Description
Blog: https://everyonecancontribute.com/post/2021-06-09-cafe-33-cloud-native-security-snyk/
Website: https://snyk.io/
Twitter thread: https://twitter.com/dnsmichi/status/1401945459510415367
A: And we are back this week for our number 33 of the Everyone Can Contribute cafe, and today it is my pleasure to welcome Matt from Snyk. So we are talking about security. We are talking about cloud native. We are talking about Kubernetes, all the magic things which we've learned in the past few weeks, and I'm honest: I know about Snyk a little, but I haven't tried it myself, and I'm totally looking forward to turning the conversation, seeing a little bit of an introduction, what it can do, how it integrates and so on. So without further ado, I would just say: hi Matt, kick us off, let's do some magic.
B: Thank you for that intro, Michael. I'm not sure it'd be magic, but we'll see. So I guess I'm trying to avoid, as most of us in developer advocacy do, we spend our lives giving slide decks, and I'd much rather kind of have a conversation about this stuff than bombard folks with slides. But I guess the starting point for me really is, like, you know, why.
B: Why is security different in the cloud native world, right? And I think this explains in a sense why we need a new focus on how we do security. You know, I've got plenty of gray hair. You know, I've been around the computing industry for a pretty long time, and you know, when I started it was all actual hardware, right, and big machines and all the rest of it, and you know, you kind of didn't change much.
B: You know, that was the aim of corporate IT type environments: never change anything unless you absolutely have to. And you know, we're in a very different space now where we want to change all the time, and when we combine that idea, this change all the time, like continuous delivery, continuous integration, and we combine that with what developers are responsible for now, as opposed to, let's say, 10 years ago.
B: You know, and I think, I mean, maybe I will just stick one quick slide up here, because I think this is a kind of useful picture. Let's just.
C: Over here, where are we? Spare me one second?
B: You folks, hopefully you're seeing that slide there, right. So you know, for those of us who've been around for a long time, and I'm sure this will be familiar to quite a few people on this call, you know, the piece developers were responsible for was really just this tiny bit at the top, and the rest of it, you know, virtual machines, all the hardware, the networking, you know, all of that stuff was kind of in somebody else's domain.
B: You know, you had specialist teams who just did that, and you know, so the implementation of security in that world was like, well, for a start, we don't change very often, and secondly, that means that we're just going to do security right at the end. So you know, our developer develops it. They ask for a storage LUN from the storage guy.
B: They ask for, like, a network connection, they ask for a virtual machine, and this whole process takes months, and so right at the end, you know, the security team are like, right, now we're going to check it all. And you know, it's kind of worked okay, but you know, this world that we've moved into now is that our infrastructure and our workload, our application, are almost completely tied together, right.
B: So if we consider how much of our production workloads now are deployed in containers, you know, we just did a survey at Snyk over the last three, four months, and you know, even in big enterprises now, you know, people were talking about having 50, 60% of their production workloads in containers, and you know, how do you separate out the application from the container, right, from the container image? And lots of times?
B: It's not just the container image, it's the Kubernetes configuration that makes that all work, and in lots of organizations this might be the same team developing this stuff. So now we've gone from this place where we had the developers just responsible for this small bit at the top to the developers now responsible for almost all of the stack, and you know, that's a much bigger kind of responsibility space for developers to have to think about. You know, on the one hand, we've got this big pressure to deliver.
B: Because that's what it comes down to about businesses who are successful, that really rapid iteration, so developers have got that kind of pressure on them, and now they own, you know, almost by accident in a sense, most of the stack, because they're responsible for this piece that effectively defines the compute infrastructure and the configuration for that compute infrastructure, and so you know, it kind of becomes much more the developer problem.
B: You know, security issues, because now that's all under their purview. You know, they've got the container image, they've got their own application code, and the application itself is, you know, perhaps pulling in third party open source dependencies, and you know, these responsibilities have all kind of ended up with developers, and that's.
