And let me give y'all a little intro and off we'll go. Thank you everyone for joining us. Welcome to today's CNCF live webinar, Cloud Native DevOps Security. I'm Libby Schultz and I'll be moderating today's webinar. I'm going to read our code of conduct and then hand it over to Sebastian Straub and Simon Molot, Solutions Architects with Prisma Cloud by Palo Alto Networks. A few housekeeping items before we get started. During the webinar, you're not able to speak as an attendee. There's a Q&A box at the bottom of your screen. Please feel free. Sorry, on the right-hand side of your screen. Please feel free to drop your questions in there and we'll get to as many as we can at the end. This is an official webinar of the CNCF and as such is subject to the CNCF code of conduct. Please do not add anything to the chat or questions that would be in violation of that code of conduct and please be respectful of all of your fellow participants and our presenters. Please also note that the recording and slides will be posted later today to the CNCF online programs page at community.cncf.io under online programs. And they will also be available via your registration link and on our online programs YouTube playlist. With that, I will hand it over to Sebastian and Simon to kick off today's presentation. Take it away.
Thank you Libby for your introduction. Thank you everyone for joining our webinar today. My name is Sebastian Straube and I'm the Cloud Solutions Architect in Palo Alto Networks. Here I'm sitting in Zurich, Switzerland and I also want to introduce you to Simon Millot. He's also a Cloud Solutions Architect. Hello Simon.
Hello Sebastian. Thank you Libby for the introduction and indeed I'm a Cloud Solutions Architect at Palo Alto Networks. So basically mainly focusing on the Prisma Cloud product and yeah, I'm happy to be here. I prepared like a nice demo and I will be jumping into the demo after the presentation of Sebastian. So yeah, over to you Sebastian.
Thank you Simon.
So I'm super happy Simon joined today. He's our demo god. So we all pray to him. So all good. So let's quickly start with our presentation. I prepared a couple of slides for us today here to grasp a little bit around what Checkov is and why Checkov has something to do with cloud native DevOps security. So first thing we looked at in our quick research we did. We looked at public repositories in the Terraform registry and in the GitHub open source code. And we found a pretty interesting result here and we scanned these repositories, these open source repositories and we found that a lot of them were insecure or misconfigured. Misconfiguration is one of our biggest challenges in public cloud environments and also in general application development life cycle security in which we need to think around how we can secure our code, how we can secure our infrastructure. So we take this away and say, OK, is security checked in by default or how do we think around security? And I want to present you quickly what Checkov is. So for the people who don't know actually what it is, Checkov is an open source static analysis tool. So it enables us to scan infrastructure as code in a methodology that is called policy as code in which we can actually then automatically scan code and introduce this as scan code into visibility in which we see vulnerabilities, compliance problems and best practice problems in our infrastructure as code templates. In Checkov we pre-built hundreds of policies over our compliance and best practices across all the public cloud providers. So when we create an infrastructure as code template for AWS, Azure, Google and also Kubernetes templates like Helm charts, etc., we actually can use them and scan them with Checkov and then this can show us the vulnerability and compliance issues inside this code. At the moment we have around 2 million downloads with Checkov. So it's a very popular infrastructure as code scanner at the moment on the market.
We are natively supporting, as I said before, also Kubernetes manifests but also Terraform, CloudFormation, ARM and others. And also what I want to highlight here is that Checkov is written in Python. So it's fully extensible if you want to use the source code and want to extend some functions. If you're a Python pro you absolutely are in the way to do so. So it's a very simple, flexible tool where we actually can control policies and enforce that we can use our code. So as we said before, Simon is actually doing the demo after he showed a couple of slides. In the meantime, if you want to check out, you can go to this URL and can check the code. But I just want to give you a couple of more context around this product. When you have checked your software development lifecycle and, you know, we need to check every corner of your code and of your infrastructure as code templates, etc. So our approach is that we actually try to find these vulnerabilities and compliance issues. You want to fix them so we can fix them directly in the IDE. Like for example, Visual Studio Code. We have plugins for all the major development environments in the market. And we also want to prevent that these problems are going into production environments, but we can also fix problems inside production environments. So we can fix problems also at build time. So that means we can integrate our scans into the build time and into the runtime. So in production in running environments and in our CI/CD pipeline. As we said before, it's an open source product. And we also, for example, can merge pull requests and we can detect and transform misconfigurations. It's a very important point. And also we enforce our policies in your workflow. So how does it work actually? This is the challenge actually with our code because today we have the topic shift left.
