惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
Netflix TechBlog - Medium
大猫的无限游戏
大猫的无限游戏
爱范儿
爱范儿
Martin Fowler
Martin Fowler
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Register - Security
The Register - Security
IT之家
IT之家
博客园_首页
Microsoft Security Blog
Microsoft Security Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 三生石上(FineUI控件)
I
InfoQ
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Jina AI
Jina AI
Apple Machine Learning Research
Apple Machine Learning Research
M
MIT News - Artificial intelligence
博客园 - Franky
C
Check Point Blog
T
The Blog of Author Tim Ferriss
V
Visual Studio Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Tailwind CSS Blog
Recent Announcements
Recent Announcements
云风的 BLOG
云风的 BLOG
美团技术团队
The Cloudflare Blog
Y
Y Combinator Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
MyScale Blog
MyScale Blog
The GitHub Blog
The GitHub Blog
D
DataBreaches.Net
Google DeepMind News
Google DeepMind News
V
V2EX
aimingoo的专栏
aimingoo的专栏
GbyAI
GbyAI
G
Google Developers Blog
S
SegmentFault 最新的问题
Hugging Face - Blog
Hugging Face - Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
U
Unit 42
罗磊的独立博客
量子位
MongoDB | Blog
MongoDB | Blog
Last Week in AI
Last Week in AI
Stack Overflow Blog
Stack Overflow Blog
小众软件
小众软件
D
Docker
人人都是产品经理
人人都是产品经理

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
The problem with security scanners isn't the scanning
wael matoussi · 2026-05-29 · via DEV Community

At a previous job I worked at as a Dev we had someone who ran Semgrep on our codebase for the first time. It came back with 180 findings. We had no security engineer. The developer who ran it looked at the output, closed the terminal, and we never ran it again.

That's not a story about a careless team. That's a story about a tool that produced output most teams in small companies with no expertise knew what to do with.

I've seen this exact moment happen more times than I can count working with small dev teams. And it's the reason I spent the last year building SecOpsium. But before I get to that let me explain the actual problem, because I think it's misunderstood.


The problem isn't the scanning

Semgrep and Gitleaks are excellent tools. They're free, actively maintained, and genuinely powerful. If you're not using them you should be.

The problem is what happens 10 minutes after you run them.

You get 200 findings. Some are critical. Some are test files. Some are commented-out code from 2021. Some are legitimate secrets. Some are variable names that pattern match against a rule but contain nothing sensitive. They all look the same in the output.

Now you're a developer who also does DevOps, also reviews PRs, also handles incidents, and you're staring at 200 items with no clear indication of which three actually matter this week.

So you close the terminal. Or you create a Jira ticket labeled "security findings" that lives in the backlog forever. Or you spend two days triaging manually and burn out before you fix anything.

This is the real problem. The scanning was never the hard part.


Why rule based scanners produce so much noise

It helps to understand technically why this happens.

Semgrep and Gitleaks are rule-based. They match patterns. A variable named api_key_example in a test file flags the same way as a live Stripe key in an active production config. Gitleaks scans for entropy and known credential patterns but can't distinguish between a key that was rotated and revoked six months ago and one that's live right now. Neither tool understands your codebase they treat a commented out credential the same as an active one sitting in a file that gets loaded on every request.

The result is a signal to noise ratio that makes the output nearly unusable for anyone who isn't already a security engineer. And the cruel irony is that developers learn to ignore it. Which is worse than not scanning at all, because now you have false confidence on top of real exposure.


Why this got significantly worse in the last 12 months

The noise problem existed before AI coding tools. What's changed is the volume and the nature of how secrets end up in code.

When a developer writes code manually and commits a secret, there's usually a story they were testing something, they forgot to move it to .env, they copied from a tutorial. The mistake has a human fingerprint and a human pace.

AI agents work differently.

A developer using Cursor, Copilot, or any agentic tool describes what they want and the agent writes it. Thousands of lines at a time. The agent's job is to complete the task "integrate Stripe payments," "add AWS S3 uploads," "connect to the database." It does that. And sometimes completing the task means pulling in a credential from wherever it can find one because that's what makes the code run.

Two patterns I've been seeing more frequently:

The unfilled placeholder that ships.
Agents generate credential placeholders YOUR_API_KEY_HERE, sk_test_REPLACE_ME, INSERT_DB_PASSWORD. These are meant to be replaced. Sometimes they don't get replaced. The developer sees everything working locally because their .env overrides it and doesn't notice the placeholder made it to the committed config file.

The forgotten context.
A developer pastes an error message into their AI tool to debug something. The error message contains a connection string with credentials. The agent uses that connection string in the fix it generates. The fix gets committed. Nobody noticed because the code worked and the PR was 47 files long.