B: I think for security in the cloud native space, that wasn't there five or ten years ago, and this is why we're seeing a lot of new approaches to how we do security in the cloud native space, and this is where this idea of DevSecOps that lots of people talk about kind of comes into play, where you know, like we merged development and operations.
B: What kind of now needs to happen is that you merge that security into that development workflow as well, and there's lots of, you know, there's lots of terminology around this. People talk about shifting left, right, which is basically like, you know, where do we need to think about security in our development workflow? And then, you know, our belief at Snyk is that we really need to build that in all the way through the pipeline.
B: So you know, at every stage that we're automating in our CI/CD, we need to be able to put security checks in there and also to make it super easy for developers to use those tools, right. We.
B: There's no way that our developers are gonna become security experts. So if you present developers with, like, a huge list of CVEs, you know that people are just going to sit there and go, well, what am I supposed to do with this, right? So it's got to be about presenting the information in the right way that developers can consume it, and also providing them actionable ways of moving forward and dealing with those issues, and at Snyk we kind of focus on, I guess, four.
B: Four key areas. It used to be three, but now, you know, the first area is open source packages. Right, I mean, you know, you look at the patterns of how applications are developed now, you know, your typical application has a really small amount of homegrown code and then a ton of open source packages in it, and you know, that might be Node. It could be Go.
B: It could be Python, it could be whatever, right, but that's how we write applications these days, and so you've got this big chunk of code that's kind of outside of your responsibility. You know, you're not maintaining it. How are you supposed to know what version to use, whether it's got vulnerabilities in it? So that's the first thing. The second thing is around container images and looking at vulnerabilities in container images, and then the two kind of most recent ones are: our infrastructure as code, and by infrastructure as code...
B: We include Kubernetes, we include Terraform, you know, all that kind of stuff that creates our things, Helm charts and all that stuff, and then we've just launched a static application security testing feature as well called Snyk Code, which is about testing your homegrown code for actual coding mistakes. You know, whether that might be, you know, unsanitized inputs or whatever, that's gonna pick those things out. So let me just show you what that looks like.
B: Okay, you folks all see in my browser here, so this is the Snyk dashboard, the kind of high level view of what's going on in my Snyk account.
B: This kind of first page really just gives me an overview of all the things that are going on across all the projects that I've imported into my Snyk account, and if we go to projects, it's probably an interesting place to start. There are a bunch of different ways that we can interact with code. You know, we can integrate with a whole bunch of source code management stuff and with CI/CD tools, and I'll show you the CLI and things like that in a minute.
B: But you know, this is probably the place that most people, you know, are going to interact with their source code, and you know, I've connected my Snyk to my GitHub repository, and so you know, it's going to read in all the repos that I have there and I can just click things and import them straight into my Snyk account.
B: If we look at the set of integrations that we can kind of work with, you know, GitLab, obviously, Bitbucket. You know, most of the container registries that are out there. Kubernetes, I'll talk about it in a second, loads of CI stuff, and then we'll also look at some of the IDE plugins, but once we've got our code in there, Snyk's going to start scanning that for a first scan and then it's going to scan it on an ongoing basis.
B: So if we take a look at one of these projects, Snyk has looked in that repository and found a bunch of stuff that's interesting to it. You know, we talked about the open source packages, so this is a Node application. It's deliberately vulnerable. It's got loads of vulnerabilities in it, in fact, and the way that Snyk works with most of the language support...
B: That is via the package manager, so it's going to look at what's been defined in that file. It might be requirements.txt for Python; in Node's case, it's the package.json, and it's found a whole bunch of issues of vulnerable dependencies that we're bringing into this application. But the important thing to think about when we think about dependencies is that we are declaring dependencies in our applications, but those dependencies have dependencies, right, and sometimes that dependency tree can be gigantic.
B: I mean, anybody who's ever done anything with Node, and I'm not a Node programmer, but like, you know, Node can end up bringing in just millions of packages, and what Snyk does is build the whole dependency tree.
B: So for everything that's been defined, it's going to go and look at what each of those packages that are being brought in there, and so looking at dependency vulnerabilities all the way down that tree, and you can see, you know, we found a whole bunch of various severity kind of vulnerabilities in those packages.
