►
From YouTube: Day 2 Keynote - GitHub Universe 2019
Description
Today at GitHub Universe, we announced GitHub Security Lab to bring together security researchers, maintainers, and companies across the industry who share our belief that the security of open source is important for everyone.
As part of today’s announcement, GitHub Security Lab is making CodeQL freely available for anyone to find vulnerabilities in open source code. CodeQL is a tool many security research teams around the world use to perform semantic analysis of code, and we’ve used it ourselves to find over 100 reported CVEs in some of the most popular open source projects.
We’re also launching the GitHub Advisory Database, a public database of advisories created on GitHub, plus additional data curated and mapped to packages tracked by the GitHub dependency graph.
For more information, check out our blog post: https://github.blog/2019-11-14-announcing-github-security-lab-securing-the-worlds-code-together/
About GitHub Universe:
GitHub Universe is a two-day conference dedicated to the creativity and curiosity of the largest software community in the world. Sessions cover topics from team culture to open source software across industries and technologies.
For more information on GitHub Universe, check the website:
https://githubuniverse.com
B
Good
morning,
everyone
and
thank
you
for
being
here
and
joining
us
to
kick
off
day,
2
of
universe,
I
hope
you
had
a
fantastic
time
yesterday,
meeting
Hubbard
others
in
the
community
and
learning
from
each
other
at
github.
Our
mission
is
to
be
the
home
for
all
developers,
all
developers,
that's
a
pretty
monumental
task
when
you
think
about
what
it
really
means,
as
not
shared
yesterday,
there
are
over
40
million
developers
on
the
github
platform.
B
Today,
40
million
that's
more
than
the
population
of
most
countries
and
those
developers
are
writing
code
in
over
three
hundred
and
seventy
different
languages
and
for
a
huge
variety
of
purposes,
from
healthcare
to
machine
learning
to
finance
video
games
help
sorry,
automotive,
mobile,
nonprofits
and
more,
and
these
folks
are
developing
software
all
over
the
world.
Over
80%
of
open
source
is
now
developed
outside
of
the
US.
So
there
are
all
of
these
developers
building
all
of
this
software,
for
so
many
different
reasons
and
for
people
all
over
the
world.
B
These
folks
have
different
workflows,
different
tools
that
they
depend
on
and
different
ways
that
they
collaborate
across
their
teams,
we're
lucky
to
work
with
some.
Incredibly,
talented
developers
at
github,
but
there's
no
way
that
their
creativity
can
match
that
of
the
over
40
million
developers
using
github
today.
That's
why
the
ecosystem
is
so
important
to
us
and
why
delivering
an
open
platform
with
robust
api's
is
so
core
to
what
makes
github
github.
B
Now
we
talked
a
lot
about
developers,
but
another
way
to
look
at
the
ecosystem
is
in
the
dependency
graph
and
how
packages
depend
on
one
another.
We
might
be
working
with
vastly
different
problems
in
different
languages
from
places
all
over
the
world,
but
everyone
building
software
today
is
reliant
on
the
broader
open
source
community.
After
all,
99%
of
software
projects
depend
on
open
source.
So
each
time
you
pull
in
an
open
source
package,
you're
pulling
in
all
of
that
packages
dependencies
as
well.
B
In
fact,
open
source
projects
on
github
have
over
a
hundred
and
eighty
different
package
dependencies
and
some
of
the
most
popular
open
source
projects
have
a
huge
number
of
projects
that
depend
on
them.
For
example,
the
MDM
packages
have
over
3.5
million
projects
that
depend
on
them,
so
an
issue
in
one
of
those
packages
can
cause
problems
for
thousands
or
even
millions
of
projects
that
depend
on
it
at
github.
B
We
feel
it's
our
responsibility
to
ensure
we're
giving
developers
to
build
tool
great
safe
software,
so
that
we
can
truly
depend
on
our
dependency
trees
and
by
safe
I
mean
secure
now,
normally,
security
conversations
are
about
fear,
but
I
don't
see
it
that
way.
Security
is
the
enabler
that
allows
us
to
benefit
from
the
exponential
productivity
impact
of
open
source.
If
we
can
build
applications
and
consume
open
source
with
confidence,
then
nothing
stands
in
our
way.
Now
we
know
that
we
can't
secure
the
world's
code
on
our
own.
No
one
company
can
do
that.
C
C
So
I
want
to
spend
the
next
few
minutes
and
talk
about
our
overall
approach
to
security
and,
along
the
way,
I've
got
some
pretty
cool
announcements
to
show
you
as
well.
The
place
I
want
to
start
is
really
with
the
simplest
of
all
possible
scenarios,
developers
not
leaking
the
credentials
to
their
application
and
the
reason
I
want
to
start.
There
is
because,
even
in
this
most
simple
of
examples,
it
shows
that
it's
a
problem
that
we
cannot
solve
by
yourself.
C
So
the
open
web
application
security
project
keeps
a
running
list
of
the
top
10
web
app
web
app
vulnerabilities,
and
it
has
the
types
of
things
that
you
would
expect.
Sequel
injection
attacks,
cross-site
scripting,
but
I
actually
think
that
the
next
time
they
update
that
they
need
to
have
a
special
category
all
to
itself
just
for
developers
checking
in
their
application
tokens
into
their
source
repository
because
they
do
it
all
the
time.
C
I
know
this,
because,
just
in
the
last
month,
we've
detected
over
800,000
potential
to
mo
tokens
that
had
been
committed
into
github
public
repos.
The
reason
why
we're
able
to
know
this
is
that
we
have
a
service
that
scans
repos
looking
for
potential
tokens,
so
we'll
sum
find
something
that
looks
like
a
token
and
then
help
go
through
a
remediation
workflow
to
get
the
developer
yeah
to
update
the
code,
to
something
like
what
it
should
be
but
think
about
what
it
takes
for
us
to
really
go
and
do
this.
C
There
are
so
many
different
services
and
so
many
different
types
of
tokens
out
there.
How
do
we
get
hub
know
that
this
was
a
token
and
even
if
we
knew
it
was
a
token?
How
do
we
know
it's
actually
an
active
token
that
could
be
used?
It's
not
our
service,
and
even
if
we
knew
it
was
an
active
token.
What
do
we
do
about
it?
We
can't
go
and
remediate
it.
It's
not
our
token.
C
So
the
answer
to
this
is
we
partner,
so
we
work
with
a
whole
set
of
partners
to
secure
this
and
the
way
that
this
works
is
that
they
tell
us
what
their
tokens
look
like
when
we
find
one
that
matches.
We
tell
them
about
that
possibility
and
they
can
go
and
check
to
see
if
it's
an
to
token
and
then
take
the
right
action
for
their
service,
and
it
means
that,
if
you're
a
user
of
one
of
these
services,
you
have
to
worry
a
lot
less
about
your
developers.
C
Leaking
your
tokens
and
I'm
thrilled
to
announce
that
today
we
have
four
new
partners
that
are
joining
us
to
detect
tokens.
