
Bill Reyor

Workshop: Introduction to DevSecOps Workshop


Bill Reyor - Bill is Director of Security Consulting at Modus Create and leads a department of individuals who specialize in Cloud Security, DevSecOps, Penetration Testing and Security Operations. He is an organizer of BSides CT and a contributor to Modus Create's thought leadership team on AI and AI security.


The Introduction to DevSecOps Workshop gives BSides PR participants an introduction to DevSecOps using GitHub and open source tools.

Attendees will learn about setting up a local development environment including pre-commit hooks and other preventative measures. Students will then progress into building out a simple CI/CD pipeline that uses free and open source tooling.

A Short Description:

Introduction (15 mins)

Discussing the purpose of shifting left and security in software development

Pre-setup Phase

Students will be guided through:

● Setting up a GitHub user account

● Fork and Clone the example code repository

Security within the IDE (30 mins)

Attendees will learn to integrate security measures into their local development environment to act as a preventative mechanism:

● Setting up pre-commit hooks will be explored. This includes tools such as Talisman, which scans staged files and rejects a commit that appears to contain a secret.

● Git ignores. A .gitignore file is a useful mechanism for preventing config files containing secrets, or other files such as .zip archives, from being committed to a repository.
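The local hook setup described above, written out as an added example that is not part of the workshop materials: a `.pre-commit-config.yaml` that wires Talisman into the pre-commit framework (https://pre-commit.com) so every commit is scanned for likely secrets before it is created, alongside two hooks from the pre-commit project's own hook collection that catch private keys and oversized binaries. The two `rev` values are placeholders and must be replaced with releases you have verified; the hook ids are the ones the respective projects publish.

```yaml
# .pre-commit-config.yaml  (added example; not the workshop repository's file)
repos:
  # Talisman: scans staged files for credentials, private keys, high-entropy
  # strings and other likely secrets, and fails the commit if it finds any.
  - repo: https://github.com/thoughtworks/talisman
    rev: v1.32.0            # placeholder: pin to the Talisman release you verified
    hooks:
      - id: talisman-commit  # pre-commit stage; talisman-push is the pre-push variant

  # Generic hooks that complement .gitignore rules.
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0             # placeholder: pin to a verified release
    hooks:
      - id: detect-private-key        # rejects files containing PEM private key headers
      - id: check-added-large-files   # rejects large binaries such as a stray .zip
        args: ["--maxkb=500"]         # assumed threshold; tune for the repository
```

Install the framework (`pip install pre-commit`), then run `pre-commit install` in the clone to write `.git/hooks/pre-commit`, and `pre-commit run --all-files` once to scan what is already checked in. Pair this with a `.gitignore` listing the files that should never be staged in the first place (for example `.env`, `*.pem`, `*.zip`). Two caveats a practitioner should keep in mind: hooks only run on the machine where they were installed, and any developer can skip them with `git commit --no-verify`, which is why the repository-side scanning in the next section is still needed.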

Scanning the Repository (60 mins)

Students will build a simple CI/CD pipeline which demonstrates techniques such as secrets scanning and vulnerability detection:

● The first topic covered is how to enable branch protection rules and PR gating mechanisms in GitHub. These can then be integrated with CI/CD tools so that a failing scan blocks the merge.

● Next, a demonstration of how secret scanning can be performed on the source code will be presented. This includes examples from GitHub's built-in secret scanning and then the open source Horusec tool.

● Students are then introduced to detecting security vulnerabilities in the repository's own source code through static analysis. Horusec and CodeQL will be used to demonstrate this.

● Finally, dependency analysis and SBOMs will be covered. GitHub's Dependabot provides a mechanism for analyzing the software dependencies of a code base and understanding whether they contain known vulnerabilities (CVEs). Here we wrap up with a walkthrough of Dependabot and an overview of SBOMs.
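The PR-gating and vulnerability-detection steps above, shown as one added example that is not part of the workshop repository: a GitHub Actions workflow that runs CodeQL on every pull request targeting `main`, producing the status check that a branch protection rule can require before merge. The branch name, the project language (`javascript`) and the choice of the `security-extended` query pack are assumptions for the example; the action names and their `permissions` requirements are GitHub's own.

```yaml
# .github/workflows/codeql.yml  (added example; not the workshop repository's file)
name: CodeQL

on:
  push:
    branches: [ main ]          # assumption: default branch is main
  pull_request:
    branches: [ main ]

# Least privilege for the workflow token: read the code, upload scan results.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  analyze:
    name: CodeQL analysis       # this job name is what branch protection requires
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Initialise CodeQL for the assumed language; list each language the repo uses.
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
          queries: security-extended   # assumption: broader security query pack

      # Interpreted languages need no build; compiled ones need a build step here.
      - uses: github/codeql-action/analyze@v3
```

Once the workflow has run at least once, open Settings > Branches, add a protection rule for `main`, enable "Require a pull request before merging" and "Require status checks to pass before merging", and select the "CodeQL analysis" check; findings appear under the repository's Security tab. Two caveats: pull requests from forks run with a read-only token, so result upload behaves differently there, and CodeQL is free only for public repositories (private ones need GitHub Advanced Security). Dependabot is configured separately in `.github/dependabot.yml` (a `version: 2` file with one `updates` entry per package ecosystem), while alerts for known CVEs in dependencies and the SPDX SBOM export are enabled from the repository's Code security settings and dependency graph rather than from a workflow.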

Wrap-up (15 mins)

● Recap of what we’ve learned

● Q&A

Setup Information: distributed separately as a downloadable text file.