That is very important to us because we want to automate our code and our security of the code in our development environment and not in production environment. Because here on this slide, we see that for example, we have one misconfiguration and vulnerable code into our build pipeline. And then we deploy this template maybe 100 times or more. And then we create actually in runtime a lot of security alerts in production environment. And all this whole shift left topic is around reducing the security alerts in production environments. Without creating, you know, tickets in Jira, PagerDuty or ServiceNow. And then actually need to come back into the build process, change and then deploy again. So we want to fix the problem in the beginning. And how do we handle this? So let's handle this like pros and we want to show you how this works. So what we do is actually when we do some code commit, we want to fix and prevent in the development environment and pull request and build blocks that some vulnerabilities are going into the test environment, for example. And then also in the deployment operation state we monitor and we can remediate in the stage. And what we also do before we actually commit this code, we scan these infrastructure templates and also make sure that this configuration meets the requirements of your department. And what we also do is we then show some compliance reports, policy engines and show also some notifications around this topic. So we can integrate in your whole CI/CD pipeline in your workflow that you work every day and we make it easy for you to integrate and scan these whole different repositories and templates. So what do we integrate? It's a very important question because we don't want to write this integration by ourselves, right? So you see a lot of logos. I don't need to describe every logo. I think you all know what they are and where they're coming from.
But what I want to highlight here is that we support all the major cloud providers, including Kubernetes here. And then also integrate with the typical development environment, including GitHub Actions, GitLab, and also Jenkins, including also instant messaging alerts and communications. And also you also integrate in infrastructure as code frameworks like Terraform and Helm. So this is absolutely a great starting point for you. What's the benefit very quickly? So actually over time when you're using this kind of methodology in the Checkov tool, you lower the remediation time. This is really interesting because at the end you don't want to fix the problems in production, right? And then you want to decrease the high severity events. That means that we find vulnerability problems inside the app and reduce the attack surface from the beginning. We simplify the compliance by checking compliance inside the template already. And then at the end what we do is with all this combined together, we are minimizing the attack surface. So what are actually the requirements when we look at how to achieve these benefits, and these requirements are that we need actually this infrastructure as code security tool where we implement some guardrails. We need drift detection. Drift detection means that we automate the deployment of the code with the template. We check the template before deploying. And then when we change something inside the cloud, some resources are changed inside the cloud. We detect this change and then we notify on this change and also scan this change. Then for example what you also need to implement is secret scanning. So we want to make sure that we don't deploy or commit secrets into our production stage or into other stages. That's something we really want to avoid. And then for sure what's very important is the least privilege in identity access management. So that means you don't want to overprivilege some users that have access to environments.
So we also check this one. So one thing I wanted to show you is the box ticker. So Checkov is an upstream tool. So there's also a downstream tool for enterprise environments. And maybe later you can check out what kind of functionality you need. But if you need some specific functionality, then you can also check out the downstream tool. So before we go into the demo, I just want to give you a glimpse around our approach and how we tackle today's security situations. What is actually the situation? We are not only looking at our security of the code, but the security of our whole environment. And that includes a lot of different aspects. And when we look at these different aspects, we actually see that, for example, Gartner gives us some trends and strategic technologies which customers are looking at. And we want to understand in which way we, for example, understand cyber security measures and how we can do hyper automation on the right side here. And we also want to understand how to do data loss prevention, data classification and also looking at workload protection, security posture management, all this kind of topics to come then together in the dashboard to have a centralized policy and posture management. So we emphasize here for customers that they are actually introducing some kind of cloud native application platform approach. And this CNAPP enables IT leaders actually to laser focus on shift left. So bringing or removing the problems out of the production environment, bringing, solving the problems inside the development life cycle, then also optimizing the deployment time and integrating security in the DevOps processes, reducing the application downtime for break fix procedures, reducing security alerts and false positives and SOCs, also very important, because it takes a lot of money and time to solve them in production environments.
