When Postmates needed a way to scale application security across hundreds of repositories, it deployed GitHub Advanced Security in Azure. Get the story to see how the company's lean security team and developers benefited from automating vulnerability detection and embedding security into developer workflows, uncovering hidden issue variants more easily and improving consistency and efficiency.
How does Postmates use GitHub Advanced Security to find vulnerabilities early?
Postmates uses GitHub Advanced Security as a core part of its application security program to spot issues early and reduce manual work for a lean security team.
Here’s how it fits into their setup:
- Two security focus areas:
  - Platform Security handles network security policies and broader infrastructure controls.
  - AppSec runs security reviews and manages the bug bounty program.
- Static analysis with CodeQL: Advanced Security’s CodeQL engine performs static analysis on the codebase to systematically find bugs and vulnerabilities across multiple languages (including Python, JavaScript, Java, TypeScript, and Go).
- Automation in the development workflow: Using GitHub Actions, Postmates scans code whenever there’s a push to the main branch and also on a weekly schedule. This “shift-left” approach lets engineers catch issues as they code, instead of at the end of a release cycle.
- Variant detection: When a single issue is found (for example, in the buyer app), CodeQL helps uncover similar variants in related codebases, such as the merchant and courier apps. This turns one finding into a broader clean-up across products.
By combining policy, automation, and GitHub Advanced Security, Postmates is able to keep a large, multi-app ecosystem safer with a relatively small security team.
Why did Postmates choose CodeQL over other static analysis tools?
Postmates evaluated several static analysis tools and ultimately chose CodeQL as part of GitHub Advanced Security because it better matched their technical and operational needs.
Key reasons:
- Language coverage: They needed strong support for Python, JavaScript, Java, TypeScript, and Go. Many tools they tested either didn’t support all of these languages or didn’t meet expectations on quality of results.
- Custom queries instead of a “black box”: Earlier tools felt like black boxes: you run a scan and hope the results are useful. With CodeQL, Postmates can write their own queries, tailoring detection to their codebase, patterns, and risk profile.
- Variant analysis: CodeQL can track data from source to sink, which is particularly useful for issues like cross-site scripting. When a third-party researcher or internal review finds one issue, CodeQL helps locate similar variants across other services and apps—something that would otherwise be a tedious, manual process.
- Growing query ecosystem: Out of the box, CodeQL ships with an open source repository containing thousands of queries. That library continues to expand through contributions from GitHub and other companies, which increases the value of their static analysis over time.
- Better collaboration with developers: Query results highlight patterns such as hard-coded passwords or disabled certificate validation. Security can then show teams where these practices appear and coach them on better approaches, improving both security and code quality.
In practice, CodeQL helps Postmates reimagine static analysis from a one-off scanning activity into a customizable, automated system that scales with their engineering organization.
How does Postmates combine GitHub tools to manage security at scale?
Postmates uses a combination of GitHub capabilities and internal tooling to manage security across a large, fast-moving codebase.
Here’s how the pieces work together:
- Dependabot and dependency graph:
  - Dependabot is enabled on every repository, including new ones.
  - It surfaces vulnerabilities in open source dependencies and creates automated pull requests to update them.
  - This aligns with their view that “for modern startups, everything is open source,” and that frequently updating dependencies is a good problem to have because it means vulnerabilities are being found and fixed.
- Secret scanning:
  - GitHub’s secret scanning helps catch issues like exposed credentials early.
  - Findings are pulled into the same tracking pipeline as other security issues.
- Centralized triage and tracking:
  - Using the GitHub API, Postmates aggregates issues identified by CodeQL and other scanners.
  - These are turned into Jira tickets for engineering teams to work on.
  - Tickets are then synced into ZenGRC, which manages compliance tasks and automatically pings developers as needed.
- Low false positives and developer experience:
  - They emphasize low false positive rates so engineers aren’t overwhelmed with noise.
  - This supports their goal of being seen as partners to developers—“we’re here to help, not slow them down.”
By integrating GitHub Advanced Security, Dependabot, secret scanning, Actions, and APIs into a single pipeline, Postmates has rethought how a small security team can oversee many repositories, keep dependencies current, and move from detection to remediation in a structured, trackable way.
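As an added example (not code from Postmates or GitHub), here is how the centralized triage step described above might normalize open alerts from GitHub's code-scanning, Dependabot and secret-scanning alert endpoints into one ticket-shaped record before anything is pushed to Jira. The sample payloads, repo name and rule ids are constructed and only shaped like the REST API's alert objects; the field names used are an assumption about that shape.

```python
from collections import namedtuple
# One ticket-shaped record for every scanner; key is stable so a re-run does not open a second ticket
Finding = namedtuple("Finding", "key source repo severity title location")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}

def from_code_scanning(repo, a):
    rule, loc = a["rule"], a["most_recent_instance"]["location"]
    sev = rule.get("security_severity_level") or rule.get("severity") or "unknown"
    return Finding(f"{repo}:code-scanning:{a['number']}", a["tool"]["name"].lower(), repo,
                   sev.lower(), rule["description"], f"{loc['path']}:{loc['start_line']}")

def from_dependabot(repo, a):
    adv, dep = a["security_advisory"], a["dependency"]
    return Finding(f"{repo}:dependabot:{a['number']}", "dependabot", repo, adv["severity"].lower(),
                   adv["summary"], f"{dep['manifest_path']} ({dep['package']['name']})")

def from_secret_scanning(repo, a):
    # Only the secret type goes into the ticket; the matched secret value is never copied out.
    return Finding(f"{repo}:secret-scanning:{a['number']}", "secret_scanning", repo, "critical",
                   f"Exposed {a['secret_type_display_name']}", "see GitHub alert")

def triage(repo, code_alerts, dep_alerts, secret_alerts):
    """Open alerts from all three scanners, deduplicated by key, most severe first."""
    findings = {}
    for convert, alerts in ((from_code_scanning, code_alerts), (from_dependabot, dep_alerts),
                            (from_secret_scanning, secret_alerts)):
        for a in alerts:
            if a["state"] == "open":  # fixed or dismissed alerts never become tickets
                f = convert(repo, a)
                findings.setdefault(f.key, f)
    return sorted(findings.values(), key=lambda f: (SEVERITY_RANK.get(f.severity, 4), f.key))

# Constructed sample payloads, shaped like the GitHub REST API alert objects (assumption).
CODE_ALERTS = [
    {"number": 7, "state": "open", "tool": {"name": "CodeQL"},
     "rule": {"id": "example/hardcoded-credentials", "severity": "error",
              "security_severity_level": "high", "description": "Hard-coded credentials"},
     "most_recent_instance": {"location": {"path": "app/db.py", "start_line": 12}}},
    {"number": 8, "state": "fixed", "tool": {"name": "CodeQL"},
     "rule": {"id": "example/reflected-xss", "severity": "error", "description": "Reflected XSS"},
     "most_recent_instance": {"location": {"path": "app/views.py", "start_line": 40}}},
]
DEP_ALERTS = [{"number": 3, "state": "open",
               "security_advisory": {"severity": "critical", "summary": "RCE in example-lib"},
               "dependency": {"manifest_path": "requirements.txt", "package": {"name": "example-lib"}}}]
SECRET_ALERTS = [{"number": 1, "state": "open", "secret_type_display_name": "Example Webhook URL"}]

if __name__ == "__main__":
    for f in triage("example-org/buyer-app", CODE_ALERTS, DEP_ALERTS, SECRET_ALERTS):
        print(f.severity, f.source, f.title, f.location)
```

The fixed CodeQL alert is dropped and the duplicate-key check keeps a weekly re-run from re-filing tickets that already exist.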