►
Description
Blog: https://everyonecancontribute.com/post/2021-06-09-cafe-33-cloud-native-security-snyk/
Website: https://snyk.io/
Twitter thread: https://twitter.com/dnsmichi/status/1401945459510415367
A
And
we
are
back
this
week
for
our
number
33
of
the
everyone
can
contribute
cafe
and
today
it
is
my
pleasure
to
welcome
matt
from
sneak.
So
we
are
talking
about
security.
We
are
talking
about
cloud
native.
We
are
talking
about
kubernetes
all
the
magic
things
which
we've
learned
in
the
past
few
weeks
and
I'm
honest.
I
know
about
sneak
a
little,
but
I
haven't
tried
it
myself
and
I'm
totally
looking
forward
into
like
turning
the
conversation
seeing
a
little
bit
of
an
introduction,
what
it
can
do,
how
it
integrates
and
so
on.
B
Thank
you
for
that.
Intro,
michael,
I'm,
not
sure
it'd
be
magic,
but
we'll
see
so
I
guess
I'm
trying
to
avoid
as
most
of
us
in
developer
advocacy
do
we
spend
our
lives,
giving
slide
decks
and
I'd
much
rather
kind
of
have
a
have
a
conversation
about
this
stuff
than
bombard
folks
or
slides.
But
I
guess
the
starting
point
for
me
really
is
is
like
you
know
why.
B
Why
is
security
different
in
the
cloud
native
world
right
and
and-
and
I
think
this
it
explains
in
a
sense
why
we
need
a
new
focus
on
how
we
do
security.
You
know
I
I've
got
plenty
of
gray
hair.
You
know
I've
been
around
the
computing
industry
for
a
pretty
long
time,
and
you
know
when
I
started
it
was
all
actual
hardware
right
and
and
big
machines
and
and
all
the
rest
of
it-
and
you
know
you
kind
of
didn't
change
much.
B
You
know
that
was
the
aim
of
of
of
corporate
I.t
type
environments
was
never
change
anything
unless
you
absolutely
have
to-
and
you
know
we're
in
a
very
different
space
now
where
we
want
to
change
all
the
time
and
when
we
combine
that
idea.
This
change
all
the
time
like
continuous
delivery,
continuous
integration
and
we
combine
that
with
what
are
developers
responsible
for
now,
as
opposed
to
let's
say
10
years
ago.
B
C
B
You
folks,
hopefully
you're
seeing
that
that
slide
there
right.
So
you
know
for
those
of
us
who've
been
around
for
a
long
time
and
I'm
I'm
sure
this
will
be.
This
will
be
familiar
to
to
quite
a
few
people
on
this
call.
You
know
the
the
the
piece
of
developers
were
responsible
for
was
really
just
this
tiny
bit
at
the
top
and
the
rest
of
the
rest
of
it.
You
know
virtual
machines,
all
the
hardware,
the
networking
you
know,
all
of
that
stuff
was
kind
of
in
somebody
else's
domain.
B
You
know
you
had
specialist
teams
who
just
did
that
and
you
know
so.
The
implementation
of
security
in
that
world
was
like
well
for
a
start,
we
don't
change
very
often,
and
secondly,
that
means
that
we're
just
going
to
do
security
right
at
the
end.
So
you
know
our
our
developer
develops
it.
They
ask
for
a
storage
loan
from
the
storage
guy.
B
They
ask
for,
like
a
network
connection,
they
ask
for
a
virtual
machine
and
this
whole
process
takes
months
and
and
so
right
at
the
end,
you
know
the
security
team
are
like
right
now
we're
going
to
check
it.
All
and
you
know
it's
kind
of
worked
okay,
but
you
know
this
world
that
we've
that
we've
moved
into
now
is
that
our
infrastructure
and
our
workload,
our
application-
are
almost
completely
tied
together
right.
B
So
if
we,
if
we
we
consider
how
much
of
our
production
workloads
now
are
are
deployed
in
containers,
you
know
we
just
did
a
a
survey
at
sneak
over
the
last
three
four
months
and
you
know
even
in
big
enterprises.
Now
you
know
people
were
talking
about
having
50
60
of
their
production
workloads
in
containers,
and
you
know
how
do
you
separate
out
the
application
from
the
container
right
from
the
container
image
and
lots
of
times?
B
It's
not
just
the
container
image,
it's
the
kubernetes
configuration
that
makes
that
all
work
and
in
lots
of
organizations
this
might
be
the
same
team
developing
this
stuff.