B: This is a fairly common one. This dustjs one, it's high severity, and we're gonna provide in-depth information about each of the vulnerabilities that have been found in that code base, and this isn't just based around, you know, one of the issues around vulnerabilities is always: how do I prioritize what I fix, right, because we can't fix everything, you know. No software has zero vulnerabilities unless it's like, you know, something that's very small, and you know, some things may not be appropriate for your environment or whatever. So what we build is a whole set of scoring that's based not just on the CVSS score, which is the standard for vulnerability scoring, but also on things like: is there a mature exploit for that particular thing?
B: And you know, the thing that's going to push it up to highest priority is: is there a fix? Because you know, in some ways it's a no-brainer to say, well, if there's something that I can get a fix out of just by upgrading a package, then I should fix it, right, because there's nothing that's stopping me from doing that.
B: So there's a whole bunch of filtering here, as you would expect. You know, you might want to filter out things where there are no fixes available. You know, sometimes people are interested in that, but you know, often it's like, well, there's no action that I can take from that, and you know, as I said earlier, what Snyk is really about is about action, for developers to be able to action things.
B: It's not, the key point of it is we want people to be able to fix things and not have to really dig down very deeply into what each of these things are doing.
B: So one of the other things that I can do from here is actually just raise PRs directly against this repo in GitHub, and I can do that on an automated basis, where I can just say, well, anything that is fixable, make a fix PR. In a lot of cases these fix PRs will just be, you know, upgrade the package version in the package management; sometimes we'll actually provide patches for a particular application.
B: If that's a serious issue that there isn't a fix PR for yet. And you can see, you know, if we look at what's changed here, we can see it's just bumped the version of that adm-zip to.
B: So that was a kind of, you know, very quick look at the open source packages thing, and that'll work in a very similar way whether we were looking at a Python repository or a Java repository or, you know, any of the languages that Snyk supports, but we'll have found a bunch of other stuff in this repository as well. Obviously, there's some Kubernetes manifests in here and we've also scanned...
B: Those Kubernetes manifests for obvious security issues, so here we're going to be looking at, you know: do we have resource limits set? Do we have the correct security context settings set? And just providing that information to the developer about what things they may want to change in that stuff.
B: And then there is a Dockerfile here, so we'll have tested the Dockerfile as well, and based on what was in the Dockerfile. This, I think, is based on Node 6. So it's got a very old Node version. It's got a lot of vulnerabilities in the base image, which I've got...
B: A feeling is based on Debian from what I remember, but what we do when we get provided with the Dockerfile is actually go and look in our database about what other base image recommendations may be.
B: May help to reduce the vulnerability count if you were to switch your base image from that base image with a very high vulnerability count. You know, most vulnerabilities in container images are in the base image that's been imported into that Dockerfile, so you know, by upgrading your base image, you know, you're likely to immediately solve a lot of problems.
B: You know, you need to fix things upstream that are coming to you downstream, and you sort of do have to at some point trust that upstream provider who you're using in your Dockerfile in that FROM statement. It's, you know, it's very easy to suddenly become the maintainer of your entire base image, which, you know, no one really wants in the container world, because that's just not a good use of your time.
B: You know, you're much better off saying I'm going to trust, whether that's a Debian image or a particular packaged image. You know, we could talk a lot more about the kind of slim, distroless, scratch, all that kind of stuff. But there probably isn't time today, but perhaps we can talk about that a bit later. And then the final thing that we've picked up in here is analyzing the homegrown code that was in here.
B: So this is code that didn't come from an open source package, and Snyk Code has actually analyzed what security issues there are within the code itself, and what's cool about Snyk Code is that it's basically like a machine learning framework, and it's super fast. So I don't know whether anybody's used a lot of these SAST tools in the past. You know, certainly when I was in development...
