HackerTrans
TopNewTrendsCommentsPastAskShowJobs

asadeddin

162 karmajoined 12 ปีที่แล้ว
Founder of Corgea - corgea.com Twitter: asadeddin

Submissions

[untitled]

1 points·by asadeddin·เมื่อวานซืน·0 comments

Show HN: Sighthound - open-source vulnerability scanner for source code

github.com
19 points·by asadeddin·เมื่อวานซืน·0 comments

[untitled]

1 points·by asadeddin·5 วันที่ผ่านมา·0 comments

[untitled]

1 points·by asadeddin·24 วันที่ผ่านมา·0 comments

[untitled]

1 points·by asadeddin·เดือนที่แล้ว·0 comments

[untitled]

1 points·by asadeddin·เดือนที่แล้ว·0 comments

Mythos: Given Enough Inference, All Bugs Are Shallow

corgea.com
4 points·by asadeddin·2 เดือนที่ผ่านมา·0 comments

GitHub Actions Security Checklist for Supply Chain Attacks

corgea.com
12 points·by asadeddin·2 เดือนที่ผ่านมา·1 comments

Securing MCP Servers

corgea.com
1 points·by asadeddin·10 เดือนที่ผ่านมา·0 comments

comments

asadeddin
·เมื่อวานซืน·discuss
We're open-sourcing Sighthound today, our rules-based static security scanner. What makes it special is that it's coded in rust and uses tree-sitter as it's AST making it very fast and easily extensible.

Why build another scanner in 2026? We wanted to improve some of our detection outcomes but noticed the current open source scanners like Semgrep/Opengrep we're capped by a bunch of adoption limitations such as being written in OCaml, requiring a lot of work to add a language parser, and the rulesets were licensed differently and required paid offerings. It also felt that licensing was moving backwards rather than forward.

We wanted something that was very fast, was easily extensible and had a great set of rules that we could use. This led us to using Rust and Tree-sitter since they are both fast and have great community adoption making extending Sighthound natural.

We wanted it to focus on source-code vulnerability classes like Sql Injection, and Xss. We haven't yet done any secrets scanning as there are a lot of great options in the market at the moment. Right now, Sighthound supports Python, JS/TS, Java, Go, C#, HTML, PHP and Ruby.

We still have a lot of work to do so, we'd love for your feedback, and contributions in however they come from adding new languages, new rules or bug fixes.
asadeddin
·19 วันที่ผ่านมา·discuss
OpenAI building security tooling is the natural next step after AI-powered code generation, if AI writes the code, AI will need to find and fix the bugs in it too. The interesting question is whether this stays infra-focused or moves toward application-layer security.

We wrote a paper about it: https://corgea.com/blog/given-enough-inference-all-bugs-all-...
asadeddin
·20 วันที่ผ่านมา·discuss
Full disclosure, Ahmad, CEO at Corgea.

Interesting approach, catching vulns at commit time before CI runs saves cycles. The challenge is always false positive rate at that stage and the AI inference time. How fast is the review? I saw the demo video and it seems you cut to the results.
asadeddin
·20 วันที่ผ่านมา·discuss
Delaying vulnerability disclosure for political reasons undermines the entire coordinated disclosure model. If researchers learn that findings get buried when inconvenient, they stop reporting through official channels.
asadeddin
·21 วันที่ผ่านมา·discuss
[dead]
asadeddin
·21 วันที่ผ่านมา·discuss
[flagged]
asadeddin
·22 วันที่ผ่านมา·discuss
[dead]
asadeddin
·24 วันที่ผ่านมา·discuss
The Corgea team has found a High vulnerability in Axios using our security research agent. This 0-day affects millions of globally. The cost of finding this vulnerability was <$10 and 15 mins of time. It didn't use Mythos or Fable but rather GPT-5.4 which is a fraction of the cost of these systems.
asadeddin
·9 เดือนที่ผ่านมา·discuss
Hi there, I'm Ahmad, CEO at Corgea, and the author of the white paper. We do actually use LLMs to find the vulnerabilities AND triage findings. For the majority of our scanning, we don't use traditional static analysis. At the core of our engine is the LLM reading the line of code to find CWEs in them.
asadeddin
·10 เดือนที่ผ่านมา·discuss
Very interesting. Thanks for sharing the insights!

Would've it made more sense to separate this testing out to a different instance of your product? This would've probably helped distinguish between real and bounty users.