And we also increase the agility and resilience, and also we enable centralized management and dashboards and consolidate the tool landscape. So this CNAPP approach is something we really can recommend. But now let's focus on the demo. So, Simon, I would like you to take over my screen.
Thank you Sebastian for the presentation. And let me hide this one. So yeah, basically what I want to show you like today is how to get started also with Checkov. The first stuff that you need to do is like install Checkov on your laptop, computer or whatever. So just by doing like a pip3 install checkov, and that would be sufficient to get like Checkov on your computer. And then as of that, you can run this kind of command, checkov -l, just to list all the policies that we have like embedded inside Checkov. And then if you want to scan a specific file, you can just do -f Dockerfile, for example, it will scan the Dockerfile. And here on the right side of the screen, you can see like the fact that I scan a directory which contains a couple of like Terraform templates whatsoever. But that's the output you will get with the CLI. So if you want to do this, the command line here is -d like directory and you have to specify the directory, here it is like the current one. And of course, there are sometimes like a policy that could be like not very interesting for you in your situation. So it's cool for what we could call like a false positive. For example, you want to publish an AWS S3 bucket on the internet and yeah, it's normal that it is publicly available. So you don't want to fail the pipeline because of that. So you can skip some checks, of course. And the other solution is, if you do --check, that will specify only the checks that you want to do.
So for example, now if we go to the demo here, I'm in a directory where I have like a small Python application. I hope it is big enough for you guys or maybe I can zoom it a bit. So, I have like a Python application with like a requirements.txt here, and I have a Dockerfile. So for example, if I do like checkov -f Dockerfile, the command that we just saw in the slide, it will scan the Dockerfile and will give you like some kind of recommendation. So for example, here, you have the CKV, this policy from Checkov, which is ensure that the user for the container has been created. It's not the case, because here it was not the case. But then that means you need to do some extra, to add a user inside your Dockerfile for example, or, for example, this one, add the health check. For example, what I could do is like skip check. And just to make it correct. So let's do like that and then comma CKV Dockerfile. You don't need to put a space here. And that will give you only the check which was correct before, and that would assume that those two checks, they are failing, but you assume that is like a false positive for your opponent. Before to continue, there was also like a command which is like checkov -l that will list all the policies that we have. And for example, here, you can see that for example, this kind of Checkov policy will check all the AWS access keys. So for example, if we find inside the file an AWS access key, it will create an alert and for example, it could block the pipeline and this kind of stuff. So you could really try to limit the fact that the access key is published publicly or this kind of stuff. That's a bit the idea. Then, and I think I don't know if I do something like that, I get, I think we have added like last week something about Log4j. Yeah, that was miscalculation, exclamation mark here.
So yeah, so for example, last week we have added like two policies for the Log4j vulnerability that has been discovered. And basically this one is just ensure that WAF prevents message lookup in Log4j. So it's related to the CVE that has been released. So and for example, here we can see that this one is for CloudFormation. So the type of the policy is for CloudFormation. And this one is for Terraform. So we have like two policies, which are checking the template for CloudFormation and making sure that Log4j is enabled on a web application firewall of AWS. All right. So that's the kind of stuff we can do. And then of course, if I do like checkov -d and current directory, it will scan all the current directory and do some recommendation on the files here in the CI in this principle. So here we have like a Dockerfile, but for example, I had also in my repository some Kubernetes definition like this one, which was to deploy the Python application I just showed you. And for example, you should minimize admission of root containers and stuff like that. So we will. And of course, each time you have like some recommendation that you have here, there is the guide also to help you. So if you click on it, you get like a documentation with all the CKV IDs. And we have also Bridgecrew, but we are talking about Checkov. And here you get like what you should do in your Kubernetes definition to deploy this application and to make sure that runAsNonRoot should be equal to true. This kind of stuff. And then it's like much easier to fix your different configuration ties. All right. So that's about like Checkov itself, for the policies and so on. And remember, if you want to test it, it's like open source, of course. And if you want to test it, it is like as simple as this set of commands. It's really quick.