B: They took a very long time to run, especially if you run them over big code bases, and Snyk Code is now fast enough where you can use it in an IDE, and I'll show you in a second that actually running inside VS Code in a plugin. Just before we move on to the CLI stuff, we can just see, let's add a project for a container project from Docker Hub, just to show you how that part of it works.
B: So again, I've connected my Snyk account to my Docker Hub account, and now I can see all of the container images that I have in Docker Hub, and to import any of those is as simple as just clicking the button there, and they'll start being scanned on a regular basis in Snyk, and you see very similar things to what we saw when we looked at the Dockerfile.
B: Cool, yeah, yeah, right. So let's look at, so the one piece that I was just gonna touch on before we move on to looking at that in VS Code was, a container image imported from the container registry will still pick up all of the problems that are in the base image, but when it becomes really powerful is when you link that to the Dockerfile.
B: So we can, as you can see, this one's suggesting to me that I go into the settings and point to the Dockerfile in my git repo, so that it kind of connects the two things together, and that's when we start to be able to suggest alternative base images for you to use. Right, let's go, and I'm just keeping on time here.
B: Let's go and have a quick look at VS Code, and you can see some of this stuff running in the IDE, because really the first point of call for all of this stuff, where it's the easiest place to fix...
B: It is right at developer eyeballs, right, so IDEs and CLIs to give developers that insight and the ability to action security stuff right in your code before it's even checked in. It's really the most cost effective way of dealing with security vulnerabilities, because you're not having to fix things upstream in the pipeline.
B: So if we go and look at, let's look at this one.
B: So this is the code for that vulnerable Node application. I've actually got two Snyk plugins running here: one's called Vuln Cost and the other one's the Snyk Vulnerability Scanner, and if we just look at the packages to start with, this is the Vuln Cost plugin. You can see that it's picking out straight away, as soon as I, if I was to add this package.json, I need to include another package, it's going to scan that straight away.
B: So it's already telling me that there are, you know, in this particular package, there's one high and three medium vulnerabilities, and I can just click on quick fix here and that's going to tell me what I need to do to fix it, which is just to upgrade, to change that 1.0.0 to 3.1.6, and that's going to fix all of those vulnerabilities that are in that particular package.
B: I can find lots of information about what that particular problem is, and I've got the links to the actual vulnerability in Snyk's vulnerability database right in my IDE, so I don't need to move outside of anything.
B: It's just happening right there in my IDE, and then what's also happened here is, because I've got the Snyk Code plugin running here, my code's been scanned for programming issues and we can see there's a bunch of things that have appeared down here, which are showing me issues in my own code that need to be fixed, and what's cool about this is it's not just saying this is a problem of this particular type.
B: It's also actually showing me the problem flowed through that particular function. So you know, from unsanitized input in the HTTP request body, I'm able to go right through that function showing where it's flowing into find, and then, if I click on it over here, I not only get full kind of details about what's happened in that particular piece of code, but I also get these examples from other open source projects about how other people have fixed it.
B: So it really shows you straight away, like, you know, here's what the problem is and here's how to fix it. So you know, here I've got three open source projects that have been indexed as part of the Snyk Code back end, and it's gonna give me examples of fixing that exact kind of problem.
B: So that's the IDE stuff, which is all super cool, right where you need it in terms of developers, and let's take a quick look at the CLI as well.
C: Where are we? There's my terminal gone, too many windows, yeah? Let's get that one!
B: So I can do all of this stuff straight from the CLI as well.
B: So this is the repository, checked out the repository with the Kubernetes and Terraform in it, and I could just do snyk iac test, and that's going to test all of the files it finds in that repository that are either Terraform, Kubernetes, whatever, and it's going to report to me all of those things that we saw in the UI about, you know, what's wrong with those particular Kubernetes configurations from a security perspective.
B: Into that Node application again, I can do snyk test, which is going to test those open source package dependencies, and you can see all that same information. It's obviously not quite as nicely formatted as it is in the UI. But what's nice is you can use the snyk wizard, which will kind of do the same. There's the same idea as behind the automated fix PRs, in that it makes it super easy to fix it.
