This was on Sunday, April 26th at 4:06 p.m. local time, and this developer was from Great Britain, so welcome to GitHub, anonymous GitHub developer from Great Britain, we're glad you're here. And with all the things that are going on in the world right now, lots of people have been asking me how behavior on GitHub has changed with world events. Are people spending more time on GitHub? Are they engaging less?

A: Are they working with us? What's happening exactly? And we've been looking over the data and I wanted to share a few of the things we found with you. So since January we've actually seen a 25% increase in the number of issues created on GitHub, so people are basically collaborating more on issues and coordinating their work more in open source projects.

A: In particular, we've seen pull requests take four hours less to get reviewed and merged on average, which is pretty interesting, and then on the whole developers are spending about an hour more per day on GitHub, and that might be because maybe they don't have a commute anymore, and so that time that was spent commuting can now be spent working, or it might be, hey, you know you're inside and you're not able to pursue some of your other hobbies.

A: So you spend a little bit more time on the weekends or in the evening writing code and sharing it with the world. But basically the trend is we see more collaboration than ever before, and that's kind of amazing to see. It's sort of, in an age of social distancing, people are turning to social coding, and so we take that super seriously. All right! That's a recap of some of the stuff we did recently, and we have a lot of exciting new announcements today in four areas: communities, code, enterprise and security, and first up is communities.
A: This is a place where you could have open-ended conversations and ask a question and get an answer, or maybe brainstorm about a new idea that might turn out to be a brilliant idea, or just a place to get recognition for the work that you're already doing to help build a community or support the project, which may not be coding. Not all of the productive work that drives communities forward is actually writing code. There's lots of other important things that happen also, and also maybe just a place to say

A: thanks. Now, some people might say why not just have these conversations in GitHub issues? But GitHub issues is fundamentally a productivity tool. Imagine if thousands of people had write access to your personal to-do list and they were using it to have open-ended conversations about all the things that they think that maybe you should do someday. Now look, some of their ideas are probably great.

A: So you want to encourage that conversation to happen, but in order to keep your to-do list kind of in order and not intermingle lots of other stuff, you might want to move those conversations to another place, so that those discussions can have their own space to take place. So sort of, in short, every community needs a town square, and so today I'm happy to announce that we're building it, and it's called GitHub Discussions. So GitHub
B: Thanks, Nat. GitHub Discussions is more than just a space for conversations on GitHub; it's a configurable home for your entire community. So let's take a quick look around Discussions, because there are so many great features to unpack here. With Discussions, we've provided a home for your community right where they exist.

B: Today, in your repository at the top of the page, you can see spotlights, where communities can configure Discussions to look and feel just like your home, and it also makes sure that the most important discussions are super visible to the community members. But most important of all, we have a space dedicated to the links for your code of conduct and other critical resources that new folks should be aware of, so you know how to best participate in your community.

B: Discussions is not just a place for questions, answers and upvotes, though we do have all of those awesome features for you today. This is where folks come together, talk, give thanks, show off all the incredible work that they're doing and even share ideas for brand new work. This is the home for your community.

B: Next.js has been one of the early adopters of Discussions, and we've been iterating on this feature thanks to all of their feedback. Next.js and others have been experimenting with just how they might use new types of conversations in their community that were previously not so easy to track or share publicly, but now can become community conversations.

B: Another example of how other communities are using Discussions right now is this RFC that Tim created for incremental static generation with Next.js. Community members have been upvoting this discussion as being a great idea that they value highly, and numerous people have been providing active feedback and thoughts on this request for proposal to help Tim move toward the resolution. To bring fluidity of conversations on GitHub into your core workflows, we have Discussions right where your community is, in your repository. Now for questions, your community no longer has to sift through long issue threads.

B: Furthermore, with threaded replies, conversations can be even easier to follow without having to read through tons of comment references that were copied and pasted over and over again through an endless timeline. Now I know this is already a lot of great features, but we have even more available, like issues converting into discussions, since we know that's where so many conversations are happening, and soon you'll have the ability to elevate really great ideas and conversations that are happening in Discussions back into issues. And what more could you want then?

B: A centralized GitHub notification experience. With the notification experience that we have right now, that's been generally made available to you, and the GitHub mobile apps on iOS and Android, we can provide you with the full experience to keep up to date with discussions in the space that best suits your needs.

B: Last, but certainly not least, Discussions is not just a space for your community to connect. This is a critical space for newcomers and others to receive recognition that goes beyond code. We know that projects don't exist without the help that you're getting from other community members to answer your questions, and all of that great work should be applauded and recognized publicly, so we're excited to be bringing Discussions into the contribution graph to recognize all of the work that community members are doing outside of code.