So
now,
we've
gone
from
this
place
where
we
had
the
developers
just
responsible
for
this
small
bit
at
the
top
to
the
developers
now
responsible
for
almost
all
of
the
stack-
and
you
know
that's
a
a
a
much
bigger
kind
of
responsibility
space
for
developers
to
have
to
think
about.
You
know
they're
on
one.
On
the
one
hand,
we've
got
this
big
pressure
to
deliver.
B
B
You
know
security
issues
because
now
that's
all
under
their
purview.
You
know
they've
got
the
the
the
container
image,
they've
got
their
own
application
code
and
and
the
application
itself
has,
you
know,
perhaps
pulling
in
third
party
open
source
dependencies,
and
you
know
these
responsibilities
have
all
kind
of
ended
up
up
with
with
developers
and
that
that's.
B
B
That
what
kind
of
now
needs
to
happen
is
that
you
merge
that
security
into
that
development
workflow
as
well
and
there's
lots
of
you
know,
there's
lots
of
terminology
around
this
people
talk
about
shifting
left
right,
which
is
basically
like
you
know
where.
Where
do
we
need
to
think
about
security
in
our
in
our
development
workflow?
And
then
you
know,
the
the
our
belief
at
snake
is
that
we
really
need
to
build
that
in
all
the
way
through
the
pipeline.
B
C
C
B
The
there's
there's
no
way
that
our
developers
are
gonna
become
security
experts.
So
if
you
present
developers
would
like
a
huge
list
of
cbes,
you
know
that
people
are
just
going
to
sit
there
and
go
well.
What
am
I
supposed
to
do
with
this
right?
So
it's
got
to
be
about
about
presenting
the
information
in
the
right
way
that
developers
can
consume
it
and
also
providing
them
actionable
ways
of
of
moving
forward
and
and
dealing
with
those
issues
and
at
snake
we
kind
of
focus
on
on.
I
guess
four.
B
Four
key
areas
used
to
be
b3,
but
but
now,
for
you
know,
the
the
the
first
area
is
open
source
packages.
Right
I
mean
you
know
you
look
at
the
patterns
of
of
of
how
applications
are
developed.
Now
you
know
your
typical
application
has
a
really
small
amount
of
home
run
code
and
then
a
ton
of
open
source
packages
in
it,
and
you
know
that
might
be
node.
It
could
be
go.
B
It
could
be
python,
it
could
be
whatever
right,
but
that's
how
we
write
applications
these
days
and
so
you've
got
this
big
chunk
of
code.
That's
this
kind
of
outside
of
your
responsibility.
You
know
you're
not
maintaining
it.
How
are
you
supposed
to
know
what
version
to
use
whether
it's
got
vulnerabilities
in
it?
So
that's
the
the
first
thing.
The
second
thing
is
around
container
images
and
looking
at
vulnerabilities
in
in
container
images
and
then
the
the
two
kind
of
most
recent
ones
are:
our
infrastructure
is
code
and
and
by
infrastructures
code.
B
We
include
kubernetes,
we
include
terraform,
you
know
all
those
kind
of
that
that
that
stuff
that
creates
our
things,
helm,
charts
and
and
all
that
stuff
and
then
we've
we've
just
launched
a
static
application
security
testing
feature
as
well
called
sneak
code,
which
is
about
testing
your
homegrown
code
for
actual
coding
mistakes.
You
know
whether
that
might
be
you
know,
unsanitized
inputs
or
whatever
that's
gonna
pick,
those
things
out.
So,
let's
let
me
just
show
you
what
that
what
that
looks
like
so.
B
This
kind
of
first
page
really
just
gives
me
an
overview
of
all
the
things
that
are
going
on
across
all
the
projects
that
I've
imported
into
my
into
my
sneak
account,
and
if
we
go
to
projects,
it's
probably
an
interesting
place
to
start,
there
are
a
bunch
of
different
ways
that
we
can
interact
with
with
with
code.
You
know
we
can
integrate
with
a
whole
bunch
of
source
code
management,
stuff
and
and
with
cicd
tools
and
I'll
show
you
the
cli
and
things
like
that
in
a
minute.
B
But
you
know
this
is
this
is
probably
the
the
place
that
most
people
you
know
are
going
to
interact
with
with
their
source
code,
and
you
know
we've
got.
I
I've
connected
my
sneak
to
my
github
repository,
and
so
you
know
it's
going
to
read
in
all
the
repos
that
I
have
there
and
I
can
just
click
things
and
import
them
straight
in
into
my
into
my
sneak
account.
B
If
we
look
at
the
the
set
of
integrations
that
we
can
kind
of
work
with,
you
know,
git
lab,
obviously
bitbucket.
You
know
most
of
the
container
registries
that
are
out
there.
