Zach Rice

@siliconvalleymm @thsottiaux that ship has sailed

The OpenAI insider @thsottiaux has a warning for everyone offloading their thinking to agents.

not to be predictably cynical but this feels somewhat hopeless. we have the means to ameliorate suffering broadly yet we haven’t — and maybe can’t— not in the global south not even in san francisco . ai might make this easier in theory but the fundamental problem remains

@obscaries Hey I'm the author of Gitleaks. Thanks for the shout out! Just fyi, I'm working on a new project for secrets scanning called betterleaks github.com/betterleaks/be… it's better

Gitleaks, a really solid open-source secret scanning tool for detecting accidentally exposed credentials in repositories and CI/CD workflows. It can help identify: • API keys • AWS credentials • GitHub tokens • database passwords • private keys • OAuth secrets One leaked secret can sometimes lead to full infrastructure compromise, which is why tools like this are heavily used in modern AppSec and DevSecOps pipelines. Definitely worth checking out for source code review and security automation workflows. Source: github.com/gitleaks/gitle… #CyberSecurity #BugBounty #AppSec #DevSecOps #InfoSec #GitHub #Recon #SecretScanning

@yohira_dev Hey I'm the author of Gitleaks. Thanks for the shout out! Just fyi, I'm working on a new project for secrets scanning called betterleaks github.com/betterleaks/be… it's better

【実開発でAIを安全に活用するためのハーネスエンジニアリングロードマップ】 Lv1. APIキーや鍵などをすべてgitコミットから分離し、環境変数に切り出す. gitleaks導入してAPIキーなどの誤コミットを防止する Lv2. Claudeのsetting.jsonでhook設定する。rm系は deny あるいは ask にしておく。git rm だけは allowしておくとgitの管理下のものは削除してくれる（git resetで元に戻せる）のでおすすめ。これらの設定をバージョン管理に含める。 Lv.3 playwright mcpを導入して Claude でブラウザを操作できるようにしておく Lv.4 サーバーサイド、フロントエンドの各レイヤー階層について単体テストを書く。テスティングライブラリの整備さえしておけば具体のテストはAIに書かせても良い。各種テストについてはCIでも実行できるように設定する。 Lv.5 コードスタイルを統一するためのlinterを導入する。修正の後に自動で走るようhookに追加するか、あるいはCLAUDE.md で指示する。 Lv.6 AIによるコードレビューを導入する。/reviewを用いても良いが、codex や cursor などを巻き込んで合議制にするskillを作っておくとさらに効果が増す。github上でもClaudeに質問にこたられるように設定しておくとgood Lv.7 人間の承認が必要なクリティカルな設定はaskに設定するか、readonly な権限を作っておく。業務的に重要なものとそうでないものを分け、重要でないものにはAIの権限広めに。 Lv.8 Let's /goal さて、正直専門的なツイートは伸びない昨今だけどこれ伸びるかな

@gdb more satisfying

trying to remember what it was like to code before codex

@thdxr tried using libgit2 and go-git for gitleaks once upon a time but `git log -p` beat em every time

had OpenCode run some benchmarks comparing - git cli - libgit2 - gitoxide - isomorphic-git even with process spawning overhead, git cli usually won everything that said i was on linux, overhead on windows probably kills it

Supply chain attacks and OSS sustainability go hand in hand. I've semi-seriously joked for years that OSS upstreams should periodically purposely inject full vulns into their code and let downstreams fuck around and find out. Downstreams can pay to get the non-FAFO version. The not joke part is simply that OSS maintainers aren't a supply chain. OSS maintainers are not responsible for monitoring CVEs (because, they are not a supply chain). OSS maintainers are not at fault when bad shit happens to downstreams, because basically every OSS license (MIT, Apache, GPL, etc.) literally says: the software is provided "as-is, without warranty." You get what you pay for (that is to say: absolutely nothing!) Now, the joke part is that I do believe there is an ethical obligation to try to prevent harm downstream. But "try" is the key word. So, this isn't a serious proposal. But, if you're using OSS code and you're not paying for a license with a contract that promises some kind of warranty, you have no supply chain. You (the downstream user of an OSS lib) ARE the supply chain. To use a metaphor: physical goods have a real supply chain. Car manufacturers, chips, clothes, toys, etc. You have a signed commercial agreement with all your suppliers that promises quantity AND quality and blowback if either are missed. Thats a supply chain. If someone puts some chips on the side of the road with a "FREE" sign, then you integrate those into a product, then find out those chips are hacking customers, its your fault, not the person who dropped them on the side of the road.