B: We've been iterating for the past few months in the open and getting feedback, so we can make this space just for you. We have over 60 communities in the beta already and have been so grateful to be working hand in hand with hundreds of maintainers for this product. We know that it's crucial to get all of these dynamics right, which is why your feedback is so important to us.

B: With all of that being said, I am so excited for Discussions to be arriving to a repository near you this summer. In the meantime, come back with us in the Satellite repository, so you can use Discussions right now to connect with us and the GitHub community, and with that I'm gonna hand it back to you, Nat.
A: Thanks Becca. Discussions is awesome, I'm really excited about that, and it kind of fits the theme of everything we work on at GitHub. I mean everything we do at GitHub is really about making software development more collaborative and more approachable, and Discussions is obviously a big piece of that for communities. But what about code? Now over the years a lot of people have asked me the question: hey, like I'm a developer, I want to become an open-source contributor. How do I do that? How do I become an open-source contributor?

A: My answer has always been just super simple and concrete. First, you have to find a project that you want to improve, and then you have to get it running on your local machine. You know, get it to build on your local machine and get a dev environment set up, and the reason is you can't make a change until you have the source code and you've gotten it to build and run. So that's always the first step, but way too often that first step is actually a real barrier.

A: You know, in theory you can just read the README and run the magical script that sets everything up, but in practice there's often prerequisites to install, and maybe those prerequisites actually conflict with some stuff that's already installed on your machine, or, if you're like me, you've messed up your Python paths again and so Python 2.7 is not playing nicely with Python 3, and so before you can even get started learning how the code is structured.

A: It's hosted in the cloud, so instead of spending all your precious time setting up dev environments and trying to get them to work across all the projects you're working on, you can get started as a developer on a project with just one click. And best of all, Codespaces is powered by VS Code and supports every VS Code extension out of the box. You've got to see this to understand how awesome it is, so to show you a demo, please welcome Allison.
C: Thanks Nat. I'm really excited to show you more about Codespaces and how revolutionary I think it is. But first I want to tell you a little bit about myself. I'm a mom of two young kids, which basically means I have no time, and in addition to being a mom, I'm an engineering director. I like to play around with new technologies, jump into side projects or open source, and make changes and commits on the go.

C: Codespaces gives me the power and ability to tinker and add value to my team, no matter how much time I have. So here I have a super simple app to help me manage everything going on right now, called Preschool Call Tracker. Now, if I wanted someone to contribute to this app, first they'd have to clone the repo, then they have to follow the README.

C: Now this one is pretty simple, but most of us have experience with really complex ones that have a ton of different instruction steps, installations and a high likelihood of me losing hours of time troubleshooting some obscure setup error. This was a problem that we wanted to fix. On our main repository page you'll see a brand new Code menu. Clicking on that menu includes some options you're already familiar with, like cloning a repo and opening in GitHub Desktop.

C: We also have a new option to open with an editor, and in the future you'll be able to open the repo using any code editor, so it will be compatible with your preferred desktop IDE. In addition to opening a repo with these options, I'm delighted to introduce you to a new, faster choice, a way to develop in the cloud: let's open with Codespaces.

C: So this takes a few seconds to spin up. I already have a codespace ready to go. What you're looking at is VS Code, the editor itself, running in my browser in a VM with two cores and 4 gigabytes of RAM, completely set up with all of my dependencies running, automatically logged into my GitHub account, with even my personal dotfiles installed. Everything works. Everything is ready to go. So wait, like the...

C: Yeah, the real, real editor. Let me show you real quick. I can open a file, type, I have IntelliSense, and IntelliCode stars the most appropriate suggestions. I've got full colorization, I've got minimap. Since any VS Code extension works, I have ESLint and can click on the bottom here to see any warnings or issues in my code. I can even put a breakpoint in here to debug. All I had to do to set up this dev environment was click one button, and it was completely tailored to this project.

C: Your personal dotfiles are also automatically available, because they're being cloned from your personal dotfiles repo. My dotfiles repo contains all of my personal customizations for bash, git, tmux and more. If a dotfiles repo exists in your GitHub account, Codespaces makes an immediate connection and copies them into your codespace.

C: We started our server in the terminal and you'll notice that I can hover over this link and click through to a new URL, but the link is to localhost and we're not on my laptop, we're in the cloud. What's happening is that we've specified in the dev container that we want to run this app on port 3000 and forward that port from your cloud-hosted machines securely to you, so you can see your app running live just like you would locally.