Kubernetes
I'll
talk
about
it
in
a
second
loads
of
ci
stuff
and
then
we'll
also
look
at
some
of
the
ide
plugins,
but
once
we've
got
our
code
in
there
sneak's
going
to
start
scanning
that
for
a
first
scan
and
then
it's
going
to
scan
it
on
an
ongoing
basis.
B
So
if
we
take
a
look
at
one
of
these
projects,
snake
has
looked
in
that
repository
and
found
a
a
bunch
of
of
stuff.
That's
interesting
to
it.
You
know
we
talked
about
the
open
source
packages,
so
this
is
a.
This
is
a
node
application.
It's
deliberately
vulnerable.
It's
got
loads
of
vulnerabilities
in
it,
in
fact,
and
the
way
that
snake
works
with
most
of
the
language
support.
B
That
is
via
the
package
manager,
so
it's
going
to
look
at
what's
been
defined
in
that
in
that
file
it
might
be
requirements.txt
for
python
in
in
node's
case,
it's
it's
the
package.json
and
it's
found
a
whole
bunch
of
of
issues
of
vulnerable
dependencies
that
we're
bringing
into
to
this
application.
But
the
important
thing
to
to
to
think
about
when
we
think
about
dependencies
is
that
the
we
are
declaring
dependencies
in
our
applications,
but
those
dependencies
have
dependencies
right
and
sometimes
that
dependency
tree
can
be
gigantic.
B
This
is
a
fairly
common
one.
This
does
js
one
it's
high
severity
and
we're
gonna
provide
in-depth
information
about
about
each
of
the
the
vulnerabilities
that
have
been
found
in
that
code
in
that
code
base,
and
this
isn't
just
based
around
you
know,
one
of
the
issues
around
around
vulnerabilities
is
always.
How
do
I
prioritize
what
I
fix
right,
because
we
can't
fix
everything
you
know.
No.
B
Software
has
zero
vulnerabilities
unless
it's
like
you
know
something,
that's
that's
that's
very
small
and,
and
you
know
some
things
may
may
not
be
be
appropriate
for
your
environment
or
whatever.
So
what
we
build
is
a
whole
set
of
scoring
that's
based,
not
just
on
the
cvss
score,
which
is
the
the
the
the
standard
for
vulnerability
scoring,
but
it's
also
on
things
like.
Is
there
a
mature
exploit
for
that
particular
thing?
B
And
you
know
the
the
the
thing
that's
going
to
push
it
up
to
highest
priority
is:
is
there
a
fix
because
you
know
in
in
some
ways
it's
a
no-brainer
to
say?
Well,
if
there's
something
that
I
can
get
a
fix
out
of
just
by
upgrading
a
package,
then
I
I
should
fix
it
right
because
there's
nothing.
That's
stopping
me
from
doing
that.
B
So
there's
a
whole
bunch
of
of
filtering
here,
as
you
would
expect.
You
know
you
might
want
to
filter
out
things
where
there
are
no
fixes
available.
You
know.
Sometimes
people
are
interested
in
that,
but
you
know
often
it's
like
well
there's
no
action
that
I
can
take
from
that,
and
you
know,
as
I
said
earlier,
what
what
sneak
is
really
about
is
about
action
for
developers
to
be
able
to
to
action
things.
B
So
one
of
the
other
things
that
I
can
do
from
here
is
actually
just
raise
prs
directly
against
this,
this
this
repo
in
github-
and
I
can
do
that
automate
it
on
an
automated
basis,
where
I
can
just
say
well
any
fixed
pr
anything
that
is
fixable
make
a
fixed
pr
in
a
lot
of
cases.
These
fixed
pr's
will
just
be
a
you
know,
upgrade
upgrade
the
the
package
version
in
the
in
the
package
management,
sometimes
we'll
actually
patch
provide
patches
for
a
particular
application.
B
B
So
that
was
the
that's
a
kind
of
you
know
the
very
quick
look
at
the
the
open
source
packages
thing
and
that'll
work
in
a
very
similar
way,
whether
we
were
looking
at
python
repository
or
a
java
repository
or
you
know
any
of
the
languages
that
sneak
supports,
but
we'll
have
found
a
bunch
of
other
stuff
in
this.
In
this
repository
as
well.
Obviously,
there's
some
there's
some
there's
some
kubernetes
manifests
in
here
and
we've
also
been
scanned.
B
Those
kubernetes
manifests
for
obvious
security
issues,
so
here
we're
going
to
be
looking
at
you
know:
do
we
have
resource
limits
set?
Do
we
have
the
correct
security
context
settings
set
and
just
providing
that
information
to
the
developer
about
what
things
they
may
want
to
to
change
in
in
that
stuff?.