Hashey,
Corp
postman,
go
card,
'let
go
cardless
and
Tencent
cloud,
I'm
thrilled
to
have
them,
and
if
there's
anybody
listening
here
that
is
interested
in
participating
in
this
with
their
service,
please
reach
out
now.
I
want
to
talk
about
a
problem
that
is
just
slightly
more
complicated,
which
is
trying
to
secure
the
open
source
supply
chain.
C
So,
like
Erika
mentioned,
the
depth
and
complexity
of
applications
today
is
exploding
and
it's
all
powered
by
open
source,
and
this
is
fantastic.
The
place
where
this
really
becomes
real
for
me
is
with
the
dependency
graph.
You
can
go
on
any
repo
today
on
github
and
look
and
see
what
the
dependencies
of
it
actually
are.
C
So
pick
your
favorite
repo,
any
open
source
project,
for
example,
and
go,
and
you
will
see
that
there
are
so
many
dependencies
of
dependencies
of
dependencies
of
dependencies,
it's
kind
of
crazy,
but
this
is
a
great
you
get
thousands
of
committers
that
are
helping.
You
go
faster
and
building
your
application,
but
it
also
means
you
have
thousands
of
committers
that
you
have
to
take
care
of
in
terms
of
in
terms
of
written
risk
exposure.
So
what
happens
when
something
goes
wrong
here?
C
C
These
are
the
folks
that
find
the
majority
of
the
actual
security
vulnerabilities,
but
even
today,
in
2019,
and
even
when
you
have
access
to
much
of
the
source
code,
finding
those
vulnerabilities
is
often
an
extremely
manual
process
and
then
to
find
the
issue.
What
do
you
do
like
how
do
if
you
don't
know
anything?
You
don't
know
anybody
in
the
project.
C
How
do
you
reach
out
and
tell
them
about
this
security
vulnerability
without
disclosing
it
to
the
world
and
then
maintainer
x'
maintainer
is
already
are
busy
enough,
but
they
now
have
to
be
responsible
for
fixing
these
vulnerabilities
and
because
open-source
repos
are
public.
You
don't
typically
want
to
fix
security
vulnerabilities
in
the
open,
because
you
don't
want
to
disclose
them.
C
C
So
we're
gonna
go
through
that
end-to-end
flow
and
we're
gonna
start
as
a
security
researcher.
So
I'm
a
security
researcher,
I
found
a
vulnerability
and,
let's
say
I,
found
the
vulnerability
in
the
public
web
pack.
Project
and
I
want
to
report
it.
How
would
I
do
that?
Well,
the
logical
thing
to
do
would
be
to
go
where
the
web
pack
maintainer
x'
live,
which
is
at
the
web
pack
repo
on
github
and
then
the
logical
thing
to
do
would
be
to
go
where
you
report
issues
to
web
pack,
which
is
on
their
issues
page.
C
So,
if
I
create
a
new
issue,
you'll
see
that
there's
something
that's
telling
me
the
path
I
should
take
for
reporting
a
security
vulnerability.
So
we
support
security
policies
which
allow
maintainer
x'
to
specify
how
they
would
like
to
see
security
vulnerabilities
reported
to
their
repository
now,
once
you
know
about
a
security
vulnerability
as
a
maintainer,
it's
time
to
fix
it
and
that's
where
security
advisories
come
in
security.
C
Advisories
are
a
concept
that
provide
a
mechanism
for
a
maintainer
to
work
in
private,
even
on
a
public
repo
to
fix
that
security,
vulnerability
and
then
ultimately,
to
publish
it
to
the
world.
So
here
I
have
an
example
of
a
draft
security
vulnerability
where
it
hasn't
been
fixed
quite
yet,
and
I
want
to
I
want
to
color
I
want
to
actually
go
through
collaborating,
so
this
is
a
space
much
like
a
pull
request
where
the
team
can
come
in
and
discuss
the
vulnerability
in
private
I
can
invite
whoever
I
want.
C
So,
if
I
wanted
to
invite
even
the
person
that
originally
reported
the
security
vulnerability,
I
can
I
can
specify
metadata
like
how
severe
the
vulnerability
is.
What
package
that
applies
to
what
versions
it
applies
to
and
go
through,
fixing
it
and
to
fix
it.
You
also
get
a
private
Fork,
which
is
a
prilae.
What
it
sounds
like
a
private
agate
fork
for
you
to
make
the
change
before
it's
actually
published
in
live
now.
C
C
Is
that
as
a
maintainer,
you
can
request
a
CBE
directly
from
this
page
and
what
this
means
is
sea
bees
are
the
mechanism
that
the
broader
security
community
uses
to
communicate
about
vulnerabilities,
but
the
mechanism
for
getting
the
CVE
has
a
little
bit
of
a
tax
to
it.
So
github
can
now
issue
CVEs
on
behalf
of
open
source
projects
and
that
will
allow
us
to
connect
the
open
source
community
to
the
rest
of
the
security
community.
So
I'm
very
excited
about
that.
C
Now,
once
you've
published
this
advisory,
what
happens?
Well,
it
goes
into
our
advisory
database,
so
the
advisory
database.
This
is
a
collection
of
all
of
the
vulnerabilities
that
we
know
about
it,
github
whether
it
was
one
that
was
reported
directly
to
us
via
security
advisories
or
whether
it
was
a
saidit
whether
it
was
one
that
we
pulled
in
from
one
of
the
public
feeds
like
the
national
vulnerability
database,
if
you've
ever
gotten
a
security
alert
from
github
it's
because
it
was
part
of
our
advisory
database.
C
C
You
can
access
it
via
the
web
or
you
can
access
it
via
api's.
You
can
search
by
CVE
or
particular
strings.
You
can
filter
it
down
to
particular
severity
levels
or
specific
ecosystems.
We
were
to
look
at
the
Python
ecosystem
and
then,
let's
pick
us
one
of
the
recent
more
severe
security
vulnerabilities,
you
can
drill
in
and
you'll
get
a
richness.
You
can
get
a
description
of
exactly
what's
wrong
with
that
vulnerability
and
kind
of
the
exciting
thing
for
me
is
because
this
vulnerability,
it
was
reported
natively
on
github.
C
If
you've
ever
tried
to
find
out
more
information
about
a
vulnerability
in
the
owner
ability
online,
this
kind
of
connectivity
is
something
that
has
been
sorely
needed.
In
my
opinion,
now
the
data,
the
vulnerability
is
now
in
our
advisory
database.
The
next
step
is
to
alert
the
people
that
are
using
this
particular
dependency
that
they
need
to
take
action.
C
So
the
way
that
we
do,
that
is
we
take
the
data
in
a
debate
in
the
advisory
database
and
we
match
that
up
with
the
dependency
graph
I
Briand
this
earlier,
but
this
is
where
you
can
view
all
the
dependencies
and
the
dependencies
of
the
dependencies
of
dependencies
of
the
dependencies.
We
could
go
for
a
while
here
as
part
of
this,
but
if
any
one
of
those
dependencies
has
a
version
that
is
that
has
a
vulnerability
in
our
database.
You
will
get
a
security
alert.
You
will
get
a
security
alert
in
the
web
portal.