And of course you have a help for that, --help, that will provide like all the help in regards of the CLI of Checkov that you can use. Then if you want to integrate this in a CI/CD pipeline, there is already, maybe first step is install the Checkov extension into VS Code or IntelliJ. And then I will show you in this demo like an Azure DevOps pipeline where I do a validation. So I will scan first the external module that I'm using in a Terraform template. Then I will scan the Terraform template itself, which is deploying a Kubernetes cluster and virtual machine on Azure. And then I will publish the report in a JUnit format inside Azure DevOps. And I can do the same kind of, inside Azure DevOps, this CLI output, but with the JUnit it is much like cleaner and easy to browse. If not everybody is like technical to go in a different step of the Azure DevOps pipeline, then it's like better published. And I will show you that also. And then we have like the second stage of the pipeline, which will be a plan. And then there we will do a terraform plan command. And we will output the format into like a main.json, like a JSON file. And then with Checkov, we will verify the plan in JSON. So that's the idea, is that you can have a different, here I do everything at once, but the idea is that you can have a different pipeline that generates a JSON file and then the JSON is sent to a different pipeline. And then I have a stage which is like, yeah, I approve the change or I don't approve. And then we apply the configuration. So we do terraform apply and it executes the Terraform template against Azure and it creates like the Kubernetes cluster, the container registry and virtual machine that we need. And in bonus, but I'm not sure we have the time, we'll see how it goes with the demo, and Sebastian put enough pressure on me as a god of demo, but we'll see how it goes. But that's the idea.
Then I have also some example in regards of the GitHub Action. So, yeah, but basically everywhere you can run Python, you can run Checkov. That's the idea. So that means you can integrate more or less everywhere that you want. It's just that for example, GitHub Actions, we have like a super easy integration. Azure DevOps is a bit less easy. But yeah, you'll see, I will go through all that during the demo. All right. So now I will change up terminal. I'm here in Azure DevOps in my repository. And here I have a couple of files. Let me zoom in a bit. So I have my Azure pipeline. We'll go through it like in a second phase. And then I have like here an AKS file that I'm using, which is to deploy the Azure Kubernetes Service on Azure. And here I have also the module.tf, which is using an external module. And I will scan the external module with Checkov. So for example, here, if I do like we did before, checkov -d current directory, it will scan the directory and give you everything which is non-compliant to the policies that we have. And if I go up, we have like a six check which are failed to it that we skipped. And basically that's a way of avoiding the fact that we want to like false positive. So we skip some checks inside the code. I will show you that later. And we have to check that has passed. So if we go through them, for example, we will see that on the AKS file, there is some ensure that AKS enables private cluster. And I will go back. I will go to VS Code. And here I have the extension, which is Checkov. So let me grab it for you. I forget. Okay. So this is the Checkov extension. We just search for it. You install it and that would be sufficient to run. So once it is installed, it integrates super smoothly inside VS Code. So the IDE. Let me remove it. Maybe I can zoom it a bit. That's better. And here what you have is basically when I use here, I will change some configuration.
I will hit the save button and you see that Checkov is running already to scan the different resources of this file. So now you see that here I'm creating a container registry. Here I'm creating a Kubernetes cluster. And here I do the role assignment to give the permission to the Kubernetes cluster to pull container images from the container registry. Of course. And here you can see that this one is in red. And that means Checkov discovered some misconfiguration there. And for example, here we can see that ensure that AKS enables private cluster. What we just saw in the CLI. So it's exactly the same. It's exactly the same output that we see. Once you see that, then you have a button which is here, which is quick fix. What you can do there is either you apply a skip, you generate a skip comment to mention the fact that it's like a false positive for example. And what we could do is also, for example, ensure that AKS has an API server authorized, and here if I go to the quick fix for that one, I don't have something like apply fix which is out of the box from the VS Code extension, it will provide me like a suggestion. So I can only generate a skip comment. I don't want that. I want to fix that issue because I want to have a range IP that I want and I want to allow only this range IP to access my Kubernetes cluster. So what you should do is you click on the link. And once you are here, you will see that you should just add this one. So let's do something like that. Let's copy this, that rule, or we put it in front of the tag. And here we have something and let's say that my IP is a public IP. So 117, 82, something and slash 24. Let's say, and again, Checkov is running. So this check should be like, okay, I know. Okay. So we just have seen that. Okay. Let me remove it again. I will save it again. And once it's done, I will show you also another way to do it.
