Good morning, everyone. My name is Loris Degioanni, I'm CTO and founder of Sysdig. Sysdig is the leader in container, Kubernetes and cloud security. I'm also the original creator and one of the maintainers of Falco. Falco is the CNCF runtime security tool and it's essentially the de facto component for runtime security in Kubernetes and for containers. Today we're going to talk about GitHub. In general, if I were to ask you the following question: in your job, what is your most valuable asset? Other than people, of course. Probably many of you would answer "my source code", and probably many of you, I guess the majority of you, have your source code in GitHub or in general in some kind of Git repository. So my question at this point is: are your repositories safe? This is the place where your most important thing is. This is also a prime target typically for attacks. So there are several areas, several categories of threats that your source code repositories are subject to. Examples: pushing secrets in a GitHub repository. This is something that happens routinely despite the checks that we put in place to prevent it, and countless major breaches, including recent ones (there was a Toyota one last week), are caused by somebody just committing a secret, a password, a key or something on a repository. Another example is running GitHub Actions with miners. This is something that is becoming more and more of an issue. GitHub is giving us more and more flexibility to complement our code repositories, and the events that can happen on these code repositories, with actions that are actually executed on a computing pool that is offered to us by GitHub.
Of course, whenever there's a computing pool where you can execute arbitrary actions and code, then there's a risk for somebody internal or external to abuse that and use it for things that it wasn't designed for, like, for example, running GitHub miners, which is something pretty common and it's been abused in a publicly visible way multiple times. Another example is mistakenly publishing a private repository, you know, that feeling when you discover that somebody published the wrong repository and your code, maybe with secrets inside, is publicly available online. Yes, GitHub asks you to confirm by typing the name of the repository when you take an action like that, and yes, this still happens. For example, it happened to me a few years ago and I tell you, it's not a pleasant feeling. So, how can we detect and protect from threats like this? One possible approach that I am going to talk about in these few minutes that I have is using Falco. As I was mentioning, Falco is what I often describe as the security camera for modern applications. Falco typically listens on your containerized Kubernetes-based endpoints. It captures a bunch of signals, for example system calls, and it has a detection engine that is able to give you alerts. So, it detects bad stuff and gives you alerts. Falco traditionally has been designed to protect containers and pods and namespaces and services on Kubernetes, but recently we have released a GitHub plugin so that you can have the same type of real-time runtime security that Falco is based on, but for GitHub. Let's see how it works. So, I actually have a virtual machine here where I'm just going to run my local copy of Falco, and I run it configured essentially to connect to my test GitHub repository. I can see that immediately Falco tells me that it's connected to the repository. In fact, if I go to my repository, I can see that now Falco automatically under the hood has created a webhook to collect data from this repository.
Now, if I go in the repository, for example, I have this miner action, which is just running XMRig, a well-known miner, and what I'm going to do is I'm just going to run this action manually in my repository. The action is started, and I can see that right away Falco was able to listen essentially to what was happening in that repository and tell me that an action with crypto miners was executed, and tell me the name of the repository, the name of the file and all of the information that I need. Another example is I have a little piece of source code in this repository, so let me uncomment, I'm just committing an AWS hash in this repository, and then let me just push it to the repository, and again here you see, one or more secrets are pushed into a private repository. It's telling me the file, it's telling me the line, I can even go and, if I want, browse and go take a look exactly where that line was committed in my repository. Falco is essentially able to dynamically do this for me, and as you can see, I get a reaction immediately in real time, in a matter of a few seconds, so that's the beauty of a runtime security tool like Falco. We are used to deploying this kind of runtime security tool to detect that somebody spawns a shell inside one of my pods in Kubernetes, but as you can see, the process is applicable to other stuff as well, and Falco has many plugins that can interface with the different tools of your ecosystem to do these kinds of detections. Falco is based on a simple rule engine, so I can actually, these are the rules; for example, this is the rule that Falco used to detect miners, so it's just a YAML file that I can go, I can edit, I can modify, I can add my own rules.
For example, in this file I customized it, with just a simple rule whose condition detects when a GitHub action of type star has been created, so essentially this is when somebody starred my repository. So if I go here and I star my repository, as you can see, immediately Falco is able to detect that and show me in real time that I got a star from user Eldejo. So as you can see, very easy, very simple: a rule is nothing else than a condition, and the output that I want to see when that condition is met. So creating GitHub rules for your needs is going to be very easy. In general Falco is free, it's open source, it's CNCF. We are looking hopefully to graduate the tool in the next few months, so I recommend that everybody takes a look, it can really be helpful for this kind of scenario. Just one last thing, we are having a Falco party tonight. It's the Firebird table, not far from here, so if you want to come, meet Falco developers, learn more, or just socialize and have a nice drink with friends, please join us tonight. Also, this afternoon we'll have, I think starting at 1 pm, a session with the Falco developers, where you can go and ask questions and ask for their help, or learn the roadmap and so on. So come see us, come meet with us, we're really here and we're really eager to meet with you. Thank you very much, have a great day, and have a great KubeCon, and I will see you around. There's one question. 1 pm, where is the 1 pm event? Which room? Everybody's looking, I will let you know in a second. Thank you very much.
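The rule shape described in the talk (a condition plus the output to emit when it matches), written out as an added example rules file for the Falco GitHub plugin; this is not the speaker's demo file or the plugin's shipped rules. The `github.*` field names (`github.type`, `github.repo`, `github.user`, `github.workflow.filename`, `github.action.has_crypto_miners`, `github.diff.has_secrets`, `github.diff.secrets`, `github.repo.public`) and the `workflow_run` event type are assumed from the plugin's documented field list and should be checked against the plugin version you load.

```yaml
# Added example: three Falco rules for the GitHub plugin, covering the
# star, crypto-miner and pushed-secret cases demonstrated in the talk.
# The github.* fields are assumed from the plugin's field list.
- rule: GitHub repository starred
  desc: Someone starred the monitored repository (the custom demo rule)
  condition: github.type = star
  output: Repository starred (repository=%github.repo user=%github.user)
  priority: INFO
  source: github
  tags: [github]

- rule: GitHub Action with crypto miners
  desc: A workflow run references a known crypto-mining tool such as XMRig
  condition: >
    github.type = workflow_run
    and github.action.has_crypto_miners = true
  output: >
    Crypto miner detected in GitHub Action
    (repository=%github.repo workflow=%github.workflow.filename user=%github.user)
  priority: CRITICAL
  source: github
  tags: [github, cryptomining]

- rule: Secret pushed into a private GitHub repository
  desc: A push to a private repository adds a credential-like string to the diff
  condition: >
    github.type = push
    and github.diff.has_secrets = true
    and github.repo.public = false
  output: >
    Secret pushed into private repository
    (repository=%github.repo user=%github.user secrets=%github.diff.secrets)
  priority: CRITICAL
  source: github
  tags: [github, secrets]
```

Load the file with `-r` alongside the plugin-enabled `falco.yaml`; the `source: github` line is what routes each rule to the plugin's event stream rather than to syscalls.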