C
You
will
also
get
a
security
email
and
for
those
of
you
that
have
been
receiving
security
emails
already,
I
have
good
news.
We've
been
listening
to
you,
so,
in
addition
to
all
all
of
the
security
emails
you
already
get,
we
will
now
send
you
an
additional
security
email,
every
15
minutes
until
you
fix
that
vulnerability,
it's
completely
configurable
it
15
minutes
is
too
frequent.
You
know
you
can
dial
it
down
to
five
minutes.
Our
security.
C
Our
infrastructure
team,
has
been
laying
fiber
so
that
we
can
send
as
many
emails
as
it
takes
to
secure
the
world
software.
You
guys
think
I'm.
Joking,
don't
you
seriously,
though
we
have
heard
your
feedback
that
sometimes
the
number
of
security
alert
emails
can
be
a
little
bit
a
little
bit
volumous.
So
we
recently
shipped
a
feature
that
internally,
we
lovingly
called
garden
hose
as
opposed
to
fire
hose
and
what
garden
hose
lets
you
do
is
configure
how
you
want
to
receive
security
alerts.
C
C
So,
to
make
that
easier,
we
now
we
support
a
feature
called
automatic
security
updates
and
what
automatic
security
updates
does
is
it
will
generate
a
pull
request
which
will
update
the
version
of
the
dependency
to
the
one
that
has
the
security
fix
in
it,
and
in
this
case
it's
showing
me
all
of
the
changes
in
total
that
I'm
going
to
pick
as
part
of
this
change.
So
it
means,
if
you
marry
this
with
actions
or
the
CI
system
of
your
choice,
that's
validating
your
change.
C
All
the
developers
should
have
to
do
is
come
in
to
the
pull
request
that
was
generated,
review
it
and
Mergent.
This
is
all
powered
by
dependable,
dependable,
joint
github
at
satellite
last
May
and
I
am
thrilled
to
announce
that
it
is
now
fully
integrated
into
github.
It
is
generally
available
and
it
is
protecting
millions
of
repositories.
Today,.
C
Now
this
was
for
a
flow
for
one
repo,
but
many
organizations
out
there
have
tens
of
repos
hundreds
of
repos
thousands
of
repos
tens
of
thousands
and,
as
a
customer
yesterday
told
me
in
some
cases
hundreds
of
thousands
of
repos,
and
it
can
be
hard
to
keep
track
of
the
state
of
of
the
state
of
all
of
your
repos.
So
we've
been
working
on
that
problem
with
something
we
call
dependency
insights
and
what
dependency
Insights
does
is,
give
you
a
view
across
all
the
repos
or
organizations.
C
So
you
can
see
what
the
total
set
of
outstanding
advisories
are,
how
severe
they
are
and
what
the
dependencies
that
you
have
you
can.
You
can
filter
this
with
different
views
in
this
case,
I
can
filter
it
down
to
see
the
dependencies
that
have
the
most
set
of
security.
Advisories
I
just
pick
one
and
drill
in
I
can
see
that.
In
fact,
this
particular
version
of
this
dependency
has
12
security.
Advisories,
that's
not
ideal,
but
then
I
can
also
go
see
that
there's
actually
only
one
repo
in
my
organization.
C
C
Okay,
now,
if
you
were
paying
close
attention,
you'll
have
noticed
that
we
tackled
a
bunch
of
the
problems
that
I
talked
about,
but
there
were
two
that
we
didn't.
One
was
how
new
security
researchers
find
the
vulnerability
to
begin
with,
and
the
other
is.
How
do
we
stop
these
vulnerabilities
from
happening
again
and
again
and
again
so
those
two
problems
are
exactly
why
in
September
Cemil
joint
github,
so
how
the
SEM
will
help
us
tackle
those
two
problems.
It
brings
with
it
an
amazing
technology
called
code
QL,
which
is
essentially
a
semantic
code
engine.
C
So
what
does
that
mean?
It
takes
your
code
and
it
transforms
it
into
a
database
that
is
now
queryable.
So
you
can
now
query
that
database
as
a
security
researcher
to
go
and
hunt
for
vulnerabilities
in
that
code.
You
can
then
take
those
same
queries
and
use
them
to
make
sure
as
a
developer.
You're
not
introducing
similar
types
of
vulnerabilities.
So
I'm
really
excited
about
this,
but
it's
also
way
easier
to
show
than
it
is
to
talk
about.
So
let's
take
a
look.
C
So
I
am
on
the
net
data
repository
that
data
is
a
popular
real-time
monitoring
solution
and
they've
been
using
code
QL
to
make
sure
that
they
don't
introduce
new
security
vulnerabilities
into
their
changes.
So
every
time
a
pull
request
is
created.
Code
QL
is
run
to
go,
look
for
new
potential
vulnerabilities
and
at
some
point
in
this
change,
which
was
a
pretty
big
one.
We
actually
detected
with
code
QL,
three
potential
vulnerabilities
and
one
of
them
was
a
cross-site
scripting
vulnerability.
So
let's
go.
C
Let's
go
look
at
that,
so
I'm
gonna
jump
over
and
we're
gonna
look
at
those,
and
this
particular
vulnerability
is
in
main,
je
s
main
JJ
s
actually
has
two
vulnerabilities,
but
in
the
interest
of
time
we're
just
going
to
look
at
the
second
one
and
we'll
look
at
this
cross
site
scripting
one.
So
this
shows
me
the
piece
of
text
where
it
thinks
I
have
a
vulnerability.
So
what
is
a
cross-site
scripting
vulnerability?
C
It's
essentially
an
attempt
by
an
attacker
to
take
a
string
that
they
set
in
some
form,
maybe
a
URL
and
get
it
injected
into
your
Dom,
so
that
it
can
then
run
script
and
do
things
like
steal.
Your
cookies
steal
your
cookies
and
data
and
I
can
kind
of
see
from
this
line
why
this
might
be
a
problem
because
it
is
setting
something
into
my
DOM
and
there
is
a
variable:
that's
got
data
coming
from
somewhere,
but
this
could
be
okay,
think
about
what
it
actually
takes
to
find
a
real
cross-site,
scripting
vulnerability.
C
You
need
to
know
where
the
data
is
coming
from
and
that
that
data
might
be
unsafe.
You
then
need
to
know
how
that
data
might
be
used.
That
could
be
dangerous,
like
put
it
into
the
DOM,
and
then
you
need
to
be
able
to
track
that
data
as
it
moves
through
your
program.
However,
it
goes
from
point
A
to
point
B.
This
is
a
pretty
hard
problem,
but
that's
exactly
what
code
ql'
does.
C
So
if
I
drill
in
I
can
see
that
the
data
from
this
source
is
actually
coming
being
read
in
from
a
variable
from
a
separate
frame,
separate
frame,
different
URL
URL,
potentially,
this
is
where
the
cross-site
scripting
comes
in,
and
then
it
gives
me
the
sack
Trey
says
that
data
flows
from
point
A
to
point
B
through
different
variables
and
eventually
getting
down
to
the
place
where
it
is
inserted
into
the
HTML.