So here we have the Checkov that has several fade options. So if I go here in the quick fix, oh, yeah, sorry. You can also apply the fix directly from the CLI. So here is like ensure logging to Azure Monitoring is configured. And then it will add this profile stuff. So then we can fix the other option just by doing this quick fix, generate a skip comment. Yeah, let me, yeah, this one, I will add this one. Like this. All right. And I will generate the other comment just to make sure that it goes. Okay. And then I will push the change into the pipeline and we'll see how it goes over there. So now I have like a Kubernetes command. And here I can use the quick fix to apply the fix for the RBAC for example. And this will add the RBAC as well. And I will take this like that. Oh, I will check quickly if the integration. So, and now I can also like a quick fix. And show that in a birth private cluster for example. And then we have all that, which is fine. All right. And then I will add also the last one. And I should be all right. And this is like the skip comment. And if you have like a skip comment, you have to use this impact, which is like checkov, and then skip equal the Checkov ID. And that you have of course everywhere. Like for example, this is the Checkov ID. And then basically you just add like a double point and then you put whatever comment you want, it could be like anything. So, and for my part, I will. Azure policy. Oh, sorry. This one. Yeah. Quick fix. I think this is the one I didn't enable yet. So, okay. Okay. I have to generate. So now Checkov is running again for the last comment. And I lost. Like Windows V somewhere. Yeah, I do. Okay. So I have this. Add-on profile is twice. So I can remove this one. And this is what Checkov does, is really giving you like recommendations on the developer seat. What you should do to improve your code before pushing it in production.
So now Checkov is running. And we'll see how it goes. If we have a green mark, that means Checkov does not have any recommendation anymore. Then we can push the change to the pipeline. So in regards of the pipeline, what we do here, and I will come back to that. So we'll trigger the pipeline. And this is for Azure DevOps, of course, but we'll trigger the pipeline on the master branch. And then, yeah, we are using Ubuntu. So we will install Checkov by doing this command. So checkov. And then we will initialize the Terraform and we'll give like a couple of information in regard of the back end. So the back end is safe on the Azure site. And then we will validate the configuration of the Terraform. And then we'll check here with Checkov the current directory or the set module. So we'll skip also all the checks which are in regard of Docker. And the output will be sent with the format of JUnit XML. And it will be sent to a specific file. Then I will use that file to publish inside Azure DevOps. That's a big idea. And then once the modules are okay, we will verify the main file. So the Terraform template, which is the AKS Terraform and all the files that we have seen before. And then we'll publish also those results. And then we have the plan. And the plan also has to initialize because it's like a different machine, a different stage. So we have to install again Checkov. Then we have to initialize the Terraform template. And then we have to execute the plan. And here in the plan, you can see that now we will show the plan and will output inside a main.json that will be scanned with the checkov -f command. And then we will also output that command. Yeah, the output will be JUnit XML as well. And then we will send the output in that specific file. And then of course, here we have all the parameters to go against the Azure environment that we have.
And here we have the published test results. So we will publish the Checkov plan report that you can see here. All right. And then we have the approve stage and we have the apply. Again, we have to initialize and then just execute the terraform apply auto approve command. All right. So I think that would be it in regard of the explanation. And then let me first check all. If I don't have any exception anymore in my file here, I see that SSH, okay. So I have like, yeah, that's one of the modules I'm using inside the module.tf. And it tells me ensure that SSH access is restricted from the internet. So I should either deny the access, or add a specific port for a specific range. So what I will do, and there it is. This is the module.tf. I will just deny this action. I don't want to allow SSH directly from all the internet to my virtual machine. Let's do a checkov -d again. It's checking everything. And so we have like, you know, skipped check one, but we don't have any failed checks. So now I'm safe to push. So I will push the change I have made, fix. Checkov. It's not an issue. It's a recommendation. Okay. Let's push it like that. And now that should have triggered like a pipeline on Azure DevOps. And this is my pipeline, which is not filling yet. Yep. This is the one. So it's running here. And it will go to the different stages I just explained. So we have the validate, the plan, the wait for approval and the apply. So the job is pending. Let's see how it goes here. So it will install Checkov with the pip, pip3 install checkov. And then yeah, Checkov should be installed at the end. So successfully date. It will initialize the Terraform. So in check also with the, oh, that's not good. What's going on? In it fade code one. Yeah. I did config publish.