B: So the snyk wizard's going to make those suggestions to you about which files should be updated and to which package versions, and from the CLI you can also do snyk monitor, which is actually going to add that project into your Snyk organization and then monitor it on a regular basis. So once a project is actually imported into Snyk, it's not only tested on...
B: First import, it's tested every configurable time period, so you're picking up changes there all of the time, and I think we can also do snyk code test here, which is going to do the Snyk Code magic and it's going to find those issues in our homegrown code, and then the snyk container CLI: I can test things directly from my Docker Hub or I can test things that are running in my local Docker.
B: So we do something like snyk container test, which is going to go off and go to Docker Hub and look at that image in my Docker repository.
B: It's going to take a little minute to run that one, but you can also do all the container scanning stuff directly in the Docker CLI, so there's new docker scan commands that are directly in Docker, and that's basically using Snyk on the back end. So you can do, you know, all the security scanning stuff without leaving the Docker CLI.
A: Thanks for the details. I was wondering, so like checking a Docker container, checking the container files before they actually being deployed. If I have, like, a current deployment of a Kubernetes cluster, how would I be using Snyk if I don't have access to anything before that, so I'm, like, maybe taking over.
B: What would that look like? So the Kubernetes plug-in for Snyk is, it sits inside the Kubernetes cluster, and what it's doing is going to scan any new container images that are being spawned in your cluster and...
B: I haven't got a Kubernetes cluster with it running in at the minute, but you could just tick which container images you want to scan that are running in your cluster, and then it will also automatically pick up new images that are being deployed.
B: I mean, typically for a workflow like that, I guess the best pattern would be that when you're developing your container image, you're scanning it at that point before you've deployed it, for a start. So you know, I mean, if I'm building a Docker image, you know, whether I use docker scan or whether I use Snyk when it's in my local Docker before I've put it anywhere...
B: You know, scanning it there is the kind of recommended best way. But you know, almost everybody now has the option to do container image scanning in your registry as well, right, and I mean, you know, whether that's Snyk or not, you know, the best practice for everybody really would be also to turn on whatever image scanning your registry of choice has, turn it on, right.
A: It's like I'm looking from the monitoring inventory side, like if you cannot migrate everything to the best, like, DevSecOps lifecycle, but you want to introduce Snyk in your current system and you have some whatever CI/CD tooling and you don't really have control over it. But if you get inventory, like, of the Kubernetes cluster, or maybe like a different cluster system, and then you have, like, the possibility to say, hey, I want to scan this and this and this, I think this is great.
A: That's great. I'm a little overwhelmed, to be honest, but is there feedback from the others in the session? Please, questions, thoughts, or are you trying it out now directly?
D: I have a question, so I'm really curious about how the priority score is calculated. So.
B: Yes, yeah, let's just go back to that, and we can just make sure everybody knows what we're talking about. So we're talking about, like, if I was to go here, right, so.
B: Yeah, so every CVE will have a standard CVSS score, right, and CVSS is a standard scoring mechanism for how serious the vulnerability is. It's based on a whole range of different things. Can we actually look at one here? Yeah. So it's kind of built up out of all of these different things from the calculator, like, you know, how complex an attack would need to be. You know, what the vectors are, etcetera, etcetera.
B: So you know, I mean, a physical attack vector is probably less serious, for example, than a network attack vector, because it's less likely that somebody's going to have physical access to the machine, but they're sort of built up out of all of these different things. But what the Snyk database does is enrich that, particularly with this stuff about: is there a mature exploit available for it, and is there a fix available? Because you know, again, with this world view that we're really about empowering developers to fix things.
B: We want to be able to have things that are actionable, so having a fix available really makes, you know, it should push something right to the top of your priority list, because it's easy to fix. You know, so, and that becomes a fairly key part of the scoring for how they're prioritized in the Snyk UI.
E: I have two questions. One would be regarding the Terraform feature which, if I understand it correctly, is still in beta. I tested it out on the Snyk dashboard, where you have some kind of, like, integrate your GitHub repository, you have some kind of Terraform code, then you receive some kind of information, like in my case I had one regarding having a SQL database with public IP, which is, like, understandable.
