<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: jostkolega</title><link>https://news.ycombinator.com/user?id=jostkolega</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Thu, 23 Apr 2026 07:28:29 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=jostkolega" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by jostkolega in "Ask HN: What are you working on? (February 2026)"]]></title><description><![CDATA[
<p>Nice! Working in a similar space - will be publishing here also soon. How are you handling finding issues beyond pattern matching where deep code understanding is required?</p>
]]></description><pubDate>Tue, 10 Feb 2026 18:36:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=46964661</link><dc:creator>jostkolega</dc:creator><comments>https://news.ycombinator.com/item?id=46964661</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46964661</guid></item><item><title><![CDATA[New comment by jostkolega in "Ask HN: What are you working on? (February 2026)"]]></title><description><![CDATA[
<p>Running security audits on open source repos with a tool we've built and reporting what I find to maintainers. Mostly infrastructure stuff — vector databases, LLM tooling, secrets managers. Been doing responsible disclosure and submitting fixes which are all autogenerated. Surprisingly high acceptance rate so far, which is encouraging. Working on automating more of the test process...</p>
]]></description><pubDate>Tue, 10 Feb 2026 18:29:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=46964503</link><dc:creator>jostkolega</dc:creator><comments>https://news.ycombinator.com/item?id=46964503</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46964503</guid></item><item><title><![CDATA[New comment by jostkolega in "Yikes – Security scanner for AI-generated code"]]></title><description><![CDATA[
<p>Semgrep's a solid choice for this. The stuff you're catching - secrets, SQLi, weak hashing - is where pattern matching shines.</p>
<p>The tricky part with LLM-generated code is when it's syntactically fine but semantically broken. Stuff like:</p>
<ul>
<li>auth logic that checks user.role but also has a <code>req.query.admin === 'true'</code> fallback because the model left debug code in</li>
<li>JWT validation that calls verify() but passes <code>algorithms: ['none']</code> or disables signature checking — the code <i>looks</i> right</li>
<li>async TOCTOU bugs where permission check and action aren't atomic because the LLM wrote it like sync code</li>
</ul>
<p>None of these match simple patterns. You need dataflow analysis to catch them reliably.</p>
<p>Curious if you're thinking about that for the paid tier, or keeping it pattern-based to stay fast?</p>
]]></description><pubDate>Tue, 03 Feb 2026 12:15:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=46870029</link><dc:creator>jostkolega</dc:creator><comments>https://news.ycombinator.com/item?id=46870029</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46870029</guid></item><item><title><![CDATA[New comment by jostkolega in "Show HN: Kekkai – Interactive security triage in the terminal"]]></title><description><![CDATA[
<p>+1 on triage being the real problem. Question: when Semgrep surfaces something ambiguous, let's say a SQL query that looks parameterized but the ORDER BY is built elsewhere, what does reviewing that actually look like? I'm wondering how much context you get before needing to jump out to the codebase.</p>
]]></description><pubDate>Tue, 03 Feb 2026 11:35:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=46869665</link><dc:creator>jostkolega</dc:creator><comments>https://news.ycombinator.com/item?id=46869665</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46869665</guid></item></channel></rss>