Thus
the
potential
cross-site
scripting
attack.
C
Now
this
vulnerability
was
found
by
running
one
of
the
many
queries
that
are
available,
so
this
particular
project
has
three
different
languages
in
it.
Each
of
them
have
a
different
set
of
queries.
In
fact,
we
have
over
2,000
built-in
queries
that
have
been
authored
to
find
different,
different
vulnerabilities
and
because
one
of
those
queries
existed
that
knew
how
to
detect,
detect
this
type
of
vulnerability.
C
The
net
data
team
was
able
to
make
a
fix
to
not
just
insert
you
know
straight,
but
to
make
sure
it's
coming
in
his
text
before
this
change
ever
got
merged
into
master.
So
this
type
of
vulnerability,
when
you
talk
about
static
analysis,
is
the
real
kind
that
you
want
to
find
because
it's
not
theoretical.
It's
a
real
exploitable
one
they're
also
the
hardest
to
find
and
the
reason
why
we
were
able
to
find
this.
C
One
is
kind
of
twofold
one,
because
the
tech
here
is
kind
of
cool,
but
the
other
one
is
because
someone
authored,
in
this
case
a
security,
research
or
security
expert
authored
this
query
that
knew
how
to
go
and
find
it.
So
that
data
is
the
key
thing
that
connection
between
the
work
that
a
security
expert
did
to
the
workflow
of
a
developer.
C
So
this
I
think
is
one
of
the
key
things
and
one
of
the
key
opportunities,
because
if
you
talk
about
the
entire
set
of
roles
that
need
to
participate
in
this
there's
an
incredibly
important
one,
which
is
the
security
researcher.
So
there's
a
great
opportunity
for
us
to
take
all
of
the
amazing
work
that
the
security
community
is
doing.
The
security
experts,
the
security
researchers
and
connect
that
directly
into
the
work
flow
and
the
lives
of
the
millions
of
developers
on
github
to
help
make
the
but
make
all
of
this
software
that
we're
using
safer.
C
D
Initially,
in
those
early
days,
my
own
little
try
focused
mostly
or
never
infrastructure
and
managing
user
access,
but
their
natural
next
step
was
to
focus
our
effort
to
where
what
those
users
were
actually
using
to
interface
to
the
infrastructure
that
was
under
our
care,
basically
a
software.
So
with
time
a
significant
chunk
of
this
drive
focused
shift
to
integrated
into
the
software
development
lifecycle,
and
it
was
with
that
shift
that
a
vibrant
and
thriving
community
spawned
a
community
that
was
solely
focused
on
insure
software
behave
the
way
they
actually
intend
to
behave.
D
Our
job
became
to
explore
and
document
the
unintended
states
of
the
sword
around
our
world
and
most
important
well
actually,
security
impact,
those
state
space,
my
heart
I'm
sure
by
now
everyone
guess
who
my
tribe
is
I'm.
A
hacker
I
mean
a
security
professional
and
my
tribe
is
the
information
security
community.
The
information
security
community
started
as
a
small
group
of
people
on
IRC
that,
for
those
are
young
here,
it's
sort
of
like
slack,
but
with
all
the
animated
gif.
D
It
has
since
grow
into
a
massive
community
that
attracts
thousands
of
people
to
security
conference
around
the
globe
to
discuss
the
latest
research.
What
used
to
be
a
necessary
pursuit
of
gaining
or
preventing
access
in
clarity
wave
has
since
became
a
full-blown
industry.
However,
along
the
way
my
tribe
has
committed
some
cardinal
sins.
These
are
the
Hornets.
To
this
day,
I
have
prevalence
from
integrated
effectively
into
the
very
fabric.
We
aim
to
protect
one
of
our
largest
things,
I
believe,
is
our
historico
antagonistic
relationship
with
IT
QA
support
and
most
important
the
software
development
teams.
D
For
too
long
have
we,
as
an
industry
taking
an
ivory
tower
position,
dueling
out
our
judgement
on
code
and
product
quality,
without
offering
any
tangible
deployable
solution,
she's,
providing
a
single
example
of
flows
and
expecting
people
to
just
figure
it
out.
The
four
major
security
industry
should
be
a
facilitator,
not
an
innovator,
and
we
decide
to
do
something
about
that.
So
a
certain
really
free
to
announce.
Today
they
get
cap
security
lab.
What
is
the
key
cap
security
lab?
The
key
kept
secure
lab
will
be
the
home
of
security
researchers
at
github.
D
We
have
a
dedicated
handpick
of
highly
skilled
security
researchers.
Our
team
will
hand
and
fix
bullet
e
in
the
most
the
most
important
projects
we
go
beyond
just
racking
up
CVS
and
also
enable
the
open
source
community
to
act
as
a
force
multiplier
for
the
security
research
community
through
integrated
unity
bar
and
analysis.
In
essence,
our
security
research
will
be
your
security
research
to
date.
Disease
has
collect
more
than
a
hundred
CVS,
and
some
of
them
are
critical.
D
Moment
is
in
really
big
projects,
and
this
is
only
a
small
example
of
what
we'll
be
able
to
achieve
together.
A
Spanish
philosopher
once
said
that
those
who
cannot
remember
the
past
are
condemned
to
repeat
it.
This
quote
to
me
represents
the
various
sense
of
what
coal
coil
is
same
to
prevent
the
repetition
of
the
past
and,
as
a
consequence,
their
mistakes.
The
main
comes
at
behind
QL
is
to
model
normal
abilities
down
to
their
essence,
extracting
the
cold
patterns
and
then
convert
them
into
queries.
D
Later
we
use
those
queries
assist
to
uncover
Mulla
realities
in
your
code
base.
We
want
to
help
developers
write
secure
code,
I,
keep
the
old
tradition
of
killing
one
moon
amity
at
a
time
which
basically
does
not
scale
especially
consider
that
codes
are
not
static
entities
they're,
moving
targets
that
change
continually
with
every
commit
to
that
n,
I'm
very
excited
to
there
that
tell
you
that
we
are
releasing
Coquille
for
free
for
open
source
and
academic
years.
A
Hi
I'm
going
to
show
you
a
quick
demo
of
a
vulnerability
that
I
found
earlier
this
year
in
Facebook.
Fizz
fizz
is
Facebook's
open
source,
TLS
implementations.
So
that's
the
software
that
does
the
HTTP
part
of
HTTP
facebook.com/,
as
you
can
imagine,
that's
critically
important
software
for
Facebook
and
the
bug
that
I
found
could
have
caused
a
serious
outage
at
Facebook
and
Instagram
so
because
face
because
fizz
is
so
important.
A
Facebook
have
put
a
lot
of
effort
into
making
sure
that
it's
secure,
so
it's
been
extensively
fuzz
tested
and
audited
and
from
having
a
look
at
looked
at
the
source
code,
myself
I'd
say
it's
very
high
quality,
so
the
bug
that
I
found
with
code
QL
had
managed
to
slip
through
a
very
tight
net.
So
I'm
going
to
do.
