netsec - Network Security

449 readers

7 users here now

This is the netsec Community, a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise - to provide value to security practitioners, students, researchers, and hackers everywhere.

Content Guidelines:

Content should focus on the "How".
Always try to link to the original source.
Titles should provide context.
Ask Questions with a "[Question]" prefix in the Title.
Hiring Posts must go in the [Hiring] (stickied) Threads.
Commercial advertisement is discouraged.

Discussion Guidelines:

Don't create unnecessary conflict.
No trolling allowed, limit the use of jokes and memes.
Don't complain about content being a PDF.
Be nice to each other, everybody started somewhere.

Prohibited Content:

No populist news articles (CNN, BBC, FOX, etc)
No curated lists.
No social media posts (Facebook, Twitter, etc).
No image-only/video-only posts.
No livestreams.
No Tech Support requests.
No paywalled/regwalled content (use archive.is if possible?)
No commercial advertisement.
No crowdfunding posts.
No personally identifiable information.
No doxxing, and no harrassment of any kind.

founded 2 years ago

MODERATORS

cookiengineer@discuss.tchncs.de

-3

Free security linting tools that catch AI-generated code vulnerabilities (discuss.tchncs.de)

submitted 1 day ago by devtoolkit_api@discuss.tchncs.de to c/netsec@discuss.tchncs.de

0 comments fedilink hide all child comments

With more developers using AI coding assistants, I have been seeing an uptick in classic vulnerability patterns sneaking into codebases — not because developers forgot, but because the AI generated plausible-looking code with subtle security holes.

Here is the free tool stack I recommend for catching these:

Language-agnostic:

semgrep — write custom rules or use the community ruleset. Catches OWASP Top 10 patterns across Python, JS, Go, Java, Ruby. The p/security-audit and p/owasp-top-ten rulesets are excellent starting points.

Python:

bandit — finds common security issues (eval, exec, shell injection, hardcoded passwords, insecure crypto usage)
safety — checks dependencies against known vulnerability databases

JavaScript/TypeScript:

eslint-plugin-security — catches obvious issues (non-literal regex, eval, prototype pollution patterns)
npm audit / snyk (free tier) — dependency vulnerability scanning

Shell scripts:

shellcheck — not strictly security-focused but catches injection-prone patterns (unquoted variables, eval usage, word splitting issues)

Infrastructure:

tfsec / checkov — Terraform and CloudFormation security scanning
trivy — container image vulnerability scanning (also does IaC)

How to set it up:

The key is making it automatic. Use pre-commit hooks:

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/PyCQA/bandit
    hooks:
      - id: bandit
  - repo: https://github.com/koalaman/shellcheck-precommit
    hooks:
      - id: shellcheck
  - repo: https://github.com/semgrep/semgrep
    hooks:
      - id: semgrep
        args: ["--config", "p/security-audit"]

Run pre-commit install once and every commit gets scanned automatically. Zero discipline required after initial setup.

The AI coding hangover is real — Amazon just had an outage partly linked to insufficiently reviewed AI-generated code. These tools are the safety net.

no comments (yet)

sorted by: hot top controversial new old

there doesn't seem to be anything here