E: Like, is it a similar scope of checks that it provides, or will be doing, like, what exactly is the command line checking for the Terraform?
B: Yeah, so the rule sets are, the rule sets are identical. You're going to get exactly the same results back from the CLI as you will from the GitHub repository.
B: That's okay when you're connected to the git repository, but sending them all from the CLI could take forever, so that's one of the things that's become a lot faster recently, but they use exactly the same rule set, so it all uses Rego in the back end, that comes from Open Policy Agent. So it's a kind of rules-based language. The rule sets are massively growing at the minute.
B: I have to admit I'm not completely up to speed with all of the things that it's detecting. I know we had several hundred every month at the minute. I know one of the other things...
B: That's really exciting for me that I haven't tried out yet is that we have just done where we scan the plan output and not the static files, because in practice, obviously, a lot of people are going to be doing things like interpolated variables and things at instantiation time, and so that makes IaC scanning quite tricky in a sense, right, because if you haven't got variables in there, how do you ever know whether it's insecure or not?
B: So you can only do that once the whole Terraform plan has been built, and I know that IaC does support or is about to support that. I think it's in beta, that feature, but again, things are moving so quickly on the IaC front, I slightly lose track.
E: Is there a way to, like, mute the output? Like on your example, you had, like, a lot of highlighting for your code that there's something false or alarming, and a lot of...
B: Noise, yeah. The problem is, I have to admit, like, I am not, I would not describe myself as a programmer, I'm a systems architect, so, and B, I am old, and so I'm not used to using VS Code. You know, my normal programming environment is vi, so I am sure there are lots of configuration options and I can certainly find out for you if that's something that's of interest, so ping me afterwards and I can find out, but yeah.
B: I know we're working quite heavily on the VS Code plugins at the minute, particularly the Snyk Code and the Snyk OSS stuff, but the Snyk Code stuff's super cool for me because it's so fast compared to what SAST scanning, you know, that kind of scanning used to be, where you'd run that stuff overnight because, like, it took so long, and it would throw up loads of false positives and things, whereas it's fast enough to work in real time.
B: So it's pretty cool, and I really like all the, where it will show you those examples from other open source projects who fixed the exact same problem that it's just found in your code.
D: So, as an example, I have a simple application, and for compliance reasons my security officer comes to me and says: okay, I have now developed the application and you need also to provide all the chrome licenses that you're currently using, or probably also stopping me so that I'm not allowed to use some of the licenses.
B: Yeah, I should have mentioned that as well, that one of the key features of the Snyk stuff is about license compliance, so for every single one of those open source packages that's being picked up in the scans, you also get all of the licenses, and it's configurable, which, you know, you can say, well, I don't want, you know, X license to be allowed, but all of these ones that are permissive are all fine, and yeah.
B: One of the other things that I did want to show you, which I guess falls into that space around compliance and things, is that there's been a lot of talk recently about this supply chain security stuff, right, typosquatting and all these things where, you know, stuff's getting into open source projects.
B
So people are releasing things that have names that are similar to other things, to poison the package repository, and so we built this thing called Advisor, which we've just kind of been bringing out. This is an entirely free kind of tool, and what Advisor allows you to do at the minute, across three ecosystems, is to search for packages. You can kind of think of it like booking.com for open source packages, right? So say.
B
If I want, like, you know, if I... let's go to Python, and, you know, if I do, like, requests. So Advisor combines the security information for that particular package with the community data for, like, how healthy that ecosystem is, to form this overall score for why you might want to choose this particular package. So, you know, it's going to show you: how many times has this thing been downloaded?
B
How often is it committed to? How big is the contribution community around it? Does it have contributing documentation, a code of conduct, and are there, you know, big security issues in that project? And so it really gives you this thing that's never really existed before, which is a way of being able to decide whether you should use X package or Y package without actually just going and, you know, randomly looking at source code. So we're going to build lots more ecosystems into Advisor.
