Santh (@SanthProject)
Cybersecurity and low-level infra for the future
655 posts · Joined April 2026 · 39 Following · 78 Followers

Pinned Tweet
Santh (@SanthProject):
Made an agent-security CTF. Goal: get a coding agent to leak a secret it can use but is not supposed to read. You are allowed to work by yourself, use agents, anything. Attack the MCP, do GUI automation, anything that's software-based is on the table. I'm trying to test runtime approval vs. just hiding .env files. If anyone breaks it, I'll add a hall of fame section on my company site with your name/handle + writeup. Repo: github.com/santhsecurity/…
Santh (@SanthProject):
@JackWoth98 My credits don't work. I can't use them. I have 25k. Secondly, the CLI rendering is unusable on Linux.
Jack Wotherspoon (@JackWoth98):
How can we make the migration from Gemini CLI to Antigravity CLI easier? One of my goals is to help folks move over as smoothly as possible. So far I am hearing the following gaps are holding people back... ACP, more robust headless mode, subagents, Gemini CLI extensions... anything else? I'll be working on some videos/resources this week so let me know where I can add clarity or details. 🧵 I'll link a few existing resources.
Santh (@SanthProject):
@LyalinDotCom @geminicli My credits don't work. I can't use them. I have 25k. Secondly, the CLI rendering is unusable on Linux.
Santh (@SanthProject):
@DeepakNesss I got it when I told it to SSH and set up my new Linux box. They're the "pioneers of cybersecurity" though!
DeepakNess (@DeepakNesss):
Now this is becoming annoying, showing again and again when I am working in my own project. I am asking it to make some changes in the local SQLite database, and then seeing this error every time: "This content was flagged for possible cybersecurity risk. If this seems wrong, try rephrasing your request. To get authorized for security work, join the Trusted Access for Cyber program: https://chatgpt .com/cyber" Please look into this @thsottiaux @OpenAIDevs
DeepakNess (@DeepakNesss):
What the hell Codex, I'm working on my own project.
Santh (@SanthProject):
@catalinmpit CodeRabbit's good. I tend to mix in some normal algorithmic scanning tools as well. For example, I recently made keyhog for secret scanning. I would love any feedback: github.com/santhsecurity/…
Catalin (@catalinmpit):
What tool are you using for code reviews and ensuring that agents generate good code? I've been using CodeRabbit for a long time, and it's good, but I want to explore other tools too.
Santh (@SanthProject):
@Stenkof200 Don't forget about keyhog. Secret-scan HTTP responses, endpoints, binaries, source code and anything you can think of, at GPU speed and precision Gitleaks can't dream of. Let me know if you have any feedback: github.com/santhsecurity/…
Stenkof (@Stenkof200):
🕷️ Web Vulnerability Scanning Tools
1. Burp Suite — HTTP/HTTPS traffic interceptor and analyzer for web application security testing
2. OWASP ZAP — Free, open-source web application security scanner
3. Nikto — Web server scanner that checks for dangerous files, outdated software, and misconfigurations
4. SQLMap — Automated tool for detecting and exploiting SQL injection vulnerabilities
5. XSSer — Framework for detecting and exploiting Cross-Site Scripting (XSS) vulnerabilities
6. Gobuster — Fast brute-forcer for directories, DNS subdomains, and virtual hosts
7. Dirb — Web content scanner that brute-forces directories and files on web servers
8. FFUF — High-speed web fuzzer for discovering hidden endpoints and parameters
9. Wfuzz — Flexible web fuzzer for brute-forcing and enumerating web application resources
10. Commix — Automated tool for detecting and exploiting OS Command Injection vulnerabilities
11. Jwt-Tool — Security testing toolkit for JSON Web Tokens (JWT): cracking, forging, and validation
#Web #Scanning #Vulnerability #Attack #Network
Always get proper authorization before scanning any system you don't own. Responsible hacking isn't just ethical — it's the law. 🛡️💻 #BugBounty #InfoSec #CyberSecurity
Stenkof (@Stenkof200):
Reverse Engineering
1. Ghidra — Reverse engineering framework developed by the NSA
2. IDA Pro — Disassembler and debugger (Freeware version: IDA Free)
3. x64dbg — Debugger for Windows
4. OllyDbg — Debugger for Windows (older, but still useful)
5. Radare2 — Open-source reverse engineering framework
6. Binary Ninja — Modern disassembler (free version available)
7. dnSpy — .NET decompiler and debugger
8. ILSpy — .NET decompiler (free)
9. JD-GUI — Java decompiler
10. JADX — Android APK decompiler
11. Apktool — APK decompilation & repacking
12. Uncompyle6 — Python bytecode decompiler
13. Frida — Dynamic instrumentation toolkit for reverse engineering and hooking
14. Objection — Mobile reverse engineering runtime powered by Frida
0xRicker (@0xRicker):
How to stop Claude Code from leaking your secrets
6-point checklist before your next session:
1. Deny rules for .env in settings.json
2. Tests use .env.test with dummy values
3. Pre-commit hook scanning for secret patterns
4. Production creds in a vault (not plaintext)
5. .env in .gitignore
6. .env files stored outside the project dir
> 6/6 = secrets as safe as they get
> 0/6 = you're one ambiguous prompt away from your API keys showing up in a server log
The 3 leak paths most people miss:
1. Direct file read - Claude opens .env, contents enter context
2. Runtime output capture - a failed request logs Authorization: Bearer sk-live-…, a DB timeout dumps the connection string with the password
3. Grep / search tools - searching the codebase hits a config file, secrets land in the output.
Most people only block path #1. Paths #2 and #3 are where real damage happens.
Fastest way to copy-trade: kreo.app/@0xRicker
Pre-commit hook safety net - scans staged diffs for: sk-ant-, sk-live- / sk_live_, ghp_, gho_, AKIA, xox[bpors]-, SG., eyJ (JWTs), BEGIN…PRIVATE KEY
Linked article by darkzodchi (@zodchiii): x.com/i/article/2049…
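The pre-commit safety net from the post above, written out as an added example (not 0xRicker's hook and not any tool named in this feed): it parses a staged unified diff, scans only the added lines for the listed prefixes, and reports masked hits with file and line number. The length thresholds after each prefix, the masking format and the sample diff are constructed assumptions.

```python
import re

# Prefixes from the checklist above; the length thresholds are assumptions of this example.
SECRET_PATTERNS = {
    "anthropic_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "stripe_live_key": re.compile(r"\bsk[-_]live[-_][A-Za-z0-9]{16,}"),
    "github_token": re.compile(r"\bgh[po]_[A-Za-z0-9]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[bpors]-[A-Za-z0-9-]{10,}"),
    "sendgrid_key": re.compile(r"\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def mask(secret):
    """Keep a short prefix so a finding is recognisable without re-leaking the value."""
    return f"{secret[:6]}...[{len(secret)} chars]"

def scan_diff(diff_text):
    """Return (file, new_line_no, pattern_name, masked_value) for each hit on an added line."""
    findings, current_file, new_lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):                   # target-file header of the next hunks
            current_file = line[4:].removeprefix("b/")
        elif hunk := HUNK_RE.match(line):             # hunk header: reset new-file line counter
            new_lineno = int(hunk.group(1))
        elif line.startswith(("-", "diff ", "\\")):   # removed lines/metadata never reach the commit
            continue
        else:
            if line.startswith("+"):                  # added line: the only place a new secret enters
                for name, pattern in SECRET_PATTERNS.items():
                    for m in pattern.finditer(line[1:]):
                        findings.append((current_file, new_lineno, name, mask(m.group(0))))
            new_lineno += 1                           # added and context lines both advance numbering
    return findings

# Constructed sample diff (not from any real repo): fake keys pasted into source.
CONSTRUCTED_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 import os
-STRIPE_KEY = os.environ["STRIPE_KEY"]
+STRIPE_KEY = "sk_live_EXAMPLE0123456789abcdefgh"
+AWS_ID = "AKIAEXAMPLE01234567A"
+SLACK = "xoxb-000000000000-EXAMPLE-token"
 DEBUG = False
"""
```

To use it as a hook, feed the output of `git diff --cached` to scan_diff and exit non-zero when the returned list is non-empty.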
Guillermo Rauch (@rauchg):
Show me the thing you've built with AI you're most proud of. Reply with a working product URL and what model / agent you primarily used.
Santh (@SanthProject):
@enunomaduro Yo, I have a secret-specific scanner I built a while ago. It's called keyhog; it has GPU acceleration, it's built in Rust, and it has high recall and precision. I would love to work with you integrating it into your project, lmk.
nunomaduro (@enunomaduro):
moat checks the things that are easy to miss: 2FA, branch protection, signed commits, secret scanning, Dependabot, workflow permissions, pinned actions, webhooks, and more. Available now: github.com/laravel/moat
nunomaduro (@enunomaduro):
Introducing Laravel Moat. As an open source maintainer, recent supply chain attacks in the ecosystem made me want a simple CLI to audit the security of my GitHub organizations and repositories. Built in Rust, for any open source project on GitHub.
Zach Rice (@lookatcomputer):
@obscaries Hey, I'm the author of Gitleaks. Thanks for the shout out! Just FYI, I'm working on a new project for secrets scanning called betterleaks: github.com/betterleaks/be… It's better.
obscaries ❘ AppSec (@obscaries):
Gitleaks, a really solid open-source secret scanning tool for detecting accidentally exposed credentials in repositories and CI/CD workflows. It can help identify:
• API keys
• AWS credentials
• GitHub tokens
• database passwords
• private keys
• OAuth secrets
One leaked secret can sometimes lead to full infrastructure compromise, which is why tools like this are heavily used in modern AppSec and DevSecOps pipelines. Definitely worth checking out for source code review and security automation workflows.
Source: github.com/gitleaks/gitle…
#CyberSecurity #BugBounty #AppSec #DevSecOps #InfoSec #GitHub #Recon #SecretScanning
./can (@shcansh):
Nice! GitHub MCP Server users can now officially breathe a little easier with secret scanning generally available. This is a crucial step for preventing accidental data leaks. Good to see more robust security becoming standard. 🛡️ #GitHub #Security
Faisal Khatri (@mfaisal_khatri):
@grok List some free tools for scanning secrets in a GitHub repository.
Grok (@grok):
Here are some great free tools for scanning secrets (API keys, creds, etc.) in GitHub repos:
- **GitHub Secret Scanning**: Built-in & free for all public repos (auto-scans code, PRs, issues).
- **Gitleaks**: Fast open-source CLI for git history & CI/CD pipelines.
- **TruffleHog**: Scans entire git history for high-entropy secrets.
- **detect-secrets** (Yelp): Python-based, customizable with low false positives.
- **git-secrets** (AWS): Prevents committing sensitive data.
Install via pip/brew & run locally or in CI. Always rotate any found secrets!
Sri (@__karnati):
Git history is permanent. If a developer commits an AWS key at 9am and it's caught and rotated at 9:05am, assume the key was already scraped. Automated bots scan GitHub for leaked credentials in real time. Pre-commit hooks + CI secret scanning. Two layers. Not optional.
Glitch Truth (@glitchtruth):
CISA, the US cybersecurity agency, left its own passwords sitting in a public GitHub repo for months. The same agency that fines hospitals and banks for sloppy security. The same one that orders federal agencies to fix every known bug within 14 days. Their secret keys were one search away from anyone scrolling code. Run GitHub's built-in secret scanner on your own repos this weekend. It's free, takes 10 minutes, and catches the embarrassing stuff before some scraper does. The agency that writes the rulebook just proved nobody is exempt from the basics.
Santh (@SanthProject):
@fardeentwt GitHub secret scanning patterns don't matter when you have keyhog. Faster, more precise, better recall. Let me know if you have any feedback! github.com/santhsecurity/…
fardeen (@fardeentwt):
The GitHub breach is really, really worse. Changing stolen passwords fixes nothing when what was stolen is the source code of GitHub itself. Credentials expire. Source code knowledge doesn't. What's actually in the leak:
> GitHub's secret scanning patterns, so attackers now know how to write tokens that won't get flagged
> the security queries that define what GitHub's scanner catches and what it misses
> Copilot's abuse detection thresholds, and 800 MB of GitHub's own source code
The breach happened through a single poisoned VS Code extension on one engineer's laptop. Lock down your team's IDE extensions today.
Linked article by Jamieson O'Reilly (@theonejvo): x.com/i/article/2057…
Ojas Sharma (@OjasSharma276):
From 1st June, people who rely on AI for everything in their companies are gonna get cooked. In our stand up, we discussed that we can't use AI for every single task anymore. The token consumption for each model is getting way higher. Right now, Claude Opus 4.6 takes 3x tokens, but from 1st June it's apparently going to take 27x. Your GitHub Copilot quota will probably be gone within the first 2-3 days itself.
Haz Hubble (@hazhubble):
Holy shit, I just found the best repo for openclaw plugins from @composio. There's so many. I added git stats, secret scanning, and cost tracking. Security and observability just got an upgrade. Check it out: github.com/composio-commu…