First
is
I'm
just
going
to
show
you
a
demo
of
the
exploit
proof-of-concept
that
I
wrote
so
I've
got
fizz,
fizz
server
running
here
and
in
this
terminal
here
I'm
going
to
run
the
attack.
A
So
how
did
I
find
this
vulnerability?
This
is
v/s
code
and
over
here
is
the
code
ql
extension
and
up
here
I've
got
a
database
for
fizz
loaded.
Jamie
mentioned
these
databases
earlier
in
his
in
his
talk.
So
what
the
database
is
is
the
source
code
for
Fears
converted
into
a
form
that
is
now
queryable
and
over
here
I've
got
the
query
that
found
a
vulnerability.
So
what
I
was
looking
for
was
integer
overflows
in
the
fears
source
code.
A
Integer
overflows
are
difficult
to
find
with
a
text-based
search
like
grab
because
they
tend
to
be
implicit
in
the
code,
but
with
code
QL,
it's
easy
because
the
database
contains
not
just
the
text
of
the
source
code,
but
also
other
information
like
types.
So
what
I'll
show
you
first
is
some
query
results.
So
this
was
a
simple
query
that
I
wrote
just
looking
for
potential
Institute
integer
overflows.
A
You
could
see
that
there's
quite
a
lot
of
results
and
what
I
really
want
to
know
is
whether
it's
possible
for
an
attacker
to
put
some
malicious
data
into
an
incoming
message
and
for
that
to
actually
trigger
one
of
these
integer
overflows.
So
the
query
that
found
the
bug
is
here
that
I
used
our
taint
tracking
library
to
do
that.
A
So
what
would
with
taint
tracking
what
I'm
able
to
do
is
I'm
able
to
say
I'm
only
interested
if
there's
a
source
of
network
data
that
flows
to
a
sink
where
there
might
be
an
integer
overflow,
and
you
can
see
the
result
of
that
query
over
here.
Let
me
just
hide
this
yeah
and
now
there's
just
one
result
and
it's
given
me
a
data
flow
path
as
well.
A
So
what
you
can
see
here
is
that
the
data
flow
path
starts
out
with
an
engine
this
conversion
there
and
that's
often
a
telltale
sign
of
data-
that's
coming
out
of
a
network
packet,
and
then
that's
used
here
to
read
an
unsigned
16-bit
integer
into
this
variable
length
and
then
the
final
step
of
the
data
flow
path.
This
is
where
the
integer
overflow
happens,
so
this
plus
equals
what
my
proof
of
concept
does.
Is
it
triggers
an
integer
overflow
which
causes
length
to
wrap
around
and
become
zero?
A
And
then
this
loop
up
here
ends
up
going
back
to
the
beginning
of
the
message
and
pausing
it
again,
which
is
why
there
ends
up
being
an
infinite
loop
in
the
code.
So
you
can
see
that
this
bug
would
have
been
very
difficult
to
find
without
code
ql',
so
that
was
the
end
of
my
demo.
I'm
going
to
hand
back
to
Nico
now
who's
going
to
talk
about
the
impact
this
is
going
to
have
for
software
security
in
general.
Thanks.
D
Thank
you
Gary.
This
is
a
great
bag,
but
if
you
didn't
understand
the
back,
you
have
to
worry
about.
The
whole
idea
of
what
we're
trying
to
do
here
is
that
we
will
soon
be
able
to
transform
the
great
work
of
our
research
like
cap
and
leverage
it
across
multiple
code
bases
to
prevent
those
bugs
to
ever
happen
again.
I
would
like
to
introduce
now
Ralph
Fletcher
rob
is
a
head
of
product
security
at
uber,
healing
his
team
are
responsible
for
product
security.
D
E
E
Several
years
ago,
we
launched
a
three-part
test
phase
to
explore
the
efficacy
of
LG
TM,
and
we
were
really
excited
to
see
the
results
that
came
from
the
control
flow
analysis
and
the
tainting
of
functionality.
Since
then,
we've
rolled
out
LG,
TM
more
broadly,
and
it's
become
an
important
part
of
our
vulnerability
management
strategy,
helping
to
create
a
more
robust
life
cycle
between
manual
findings
and
automated
findings.
For
example,
we
take
our
manual
findings
and
plug
that
into
code,
QL
writing
and,
on
average,
we've
been
able
to
find
three
true
variants
for
every
individual
manual.
E
Finding
that
we
write
a
query
for
you
know,
besides
those
obvious
results
of
getting
more
vulnerabilities,
it's
really
raised
the
ceiling
to
on
how
we
can
scale
with
the
company
when
we
couldn't
do
that
as
well.
Previously,
instead
of
finding
one
vulnerability
in
one
codebase,
we
can
write
a
code
KL
query
that
allows
us
to
find
that
vulnerability
in
all
of
our
code
bases
in
an
ongoing
basis
as
modern
development
workflows
and
continue
to
get
faster.
Really,
the
only
way
security
teams
can
be
successful
in
scale
with
the
company
is
automation
and
LG.
E
E
D
You're
up,
we
are
excited
to
have
an
initial
set
of
partners
today
that
all
have
commits
to
contribute
in
different
forms,
such
as
stooling,
computer
infrastructure
funding
and
hours
of
research,
time
all
to
help
secure
the
open
source
software
for
the
community.
We
want
to
invite
others
to
join
the
same
effort
with
our
partners.
Commitment
to
open
source
security
really
constitute
a
formula
results
to
really
make
the
difference.
We
need
our
entire
community
or
more
and
but
better
way
to
invite.
F
Thank
You
Nico
at
hacker,
one
as
a
part
of
our
mission
to
make
the
internet
safer.
We
believe
that
protecting
open-source
is
our
social
responsibility.
After
all,
like
most
companies,
open-source
software
powers,
hacker
1,
and
that's
why
we
are
thrilled
to
see
how
much
github
is
investing
in
open-source
security
they're,
really
in
one
of
the
best
positions
to
have
meaningful
change
in
case
you're
not
familiar
with
us,
are
ready
at
hacker
1.
We
work
with
a
community
of
over
half
a
million
hackers
or
security
researchers
to
help
them
disclose
vulnerabilities
to
programs.
F
And
finally,
I
want
to
briefly
talk
about
two
things:
we've
learned
running
bug,
bounty
programs.
The
first
is
transparency.
The
more
open
a
program
is
meaning,
the
more
that
it
discloses
vulnerabilities
and
the
more
people
it
invites
to
hack
the
better
results
it
gets.
The
next
is
that
put
simply,
it
helps
a
lot
to
get
paid
when
programs
start
paying
bounties
or
when
they
start
increasing
their
bounties.
They
get
better
results,
which
means
more
secure
code.
D
There
is
a
famous
Linux
law
among
security
people
that
state
that,
given
enough
ice,
all
bags
are
shallow.
Really
this
to
be
true.
That
is
why
we
are
fully
committed
to
rewarding
your
time
for
looking
at
open
source
code
and
to
that
end
we
are
establishing
two
main
mountains
to
reward
blue
narrative
research
on
an
open
source
project,
the
first
one.
We
call
it
the
Box
layer.
