
Find vulns in your code before they find you
Security vulnerabilities don’t wait for you to find them — and as developers we are often unknowingly introducing them through the open source packages we depend on. In this episode, Chris is joined by DeveloperSteve Coochin, Developer Advocate at Snyk, to explore the real-world scale of the problem and what developers can do about it without slowing down.
Steve shares findings from his research into vulnerabilities in the PHP ecosystem — some of the results are genuinely surprising — and explains the core challenge: developers are not introducing vulnerabilities maliciously or carelessly, they are simply unaware of what is hiding inside their transitive dependencies. The solution is not to stop using open source (that ship has sailed), but to automate detection and remediation as close to the developer as possible.
Key topics covered:
- The scale and reality of open source dependency vulnerabilities across popular ecosystems including PHP and npm
- Why developers unknowingly ship insecure dependencies — and why traditional security processes fail to catch them early
- Using Snyk to scan code and dependencies for known CVEs as part of local development and CI/CD pipelines
- Integrating automated vulnerability scanning into GitHub workflows to enforce security gates without blocking productivity
- The difference between finding a vulnerability and knowing what to do about it: actionable fix suggestions vs noise
- A developer-first philosophy for security: make it easy to fix, not just easy to detect
This episode makes a practical case for shifting security left — not as a compliance checkbox, but as a day-to-day engineering discipline that keeps teams shipping with confidence.
Related Content

Discussing the Cloud with Chris GitHub Actions Usage
Chris is joined by Karl Cooke (IrishTechie) for a live deep-dive into the GitHub Actions workflows powering CloudWithChris.com. They explore why GitHub was chosen over Azure DevOps, walk through a real-world CI/CD pipeline for a Hugo static site deployed to Azure Blob Storage with CDN purging, and examine how to manage secrets and approvals using GitHub Environments. The session also covers linting Markdown with GitHub Super Linter, early thinking on Playwright-based UI tests, the security considerations around third-party actions from the marketplace, and building a custom .NET GitHub Action for content cross-posting.

V024 - Weekly Technology Vlog #24
Recorded on a Monday morning after a sunny weekend, vlog #24 delivers the week's Azure, Azure DevOps, and GitHub news — covering Azure Virtual Desktop's rebrand, enterprise-scale landing zones for AKS, Azure Migrate private endpoint support, and GitHub supply chain security updates. Chris also recaps recent Cloud with Chris sessions on GitHub Actions, Azure Arc for apps, hybrid cloud, and the Geode pattern, then previews the upcoming Azure VMware Solution session with Shannon Keane and John Lund's cloud journey.

V023 - Weekly Technology Vlog #23
Chris rounds up the week's Azure, Azure DevOps, and GitHub news — including the rebrand of Windows Virtual Desktop to Azure Virtual Desktop, Azure FHIR healthcare API updates, SAP on Azure, and a preview of the Azure Arc hybrid and multi-cloud digital event. On the GitHub side, supply chain security takes the spotlight with package registry credential scanning, Dependabot enhancements, and GitHub's Blacktocat fifth anniversary celebrating Black voices in tech. Cloud with Chris recaps include Karl Cooke on GitHub Actions, Azure Arc for apps (Event Grid), Sarah Lean on hybrid cloud and DevRel life, and Will Esprit demonstrating the Geode pattern hands-on.