HackerTrans
TopNewTrendsCommentsPastAskShowJobs

asadeddin

162 karmajoined vor 12 Jahren
Founder of Corgea - corgea.com Twitter: asadeddin

Submissions

[untitled]

1 points·by asadeddin·vorgestern·0 comments

Show HN: Sighthound - open-source vulnerability scanner for source code

github.com
19 points·by asadeddin·vorgestern·0 comments

[untitled]

1 points·by asadeddin·vor 5 Tagen·0 comments

[untitled]

1 points·by asadeddin·vor 24 Tagen·0 comments

[untitled]

1 points·by asadeddin·letzten Monat·0 comments

[untitled]

1 points·by asadeddin·letzten Monat·0 comments

Mythos: Given Enough Inference, All Bugs Are Shallow

corgea.com
4 points·by asadeddin·vor 2 Monaten·0 comments

GitHub Actions Security Checklist for Supply Chain Attacks

corgea.com
12 points·by asadeddin·vor 2 Monaten·1 comments

Securing MCP Servers

corgea.com
1 points·by asadeddin·vor 10 Monaten·0 comments

comments

asadeddin
·vorgestern·discuss
We're open-sourcing Sighthound today, our rules-based static security scanner. What makes it special is that it's coded in rust and uses tree-sitter as it's AST making it very fast and easily extensible.

Why build another scanner in 2026? We wanted to improve some of our detection outcomes but noticed the current open source scanners like Semgrep/Opengrep we're capped by a bunch of adoption limitations such as being written in OCaml, requiring a lot of work to add a language parser, and the rulesets were licensed differently and required paid offerings. It also felt that licensing was moving backwards rather than forward.

We wanted something that was very fast, was easily extensible and had a great set of rules that we could use. This led us to using Rust and Tree-sitter since they are both fast and have great community adoption making extending Sighthound natural.

We wanted it to focus on source-code vulnerability classes like Sql Injection, and Xss. We haven't yet done any secrets scanning as there are a lot of great options in the market at the moment. Right now, Sighthound supports Python, JS/TS, Java, Go, C#, HTML, PHP and Ruby.

We still have a lot of work to do so, we'd love for your feedback, and contributions in however they come from adding new languages, new rules or bug fixes.
asadeddin
·vor 19 Tagen·discuss
OpenAI building security tooling is the natural next step after AI-powered code generation, if AI writes the code, AI will need to find and fix the bugs in it too. The interesting question is whether this stays infra-focused or moves toward application-layer security.

We wrote a paper about it: https://corgea.com/blog/given-enough-inference-all-bugs-all-...
asadeddin
·vor 20 Tagen·discuss
Full disclosure, Ahmad, CEO at Corgea.

Interesting approach, catching vulns at commit time before CI runs saves cycles. The challenge is always false positive rate at that stage and the AI inference time. How fast is the review? I saw the demo video and it seems you cut to the results.
asadeddin
·vor 20 Tagen·discuss
Delaying vulnerability disclosure for political reasons undermines the entire coordinated disclosure model. If researchers learn that findings get buried when inconvenient, they stop reporting through official channels.
asadeddin
·vor 21 Tagen·discuss
[dead]
asadeddin
·vor 21 Tagen·discuss
[flagged]
asadeddin
·vor 22 Tagen·discuss
[dead]
asadeddin
·vor 24 Tagen·discuss
The Corgea team has found a High vulnerability in Axios using our security research agent. This 0-day affects millions of globally. The cost of finding this vulnerability was <$10 and 15 mins of time. It didn't use Mythos or Fable but rather GPT-5.4 which is a fraction of the cost of these systems.
asadeddin
·vor 9 Monaten·discuss
Hi there, I'm Ahmad, CEO at Corgea, and the author of the white paper. We do actually use LLMs to find the vulnerabilities AND triage findings. For the majority of our scanning, we don't use traditional static analysis. At the core of our engine is the LLM reading the line of code to find CWEs in them.
asadeddin
·vor 10 Monaten·discuss
Very interesting. Thanks for sharing the insights!

Would've it made more sense to separate this testing out to a different instance of your product? This would've probably helped distinguish between real and bounty users.