This
vanity
will
reward
a
security
researchers
that
create
boring
queries
that
have
found
multiple
real-world
boon
abilities
with
associated
CVE
numbers.
D
Finally,
I
want
to
invite
everyone,
maintainer
developers,
security,
researchers
and
everyone
else
involved
into
software
development
community
to
visit
our
website,
where
you
can
download
tools
such
as
Cole
QL
and
the
newbie
SEO
extension
receive
information
about
it
coming
events
and
learn
about
the
commitment
that
some
of
these
key
players
in
the
open
source
community
have
made
to
improve
the
security
of
our
share
ecosystem.
Please
check
out
our
website,
follow
us
on
Twitter
and
stay
tuned
for
the
amazing
things
are
coming.
B
Thanks
Nico
Jamie
me
too
Rob
and
Kevin
I
couldn't
be
more
excited
about
the
work
that
we're
doing
in
the
security
space.
It's
great
to
see
this
range
of
companies
coming
together
to
work
on
issues
for
the
benefit
of
the
broader
community,
and
this
is
just
the
beginning.
I
can't
wait
to
see
this
community
grow
and
flourish,
so
please
do
check
it
out
now.
Let's
look
at
another
way
to
get
involved
in
the
ecosystem
and
that's
via
actions,
actions
lets
you
automate
any
part
of
your
development
workflow
from
running
tests
to
triaging
issues.
B
To
deploying
to
a
cloud
we
build
actions
to
be
fundamentally
extensible.
In
fact,
the
github
repo
graph
is
the
actions
ecosystem.
You
can
take
actions
from
anywhere
in
the
open-source
community,
edit
them
and
reshare
when
you
fork
a
project
with
an
action
in
it.
The
action
comes
right,
along
with
it
to
date,
over
1,200
actions
have
been
published
in
the
github
marketplace.
That's
up
over
250
percent,
since
August
I'm
going
to
invite
Erica
kado,
who
runs
our
partner
engineering
team
to
the
stage
to
talk
to
us
about
some
of
the
work.
B
B
G
B
G
Start
I'd
like
to
highlight
terraform
managing
infrastructure
has
always
been
complex.
Now
imagine
having
large
multi-tier
applications
or
multi
cloud
deployments.
Hashi
curves
terraform
allows
you
to
codify
infrastructure
unless
you
deploy
to
any
cloud.
This
simplifies
a
provisioning
process
so
much
in
this
example.
We
want
to
inverse
the
color
scheme
on
this
octocat
site
and
have
it
automatically
deploy
the
necklace
I
with
our
development
workflow.
G
When
a
pull
request
is
made
in
github,
the
terraform
plan
is
triggered
from
github
actions,
which
will
check
to
make
sure
your
plan
really
matches
your
expectations.
Then,
when
the
pull
request
is
merged,
the
github
actions
will
kick
off
the
terraform
apply
and
you're
good
to
go.
I
know
this
is
a
simple
example,
but
this
totally
automates
your
deployment
from
code
to
cloud.
G
Action
that
I'm
excited
about
is
a
white
source
action
with
github
packages.
You
can
discover
and
publish
packages
within
github
white
source
offers
containers
securities
to
canning.
So
when
you
include
the
white
source
action,
those
docker
images,
you're
publishing
can
be
scanned
for
you.
When
the
scanning
is
complete,
you
will
receive
a
full
report
back
with
known
security
vulnerabilities
and
license
information.
G
G
B
G
G
B
B
B
Talked
earlier
about
our
mission
at
github
to
be
the
home
for
all
developers,
and
we
know
that
developers
want
choice
who
doesn't
we're
committed
to
delivering
on
this
and
ensuring
that
every
part
of
your
development
life
cycle
is
swappable
when
you're
using
github?
This
includes
CI
providers,
security
solutions,
cloud
platforms
and
more
actions
takes
this
to
heart.
You
can
automate
anything
replace
any
part
of
your
workflow
and
integrate
easily
with
other
tools.
H
Hi
I'm
Claire
Liguori
I'm,
a
principal
engineer
on
the
aid
of
youth
containers,
team
and
I'm,
a
big
fan
of
containers,
I
love
that
containers
can
help
us
to
share
our
applications
with
others
and
I
love.
That
containers
can
help
us
to
deploy
our
applications
to
the
cloud
I
like
that.
There's
this
easy
standardized
way
to
describe
how
to
build
my
application
for
a
container
with
all
the
dependencies
built
right
into
the
container
image.
H
I
like
that
when
I
share
that
image
with
you,
I,
don't
have
to
make
any
assumptions
about
what
Linux,
flavor,
you're
running
or
libraries
you
have
installed.
I
can
simply
share
this
image
with
you
and
then
it's
as
easy,
as
darker
pole
and
docker
run
for
you
to
have
my
super
cool
application
running
on
your
laptop.
So
it's
that
easy
and
then,
when
you
get
to
the
cloud
now,
you
can
scale
out
to
multiple
copies
of
your
application
running
in
containers
for
high
scale.
H
You
can
scale
out
to
multiple
applications
across
many
different
containers,
but
you
start
to
need
something
to
manage
all
of
these
containers
for
you
to
help
you
deploy
and
scale
and
keep
them
running
all
the
time
at
AWS
we
have
a
broad
portfolio
of
services
to
help
you
run
your
containers
in
the
cloud.
The
elastic
container
registry
ECR
will
help
you
to
store
your
container
images
and
share
those
applications
with
others.
H
We
have
two
services
to
help
you
manage
and
deploy
and
scale
containers
the
elastic
kubernetes
service,
eks
for
your
kubernetes
workloads
and
the
elastic
container
service
ECS.
We
have
two
options
for
ecs,
for
where
your
containers
run
easy
to
and
Fargate.
So,
for
example,
if
you
use
ECS
to
deploy
and
manage
your
containers,
you
can
create
a
resource
called
a
service
where
you
tell
ECS,
I
want
to
run
fifteen
application.
Fifteen
copies
of
my
application,
all
the
time
ECS
will
keep
those
containers
running,
and
you
can
give
three
easy.
H
Two
instances
to
ECS
to
run
those
containers
or
you
can
take
advantage
of
Fargate
Fargate
is
serverless
compute
for
your
containers,
so
you
can
tell
ECS.
I
still
want
to
run
15
copies
of
my
application,
but
I
want
to
use
Fargate,
so
you
don't
have
to
have
any
ec2
instances
to
scale
or
manage
or
patch
those
instances.
H
You
can
simply
focus
on
building
your
applications,
packaging
them
into
containers
and
deploying
them
to
the
cloud
without
worrying
about
the
underlying
compute
for
those
containers,
I
specifically
focus
on
developer
tooling
for
ECS
and
Fargate,
so
I'm
super
excited
to
be
here
today.
Talking
about
github
actions
for
ECS,
Fargate
and
EC
are
I.
Think
that
github
actions
can
help
us
to
smooth
the
way
to
getting
our
code
into
the
cloud.
I
think
a
lot
in
my
day
to
day
life
about
what
are
those
little
frustrations
we
have
as
developers
every
day.
