Run Security Analysis using Gemini CLI locally and on GitHub

Google Cloud Tech · Intermediate ·🧠 Large Language Models ·2mo ago

Key Takeaways

Runs security analysis using Gemini CLI locally and on GitHub

Full Transcript

[music] >> The speed and volume of code getting written today has increased many fold with the use of AI. To keep up with code reviews, especially from a security perspective, we benefit from tapping into the power of AI. >> [music] >> Gemini CLI has an open-source Google built extension for running security analysis. The security extension offers a range of vulnerability scanning capabilities, including secrets management, insecure data handling, injection vulnerabilities, authentication, and LLM safety. Most recently, it has also added dependency scanning using the Google-based OSV or open-source vulnerabilities database. Many Google-owned repos have already started using the security extension to review pull requests. Let's look at some quick examples. This one from Gemini CLI is about arbitrary file read. This one, also from Gemini CLI, is about bypassing the environment reduction logic. From Project Chip, this one is for a path traversal vulnerability. From Flutter, this one calls out using timestamps as hash codes. >> [music] >> Now, we will look at how to use the security extension locally and how to use it to review PRs on GitHub through GitHub actions. >> [music] >> To use it locally, we first install the extension. After it's installed, we open Gemini in a project. Use the slash command security to bring up the custom commands in the extension and choose a custom command to run. You can customize the command with natural language. Scan all my HTML files. I turn on Yolo mode with control Y because the extension does read-only operations. It creates a to-do list first to define the audit scope. Then, it analyzes the files in scope, checking off tasks as it goes. Finally, it produces a summary of its findings. Running this kind of local analysis is a good practice for an individual code contributor, especially before committing code publicly. But, if you manage a team or a GitHub repository with multiple contributors, integrating the security extension as part of your CI/CD will make sure everyone's contributions pass the same bar, even if some of us forget to run it locally first. To set up, copy the example workflow from the official security extension repo into your repo. Then, create these actions variables by running a shell script that configures authentication from GitHub to Google Cloud using workload identity federation. When the workflow is ready, a new PR will trigger the workflow and call on the security extension to conduct a security review. For existing PRs, you can type @GeminiCLI/review to start a review. >> [music] >> With the security extension today, we have the ability to identify and fix security flaws immediately, shifting security down. Because the security extension is designed with an extensible architecture, we have confidence in its future expansion when more advanced security analysis techniques are available as tools. >> [music] >> We just introduced you to the security extension [music] and showed you how to use it locally and on GitHub. We are excited to have you try it in your code [music] base and experiment with more creative ways to include it in your CI/CD workflow. Check out this code lab with free Google Cloud credits >> [music] >> to take the Gemini CLI security extension for a spin and let us know how it goes. >> [music]

Original Description

Codelab → https://goo.gle/4rJxXoh Whether you are working on a solo project or as part of a team, doing regular security checks is a good security practice. The Gemini CLI Security Extension team has built out tools that scan your code for a variety of security risks. In this video, we will see how to use it in your day to day. 🔔 Subscribe to Google Cloud Tech → https://goo.gle/GoogleCloudTech #Gemini #GoogleCloud Speakers: Tianzi Cai Products Mentioned: Gemini CLI Security Extension
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Related AI Lessons

Building HITL Feedback RAG: Embeddings, Retrieval, and Reranking
Learn to build a Human-in-the-Loop (HITL) Feedback RAG system using embeddings, retrieval, and reranking to improve model performance
Medium · AI
Building HITL Feedback RAG: Embeddings, Retrieval, and Reranking
Learn to build a Human-in-the-Loop (HITL) Feedback RAG system using embeddings, retrieval, and reranking to improve LLM performance
Medium · LLM
The 2026 AI Model Release Race: Every Major LLM Launch You Need to Know
Stay updated on the 2026 AI model release race, including major LLM launches like Claude Sonnet 5 and GPT-5.6, to leverage the latest advancements in AI technology
Dev.to AI
Call GPT, Claude, and Gemini from one API key — a 3-step setup
Access GPT, Claude, and Gemini through one API key with a 3-step setup using Modelishub
Dev.to AI
Up next
5 Levels of AI Agents - From Simple LLM Calls to Multi-Agent Systems
Dave Ebbelaar (LLM Eng)
Watch →