23 Comments
ToxSec's avatar

One of a set of 3 aimed at vibe coding pitfalls!

I think everyone should feel empowered by all these new AI tools, and start building the things you've always wanted to!

Just make sure you know what to look for.

Action-Solution based. Avoid these and push to prod!

EOONLabs's avatar

Great recs. Also, there is now “betterleaks” which is helpful.

ToxSec's avatar

aaaah this is a great recommendation. i’ve collected a few and will have to update the article soon.

thanks! 🔥🔥🔥

EOONLabs's avatar

Here to contribute to the cause. Also heavily thinking on this article these days:

https://phrack.org/issues/71/17_md#article

EOONLabs's avatar

Thoughts around Veilid from cDc then? Or much in that realm?

Priank Ravichandar's avatar

This is super helpful! I'm planning to make some projects open-source, but I wanted to make sure the model hasn't revealed any keys in the code and git history, so your timing is incredible. Definitely going to look into TruffleHog.

I've also noticed that when the LLM needs to edit the .gitignore, it will sometimes accidentally remove the .env (or some other local files) from .gitignore and not mention it at all.

ToxSec's avatar

Really glad to hear it! TruffleHog is legit.

and yes, that's classic LLM behavior, and I talk about it on my 3rd post in this series actually!

basically if a security control gets in the way, they don't think "this is here for a reason" they think "let's work around this, or remove it!"

it's funny and terrifying at scale lol.

Priank Ravichandar's avatar

I feel like at least 1/4 times I look at what the model did, and it's just "solved" a problem by deleting or bypassing something🫠

ToxSec's avatar

yes! even my agent on claude 4.6 does this. even with patterns and instructions against it.

“oops!”

Aina Alive's avatar

Great article as always! Either it’s less technical, or I’m finally catching up with all the tech jargon 🙂

ToxSec's avatar

Hey that’s honestly super great to hear! I’d place this at the intermediate level, so I think it’s more you're catching up! Something to be proud of!

Paul Gibbons's avatar

Claude won't let me paste... .env files... when I say "just fucking use these" it says no no no... it is probably smarter than me

ToxSec's avatar

hahah that is awesome. there are some improvements for sure, it's odd how some security aspects it is adamant on and others... it just lets slide unless you bring it up!

Marcus's avatar

I created a tool to find and remove this very thing! Great article!

Thanks!

ToxSec's avatar

This is awesome! feel free to share it here, or PM me and i can advertise it =-)

Marcus's avatar

It is a manual process but works nevertheless :)

It is part of my tools repository on cyberlifecoach.pro

https://cyberlifecoach.pro/tools/git-secrets-scanner

Much appreciated.

I am currently working on a suite of tools, one being a website security scanning tool based on OWASP and NIST. I will share that in an upcoming article in a month or so.

Sincerely

Marcus

ToxSec's avatar

Worth taking a look at. Marcus has a tool that helps with this exact problem. If you're going to base tools for scanning on anything, OWASP is a top tier way to do so.

Thanks Marcus!

Marcus's avatar

Much appreciated brother!

Dr Sam Illingworth's avatar

Great article, again! Ran gitleaks on my repos after reading it, all clean. Already had API keys in env vars rather than hardcoded but hadn’t thought about git history scanning or pre-commit hooks. Both now sorted for all future builds.

Also worth discussing .mcp.json files? Anyone using MCP servers with Claude Code is putting API keys in a local config file. I think that these should be chmod 600 and excluded from any backup or sync service.

ToxSec's avatar

Awesome stuff Sam! I'm doing 2 more, 1 for slopsquatting and another for patterns. But with your red team skill you are way ahead of the curve!

gitleaks is awesome to have hooked up.

And you are 100% correct! amazing man, i love seeing the security guy in you haha!

Thanks again for reading and supporting my friend.

Dr Sam Illingworth's avatar

Always man. Genuinely learn so much from your posts and writing. 🙏

Mia Kiraki 🎭's avatar

SO VALUABLE, thank you. As a (very "vibe") coder, I'll paste this into my AI to explain like I'm five and then go to my husband and sound super smart and tell him look what I learned and what advice I'll listen to! :D

Thank you Chris :) as always, super useful info!

ToxSec's avatar

Thanks so much Mia! i have 2 more on the basics to vibe securely. this is the one that will save people cash by not giving out their API key!

Appreciate it!