Santh (@SanthProject)
653 posts
Cybersecurity and low-level infra for the future
Joined April 2026
39 Following, 78 Followers

Pinned Tweet
Santh
Santh@SanthProject·
made an agent-security CTF. goal: get a coding agent to leak a secret it can use but is not supposed to read. You are allowed to work by yourself, use agents, anything. attack the mcp, do gui automation, anything that's software-based is on the table. i'm trying to test runtime approval vs just hiding .env files. if anyone breaks it, i’ll add a hall of fame section on my company site with your name/handle + writeup. repo: github.com/santhsecurity/…
Santh
Santh@SanthProject·
@DeepakNesss i got it when i told it to ssh and set up my new linux box. they're the "pioneers of cybersecurity" though!
DeepakNess
DeepakNess@DeepakNesss·
now this is becoming annoying, showing again and again when i am working in my own project. i am asking it to make some changes in the local sqlite database, and then seeing this error every time: "This content was flagged for possible cybersecurity risk. If this seems wrong, try rephrasing your request. To get authorized for security work, join the Trusted Access for Cyber program: https://chatgpt.com/cyber" please look into this @thsottiaux @OpenAIDevs
DeepakNess
DeepakNess@DeepakNesss·
what the hell codex, i'm working on my own project
Santh
Santh@SanthProject·
@catalinmpit code rabbit's good. i tend to mix in some normal algorithmic scanning tools as well. for example, i recently made keyhog for secret scanning. i would love any feedback: github.com/santhsecurity/…
Santh
Santh@SanthProject·
@Stenkof200 don't forget about keyhog. secret scan HTTP responses, endpoints, binaries, source code and anything you can think of, at GPU speed and precision gitleaks can't dream of. let me know if you have any feedback: github.com/santhsecurity/…
Stenkof
Stenkof@Stenkof200·
🕷️ Web Vulnerability Scanning Tools
1. Burp Suite — HTTP/HTTPS traffic interceptor and analyzer for web application security testing
2. OWASP ZAP — Free, open-source web application security scanner
3. Nikto — Web server scanner that checks for dangerous files, outdated software, and misconfigurations
4. SQLMap — Automated tool for detecting and exploiting SQL injection vulnerabilities
5. XSSer — Framework for detecting and exploiting Cross-Site Scripting (XSS) vulnerabilities
6. Gobuster — Fast brute-forcer for directories, DNS subdomains, and virtual hosts
7. Dirb — Web content scanner that brute-forces directories and files on web servers
8. FFUF — High-speed web fuzzer for discovering hidden endpoints and parameters
9. Wfuzz — Flexible web fuzzer for brute-forcing and enumerating web application resources
10. Commix — Automated tool for detecting and exploiting OS Command Injection vulnerabilities
11. Jwt-Tool — Security testing toolkit for JSON Web Tokens (JWT): cracking, forging, and validation
#Web #Scanning #Vulnerability #Attack #Network
Always get proper authorization before scanning any system you don't own. Responsible hacking isn't just ethical — it's the law. 🛡️💻 #BugBounty #InfoSec #CyberSecurity
Stenkof
Stenkof@Stenkof200·
Reverse Engineering
1. Ghidra — Reverse engineering framework developed by the NSA
2. IDA Pro — Disassembler and debugger (Freeware version: IDA Free)
3. x64dbg — Debugger for Windows
4. OllyDbg — Debugger for Windows (older, but still useful)
5. Radare2 — Open-source reverse engineering framework
6. Binary Ninja — Modern disassembler (free version available)
7. dnSpy — .NET decompiler and debugger
8. ILSpy — .NET decompiler (free)
9. JD-GUI — Java decompiler
10. JADX — Android APK decompiler
11. Apktool — APK decompilation & repacking
12. Uncompyle6 — Python bytecode decompiler
13. Frida — Dynamic instrumentation toolkit for reverse engineering and hooking
14. Objection — Mobile reverse engineering runtime powered by Frida
0xRicker
0xRicker@0xRicker·
How to stop Claude Code from leaking your secrets

6-point checklist before your next session:
1. Deny rules for .env in settings.json
2. Tests use .env.test with dummy values
3. Pre-commit hook scanning for secret patterns
4. Production creds in a vault (not plaintext)
5. .env in .gitignore
6. .env files stored outside the project dir

> 6/6 = secrets as safe as they get
> 0/6 = you're one ambiguous prompt away from your API keys showing up in a server log

The 3 leak paths most people miss:
1. Direct file read - Claude opens .env, contents enter context
2. Runtime output capture - a failed request logs Authorization: Bearer sk-live-…, a DB timeout dumps the connection string with the password
3. Grep / search tools - searching the codebase hits a config file, secrets land in the output.

Most people only block path #1. Paths #2 and #3 are where real damage happens.

Fastest way to copy-trade: kreo.app/@0xRicker

Pre-commit hook safety net - scans staged diffs for: sk-ant-, sk-live- / sk_live_, ghp_, gho_, AKIA, xox[bpors]-, SG., eyJ (JWTs), BEGIN…PRIVATE KEY
darkzodchi@zodchiii

x.com/i/article/2049…

Guillermo Rauch
Guillermo Rauch@rauchg·
Show me the thing you’ve built with AI you’re most proud of. Reply with a working product URL and what model / agent you primarily used.
Santh
Santh@SanthProject·
@enunomaduro yo, i have a secret-specific scanner i built a while ago. it's called keyhog: it has GPU acceleration, it's built in Rust, and it has high recall and precision. i would love to work with you on integrating it into your project, lmk
nunomaduro
nunomaduro@enunomaduro·
moat checks the things that are easy to miss: 2FA, branch protection, signed commits, secret scanning, Dependabot, workflow permissions, pinned actions, webhooks, and more. available now: github.com/laravel/moat
nunomaduro
nunomaduro@enunomaduro·
introducing laravel moat. as an open source maintainer, recent supply chain attacks in the ecosystem made me want a simple cli to audit the security of my GitHub organizations and repositories. built in Rust, for any open source project on GitHub.
obscaries ❘ AppSec
obscaries ❘ AppSec@obscaries·
Gitleaks is a really solid open-source secret scanning tool for detecting accidentally exposed credentials in repositories and CI/CD workflows. It can help identify:
• API keys
• AWS credentials
• GitHub tokens
• database passwords
• private keys
• OAuth secrets
One leaked secret can sometimes lead to full infrastructure compromise, which is why tools like this are heavily used in modern AppSec and DevSecOps pipelines. Definitely worth checking out for source code review and security automation workflows.
Source: github.com/gitleaks/gitle…
#CyberSecurity #BugBounty #AppSec #DevSecOps #InfoSec #GitHub #Recon #SecretScanning
./can
./can@shcansh·
Nice! GitHub MCP Server users can now officially breathe a little easier with secret scanning generally available. This is a crucial step for preventing accidental data leaks. Good to see more robust security becoming standard. 🛡️ #GitHub #Security
Faisal Khatri
Faisal Khatri@mfaisal_khatri·
@grok list some free tools for scanning secrets in GitHub repository
Grok
Grok@grok·
Here are some great free tools for scanning secrets (API keys, creds, etc.) in GitHub repos:
- **GitHub Secret Scanning**: Built-in & free for all public repos (auto-scans code, PRs, issues).
- **Gitleaks**: Fast open-source CLI for git history & CI/CD pipelines.
- **TruffleHog**: Scans entire git history for high-entropy secrets.
- **detect-secrets** (Yelp): Python-based, customizable with low false positives.
- **git-secrets** (AWS): Prevents committing sensitive data.
Install via pip/brew & run locally or in CI. Always rotate any found secrets!
Sri
Sri@__karnati·
Git history is permanent. If a developer commits an AWS key at 9am and it's caught and rotated at 9:05am, assume the key was already scraped. Automated bots scan GitHub for leaked credentials in real time. Pre-commit hooks + CI secret scanning. Two layers. Not optional.
Glitch Truth
Glitch Truth@glitchtruth·
CISA, the US cybersecurity agency, left its own passwords sitting in a public GitHub repo for months. The same agency that fines hospitals and banks for sloppy security. The same one that orders federal agencies to fix every known bug within 14 days. Their secret keys were one search away from anyone scrolling code. Run GitHub's built-in secret scanner on your own repos this weekend. It's free, takes 10 minutes, and catches the embarrassing stuff before some scraper does. The agency that writes the rulebook just proved nobody is exempt from the basics.
fardeen
fardeen@fardeentwt·
the github breach is really, really worse. changing stolen passwords fixes nothing when what was stolen is the source code of github itself. credentials expire. source code knowledge doesn't.
what's actually in the leak:
> github's secret scanning patterns so attackers now know how to write tokens that won't get flagged
> the security queries that define what github's scanner catches and what it misses
> copilot's abuse detection thresholds, and 800mb of github's own source code
the breach happened through a single poisoned VS Code extension on one engineer's laptop. lock down your team's IDE extensions today.
Jamieson O'Reilly@theonejvo

x.com/i/article/2057…

Ojas Sharma
Ojas Sharma@OjasSharma276·
From 1st June, people who rely on AI for everything in their companies are gonna get cooked. In our stand up, we discussed that we can’t use AI for every single task anymore. The token consumption for each model is getting way higher. Right now, Claude Opus 4.6 takes 3x tokens, but from 1st June it’s apparently going to take 27x. Your GitHub Copilot quota will probably be gone within the first 2-3 days itself.
Haz Hubble
Haz Hubble@hazhubble·
holy shit i just found the best repo for openclaw plugins from @composio. there’s so many. i added git stats, secret scanning, and cost tracking. security and observability just got an upgrade. check it out: github.com/composio-commu…
4A 45 56 49 4C
4A 45 56 49 4C@4A4556494C·
CISA reportedly tested whether LLM-based secret scanning tools could flag their own leaked AWS GovCloud keys. The tools missed them.

Let that sit for a second. The single most pattern-matchable class of credential — AWS access keys, which have a known prefix format, known length, known entropy profile — and the AI tools deployed specifically to catch this class of leak returned clean.

This isn't a hard problem. Regex catches this. grep catches this. GitHub's own non-AI secret scanning catches this with high reliability. AWS access keys starting with AKIA followed by 16 alphanumeric characters is one of the most well-documented credential patterns in existence.

So what happened? Best guess: the tools weren't scanning the right context. GovCloud keys in commit metadata, in environment files pushed as part of config directories, in paths the scanner wasn't pointed at. The failure isn't pattern matching — it's scoping. The AI was looking where it was told to look, which wasn't where the keys were.

But here's the part that matters for anyone deploying these tools: nobody knew it missed them until a human found them. The tool didn't say "I wasn't able to scan these files." It didn't flag an incomplete scan. It returned results that looked like a complete, successful sweep. Green checkmarks. Clean bill of health. We replaced a tool that fails loudly with a tool that fails silently and called it an upgrade.
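An added Python example (not from the post or any tool it mentions) of the fail-loudly behaviour the post asks for: a tree scanner that records every file it did not examine and why, and refuses to call a sweep with coverage gaps clean. The AKIA regex, the suffix scope, and the constructed sample tree are assumptions.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field
# Assumed pattern for the credential class in the post: "AKIA" + 16 upper-case alphanumerics.
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

@dataclass
class ScanReport:
    scanned: list = field(default_factory=list)     # files actually examined
    findings: list = field(default_factory=list)    # (relative path, line number)
    skipped: dict = field(default_factory=dict)     # relative path -> why it was not examined
    def verdict(self):                               # a sweep with coverage gaps is never CLEAN
        if self.findings:
            return "FINDINGS"
        return "INCOMPLETE" if self.skipped else "CLEAN"

def scan_tree(root, suffixes=(".py", ".json", ".yml", ".yaml", ".env", ".txt")):
    """Scan files under root; every file that is not examined is recorded with a reason."""
    report = ScanReport()
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if not name.endswith(suffixes):
                report.skipped[rel] = "out of scope (suffix filter)"
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError as exc:
                report.skipped[rel] = f"unreadable: {exc.strerror}"
                continue
            if b"\x00" in data:
                report.skipped[rel] = "binary"
                continue
            report.scanned.append(rel)
            for n, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
                if AWS_ACCESS_KEY.search(line):
                    report.findings.append((rel, n))
    return report

def demo():
    """Constructed tree: the key sits in a file the default suffix filter never opens."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "deploy"))
    with open(os.path.join(root, "app.py"), "w") as fh:
        fh.write("import boto3\n")
    with open(os.path.join(root, "deploy", "creds.tfvars"), "w") as fh:
        fh.write('access_key = "AKIAIOSFODNN7EXAMPLE"\n')
    return root, scan_tree(root)
```

The first report from `demo()` comes back INCOMPLETE with deploy/creds.tfvars listed as out of scope rather than a green checkmark; rescanning the same root with ".tfvars" in scope turns it into FINDINGS.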
Liquid
Liquid@liquidtrading·
Congratulations if you can read this. Tomorrow, 9:30 AM EST. Reply if you're in. Notifications on.