B
B
May
help
to
reduce
the
vulnerability
count
if
you
were
to
switch
your
base
image
from
that
base
image
with
a
very
high
vulnerability
count.
You
know,
most
of
most
vulnerabilities
in
in
container
images
are
in
the
base
image.
That's
been
imported
into
that
docker
file,
so
you
know
by
upgrading
your
base
image.
You
know
you're
likely
to
to
immediately
solve
a
lot
of
problems.
B
You
know
you're
much
better
off,
saying
I'm
going
to
trust
whether
that's,
whether
that's
a
debian
image
or
a
particular
packaged
image.
You
know
we
could
talk
a
lot
more
about
the
the
the
kind
of
slim
distributor
scratch
all
that
kind
of
stuff.
But
there
probably
isn't
isn't
time
today,
but
perhaps
we
can
talk
about
that
a
bit
later
and
then
the
the
final
thing
that
we've
picked
up
in
here
is
our
is
analyzing
the
the
the
homegrown
code
that
was
in
here.
B
So
this
is
code
that
wasn't
they
didn't
come
from
an
open
source
package
and
the
sneak
code
has
actually
analyzed
what
what
security
issues
there
are
within
the
code
itself
and
what's
cool
about
sneak
code?
Is
that
like
it's
basically
like
a
machine
learning
framework?
And
it's
super
fast?
So
it's
now,
I
don't
know
whether
anybody's
used
a
lot
of
these
sas
tools
in
the
past.
You
know,
certainly
when
I
was
in
development.
B
They
took
a
very
long
time
to
run,
especially
if
you
run
them
over
big
code
bases
and
snake
code
is
now
fast
enough,
where
you
can
use
it
in
an
ide
and
I'll
show.
You
in
a
second
that
actually
running
in
in
inside
vs
code
in
a
plugin
just
before
we
before
we
move
on
to
the
cli
stuff.
We
can
just
see,
let's
add
a
project
for
a
container
project
from
docker
hub,
just
to
show
you
how
that
that
part
of
it
works.
B
D
C
A
B
Cool
yeah
yeah
right.
So
so,
let's
look
at
so
what
we're
just
the
the
one
piece
that
I
was
just
gonna
touch
on
before
we
move
on
to
looking
at
that
in
vs
code
was
a
container
image
imported
from
the
container
registry
will
still
pick
up
all
of
the
the
problems
that
are
in
the
base
image,
but
when
it
becomes
really
powerful
is
when
you
link
that
to
the
dockerfile.
B
So
this
is
the
code
for
that
vulnerable,
node
application.
I've
actually
got
two
sneak
plugins
running
here:
one's
called
vol
cost
and
the
other
one's
the
snake,
vulnerability
scanner,
and
if
we
just
look
at
the
the
packages
to
start
with,
this
is
the
the
von
kost
plugin.
You
can
see
that
it's
that
it's
picking
out
straight
away
as
soon
as
I
as
soon
as
I,
if
I
was
to
add
this
package.json,
I
need
to
include
another
package.
It's
going
to
scan
that
straight
away.
B
So
it's
already
telling
me
that
there
are.
You
know
in
this
particular
in
this
particular
package.
There's
three
one
high
and
three
medium
vulnerabilities,
and
I
can
just
click
on
on
quick
fix
here
and
that's
going
to
tell
me
what
I
need
to
do
to
fix.
It
is
just
to
upgrade
to
change
that
1.0.0
to
3.1.6
and
that's
going
to
fix
all
of
those
vulnerabilities
that
are
in
that
particular
package.
B
B
B
It's
just
happening
right
there
in
my
ide
and
then
what's
also
happened
here
is
because
I've
got
the
the
the
sneak
code
plugin
running
here
is
that
my
my
code's
been
scanned
for
programming
issues
and
we
can
see
there's
a
bunch
of
things
that
have
appeared
down
here,
which
are
showing
me
issues
in
my
own
code
that
need
to
be
fixed
and
what's
cool
about.
This
is
not
just
saying
this
is
a
particular
a
problem
of
this
particular
type.
B
It's
also
actually
showing
me
the
problem
flowed
through
that
particular
function.
So
you
know
from
unsanitized
input
in
the
in
the
http
request
body,
I'm
able
to
go
right
through
that
function
showing
where
it's
flowing
into
find
and
then,
if
I
click
on
it
over
here,
I
not
only
get
full
kind
of
details
about
what's
happened
in
that
particular
piece
of
code,
but
I
also
get
these
examples
from
other
open
source
projects
about
how
other
people
have
fixed
it.