Aikido Intel is your earliest warning for supply chain threats. Our engine detects malware and vulnerabilities in open-source ecosystems within minutes. Built by our team of security researchers & AI engineers. Bookmark it: intel.aikido.dev

@rwayne github.com/betterleaks/be… spread the word <3

@rwayne Thanks for the shout out! I'm the creator of Gitleaks. I'm shifting my focus to working on Betterleaks now, which is a drop-in replacement for Betterleaks but comes with a bunch new features

代码仓库里手打了一个 API Key 图方便，push 完才想起改密钥、查日志、通知团队，这一套处理流程比写代码本身还费时间。 我用了 gitleaks 扫了一遍现有项目，27k Star 的密钥检测工具，专门找 git 历史和目录里的硬编码密码、Token、私钥。 GitHub： github.com/gitleaks/gitle… 扫描 git 仓库完整提交历史，不只看当前文件 自定义 regex 规则，三种检测模式：git/dir/stdin 按需选 Pre-commit hook 直接拦截提交，GitHub Actions 接入 CI 流水线 基线对比模式，只追踪新出现的泄露，不刷旧告警 base64/hex 编码过的密钥也能识别，归档文件递归扫描 你们现在上 pre-commit hook 还是只靠 CI 阶段扫 漏掉过几次线上密钥泄露？

Mini Shai-Hulud hit again earlier this week, stealing CI credentials from misconfigured GitHub Actions workflows and using them to publish malicious package versions. Mistral AI, UiPath, TanStack, and Squawk were among the victims. The entry points are the same ones we keep seeing across the Shai-Hulud series, like pull_request_target, cache poisoning, and overprivileged tokens. We put together a checklist to prevent these attacks for anyone using GHA for their CI/CD. C‍hecklist: aikido.dev/blog/checklist…

@SRRfP99 the SUV entering the frame on beat 0:13-0:14 is chefs kiss. too perfect

これが無編集という奇跡

@kevinkern @DenLoginoff Of course! I'll be putting out some more content (docs, videos, etc) on how users can take full advantage of the new features. But it also works as a drop in replacement for Gitleaks rn

@lookatcomputer @DenLoginoff thanks for the update on this. 🙏

after these supply-chain incidents, I summarized some basic repo hardening checks into a skill. It checks the repo for - pnpm 11+ package manager policy - release-age gates and lockfile hardening - risky dependency specs like latest, git, http, file: - unreviewed dependency lifecycle scripts - unsafe CI install, cache, publish, and secret patterns - optional npm supply-chain incident practical first pass for finding common repo hardening gaps. I ran it with GPT-5.5 High.

@ponceto91 Thanks for the shout out! I'm shifting my focus from Gitleaks to Betterleaks now github.com/betterleaks/be…

Gitleaks est un projet open-source sous licence MIT, permettant de détecter les secrets comme les mots de passe, clés API et tokens dans des dépôts Git, fichiers ou flux d'entrée standard. Facile à ajouter à vos pipeline d'intégration continue ⬇️ github.com/gitleaks/gitle…

@kevinkern @DenLoginoff Hey! Appreciate you using Gitleaks. I wrote the thing. I'm working on Betterleaks now. It's like Gitleaks, just a tad better github.com/betterleaks/be…

@DenLoginoff thanks for this, added it to the stack. I also use gitleaks, trivy and lefthook (for prechecks)

@danakowalski @fjzeit @slimjimmy @simonbrown @devabram Hey I wrote gitleaks. Thanks for the shout out. Just wanna let you know I'm not really focused on the project anymore. Working on betterleaks now betterleaks.com github.com/betterleaks/be…

I recently did a software review tool for vendor submissions. I have it doing a bunch of deterministic scanners first (semgrep, syft, gitleaks etc), then I have the llm leverage context7 to assess the code. Verify pass, rack & stack and make a pretty report. Works well, found a couple pci issues that I confirmed.