Hi, Stephen. Can you maybe zoom in a little bit? So the text is very small.
But wait, here I have like an invalid character on a cast line 38.
I think it's the recognition from here. It should be like something. All right. So fixing typo. We'll fix the, I think this is 938. Okay. So let's push the change again. Checkov recommendation V1. Yeah. Is it okay now for you guys? Yeah. Thank you. Okay. Thank you. Okay. So let's go back to the validate option. So we have to wait again. So if that. So side note for me is to fix this. It should be like a double quote and not simple quote. In the documentation. So let's wait a bit. So it's running, like again, installing Checkov. Then we initialize Terraform, validate the configuration of the Terraform template. And then it will check the modules because I have one module and I didn't show you that much yet. But this is how to create the network. So it's provided by Azure to create a VNet, providing like a couple of names and doing some fire type file center for CNCF. This is something you guys. Okay. So my config is still not valid. So validate thing. Exit code one. So validate failed with exit code one. Yeah. If anybody sees the error, just hit me. Otherwise I will do something else. Just for the sake of the demo, to be able to go to the end, I will save this configuration. I will see. And here I have the feeling. And then I will quick fix and I will generate a skip comment for that. So demo fee because of you. So let's save like that. I will push the change. Fix issue API. All right. So let's push it like that. And now we go back to the pipeline for the last time, I hope. And then it should be all right. Let's see how it goes now. Yeah. Of course we have to go through that, hold that again. But it's going to take like a couple of seconds. All right. But I wonder like, yeah. Yeah. For the time being, let me go back to that because I'm not sure to understand why the mistake was failed. And appropriate. Yeah. I see it's like, it needs like an array. So yeah, we might instead of, of this. Okay.
But anyway, we can fix it later. I'm sure. So here we have the validate option and yeah, now the validation goes through. And you can see that I've checked the modules, which are okay. And now I have the main file, which is exiting with one and finishing, blah, blah, blah. So it failed the pipeline. And now we can go here in the pipeline. We see on the last instance here, and we can go in test. And here we have the full report, which is ensure that AKS add on cluster, blah, blah, blah, blah, ensure that AKS uses Azure policies add-on, Azure and Kubernetes cluster, I guess. So we can see like which pipeline has failed, which action has failed. And we can also see all the passed actions. Or if I clear all that, then you have a list of all the policies that have been checked and which one has been failing. So for example, here I have the CKV, this one, which is failing. So, and here I can go, when I go to this file, I will go to that website and see what is the recommendation from where to. And here basically they just said that I should enable this. I thought I had done it, but let's go back here. And add-on profile, OMS, Azure policy, yeah, I should basically add just this here. Okay, so let's, that will take some time. Enable equal to and then I can remove this. All right, so let's do like this. And yeah, I have something like that. So let's fix the Terraform format. Yeah, yeah, that seems all right to me. And now we can push the change with Azure policy, which is enabled. Enable Azure policy. And that's a bit what I was wanting to show you, it was also that we can fail the pipeline in regards of the configuration that we have done. And then now I'm running a new pipeline with a change I just committed. So let's go here for the last pipeline. Let's wait a bit for the fact that it installs Checkov and initializes the Terraform.
Yeah, this is always a bit painful to wait for the all those that to be applied, but yeah, that's the live demo, right? We need to be a bit patient. And so now the different steps are successful. I know I will go to the plan. And I, like I mentioned before inside the pipeline in the plan. So we will generate here the Terraform plan. We will output the configuration to a specific test plan file, which is domain. And then we'll use that file with the Checkov CLI here. Basically, we'll show the season first we'll compare the test plan in JSON and then we scan the JSON file with Checkov. Okay. And that's what we do over here. So initialize Terraform again and then it should go through, which is kind of, yeah, which could be interesting as well is that you have like some, like a lot of information here in the test plan. When you go to the ones, I think, and I will open it in different tab and I will show you that just right after. But, oh, I can show you. And that's where is the one. Yeah. We don't have anything. So if you double click here, you have also this kind of a diagram and you know that you have eight check which are passed for that they've not been executed. So that means those are the different check from Checkov I did and the one that I passed. The one I skipped basically. Okay. So now if I go back to the pipeline, yeah, okay, still doing the Terraform plan and that's Terraform taking some time for that. But otherwise, yeah, I think we'll go like maybe I can show you like very quickly on the Terraform via the Checkov website here that you can visit. I share the link in the chat. So you can also go there and create some custom policies if you want to. And otherwise just to show you like a couple of lines all to do the integration with GitHub Action and here if I have my Terraform basically that's how you should do.