H
What
are
those
things
that
slow
us
down
from
getting
our
code
into
the
cloud
and
I
think
about
what
are
the
integrations
that
we
can
create
for
ECS
to
help
make
that
a
smooth
process,
so
today,
I'm
really
excited
to
announce
that
AWS
and
github
have
collaborated
on
a
set
of
for
github
actions
that
are
in
the
github
marketplace.
Today.
H
So
to
do
that,
I'm
going
to
use
mythical
misfits
calm.
This
is
an
online
adoption
agency
for
mythical
creatures.
You
can
select
different
characteristics
to
find
your
favorite
mythical
creature
and
then
view
their
profile
to
find
out
more
information
about
them.
I
happen
to
like
koko
the
dragon.
Quite
a
bit,
I
think
she's,
pretty
cute,
so
I'm
gonna
go
ahead
and
hit
this
like
button
this
little
heart.
H
So
this
is
a
containerized
application
with
multiple
micro
services
behind
it.
So
I
have
a
like
micro
service,
so
this
is
generating
the
the
API.
That's
driving
that
heart
button
that
like
button,
so
we
can
go
ahead
and
try
it
out
and
I'll
paste
in
the
ID
for
Coco
the
dragon
she's
pretty
cute.
So
now,
Coco
has
two
likes.
H
H
Here's
my
docker
file.
So
this
is
such
an
easy
way
for
me
to
specify
here
my
Python
dependencies.
Here's
my
Python
code
do
a
little
bit
of
linting
in
there
to
make
sure
my
style
is
good
and
then
here's
the
command
to
actually
run
that,
and
then
this
is
the
actual
Python
flask
code.
That's
driving
that
API,
but
one
of
the
things
we
have
a
problem
here,
there's
no
unlike
API
I,
can't
actually
unselect
that
heart.
H
If
I
decide
I,
don't
like
Coco
anymore,
so
I'm
gonna
go
ahead
and
build
that
today
and
push
that
out
to
my
application.
So
the
first
thing
I
do
on
my
laptop
I
run.
Docker
build
I
got
to
get
my
workspace
set
up,
but
it
looks
like
the
build
is
broken,
looks
like
some
linting
rules
have
failed,
so
I'm
gonna
go
ahead
and
see
who
actually
broke
the
build.
Who
on
my
team
broke
it
and
it's
Coco
the
dragon?
That's
weird:
what
is
she
doing
in
my
git
repository?
H
She
says:
I
tested
this
locally
on
my
laptop,
so
it
totally
works,
I
promise
and
haven't.
We
all
heard
that
from
our
teammates
and
maybe
for
ourselves
at
one
point
or
another.
So
you
think
this
is
one
of
those
first
things
that
slows
us
down
day
to
day
as
developers
from
getting
our
code
into
the
cloud,
so
I'm
going
to
automate
this
away
with
github
actions.
So
the
first
thing
I
do
is
I.
Have
this
check
workflow
on
every
pull
request?
It's
just
gonna
run
docker
build.
H
H
H
So
now,
we've
seen
that
it's
successfully
built
now
I
need
to
deploy.
Now
is
the
second
time
where
I
have
a
something
slowing
me
down
from
getting
my
code
into
the
cloud.
What
we're
looking
at
here
is
a
task
definition
file
for
ECS.
This
is
basically
the
configuration
I
need
to
give
to
ECS
to
run
my
container
things
like
what
image
do.
I
want
to
run
what
environment
variables
do
I
want
to
set,
but
the
image
ID
changes
every
time.
I
have
a
unique
image.
H
Id
that
I
need
to
go
and
fill
in
to
this
file,
then
I
need
to
deploy
this
file
to
ECS.
So
this
is
a
multi-stage
process.
It's
kind
of
manual,
it's
error-prone,
I,
don't
really
like
to
do
it.
I
just
want
to
focus
on
writing
my
code,
so
I'm
gonna
again
automate
this
away
with
github
actions,
so
this
is
using
those
four
actions
that
AWS
has
published
today.
This
is
going
to
run
on
every
push
to
the
master
branch.
H
First
thing
that
happens
is
it's
checking
out
my
source
code
that
just
got
pushed
to
the
master
branch.
Next
is
the
first
github
action
we've
published
today
configure
a
degress
credentials.
This
is
taking
eight
of
those
credentials
that
I've
stored
and
github
action
secrets
and
configuring
the
environment
so
that
other
actions
can
use
them
next
I'm
logging
in
to
ECR.
This
is
where
I'm
storing
my
container
images.
H
Next
I'm
going
to
go,
build
and
push
that
image
into
ECR,
so
the
tag
for
this
image
is
going
to
be
the
commit
ID
and
it's
going
to
push
it
into
the
registry
that
came
out
of
that
login
ECR
action.
So
this
is
pretty
much
what
you
would
do
for
any
containerized
application.
Docker
build
and
docker
push
with
this
unique
ID
and
then
I
need
to
take
that
ID
and
fill
it
in
to
the
task
definition.
So
this
is
the
third
action
that
we've
published
render
task
definition.
H
It's
gonna
take
that
unique
image
ID
that
was
generated
from
the
commit
ID
and
fill
it
in
to
my
task
definition
for
me
replacing
that
to
do
fill-in
string
and
then
last
but
not
least,
the
fourth
action
deployed
task
definition.
So
this
is
going
to
take
that
file,
deploy
my
image
and
the
configuration
around
it
to
ECS
and
wait
for
that
deployment
to
be
successful.
H
H
So
as
soon
as
I
push
into
my
my
repository
I
can
see
that
this
deployment
is
in
progress
and
we're
quickly
going
through
checking
out
the
code,
configuring,
those
eight
abyss,
credentials
logging
into
ECR
and
we're
on
to
the
build
for
the
docker
image.
So
it's
pulling
in
all
of
my
Python
dependencies
copying
in
all
of
my
Python
code
running
linting
and
then
finally,
it's
going
to
push
into
er.
So
at
this
point,
I
could
share
this
application
with
others
and
now
I'm
going
to
deploy
this
application
to
the
cloud.
H
So
looking
on
the
ECS
console,
we
can
watch
this
deployment
in
progress.
So
ives
told
ECS
I
want
three
copies
of
my
application,
so
I
now
have
three
copies
of
the
old
and
three
copies
of
the
new.
While
the
deployment
is
in
progress
and
then
we
can
go
and
we
can
look
at
the
events,
tab
and
actually
watch
what's
happening
under
the
hood,
so
one
of
the
things
we'll
see
is
those
new
containers
have
been
started
up
and
they're
being
added
to
the
load
balancer.
H
So
anyone
who's
going
to
mythical
misfits
right
now
is
actually
able
to
see
the
unlike
API
in
action
and
then
it's
going
to
start
D
registering
the
old
version
that
doesn't
have
the
unlike
API
from
the
load
balancer
and
it's
gonna
drain
connections.
First,
so
that
we
don't
have
any
more
requests
going
to
those
tasks
and
then
finally,
it's
going
to
have
shut
down
all
of
the
old
containers,
and
so
now
what
we
see
is
that
we
now
are
back
to
only
three
copies
of
the
application,
all
running
that
new
version
of
the
application.
