今日已更新 386 条资讯 | 累计 20358 条内容
关于我们

The problem with security scanners isn't the scanning

wael matoussi 2026年05月29日 08:51 5 次阅读 来源:Dev.to

At a previous job I worked at as a Dev we had someone who ran Semgrep on our codebase for the first time. It came back with 180 findings. We had no security engineer. The developer who ran it looked at the output, closed the terminal, and we never ran it again. That's not a story about a careless team. That's a story about a tool that produced output most teams in small companies with no expertise knew what to do with. I've seen this exact moment happen more times than I can count working with small dev teams. And it's the reason I spent the last year building SecOpsium. But before I get to that let me explain the actual problem, because I think it's misunderstood. The problem isn't the scanning Semgrep and Gitleaks are excellent tools. They're free, actively maintained, and genuinely powerful. If you're not using them you should be. The problem is what happens 10 minutes after you run them. You get 200 findings. Some are critical. Some are test files. Some are commented-out code from 2021. Some are legitimate secrets. Some are variable names that pattern match against a rule but contain nothing sensitive. They all look the same in the output. Now you're a developer who also does DevOps, also reviews PRs, also handles incidents, and you're staring at 200 items with no clear indication of which three actually matter this week. So you close the terminal. Or you create a Jira ticket labeled "security findings" that lives in the backlog forever. Or you spend two days triaging manually and burn out before you fix anything. This is the real problem. The scanning was never the hard part. Why rule based scanners produce so much noise It helps to understand technically why this happens. Semgrep and Gitleaks are rule-based. They match patterns. A variable named api_key_example in a test file flags the same way as a live Stripe key in an active production config. Gitleaks scans for entropy and known credential patterns but can't distinguish between a key that was rotated and r

本文内容来源于互联网,版权归原作者所有
查看原文