So you should set up Python 3.8 and then you can with the Checkov action you can just pass couple of parameters that one and here you have the different option that we have seen into the CLI. You have them also. It's very sorry. Can you zoom in again please? Yeah. It's hard to read. No problem. To be screened for me. Yeah, so basically what I think is like we set up the 3.8 Python environment and then we can use the Checkov action which is out of the box but you can just use like this and then you give like couple of parameters to skip some check if you don't want to skip some check and you can use wildcard here, right? So you can for example if you don't want to scan to check anything which is AWS you can do CKV underscore AWS star and it will skip all that. Then you have the quiet option, you have the soft fail, so for example if you want to make sure that the pipeline goes all fine goes okay. Even if you have like failed check it through and it will allow and it will return a zero to the command instead of one in case of failure. Then you have to specify the framework that you are using and the output that you want and so on. And then we can in that way we can also in GitHub if I come back here in action. Simon just a quick reminder we have five minutes left. Thank you. Yeah, sure. I'm almost done. And here we have like also this kind of repo that you have which are a bit less sexy than Azure DevOps so that's why I spend most of my time on Azure DevOps. But yeah, basically that's all I wanted to show you and if I come back here on the Checkov here I have the branch and here you have the test and this is what I wanted to show you today. So yeah, if there is any question please use the chat that you have in the bottom right of the screen if I remember correctly and yeah, I don't know if there is any question. Yeah, we had a couple of questions.
I tried to answer them already. So we had some questions around the documentation, where we can find learning content. Then we had some questions around how we create this Checkov policies. I answered them by using the open source pull requests to create new content, and also it's managed by the product management, so when we see new vulnerabilities coming up then we integrate them into the latest version. And yeah, maybe Simon, from your perspective, when we look at the demo and what we can achieve with great results including them in the CI/CD pipeline, what is the best starting point that you see for someone who's new to Checkov, what did you... Yeah, it's like for me, and that's what I did when I discovered Checkov, just install the CLI, then go inside the like a directory that I used to have and then improve my Terraform template. I'm a big fan of Terraform, so yeah, and I was like really happy to see how fast I can go like improving my Terraform template and how to better secure. Because the problem also, like you explained, if you have like a Terraform template the idea behind it is to reuse it and reuse it, and then you might end up with a lot of, if you need to fix, if you discover that you have like a misconfiguration inside Terraform template that you have been using I don't know for like 100 times, then you have to fix like a 100 protection issue and that could be like a lot of issues. That's a bit, I was like really impressed by all the recommendations and how to improve the security before to before to push the configuration and so on. Okay, thank you.
We have one question, one new question from Lorenzo. He's asking how the Bridgecrew pricing plan works. We are actually counting in the pricing plan the number of code blocks and we have something that is called credits, so we, you buy licenses through credits and then we count the code blocks against the number of credits, and for example 50 resources would divide 50 by 3 and then you have the number of credits we are using. Any other questions? Maybe as additional information, we don't count execution of scans, we just count how many number of resources we are scanning, not the number of scans. So for example here in my Terraform Kubernetes cluster we have a container registry, we have an Azure Kubernetes cluster and here we have a role assignment, that would be like 3 resources that would count as like one credit in terms of Prisma Cloud. But Checkov is free, I mean it's free to use, it's open source, so you can use Checkov without the Bridgecrew program platform. So do we have any other question? Thank you to Bruno to give me the solution to fix my error with the IP. I should have copy paste, I'm not quite sure. Okay, cool. So then from my point of view it's thank you very much for your attention and for joining our webinar today. I would like to close the webinar for a couple of minutes giving you back, and Simon, thank you very much for being the god today, and enjoy your day, enjoy your evening. Thank you, bye bye. Bye guys, thank you very much for your time.