C: Let's make sure this thing is really working. So I have a meeting title in here right now and I don't need the meeting title, I just need to know when it is, not what it is. We'll come back into the code and delete this meeting title. Now that it's deleted, we have this unused param being passed in here, and to see the full power of VS Code, we see that IntelliSense has dimmed the param, and hovering over it gives me the ability to click quick fix and clean up our code.

C: We can go back to our app, refresh and see that there's no more meeting title. Okay, so I really like this change. Let's commit and push from here. I'll use the Git extension. Right now we're on master, which you can see at the bottom, but you can also spin up a codespace from a branch as well and push directly to that branch. So we'll create a new branch called meetings stage, we'll do a quick commit message, and commit and push. Okay.

C: Now we can go back to our repo page and see that that branch and commit are showing up right here. Codespaces allows me to maximize the time I have available. I mean, if I can get all of this done within a couple of minutes, imagine what I could do during a kid's nap time, even if it was a short one. Whenever you want to get started and wherever you're starting from, now you can just click Code. Thanks, everyone. Back to you, Nat.
A: Allison, that was awesome. Thank you so much. All right, there was a lot in that demo, so let's do a quick recap of what we just saw. Codespaces gives you all the full power of VS Code running in your browser with a containerized, cloud-based development environment that's fully integrated with GitHub, all ready to go. You just click Code. Now we plan to offer Codespaces with really simple pay-as-you-go pricing that'll be built into GitHub, so you don't have to sign up for any other subscriptions.

A: We're launching Codespaces in private beta today, and you can go to the Codespaces website to sign up, get early access and learn more about it. Okay, that was code. Let's move to chapter 3: enterprise. Now we talked about the communities on GitHub, and interestingly, some of the most important communities are actually companies. We're proud that GitHub hosts more than 3 million organizations, including more than half of the Fortune 100, who actually rely on GitHub to power their internal software development at huge scale. Now enterprises want the same thing.

A: All of us want love, I mean agility. They want agility and innovation, just like the best software teams. They want to attract the best developers and they want to create the conditions to make them really productive and happy. So the best person to tell you about the work we're doing in enterprise is Mario Rodriguez. Mario, are you here?
D: I am. Gracias, Nat. Excellent. Today GitHub Enterprise comes in two topologies: Server, which you can deploy on premises, and Cloud, our SaaS offering. Quick aside on Cloud: if you look at the engagement metrics, which, as the product manager, I love to do, it easily outpaces the rest of GitHub.com, so there's pretty good demand there. As you can expect, we're constantly meeting with customers that want to migrate to the cloud. In those casual conversations you find there is a subset of them that face very strict regulations.

D: This results in advanced security and compliance asks to us. Now today, there's not an offer in the entire market that would meet those requirements, which, you know, honestly made us reflect, and so we decided to build it, and today I'm happy to be announcing GitHub Private Instances. A good way to think about this is as the most compliant and secure way of working in the cloud, even for the most stringent of customers. As you would expect, it's a fully managed

D: GitHub Enterprise, no surprises there, but it does differentiate in a couple of capabilities. For example, it has BYOK encryption, it has private connections, and it also has the highest compliance standards. An example of that would be we plan to certify for FedRAMP High to allow government use. We only have a couple of pilot customers in flight and we're looking forward to getting it to market.

D: Now, last year was a busy year for us. We extended GitHub across the DevOps workflow. You saw one integrated offering from code to cloud, and we made that possible with the releases of GitHub Packages and GitHub Actions. The reception of both products has been incredible, and in all the presentations I do, which is quite a lot, Actions is by far the most requested agenda topic.

D: This is why I'm thrilled to tell you that both Actions and Packages will be available in GitHub Enterprise Server later this year, so big shout out to the internal teams for this milestone. This gives you on-premise access to the same tools and workflows as on github.com, and that is pretty cool. So we also know that you need more. Customers, you, as a customer, you want to know how are we doing? How do we measure progress? How do we understand what's functioning well and where the areas to improve in software development are?

D: As you know, this is a very hard problem. We haven't figured this out entirely, and that is the reason why we're building GitHub Insights, to give you answers to these questions and a lot more. Let's play the GIF; I absolutely love this one. So out of the box, you see industry-proven metrics, like code review turnaround time, pull request size and more. I'd really like that you be able to easily set team goals and make it yours, customize it, and also add a little fun to it further in the year.