B
So
it
really
shows
you
straight
away,
like
you
know,
here's
how
here's,
what
the
the
problem
is
and
here's
how
to
fix
it.
So
you
know
here:
I've
got
I've,
got
three
open
source
projects
that
that
have
been
indexed
as
part
of
the
the
sneak
code
back
end
and
it's
gonna
give
me
examples
of
exactly
fixing
that
exact
kind
of
kind
of
a
problem.
C
B
C
B
Into
that
node
application
again,
I
can
do
sneak
test
which
is
going
to
test
those
those
open
source
package
dependencies,
and
you
can
see
all
that
same
information.
It's
obviously
not
quite
as
nicely
formatted
as
it
is
in
the
in
the
ui.
But
what's
nice
is
you
can
use
the
sneak
wizard,
which
will
kind
of
do
the
same?
There's
the
same
idea
as
as
behind
the
automated
fixed
pr's,
in
that
it
makes
it
super
easy
to
fix
it.
B
So
the
sneak
wizard's
going
to
do
make
those
suggestions
to
you
about
which
files
should
be
updated
and
to
which
package
versions
and
from
the
cli.
You
can
also
do
sneak
monitor,
which
is
actually
going
to
add
that
project
into
the
into
your
sneak
organization
and
then
monitor
it
on
a
regular
basis.
So,
once
once
a
project
is
actually
imported
into
sneak,
it's
not
only
tested
on.
B
First,
import
is
tested
every
configurable
time
period,
so
you're
picking
up
changes
there
all
of
the
time,
and
I
think
we
can
also
do
sneak
code
test
here,
which
is
going
to
do
the
the
sneak
code
magic
and
it's
going
to
find
those
those
issues
in
in
our
homegrown
code
and
then
the
the
sneak
container
cli.
I
can
test
things
directly
from
from
my
docker
hub
or
I
can
test
things
that
are
running
in
my
local
docker.
B
It's
going
to
take
a
little
minute
to
run
that
one,
but
what
what's
you
can
also
do
all
the
container
scanning
stuff
directly
in
the
docker
cli,
so
there's
new
docker
scan
commands
that
are
in
directly
in
docker
and
that's
basically
using
sneak
on
the
back
end.
So
you
can
you
can
do
you
know
all
that
all
the
security
scanning
stuff
without
leaving
the
the
the
docker
cli?
B
C
A
Thanks
for
the
details,
I
was
wondering
so
like
checking,
checking
a
docker
container
checking
the
container
files
before
they
actually
being
deployed.
If,
if
I
have
like
a
a
current
deployment
of
a
kubernetes
cluster,
how
would
I
be
using
sneak
if
I
don't
have
access
to
anything
before
that,
so
I'm
like
maybe
taking
over.
B
B
C
B
B
You
know
scanning
it
there
is,
is
the
the
kind
of
recommended
best
way?
But
you
know
almost
everybody
now
has
the
option
to
do
container
image
scanning
in
your
registry
as
well.
Right-
and
I
mean
you
know
whether
that's
sneak
or
not,
you
know
the
the
best
practice
for
everybody
really
would
be
also
to
turn
on
whatever
image
scanning
your
container,
your
your
registry
of
choice
has
turn
it
on
right.
A
It's
like
I'm,
looking
from
the
monitoring
inventory
side
like
if
you
cannot
migrate,
everything
to
the
best
like
death,
cyclops
lifecycle,
but
you
want
to
introduce
sneak
in
your
current
system
and
you
have
some
whatever
ci
cd
tooling
and
you
don't
have
really
have
control
over
it.
But
if
you
get
inventory
like
of
the
kubernetes
cluster
or
maybe
like
a
different
cluster
system,
and
then
you
have
like
the
possibility
to
say
hey,
I
want
to
scan
this
and
this
and
this
I
think
this
is
a
greater.
A
B
B
Yeah,
so
every
every
cve
will
have
a
standard,
cvss
score
right
and
cvss
is
a
standard
scoring
mechanism
for
how
serious
the
vulnerability
is.
It's
based
on
a
whole
range
of
different
of
different
things.
Can
we
actually
look
at
one
here
yeah?
So
it's
based
on
a
kind
of
built
up
out
of
all
of
these,
these
these
different
things
from
the
calculator
like
you
know
how
complex
it
would
an
attack
would
need
to
be.
You
know
what
the
what
the
vectors
are,
etcetera,
etcetera.
B
So
you
know
I
mean
a
physical
attack
vector
is
probably
less
serious,
for
example,
than
a
network
attack
vector
because
it's
less
likely
that
somebody's
going
to
have
physical
access
to
the
machine,
but
they're
sort
of
built
up
by
out
of
all
of
these
different
things.
