Run Security Analysis using Gemini CLI locally and on GitHub
Key Takeaways
Runs security analysis using Gemini CLI locally and on GitHub
Full Transcript
The speed and volume of code getting written today has increased manyfold with the use of AI. To keep up with code reviews, especially from a security perspective, we benefit from tapping into the power of AI.

Gemini CLI has an open-source, Google-built extension for running security analysis. The security extension offers a range of vulnerability scanning capabilities, including secrets management, insecure data handling, injection vulnerabilities, authentication, and LLM safety. Most recently, it has also added dependency scanning using the Google-based OSV, or Open Source Vulnerabilities, database. Many Google-owned repos have already started using the security extension to review pull requests. Let's look at some quick examples. This one from Gemini CLI is about arbitrary file read. This one, also from Gemini CLI, is about bypassing the environment reduction logic. From Project Chip, this one is for a path traversal vulnerability. From Flutter, this one calls out using timestamps as hash codes.

Now, we will look at how to use the security extension locally and how to use it to review PRs on GitHub through GitHub Actions.

To use it locally, we first install the extension. After it's installed, we open Gemini in a project. Use the slash command `/security` to bring up the custom commands in the extension and choose a custom command to run. You can customize the command with natural language: "Scan all my HTML files." I turn on Yolo mode with Ctrl+Y because the extension does read-only operations. It creates a to-do list first to define the audit scope. Then, it analyzes the files in scope, checking off tasks as it goes. Finally, it produces a summary of its findings. Running this kind of local analysis is a good practice for an individual code contributor, especially before committing code publicly.

But, if you manage a team or a GitHub repository with multiple contributors, integrating the security extension as part of your CI/CD will make sure everyone's contributions pass the same bar, even if some of us forget to run it locally first. To set up, copy the example workflow from the official security extension repo into your repo. Then, create these Actions variables by running a shell script that configures authentication from GitHub to Google Cloud using workload identity federation. When the workflow is ready, a new PR will trigger the workflow and call on the security extension to conduct a security review. For existing PRs, you can type `@GeminiCLI/review` to start a review.

With the security extension today, we have the ability to identify and fix security flaws immediately, shifting security down. Because the security extension is designed with an extensible architecture, we have confidence in its future expansion when more advanced security analysis techniques are available as tools.

We just introduced you to the security extension and showed you how to use it locally and on GitHub. We are excited to have you try it in your code base and experiment with more creative ways to include it in your CI/CD workflow. Check out this codelab with free Google Cloud credits to take the Gemini CLI security extension for a spin and let us know how it goes.
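The CI flow the video describes (a workflow triggered by new PRs or by an `@GeminiCLI/review` comment, authenticating to Google Cloud through workload identity federation instead of a stored key), written out as an added example. This is not the workflow shipped in the extension's repo, which is the one to copy in practice. The variable names `GCP_WIF_PROVIDER`, `GCP_SERVICE_ACCOUNT`, `GCP_PROJECT_ID` and `GCP_LOCATION`, and the `/security:analyze` command name, are assumptions; the shell script mentioned in the video defines the real variable names, and `/security` in an interactive session lists the real command names.

```yaml
# Added example, not the extension's own workflow. Variable names and the
# /security:analyze command are assumptions; confirm them against the official repo.
name: Gemini CLI security review

on:
  pull_request:
    types: [opened, synchronize, reopened]
  issue_comment:
    types: [created]

permissions:
  contents: read          # read the code under review
  id-token: write         # mint the GitHub OIDC token that workload identity federation exchanges
  pull-requests: write    # let the review post its findings as a PR comment

jobs:
  security-review:
    # Run for every new or updated PR, or when a PR comment asks for a review.
    if: >-
      github.event_name == 'pull_request' ||
      (github.event.issue.pull_request && contains(github.event.comment.body, '@GeminiCLI/review'))
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # On a comment trigger the default checkout is the base branch, so resolve the PR head explicitly.
          ref: ${{ github.event.pull_request.head.sha || format('refs/pull/{0}/head', github.event.issue.number) }}
          fetch-depth: 0   # full history so the base branch is available for a diff

      # Keyless auth: the OIDC token is exchanged for short-lived Google Cloud
      # credentials, so no service-account key is ever stored in the repository.
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install Gemini CLI and the security extension
        run: |
          npm install -g @google/gemini-cli
          gemini extensions install https://github.com/gemini-cli-extensions/security

      - name: Run the security review
        env:
          GOOGLE_GENAI_USE_VERTEXAI: "true"
          GOOGLE_CLOUD_PROJECT: ${{ vars.GCP_PROJECT_ID }}
          GOOGLE_CLOUD_LOCATION: ${{ vars.GCP_LOCATION }}
          BASE_REF: ${{ github.event.pull_request.base.ref || 'main' }}
        # --yolo auto-approves tool calls, acceptable because the extension's
        # analysis is read-only, as the video notes. -p runs a single prompt non-interactively.
        run: |
          gemini --yolo -p "/security:analyze Review only the files changed relative to origin/${BASE_REF} and summarize each finding with severity and file location."
```

Two caveats a repository owner should settle before relying on this: `pull_request` runs from forks do not receive an `id-token: write` token, so the WIF exchange only works for branches in the same repository; and the `issue_comment` trigger fires for anyone who can comment, so gating the `if:` on `github.event.comment.author_association` (for example `MEMBER` or `OWNER`) keeps review runs, and the cloud spend they incur, under the maintainers' control.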
Original Description
Codelab → https://goo.gle/4rJxXoh
Whether you are working on a solo project or as part of a team, doing regular security checks is a good security practice. The Gemini CLI Security Extension team has built out tools that scan your code for a variety of security risks. In this video, we will see how to use it in your day to day.
Speakers: Tianzi Cai
Products Mentioned: Gemini CLI Security Extension