D: We're also going to be enabling our communities to create and share new metrics and reports based on GitHub and third-party data, and there you have it: Actions, Packages and Insights. It is DevOps with built-in continuous improvements. So here's a link if you want to check out and learn a little bit more, and with that, over to you, Nat.
A: All right, thanks Mario. Okay, finally, let's turn to security. Now I think we all know, and it's increasingly obvious, the world runs on software, and it especially runs on open-source software. So this is clearly true of every app or website that you might use, but it's also true of most of the physical devices that we're buying in one way or another, or the services that we depend on. If you buy a car from Ford today, the user manual actually includes open-source license disclosures in it, because the car contains open source software. So from a security perspective,

A: what's happened is that this web of software dependencies that we've all collectively built has become a web of trust, and kind of everything depends on this, and so that's why it's so important that everything we do to make this software secure, we do. So we've been thinking about this a lot at GitHub, with some of the acquisitions we've done recently, Semmle and CodeQL, and certainly with npm recently too, and we've been studying a lot of the open source code that's out there, and there's a trend that we've identified.

A: What we've learned is that the number of vulnerabilities in your codebase tends to rise linearly with the number of lines of code that you have in that codebase, so more code, more vulnerabilities. As an industry, that means we need an approach that will actually scale as we produce all this code. We have to find a way to secure it at scale, and our current approach isn't scaling. So as we thought about this at GitHub, we've decided to take a new approach, and it has two parts.

A: The first part is: we want a community-powered solution, and our view is basically that the open source community built all the software and is building and maintaining all the software, and so only the community really has the expertise and the scale to actually make it secure. We can't fix this problem outside of the community. It has to be fixed in the community, in the way we work, in the work that we all do.

A: This is what makes this an area where GitHub can help and can play a role in helping to improve security practices and the security of code overall. Second, the tools that we often use for code security these days, they frequently live outside of the developer workflow, and sometimes they're even a little bit at odds with how developers want to work. So I think what's clear is we want to make it natural for developers to do the right thing with security. We want to incorporate security processes just naturally into the developer workflow. Okay.

A: GitHub code scanning will proactively scan your code and identify vulnerabilities directly in your code review workflow, and it does this with the power of CodeQL, which is the world's most advanced semantic analysis engine, together with CodeQL queries that have been written and shared by the entire security researcher and open-source community. So to show you this, please welcome Grey Baker. Grey.
E: Code scanning and CodeQL run on Actions, so I need to set up a workflow file. Everything's pre-populated for me and, as you can see, code scanning is going to run on every push and on a schedule, which is Saturdays at 2:00 a.m. I love that Actions has this mouse-over; I always forget the crontab syntax.

E: Let's go ahead and commit that. I'm gonna put it straight on master; it's a little bit naughty, but hey, this is just a demo. If you were counting, that was just four clicks to set up code scanning. It'll now run on every push to this repository, and if I click over to the Actions tab, I can see that the first analysis has already started. It's gonna take about three minutes to finish, so...

E: Here's one I made earlier, and, as you can see, code scanning has already run on my master branch and it's also run on a feature branch I've created to add some new functionality. Let's take a look at some results from code scanning in the pull request. I can click through and immediately see that code scanning has found a vulnerability in the code that I was planning to add. If I click across to the diff, I can see more details here. It looks like

E: CodeQL thinks that I have a database query built from user-controlled sources. How did it know that? This bit is seriously cool. I can click in and see how the data flows through my application, from the point where the user inputs it right the way through to where it's used in the database, and if you were paying attention, there was no sanitization along the way. This is a real vulnerability.

E: In fact, the pull request that I just showed you was a recreation of a real commit on an open source project, the Flint CMS JavaScript project. It caused a real vulnerability. Three months later, when this was discovered, the maintainer patched it and had a critical severity CVE issued, but that vulnerability could have been prevented entirely if code scanning had been available when that commit was made. And it's not just database vulnerabilities like this one that CodeQL can find. I'm going to show you a bunch of other CVEs that code scanning could have prevented.

E: In each case, the maintainer has given us permission to show their repository. There are no zero-days being dropped here, but in each case CodeQL could have prevented this from ever entering production. First up, let's take a look at this code injection vulnerability in Express. This was issued a CVE in 2019. It was critical severity and the maintainer followed a totally best-practice process. They had their CVE issued through GitHub.

E: This vulnerability could have been prevented by code scanning. Next up, let's take a look at a completely different kind of vulnerability: prototype pollution in JavaScript. Prototype pollution is an instance of modification of what should be immutable. In this case, the immutable object should be the Object.prototype object in JavaScript. If an attacker can change that, because that gets inherited in so many places, they can normally escalate to remote code execution or cross-site scripting vulnerabilities. CodeQL found it in the same way: it traced through from where the user could input the data to the place...