B
So it kind of gives you this window of: how do I choose which open source package to use? And that's a hard problem for a lot of people, right? I mean, I've been around open source software for, you know, 25-plus years, and, you know, how do you ever find out what the best things are to use? Really only from being around things for a long time. But the more and more people start using open source software, the kind of harder those choices are, like: what should I use?
B
You know, for doing HTTP in Python. I mean, this is a fairly obvious one, because I think requests is pretty much the standard there, but in other ecosystems, particularly, like, in Node and in Java, there can be lots and lots of packages that do basically the same thing. So how do you decide which one to use, right? What fact...
B
What factors should you use? And, you know, it's quite surprising, often, that people don't perhaps understand that the community health of that project is equally as important as what it does, because, you know, what's going to happen in a year's time when you've based your application on this thing that had one person developing it who's now disappeared, or infected your code with some remote backdoor? So yeah, so Advisor is really cool. I'm trying to talk a bit more about that at conferences and things, so.
B
So I know they are on the roadmap. So Go support in Snyk generally is... yeah, I think we do support Go now. Go's obviously a little bit more difficult because it's a compiled language, so, you know, Go and C and things like that are much more complex for any vulnerability dependency thing, right, because you don't have, like, a package.json or anything.
B
So, you know, we have to get into, like, sort of reading the headers from the Go binaries and stuff to work out what modules have been included.
B
I know the development team did a lot of quite cool work about sort of disassembling the Go binary to find out which modules had been in it, but we definitely support Go from the source code management side, you know, where, obviously, you've got your modules defined and stuff. At that stage, I think Rust is super cool.
B
But, like, it's one of those things: when you said, the development team are, like, going 100 miles an hour, because we've got so many ecosystems that we want to cover, and, like, it tends to be the ones that are sort of less interesting but have more developers in them that end up first in the queue. So it's, like, .NET and PHP, which is, like, really, there's still people writing stuff with PHP? But there's millions of people writing stuff in PHP.
A
You go, who knew. I was wondering if... so, I have the Advisor website open now and I really love what you're doing, because I think this solves, like, a decade of problems of mine, like finding the right package, and maybe the license is not compatible with our security issues.
A
Yeah, the thing is, oftentimes maybe I have an idea and I'm, like, a user on the CLI, as you mentioned, or maybe I'm using the IDE, I'm looking for building integrations, and sometimes I'm saying: okay, this could be something as a suggestion, like what to use.
A
I want to build it myself, so potentially we want to build something in GitLab and integrate with Snyk. This could be a potential idea, but also, like, you're running CI/CD and you're using curl or whatever, like a Python implementation, to query something. I want to automate things, and I was just talking to Kenny Johnston in our Slack, and I said: manual work is a bug for me.
A
I'm automating everything, so I want to have, like, a consumable REST API, and really REST and not, like, SOAP or whatever, so that I can, like, check and throw something at it. And I think it doesn't need to be super complex and super over-engineered. It should just be like: I want to search for something and I get a JSON result which I can parse, which could be the first, the minimum viable change, or the first iteration of it.
A
That's a great idea, so not pushing hard on that. It's just, like, if you have it upfront and add a REST API to it, and maybe some examples of how to interact using curl or maybe Python, whatever you're confident in, and ask not only me, but also other developers or other users who, like, regularly need to evaluate which package to use, because I've...
A
In my experience, you're sitting in front of the screen and then you're, like, checking this PHP package or this, like, C++ project or something else, and, like, should I be using that? Okay, the license works. I have no idea about the security, because there is my history about this, and, if, like, having that puts out a huge effort, and I could also imagine that it helps your thought leadership and messaging in a way of saying: hey, we're doing something good for open source.
B
Yeah, no, I like it, I like it. Our whole focus, you know, over the next year or so is APIs around all of our services. You know, I think where we see ourselves going is moving towards being a cloud native security platform, you know, where we do start to have all these things in that. So I definitely think that would be an interesting thing for Advisor.