The vibe coding reality and this isn't a criticism, it's just accurate is that when an AI is writing thousands of lines you stop reading every line. You read the diff at a high level, you check that it works, you ship it. The security review that might have caught a hardcoded key in 50 lines of handwritten code doesn't scale to 500 lines of generated code.

The scanners weren't designed for this. They were designed for humans making human speed mistakes. The false positive rate that was already a problem at human commit velocity becomes genuinely unmanageable when an agent is committing 10x the code per day.


What actually separates signal from noise

This is the part that rule based scanners don't answer and it's the part that actually matters.

Is it reachable?
A secret in a file that's never loaded in your production environment is a different risk from one in an active config that runs on every request.

Is it live?
A rotated, revoked key sitting in git history is noise. An active key with valid permissions is a fire. These look identical to a pattern based scanner.

Is it exposed?
A secret in server side code is a different exposure level from one baked into a frontend JavaScript bundle that gets served to every browser that visits your site. Most developers don't know that environment variables prefixed with REACT_APP_ or VITE_ get compiled directly into your frontend build output they're not server side secrets at that point, they're public.

What's the blast radius?
An exposed read only analytics API key is a different conversation from an AWS key with admin permissions or a Stripe live secret key. Treating them the same in a findings list is how developers learn to ignore findings lists.

None of the free scanning tools answer these questions. They find. They don't evaluate.


The SME reality that nobody in enterprise security talks about

I used to work at an SME. The security tools that existed were built for companies with dedicated security teams, six figure budgets, and months of onboarding time. They required professional services to implement. They assumed someone on your team already spoke the language.

We didn't have any of that. We had developers who cared about doing things right but had no practical path from "we should be more secure" to "here are three specific things to fix this week."

The gap between those two states is where most small teams live permanently. The tooling exists. The knowledge of what to do with the output doesn't.

What a small team actually needs isn't more findings. It's:

  • What is genuinely dangerous right now
  • What is probably noise
  • What to fix first and why
  • Explained in plain English without assuming security expertise

That's the gap I've been trying to close.


What I built and why it's still not perfect

SecOpsium uses Semgrep and Gitleaks under the hood I'm not reinventing scanning. What I built is the layer that sits between the raw scanner output and the developer who has to act on it.

The ML validation layer is trained and I'll keep improving it to reduce false positives based on context that rule based scanners ignore file type, variable naming patterns, whether the value has the entropy profile of a real credential, whether the file is in a test directory, and a dozen other signals. It doesn't eliminate false positives. It reduces them significantly enough that the output becomes actionable. The model is still being improved and I'm honest about that.

The priority queue ranks findings based on severity, exposure level, and fixability. Not everything flagged is equal. The output tells you what to look at first and gives you enough context to understand why without needing a security background to interpret it.

JS exposure scanning catches credentials that end up in frontend bundles a pattern that's genuinely underappreciated and one that's getting more common as AI agents write full stack code without distinguishing between what's server-side and what ends up in the browser.

Config auditing goes beyond secrets looking at configuration patterns that create risk even when no credential is directly exposed.

Scheduled and automated scans mean you don't have to remember to run it. For a small team that's not thinking about security every day, this matters more than any feature.

What it doesn't do yet: it won't catch everything. The ML layer has blind spots I'm still mapping. Some finding categories need more work. There are parts of the interface that aren't ready to be shown yet. This is an alpha and I'm treating it as one shipping it early, watching what real usage surfaces, and fixing things fast.


The commands worth running right now regardless

If you don't use any tooling and want to check a few things manually:

Check if a .env file was ever committed even if it's not there now:

git log --all --full-history -- .env

Find TODO comments referencing credentials that might have shipped:

grep -r "TODO.*key\|TODO.*token\|TODO.*secret" --include="*.js" --include="*.py" .

Check old branches for sensitive files:

git branch -r | xargs -I {} git log {} --all -- .env

Inspect Docker image layer history for secrets baked in during build:

docker history --no-trunc <image-name>

Check if secrets are in your frontend build output:

grep -r "sk_live\|AKIA\|ghp_" ./dist ./build 2>/dev/null

None of this requires a paid tool. It takes 20 minutes and you might find something that's been sitting there for months.


Where this is going

The pattern I keep seeing is that security gets treated as something to sort out later after the product works, after there are users, after there's funding. By then the habits are set and the exposure has been sitting there for a year.

I don't think small teams are careless. I think the tools made it too hard and too noisy to act on. That's what I'm trying to fix.

SecOpsium alpha is live at secopsium.com free pro access until July 31st, no credit card required. The scanning CLI is fully open source at github.com/secopsium/secopsium-cli if you want to look at how the scanning layer works.

If you run it and the prioritization feels wrong, or you're getting too many false positives in a specific category, I want to know. That feedback is more valuable to me right now than anything else.


Wael Matoussi — Founder, SecOpsium