Postmates uses GitHub Advanced Security to automatically surface vulnerabilities before hackers do.
When Postmates needed a way to scale application security across hundreds of repositories, it deployed GitHub Advanced Security in Azure. Get the story to see how the company's lean security team and developers benefited from automating vulnerability detection and embedding security into developer workflows: uncovering hidden issue variants more easily and improving consistency and efficiency.
How does Postmates use GitHub Advanced Security to protect its apps?
Postmates uses GitHub Advanced Security as a core part of its application security program to keep customers, merchants, and couriers safe both in the app and behind the scenes.
A small, specialized security team is split into Application Security (AppSec) and Platform Security:
- **Platform Security** manages areas like network security policies.
- **AppSec** runs security reviews and the bug bounty program.
On top of this structure, GitHub Advanced Security provides:
- **CodeQL static analysis** to automatically surface vulnerabilities in the codebase before attackers can exploit them.
- **Dependabot** to identify and help update vulnerable open source dependencies.
- **Secret scanning** to detect hard-coded credentials and other sensitive information.
Postmates runs CodeQL scans on code pushes to the main branch and on a weekly schedule. This helps engineers find and fix issues early in the development cycle, rather than discovering them late when they’re more time-consuming to remediate. The result is a more consistent, automated way to identify vulnerabilities across their buyer, merchant, and courier applications, even with a lean security team.
Why did Postmates choose CodeQL over other static analysis tools?
Postmates evaluated other static analysis tools, including SonarQube and Veracode, but ultimately chose CodeQL as part of GitHub Advanced Security for several reasons:
1. **Language coverage that matched their stack**
Postmates needed support for **Python, JavaScript, Java, TypeScript, and Go**. Many tools they looked at either lacked coverage for these languages or didn’t meet their expectations in those ecosystems. CodeQL met this language requirement.
2. **Transparency and control instead of a “black box”**
Some tools felt like black boxes: you run a scan and get results that may or may not be useful, with limited insight into how they were produced. With **CodeQL**, Postmates can **write and customize their own queries**, which gives the team more control over what they detect and how.
3. **Variant analysis and data flow tracking**
CodeQL can **track data from source to sink**, which is particularly useful for issues like cross-site scripting (XSS). When a single vulnerability is found, CodeQL helps uncover **variants of the same issue** across multiple services and apps (for example, from the buyer app into the merchant and courier apps). This turns what used to be a tedious, manual search into an automated process.
4. **Growing open source query ecosystem**
CodeQL ships with an **open source repository of thousands of queries**, and that library continues to expand through contributions from GitHub and other companies. Postmates sees this as a way to continually improve their static analysis coverage without starting from scratch.
Overall, CodeQL lets Postmates reimagine static analysis as something they can tune to their environment, rather than a one-size-fits-all scanner.
How does Postmates automate security workflows with GitHub and other tools?
Postmates has built an automated security pipeline around GitHub Advanced Security to make the most of a lean security team and reduce manual work for engineers.
Key elements of their automation include:
1. **Automated scanning in the development workflow**
- Using **GitHub Actions**, Postmates runs CodeQL scans **whenever code is pushed to the main branch** and **at least once a week**.
- This “shift left” approach helps developers catch issues as they write code, instead of at the end of a release cycle.
2. **Dependabot and secret scanning everywhere**
- **Dependabot** and **secret scanning** are enabled on **every repository**, including newly created ones.
- This has surfaced “a ton of important things to address,” especially around vulnerable dependencies and exposed secrets.
- Automated pull requests and alerts help teams understand and update open source components more frequently, which Postmates views as a healthy sign that vulnerabilities are being found and fixed.
3. **Centralized triage and tracking with Jira and ZenGRC**
- Postmates uses the **GitHub API** to pull in issues identified by CodeQL and automatically create **Jira tickets**.
- These tickets are then synced into **ZenGRC**, which manages compliance tasks and automatically pings developers to follow up.
- ZenGRC also aggregates issues from **secret scanning** and **dependency graph/Dependabot**, giving the team a single place to track repository updates and vulnerable dependencies.
4. **Focus on low false positives and developer experience**
- Low false positive rates are important so engineers don’t waste time on non-issues.
- The security team positions itself as a partner to developers—“we’re here to help, not slow them down”—and uses automation to remove friction rather than add it.
By combining GitHub Advanced Security, CodeQL, Dependabot, secret scanning, and integrations with Jira and ZenGRC, Postmates has rethought its security operations from report to remediation, making it easier to find, track, and fix vulnerabilities on an ongoing basis.
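The CodeQL-to-Jira hand-off described above, as an added example (not Postmates' own integration code): it assumes the alert shape returned by GitHub's REST endpoint `GET /repos/{owner}/{repo}/code-scanning/alerts` and the Jira Cloud "create issue" request body, skips alerts that are already fixed or dismissed, and uses a stable label to avoid opening a second ticket for an alert that already has one. The sample alerts are constructed.

```python
"""Map GitHub code-scanning alerts to Jira issue payloads (added example).

Assumed shapes: GitHub code-scanning alert objects and the Jira Cloud
REST create-issue body. The repo name and alerts below are constructed.
"""
import json

# Constructed sample alerts: two open findings and one that is already fixed.
SAMPLE_ALERTS = [
    {"number": 7, "state": "open",
     "html_url": "https://github.com/example/buyer-app/security/code-scanning/7",
     "rule": {"id": "js/xss", "severity": "error", "security_severity_level": "high",
              "description": "Reflected cross-site scripting"},
     "most_recent_instance": {"ref": "refs/heads/main",
                              "location": {"path": "src/render.js", "start_line": 42}}},
    {"number": 9, "state": "open",
     "html_url": "https://github.com/example/buyer-app/security/code-scanning/9",
     "rule": {"id": "py/sql-injection", "severity": "error", "security_severity_level": "critical",
              "description": "SQL query built from user input"},
     "most_recent_instance": {"ref": "refs/heads/main",
                              "location": {"path": "api/orders.py", "start_line": 88}}},
    {"number": 3, "state": "fixed",
     "html_url": "https://github.com/example/buyer-app/security/code-scanning/3",
     "rule": {"id": "js/log-injection", "severity": "warning", "security_severity_level": "medium",
              "description": "Log injection"},
     "most_recent_instance": {"ref": "refs/heads/main",
                              "location": {"path": "src/log.js", "start_line": 10}}},
]

# GitHub security severity -> Jira default priority names.
PRIORITY = {"critical": "Highest", "high": "High", "medium": "Medium", "low": "Low"}

def alert_key(repo, alert):
    """Stable Jira label that identifies one alert, so re-runs do not duplicate tickets."""
    return f"ghas-{repo.replace('/', '-')}-{alert['number']}"

def select_new_alerts(repo, alerts, existing_keys):
    """Keep open alerts with no ticket yet; fixed and dismissed alerts are skipped."""
    return [a for a in alerts if a["state"] == "open" and alert_key(repo, a) not in existing_keys]

def build_jira_issue(repo, alert, project_key):
    """Build the JSON body for Jira's create-issue endpoint from one alert."""
    rule, loc = alert["rule"], alert["most_recent_instance"]["location"]
    sev = rule.get("security_severity_level") or "low"
    return {"fields": {
        "project": {"key": project_key}, "issuetype": {"name": "Bug"},
        "summary": f"[CodeQL] {rule['id']} in {repo}:{loc['path']}",
        "description": f"{rule['description']}\n\n{loc['path']}:{loc['start_line']}\n{alert['html_url']}",
        "priority": {"name": PRIORITY.get(sev, "Low")},
        "labels": ["codeql", alert_key(repo, alert)]}}

def issues_for(repo, alerts, existing_keys, project_key="SEC"):
    """Return the create-issue bodies for every alert that still needs a ticket."""
    return [build_jira_issue(repo, a, project_key) for a in select_new_alerts(repo, alerts, existing_keys)]

if __name__ == "__main__":
    print(json.dumps(issues_for("example/buyer-app", SAMPLE_ALERTS, set()), indent=2))
```

In a real pipeline `existing_keys` would be filled from a Jira JQL search on the `ghas-*` labels before each run, and each returned body posted to the Jira create-issue endpoint.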
published by SplashDev