H
So
we
can
try
out
this,
unlike
API
I'm
gonna,
again
paste
in
the
ID
for
Coco
the
dragon
she
broke
the
bills,
it's
an
unlike
for
me
for
Coco
the
dragon
today
and
so
now,
she's
back
down
to
one
like
so
I
encourage
you
to
check
out
mythical
misfits
comm
for
an
online
workshop
to
get
started
with
ECS
and
Fargate,
and
you
can
check
out
in
the
have
actions
tab
in
your
github
repository
today.
You
can
see
the
deploy
to
Amazon
ECS
starter
workflow
to
help
you
get
started
continuously
deploying
to
ECS
and
Fargate.
B
I
Call
me
whatever
you'd
like
well.
Thank
you
very
much,
Erika
and
good
morning.
Everyone,
if
you're,
not
familiar
with
Mabel,
we're
in
the
business
of
making
automated
end-to-end
browser
testing
easy
so
with
Mabel.
You
can
create
automated
tests
in
minutes
plug
those
tests
into
your
CI
CD
pipeline
run
the
tests
in
the
cloud
at
scale
across
all
major
browsers
on
any
deploy,
and
then
Mabel
does
two
things
that
are
really
interesting.
I
We
collect
a
tremendous
amount
of
data
with
every
step
of
every
test
and
use
that
data
to
make
tests
not
be
brittle
and
not
be
flaky.
Two
of
the
problems
that
have
plagued
UI
UI
tests.
You
know
for
quite
some
time
and
then.
Secondly,
we
analyze
that
data
automatically
and
discover
risks
or
issues
in
your
deployments,
things
like
visual
regressions
performance,
regressions,
new
JavaScript
errors
and
so
forth.
Now,
since
the
beginning,
we've
been
very
excited
about
the
idea
of
bringing
those
capabilities
to
help
developers
create
intelligent
pipelines.
I
The
way
that
we
see
it,
that
starts
with
giving
pipelines
visibility
into
test
results,
but
we
go
beyond
that.
We
want
to
help
the
pipelines
themselves,
understand
risks
associated
with
changes
again,
things
like
visual
changes,
performance
changes
and
so
forth,
and
we
think
that
providing
that
context
will
and
allow
developers
to
create
very
sophisticated
workflows
to
automate
a
lot
of
the
manual
intervention.
That's
required
today
to
get
code
from
development
into
production,
and
so
that's
started
for
us
with
building
and
action
that
will
trigger
Mable
tests,
and
so
it's
a
very
simple
action.
I
It
accepts
as
inputs
information
about
your
application
environments
deployments
and
also
allows
you
to
override
the
configuration
of
your
test
plans
if
needed,
and
then
it
returns
the
results
of
your
tests.
How
that
works?
You
may
have
a
workflow
that
has
a
deployment
step.
Then
you'll
have
a
step
to
run
Mable
tests
that
step
notifies
the
Mable
deployments
API,
which
will
in
turn
trigger
your
tests
to
run
in
Mable.
I
Now
I'll
show
you
a
very
simple
example
of
how
that
plays
out
here:
we're
making
a
change
to
a
simple
HTML
file
in
our
repository
as
one
does
I'll
commit
that
change
straight
to
master,
and
this
will
trigger
our
run
Mable
tests
action
now
I
can
watch
as
that
action
kicks
off
right
now,
it's
notifying
the
Mable
deployments
API
that
it
deployments
available.
Now
the
test
is
running
and
we're
looking
at
Mable
as
those
tests
are
running
live
now
here
you
can
see
Mable
collecting
all
that
rich
data.
I
We
have
screenshots
you'll,
see
in
a
moment
that
we're
collecting
snapshots
of
the
DOM
at
every
step
of
the
test,
we're
also
collecting
page
load
information
at
every
step
of
every
test.
Now
our
tests
are
complete
and
they've
all
passed
now.
The
important
thing
here
is
that
this
context
is
available
to
the
pipeline,
so
as
a
developer,
I
can
trigger
additional
automation
off
those
test.
Results
like
that
simple
deployment
that
I
just
made
the
test
pass.
I
I,
probably
just
promote
that
to
production
right
away
today,
we're
excited
that
we've
extended
our
action
support
to
the
Mable
CLI.
So
what
that
means
is
from
actions
you
can
call
all
of
the
features
that
are
available
from
the
Mable
CLI.
For
example,
we
have
a
customer
that
will
you
that,
after
the
test
run
to
take
those
screenshots
that
Mabel
captured
and
then
use
the
AWS
CLI
to
store
them
on
s3
for
archival
and
compliance
purposes.
I
Okay,
but
I
know
that
many
of
your
workflows
are
much
more
sophisticated
than
that
right
and
what
you
really
want
is
to
understand.
As
I
mentioned,
the
risk
associated
with
your
code
deployments
now.
Mabel
assesses
that
risk
today
and
we
provide
insights,
but
those
insights
have
historically
always
been
to
developers
right
and
will
provide
slack
notifications
today
or
will
send
you
an
email
today.
I
For
the
first
time
we've
made
pipelines
aware
of
those
insights,
and
so
as
of
today,
the
Mabel
github
app
can
generate
events
in
your
repository
when
mabel
discovers
risks
or
issues
within
your
application
and
the
power
of
actions
is,
then
you
can
use
that
those
events
in
your
workflows
to
trigger
or
control
additional
actions.
Alright.
I
B
And
thanks
to
all
of
our
presenters
today,
it's
so
cool
to
see
the
way
that
different
members
of
the
community
are
coming
together
to
work
on
addressing
challenges
such
as
software
security
via
token
scanning
security,
research,
container
scanning
and
more
I.
Also
love
seeing
how
the
combination
of
products
and
projects
from
across
the
ecosystem
can
automate
manual
work
for
developers
via
solutions
for
cross
browser
testing
code
to
cloud
notifications
and
more.
B
In
a
world
with
over
a
hundred
million
developers
on
github
by
2025,
the
creativity
of
our
development
team
can
never
match
that
the
creativity
of
the
world's
developers,
it's
only
through
collaboration
that
we
can
jointly
deliver
everything
needed
to
support
all
of
the
different
ways
that
people
want
to
build
software
together.
We
look
forward
on
to
continuing
on
our
mission
to
be
the
home
for
all
developers
and
to
work
with
the
software
development
community
to
provide
the
canvas
on
which
the
world's
developers
can
do
their
best
work.
B
Now,
before
I
wrap
up
just
a
few
quick
notes.
First,
stop
by
the
partner
innovation
area,
as
Dan
mentioned
from
12:00
to
2:00.
We
have
a
variety
of
partners
who
will
be
showing
their
actions,
and
they
can
also
answer
your
questions
about
what
it
was
like
to
build
actions
and
give
you
some
pro
tips
and
also
stop
by
the
ask
github
booth,
where
we're
staffed
with
support
folks
engineers
and
others
from
across
github.
To
answer
all
your
questions,
and
also,
of
course,
to
collect
your
feedback
and
hear
what
you'd
like
to
see
next
from
github.