But
what
this?
What
the
sneak
database
does
is
enrich
that
with
particularly
with
this
stuff
about.
Is
there
a
mature
exploit
available
for
it,
and
is
there
a
fix
available,
because
you
know
again,
with
this
world
view
that
we
we're
really
about
empowering
developers
to
fix
things?
B
We
want
to
be
able
to
have
things
that
are
actionable
so
being
having
a
fix
available,
really
makes
you
know
it
should
push
something
right
to
the
top
of
your
priority
list,
because
it's
easy
to
fix.
You
know
so,
and
that
becomes
a
fairly
key
part
of
the
scoring
for
for
for
how
they're
prioritized
in
the
sneak
ui.
E
Have
two
questions
one
would
be
regarding
the
terraform
feature
which,
if
I
want
to
sit
correctly,
is
still
in
beta.
I
tested
it
out
on
the
sneak
dashboard
that
you
have
some
kind
like
integrate
your
github
repository.
You
have
some
kind
of
terraform
code,
then
you
receive
some
kind
of
information
like
in
my
case.
I
had
one
regarding
having
a
sql
database
with
public
ip,
which
is
like
an
understandable.
B
That's
okay,
when
you've
got
the
when
you're
connected
to
the
to
the
git
repository,
but
sending
them
all
from
the
cli
could
take
forever
so
that
that's
one
of
the
things.
That's
that's
that's
become
a
lot
faster
recently,
but
they
use
exactly
the
same
rule
set,
so
it
all
uses
rhaego
in
the
back
end
that
comes
from
open
policy
agents.
So
it's
a
set
of
of
it's
a
kind
of
rules-based
language.
The
rule
sets
are
massively
growing
at
the
minute.
B
B
E
E
B
Noise
yeah,
the
problem
is,
I
have
to
admit,
like
I,
I
hey,
I
am
not
a
I.
I
would
not
describe
myself
as
a
programmer,
I'm
a
systems
systems
architect
so
and
b.
I
am
old
and
so
I'm
not
used
to
using
vs
code.
You
know
my
normal
programming
environment
is
bi,
so
I
am
sure
there
are.
There
are
lots
of
configuration
options
and
I
can
certainly
find
out
for
you.
If
that's
something,
that's
that's
of
interest,
so
ping
me
ping
me
afterwards
and
I
can
find
out
but
yeah.
B
B
Yeah,
I
should
have
mentioned
that
as
well,
that
one
of
the
one
of
the
key
features
of
the
sneak
stuff
is
about
license
compliance
so
for
each
every
single
one
of
those
open
source
packages,
that's
being
picked
up
in
the
scans
you
you
also
get
all
of
the
the
licenses
and
it's
configurable,
which
you
know
you
can
say.
Well,
I
don't
want,
you
know
x,
license
to
be
allowed,
and
but
all
of
these
ones
that
are
that
are
that
are
permissive
or
all
fine
and
yeah.
B
B
So
people
are
releasing
things
that
that
have
names
that
are
similar
to
other
things,
to
poison
the
package
repository,
and
so
we
built
this
thing
called
advisor,
which
we've
just
kind
of
been
bringing
out.
This
is
entirely
free
kind
of
tool,
and
what
advisor
allows
you
to
do
at
the
minute
across
three
ecosystems
is
to
search
for
packages.
You
can
kind
of
think
of
it
like
booking.com
for
open
source
packages.
Right
so
say.
B
If
I
want
like
you
know,
if
I
let's
go
to
to
python-
and
you
know
if
I
do
like
requests
so
advisor-
combines
the
security
information
for
that
that
particular
package
with
the
community
data
for
like
how
healthy
that
ecosystem
is
to
form
this
overall
score
for
like
why
you
might
want
to
choose
this
particular
package.
So
you
know
it's
going
to
show
you
how
many,
how
many
things
times
has
this
thing
downloaded?
B
How
often
is
it
committed
to
how
big
is
the
contribution
community
around
it?
Does
it
have
contributing
documentation,
code
of
conduct
and
are
there?
You
know
big
security
issues
in
that
in
that
project,
and
so
it
really
gives
you
this.
This
thing
that's
never
really
existed
before,
which
is
a
way
of
being
able
to
decide
whether
you
should
use
x,
package
or
y
package
without
actually
just
going,
and
you
know
randomly
looking
at
source
code,
so
we're
we're
building
going
to
build
lots
more
ecosystems
into
advisors.
B
You
know
for
doing,
http
and
python.
I
mean
this
is
a
fairly
obvious
one,
because
I
think
requests
is
pretty
much
the
standard
there,
but
there
are
in
other
ecosystems,
particularly
like
in
in
in
node
and
in
java.
