A couple of days ago I came across an article with a great title: “DevSecOps for 20 milli…
October 21, 2025 at 8:13 PM • Max Knyazev is typing… (Telegram mirror)

A couple of days ago I came across an article with a great title: "DevSecOps for 20 million? I made my own scanner and posted it for free". The author is a former security professional who decided to build his own vulnerability scanner and release it to the public. Sounds nice: a free analogue of expensive commercial solutions, with support for SAST, SCA and IaC. Just upload the file, press the button and get a report. Minimalistic interface, no registration, no SMS, no purchases or paperwork. In theory, this is an ideal story for anyone who is tired of tenders and bureaucracy🤩
But you know me - my hands were itching to check it out myself😉
I took several of my test projects and also used GPT-5 to generate a demo project with obvious vulnerabilities, so that I would know exactly what to look for. I ran it through the scanner from the article (link - you can check it out for yourself), and then through Semgrep - and that's where things got interesting. Semgrep found 25 vulnerabilities, five of them critical. But the hero of today's post, SecCoder, didn't find anything at all. Judging by the output, it uses Trivy and Dependency-Check, which in my case just silently passed by. Perhaps a bug, perhaps a format mismatch, but so far the result looks, to put it mildly, unstable. It's especially strange that you can scan only one file at a time, not the whole project🧐
I ran other projects through the scanner, and SecCoder either found something or was silent again. I can't draw any conclusions here; I still don't know the answer to "why is this happening?"😏
What the author writes about the difficulty of setting up tools like Semgrep or Trivy is a half-truth. Both are installed with a couple of commands and work without any fiddling. Yes, commercial solutions like PT AI really cost a fortune (and really are harder to roll out), but there are many free open source alternatives that are quite accurate and convenient for real work. So the "but it's free" argument doesn't help here; what matters more is that the tool is reliable🧠
However, I don't want to sound too critical. The very fact that someone went and made his own scanner, even as a beta that doesn't always work, is already cool (at least, it's cool). You can feel the motivation not to whine, but to try to make things simpler and clearer. The interface turned out neat, light and pleasant - the author clearly enjoys it. I think if repository scanning is added, the output is normalized and the tool is polished as a whole, something more interesting might come of it. Although the question of value remains open🥳
But for now it's more of a cool pet project than a working tool for production security. Take a look at it - yes; use it on real projects - not yet. My test results (comparison with Semgrep) are attached in the comments under the post🥂
#information_security
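Editor's note: the post compares Semgrep's findings with a scanner that wraps Trivy and Dependency-Check and notes that its output needs normalizing. The example below is added here and is not the post author's code nor SecCoder's; it shows how a practitioner would fold a Semgrep JSON report and a Trivy JSON report into one finding list, and why an empty report must be treated as "scanned nothing" or "scan errored" rather than "clean", which is the silent-pass failure mode the post describes. The report shapes follow the documented `semgrep scan --json` and `trivy fs --format json` formats as the editor understands them, the sample reports are constructed (the CVE identifier is a placeholder), and the mapping of Semgrep's ERROR/WARNING/INFO onto Trivy's CRITICAL..LOW scale is an editorial choice.

```python
"""Normalize Semgrep and Trivy JSON reports into one finding list.

Produce the inputs with (real CLI flags):
    semgrep scan --config auto --json -o semgrep.json .
    trivy fs --format json -o trivy.json .
"""
import json
from collections import Counter

# Editorial assumption: Semgrep's three severities mapped onto Trivy's scale
# so both tools can be counted on one axis.
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}

# Constructed sample of `semgrep scan --json` output (not the author's results).
SEMGREP_SAMPLE = json.dumps({
    "results": [
        {"check_id": "python.lang.security.audit.sqli.sqli",
         "path": "app/db.py", "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "SQL built from user input"}},
        {"check_id": "python.lang.security.audit.subprocess-shell-true",
         "path": "app/run.py", "start": {"line": 10},
         "extra": {"severity": "WARNING", "message": "subprocess with shell=True"}},
    ],
    "errors": [],
})
# Constructed: Semgrep ran but its rules or parser failed, and found nothing.
SEMGREP_ERRORS_SAMPLE = json.dumps({"results": [], "errors": [{"message": "rule load failed"}]})

# Constructed sample of `trivy fs --format json` output; CVE id is a placeholder.
TRIVY_SAMPLE = json.dumps({
    "Results": [
        {"Target": "requirements.txt", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
             "InstalledVersion": "1.0", "Severity": "CRITICAL"},
        ]},
        {"Target": "Dockerfile"},   # target with no Vulnerabilities key at all
    ],
})
# Constructed: Trivy recognised no manifest or lockfile, so it scanned nothing.
TRIVY_EMPTY_SAMPLE = json.dumps({"SchemaVersion": 2})


def normalize_semgrep(report_text):
    """Return (findings, status). 'clean' only when there were no errors."""
    data = json.loads(report_text)
    findings = [{
        "tool": "semgrep",
        "id": r["check_id"],
        "location": f'{r["path"]}:{r["start"]["line"]}',
        "severity": SEMGREP_SEVERITY.get(r["extra"]["severity"], "UNKNOWN"),
    } for r in data.get("results", [])]
    if data.get("errors"):
        status = "errors"           # never report this as a clean scan
    elif findings:
        status = "findings"
    else:
        status = "clean"
    return findings, status


def normalize_trivy(report_text):
    """Return (findings, status). No Results at all means nothing was scanned."""
    data = json.loads(report_text)
    results = data.get("Results") or []
    findings = []
    for target in results:
        for v in target.get("Vulnerabilities") or []:
            findings.append({
                "tool": "trivy",
                "id": v["VulnerabilityID"],
                "location": f'{target["Target"]}:{v["PkgName"]}@{v["InstalledVersion"]}',
                "severity": v.get("Severity", "UNKNOWN"),
            })
    if not results:
        status = "nothing-scanned"  # an empty report is not a passing report
    elif findings:
        status = "findings"
    else:
        status = "clean"
    return findings, status


def summarize(findings):
    """Count findings per (normalized) severity across both tools."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    sg, sg_status = normalize_semgrep(SEMGREP_SAMPLE)
    tv, tv_status = normalize_trivy(TRIVY_SAMPLE)
    print("semgrep:", sg_status, "trivy:", tv_status)
    print("combined:", summarize(sg + tv))
    print("trivy on unrecognised project:", normalize_trivy(TRIVY_EMPTY_SAMPLE)[1])
```

The status field is the point: a wrapper that only counts findings will print "0 vulnerabilities" both for a genuinely clean project and for one Trivy never recognised (no `Results`) or Semgrep could not parse (`errors` non-empty). Surfacing "nothing-scanned" and "errors" separately is what turns a silent pass into a visible failure.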