A
Yeah, and if it makes sense to just connect us and we have a coffee chat and, yeah, do it, then do it in a separate session.
A
I'm not sure if it's already there, but we should, like, kick off alliances and partnerships, probably, yeah. What else can we try? I'm sort of thinking of, like, what GitLab security scanning uses. Is there something like secrets detection in there as well? I would guess so, right?
B
Yeah, so in the IaC scanning there is, obviously, secrets inside things like Terraform and Kubernetes YAML and that kind of stuff. I mean, secrets detection in general is quite a hard thing to do, you know, because you've got so many potential patterns that things could be, whether it is a secret or not, right, unless it's in a setting that defines itself as a secret. But yeah, we're doing a lot of work around that at the minute.
A
So this might be a question you might not be able to answer, but are you using any open source cameras in your product, or how is the engine being built? Like, because I think for secret scanning we're using... I have no idea, I need to look it up myself. It's an open source scan engine which has certain patterns predefined, so yeah.
A
Okay, but yet I don't know where you're coming from, like, detecting an AWS key is probably easy, but detecting specific credentials which could look like...
A
Yeah, you need to learn from mistakes, so you need to learn and adopt and have something which is, like, shared amongst everyone. So yeah, interesting. Since you mentioned, like, machine learning for the suggestions.
A
How is this built, or what is the... how huge is the backend being designed?
B
So it is... so, this Snyk Code is based on a technology from a company we acquired called DeepCode, and DeepCode have a very large back-end database of open source code from...
A
Okay, yeah. This was basically my question because, when it comes to machine learning and other things, I'm, like, learning myself, and GitLab acquired UnReview for machine learning and code suggestions, and I believe this goes into, like, the same direction, with having data available and training the models and doing more stuff in that direction. To make...
B
We just acquired a company called FossID. Have you come across those before? They look for snippets of open source code that might have been included accidentally in your own application, i.e. someone's copied and pasted stuff from another project. And that's a similar kind of problem space, you know: very large databases and, you know, fast pattern matching across huge amounts of back end.
A
And this kind of reminds me of my studies, where they didn't have any robots to check whether we copy-pasted the source code from a colleague or not to pass the exam. But yeah, I know it's a huge problem if you copy it just from GitHub or from GitLab or from anywhere else, and there is no license and no copyright assigned: am I legally allowed to add it to my code base? No, I'm not. But how to detect that. So if...
A
...else, so you need to reach out to the author and ask if they can add a permissive license, and sometimes this works. So I remember, like, having a shell script, for... I think it was for notification, something in Bash, and I'm not really keen on Bash programming, but there was no license on that code snippet, and if you can reach the author and make it happen, it's good. But on the other side, detecting that and keeping companies' code safe from any legal actions.
A
Potentially, I think, is one of the things. The other one is, like, checking if the licenses are compatible, so, like, license scanning in a sense of: is there any hpl inside, because it's not compatible with GPL or Apache? And this is currently potentially a problem with many projects shifting away from Apache and installing something which is, yeah, I don't know, more safe, but yet generally a little bit less permissive than... And this puts companies and environments at risk, and preventing that is a good idea.
E
I think GitLab is not supported. It's like stigma or at the moment.
B
No, it is supported. I've never actually used it, so... but not on the free tier could be right, possibly not in the free tier.
B
So Snyk has a whole free tier, so the only... there are some features that are paid tiers only, but on the free tier, almost all of the things that we looked at in demos today are available. The only limit is around the number of scans you can do within a time period. In general, that is normally how things... our whole kind of go-to-market is really about that freemium.
A
Okay, yeah. I need to check it out. I have, like, an old webcast repository where I was doing a CI security webcast, and this holds some vulnerable code. I'm just not so super fast with clicking around in the Snyk interface.
A
So we extended the session a little bit. I was, like, missing time. Thanks for the great session and the great insights. I will share a blog post with all the insights later on, and, yeah, other than that, I would encourage everyone to try out Snyk and all the integrations into CI/CD, Docker, Kubernetes and stuff, and say bye-bye on YouTube.