There
can
be
lots
and
lots
of
packages
that
do
basically
the
same
thing.
So
how
do
you
decide
which
one
to
use
right?
What
what
fact?
B
What
what
factors
should
you
use-
and
you
know
it's
quite
surprising-
often
that
people
don't
perhaps
understand
that
the
community
health
of
that
project
is
equally
as
important
as
what
it
does,
because
you
know
what's
going
to
happen
in
a
year's
time
when
you've
based
your
application
on
this
thing
that
had
one
person
developing
it
who's
now
disappeared
or
infected
your
code
with
some
remote
background,
so
yeah
so
I'll.
Advise
this
really
cool.
I'm
trying
to
talk
a
bit
more
about
that
at
conferences
and
things
so.
D
B
So
I
know
they
are
on
the
road
map
so
go
go.
Support
in
sneak
generally
is
is
yeah.
I
think
we
do.
Support
go
now
goes
obviously
a
little
bit
more
difficult
because
the
compiled
language,
so
you
know,
go
and
see,
and
things
like
that
are
much
more
complex
for
any
vulnerability
dependency
thing
right,
because
you
don't
have
like
a
package.json
or
anything.
B
I
know
the
development
team
did
a
lot
of
quite
cool
work
about
sort
of
disassembling
the
go
binary
to
find
out
which
modules
had
been
in
it,
but
we
definitely
we
support,
go
from
the
source
code
management
side.
You
know
where,
obviously,
you've
got
your
modules
defined
and
stuff.
At
that
stage,
I
I
think
rest
is
super
cool.
B
But
like
it's
it's
one
of
those
things
when
you
said
the
the
the
the
development
team
are
like
going
100
miles
an
hour,
because
we've
got
so
many
ecosystems
that
we
want
to
cover
and
like
it
tends
to
be
the
ones
that
are
sort
of
less
interesting,
but
they've
got
more
developers
in
them
that
end
up
first
in
the
queue.
So
it's
like
dot,
net
and
php,
which
is
like
really
there's
still,
people
writing
stuff
with
php.
But
there's
millions
of
people
writing
stuff
in
php.
C
B
A
B
A
A
I
want
to
build
it
myself,
so
potentially
we
want
to
build
something
in
gitlab
and
integrate
with
sneak.
This
could
be
a
potential
idea,
but
also
like
you're
running
ci,
cd
and
you're,
using
curl
or
whatever,
like
a
python
implementation,
to
query
something
I
want
to
automate
things-
and
I
was
just
talking
to
you
to
kenny
johnston
in
in
our
slack-
and
I
said
manual.
Work
is
a
bug
for
me.
A
I'm
automatic
everything,
so
I
want
to
have
like
a
consumable
rest,
api
and
really
rest
and
not
like
soap
or
whatever,
so
that
I
can
like
check
and
throw
something
at
it,
and
I
think
it
doesn't
need
to
be
super
complex
and
super
over
engineered.
It
should
just
be
like.
I
want
to
search
for
something
and
I
get
a
json
result
which
I
can
pass,
which
could
be
the
first,
the
minimum
minimum
viable
change
or
the
first
iteration
of
it.
A
That's
a
great
idea,
so
not
not
pushing
pushing
hard
on
that.
It's
just
like
if
you
have
upfront
and
add
a
rest
api
to
it,
and
maybe
some
examples
to
how
to
interact
using
curl
or
maybe
python,
whatever
you're,
confident
in
and
ask
not
only
me,
but
also
other
developers
or
other
users
who,
like
regularly
need
to
evaluate
which
package
to
use
because
I've.
A
In
my
experience,
you're
sitting
in
front
of
the
screen
and
then
you're
like
checking
this
php
package
or
this
like
c
plus
plus
project
or
something
else
and
like
should.
I
should
I
be
using
that
okay,
the
license
works.
I
have
no
idea
about
the
security,
because
there
is
my
history
about
this
and,
if
like
having,
that
puts,
puts
out
a
huge
effort,
and
I
could
also
imagine
that
it
helps
your
thought,
leadership
and
messaging
in
a
way
of
saying:
hey,
we're
doing
something
good
for
open
source.
B
Yeah,
no,
I
like
it,
I
like
it.
I
I
our
whole
focus.
You
know
over
the
next
year
or
so
is
apis
around
all
of
our
services.
You
know
the
the
the
kind
of
I
think
where,
where
we
see
ourselves
going,
is,
is
moving
towards
being
a
a
cloud
native
security
platform.
You
know
where
we
do
start
to
have
all
these
things
in
that,
so
I
I.