E: Here's a vulnerability in Go code. In this case, it's an open redirect vulnerability. Open redirects happen when an attacker can provide a redirect URL that takes you not to the site you think it's going to, but to a second redirect beyond that, and they're particularly dangerous in OAuth applications, which is what OAuth2 Proxy is. They could have allowed an attacker to harvest the credentials of users who were clicking through on Google, GitHub or any other OAuth provider.

E: This is a vulnerability that we found in GitHub code itself, as we were alpha testing code scanning. This is in our Learning Lab application, and again it's a completely different kind of vulnerability. In this case, CodeQL has identified that we had a route that didn't have any kind of rate limiting but was performing filesystem access. Doing that could have opened it up to a denial-of-service attack, because filesystem access is a resource-intensive operation. This was caught in a pull request. It never made it onto master, so code scanning did prevent this vulnerability.

E: Okay, one more example, because you get the idea. In this case we're looking at a Java vulnerability. It's in the Micronaut framework, which is the framework developed by the co-creator of Grails, somebody who knows exactly what they're doing on security. Everybody can make these mistakes, but in this case I don't want to talk you through the result. I want to talk you through the query, because every default CodeQL query is open source. So I can click through and see details of that query.

E: It's not a complicated query. It's just 40 lines in this file, and in this case the query was contributed by a member of the Gradle security team, Jonathan Leitschuh, and in fact, Jonathan went further than just submitting this query and open-sourcing it. He also opened 1,600 pull requests for instances of this vulnerability he found in open source projects, and this is a great example of the transformative approach of code scanning and CodeQL.

E: It means everyone can benefit from the expertise of leading security researchers, and that those researchers can help prevent vulnerabilities and start to eliminate entire bug classes forever. It makes security research scale, it makes security research collaborative, and it brings security review natively into the developer workflow. Code scanning is going to change the way you think about security and software development. Thanks Nat, back to you.
A: Thanks Grey. As you can see, CodeQL is just incredibly powerful, and the power of combining that with all these community-created queries and being able to run those across all of open source is a huge deal. Now, everything you just saw is free for open source. In fact, it's expensive to run a lot of this stuff. Right, as you saw from Grey's demo, we actually run all this CodeQL

A: analysis on top of Actions, and so, if you want to integrate it into your project, all the functionality is free and we will pay for the compute. It will cost GitHub millions of dollars to pay for the compute to run CodeQL analysis across all of open source, but we will gladly do it, because it is the right thing to do. So,

A: just to quickly summarize some of what you just saw: you see, code scanning is a capability that's natively integrated into GitHub workflows, and it makes it super easy to find these security issues and then fix them, and even to learn from the vulnerability information about these types of security patterns that you might want to avoid

A: in the future, so it's educational. Also, it's powered by CodeQL, and we have over 1,700 community-submitted CodeQL queries that are available, and we've created the GitHub Security Lab as an organization that Nico Waisman leads at GitHub. It's a collaboration between GitHub employees and employees of lots of different tech companies who are basically all writing CodeQL queries. Our goal is that for every CVE in open source that gets found that could be generalized,

A: we create a CodeQL query that would cover that, so that instead of manually and sort of artisanally finding and fixing bugs one by one, we can eradicate whole categories of vulnerabilities across software. You should also know that code scanning supports a pluggable architecture. So if you want to use something other than CodeQL, or use CodeQL and something else, you can plug in third-party static security tools, fuzzing tools, dynamic tools, whatever you want, and they can show up in the same user experience.

A: You can also try code scanning for private repos as well too, and we've just launched secret scanning for private repos as well. We've been doing secret scanning for a number of years in public repos, and we're now trying that out in private repos. So if you accidentally commit your cloud tokens or passwords to private repos, we can use the code scanning interface to help you find those as well. Okay, that's pretty much what we have for today. Let's recap what we announced.

A: And finally, with code scanning and CodeQL we're enabling the developer community to make software secure. Now, I was asked... I want you to know, you should know, that this stuff doesn't come easy. There are thousands of people at GitHub and in the VS Code team who've worked incredibly hard to make the last 35 minutes of stuff

A: you saw possible, and so I have been asked to blow this ceremonial kazoo in their honor. So to all the Hubbers, to all the VS Code developers, to everyone who's made all this possible, I do this for you. Let's see if this works. I set that up myself. I just want to say, all right. So thank you to everyone for all the hard work that made all of this possible.

A: We've got a really exciting day ahead at GitHub Satellite: hands-on demos, product deep dives, where you can hear from some of the best GitHub users and customers in the world. How are they dealing with remote work right now? How are they implementing DevOps in their organization? All those things are available throughout the day, or you could spend the day in our play track. So if you like the live coding and music that you heard earlier, we have a lot more of that.