Claude seems to like my alternative view of AI augmented software development... 😉 (spoiler: it's not SDD and AI code generation)

@RoFerreiraDev @sergiomarquezp_ Hey I wrote gitleaks. Thanks for the shout out. Just wanna let you know I'm not really focused on the project anymore. Working on betterleaks now betterleaks.com

@sergiomarquezp_ Pre-commit hook con gitleaks o trufflehog. Lo dejo en CI también por las dudas.

🧵 Con Claude Code vi un .env pegado en README y un token de Pinecone en un script de prueba, en la misma sesión. GitHub MCP ya tiene secret scanning GA. Cómo cerrarlo en el loop del agente, antes del push 👇

@therealadedami Hey I wrote gitleaks. Thanks for including it in your project. Just wanna let you know I'm not really focused on the project anymore. Working on betterleaks now github.com/betterleaks/be…

Inherited a small project with zero security scanning in CI/CD. Implemented: • Gitleaks for secrets detection • Semgrep for SAST • Trivy for container & dependency scanning First pipeline run immediately exposed a CRITICAL CVE buried deep in nested dependencies 👀 Remediation: • Upgraded the base image • Patched vulnerable packages • Blocked risky builds before production Now every commit is automatically scanned. This what shifting security left looks like.

@GweiExchange Hey I wrote gitleaks. Not really focused on the project anymore. Working on betterleaks now github.com/betterleaks/be…

Gwei Weekly Rundown – Week #30 Achievements: Security hardening and incident recovery week. Shipped bcrypt-hashed admin auth with full audit logging, completed the tracked-secrets audit with gitleaks pipeline and .env cleanup, and documented credential rotation as the explicit Phase 1 launch prerequisite. Recovered from a compose recreate that reverted the container to a base image. Engagement rates climbed on both X accounts: @GweiExchange at 3% (+26%) with profile visits up 57%, @GweiIntern at 2.5% (+19%). Challenges: Discord communicators hit 3 (-25%), near all-time low. Community engagement needs a reset. Only 1 new Discord member again. Growth is stalled. Next Move: Re-activate the Gwei Interns in Discord to kickstart outreach and community activity. Highlights: → Admin auth hardened: bcrypt (cost 12), audit_log on every attempt with IP + user agent → Tracked-secrets audit Phase 2: .env untracked, .example templates shipped, gitleaks wired → Credential rotation (deployer key, SSH, VPS, JWT, QuickNode, Grafana) documented as Phase 1 launch prerequisite → Trending tab crash fix (price.toFixed on string inputs) → Container crashloop diagnosed and restored after compose recreate → Founder LinkedIn account +300 followers in one week Lowlights: → Reposts: 1 on both accounts → Likes: @GweiExchange 93 (-15%), @GweiIntern 166 (-22%) → Communicators: 3 (-25%) → New members: 1 Key Metrics: → @GweiExchange: 2.1K followers (558 verified) / 10.1K impressions / 3% ER (+26%) / 96 profile visits (+57%) → @GweiIntern: 215 followers (99 verified) / 13.8K impressions / 2.5% ER (+19%) / 50 profile visits → Discord: 64 visitors (+3.2%) / 3 communicators (-25%) / 1 new member / 40% retention This Week's Focus: → Re-engage Gwei Interns in Discord for outreach and awareness activities → Plan and schedule Discord community events → Cull inactive interns

I changed it again. I'm so sorry