I
definitely
think
that
would
be
an
interesting
thing
for
advisor.
B
A
B
A
A
B
Yeah,
so
in
the
iac
scanning
there
is,
there
is
obviously
secrets
inside
things
like
terraform
and
kubernetes
ammo
and
that
kind
of
stuff
I
mean
secret
secrets.
Detection
in
general
is
quite
a
hard
thing
to
to
do.
You
know
because
you've
got
so
many
potential
patterns
that
things
could
be,
whether
is
it
a
secret
or
not
right,
unless
it's
in
a
in
a
a
setting
that
defines
itself
as
a
secret
but
yeah
we're
doing
a
lot
of
work
around
that
at
the
minute.
A
So
this
might
be
a
question
you
might
not
be
able
to
answer,
but
are
you
using
any
open
source
cameras
in
in
your
product
or
how
is
the
engine
being
built
like
because
I
think
for
secret
scanning
we're
using?
I
have
no
idea,
I
need
to
look
it
up
myself.
It's
an
open
source
can
engine
which
has
certain
patterns
predefined,
so
yeah.
A
B
C
A
Okay
yeah.
This
was
basically
my
question
because,
when
when
it
comes
to
machine
learning
and
other
things,
I'm
like
learning
myself
and
gitlab
acquired
unreview
for
machine
learning
and
code
suggestions,
and
I
I
believe
this
goes
into
like
the
same
direction,
with
having
having
data
available
and
training
the
models
and
doing
more
stuff
in
that
direction.
To
make.
B
It
we
just
acquired
a
company
called
foss
id.
Have
you
come
across
those
then
before,
where
they
look
for
snippets
of
open
source
code
that
might
have
been
included
accidentally
in
your
in
your
own
application,
I.e,
someone's
copied
and
pasted
stuff
from
another
project
and
that's
a
similar
kind
of
problem
space.
You
know
very
large
databases
and-
and
you
know
fast
pattern
matching
across
huge
amounts
of
back
end.
A
And
this
kind
of
reminds
me
of
my
studies,
where
they
didn't
have
any
robots
to
check
whether
we
copy
paste
the
source
code
from
a
colleague
or
not
to
pass
the
exam
but
yeah.
I
know
it's
a
huge
problem
if
you
copy
it
just
from
from
github
or
from
gitlab
or
from
anywhere
else,
and
there
is
no
license
and
no
copyright
assigned
am
I
legally
allowed
to
edit
to
my
code
base,
no
I'm
not,
but
how
to
detect
that.
So
if.
C
A
B
A
Else
so
you
need
to
reach
out
to
the
author
and
and
ask
if
they
can
add
a
permissive
license,
and
sometimes
this
works.
So
I
remember
like
having
a
shell
script,
for
I
think
it
was
for
notification,
something
in
bash
and
I'm
not
really
keen
on
bash
programming,
and
but
there
was
no
license
on
that
code
snippet
and
if
you
can
reach
the
order
and
make
it
happen,
it's
it's
good.
But
on
the
other
side,
detecting
that
and
keeping
companies
code
safe
from
any
legal
actions.
A
Potentially,
I
think
is,
is
one
of
the
things
the
other
one
is
like
checking
if
the
licenses
are
compatible
with
so
like
license
scanning
in
a
sense
of,
is
there
any
hpl
inside
because
it's
not
compatible
with
gpl
or
apache,
and
this
is
currently
potentially
a
problem
with
many
projects,
shifting
away
from
apache
and
installing
something
which
is
yeah,
I
don't
know
more
safe
but
yet
generally
a
little
bit
less
permissive
than,
and
this
puts
companies
and
environments
at
risk
and
preventing.
That
is
a
good
idea.
A
C
C
A
B
So
sneak
is,
it
has
a
whole
free
tier,
so
the
the
only
there
are
some
features
that
are
paid
tiers
only,
but
the
free
tier,
almost
all,
of
the
the
things
that
that
we
looked
at
in
demos
today
are
available
on
the
free
tier.
The
only
limit
is
around
the
number
of
scans.
You
can
do
within
a
time
period
in
general
is
normally
how
how
things
our
our
whole
kind
of
go
to
market
is
really
about
that
freemium.
A
C
B
A
So
we
ex
we
extended
the
session
a
little
bit.
I
was
like
missing
time
thanks
thanks
for
the
the
great
session
and
the
great
insights,
I
will
share
a
blog
post
with
all
the
insights
later
on
and
yeah
other
than
that.
I
would
encourage
everyone
to
try
out,
sneak
and
all
the
integrations
into
ci
cd,
docker,
kubernetes
and
stuff
and
say
bye,
bye
on
youtube.