SECURE YOUR
OPEN-
SOURCE
PROJECTS
(For Free!)
Davide Benvegnu
DevOps Lead & YouTuber

DevOps & Infra Lead @ PlayStudios
Former DevOps Architect @ Microsoft + GitHub
Former MMA Fighter
Davide Benvegnu
@DavideBenvegnu
github.com/n3wt0n
linkedin.com/in/davidebenvegnu
coderdave.io

Allegedly Famous YouTuber
CoderDave

Security is
important

Continuous Security

Shift Left

Shift Left Tools (for today)
GitHub Advanced Security
Software security suite with Code Scanning, Secret Scanning,
and Dependency Vulnerability prevention
Datree
Automated policy and best-practices checks for Kubernetes,
Helm, and ArgoCD

Shift Left

GitHub
Advanced
Security

The 3 flavors of Advanced Security
Dependency Management
Code Scanning Secret Scanning
Scans projects for dependency
vulnerabilities and know issues.
Sends Dependabot alerts when detects
vulnerabilities affecting your repository
Create automatic PRs to upgrade
dependencies to a non-vulnerable version
(or to keep them updated)
Analyze the code in a GitHub repository
to find code vulnerabilities and issues.
Based on CodeQL, inherited from Semmle
and LGTM.
Integrated into GitHub, interoperable
with third-party code scanning tools that
output Static Analysis Results Interchange
Format (SARIF) data
Scans the entire Git history on all
branches in your repository for secrets.
Scans for passwords, secrets, tokens, API
keys, and custom patterns.
Works wit 150+ 3rd party services and
cloud providers to automatically
disable/rotate keys

Code Scanning
Supported Languages
Code Scanning / CodeQL supports both compiled and interpreted
languages
• C/C++
• C#
• Go
• Java
• JavaScript/TypeScript
• Python
• Ruby
Quality of Results
• Fairly low false positive ration
• Can catch issues other tools may not
Customizable
• Based on CodeQL queries, regularly updated,
• Open source: https://github.com/github/codeql
• Write your own queries
• Publish a CodeQL query pack (beta) to GHCR (self-
contained)
• Create a QL pack in a repository
Configurable
• Default config is usually “good enough”
• Custom config file
• Disabled default queries
• Specifying CodeQL query packs
• Specifying additional queries

Datree

Datree
Supports kubectl manifests, Helm charts, and ArgoCD
Prevents misconfigurations to reach your deployment
targets by enforcing policies and best practices.
Performs YAML validation, k8s schema validation, and
policy check

Let’s see them
in action

Conclusions

Is it perfect?
No, but…
• Code Scanning: Low false positive rate
• Code Scanning: New languages added regularly
• Code Scanning: SARIF compatibility
• GHAS: Good all-around tool
• Datree: Integrated in the workflow
• Datree: great support
• Datree: super easy to use and customize

Recap: GitHub Advanced Security
• Extensible framework for code scanning
• Integrated within the developer workflow
• Backed by industry-leading CodeQL engine
• Customizable and Configurable
• Integrated with GitHub features
Product Synergy

Recap: Datree
• Policy and Best Practices enforcement
• Integrated within the developer workflow
• Customizable and Configurable
• Policy-as-Code support
• Validates “anything Kubernetes”
No more misconfiguration

Videos

THANK YOU!
coderdave.io/join