AI Security
OpenAI API Key Leakage on GitHub at Scale
A senior engineer's view of OpenAI API key leakage on GitHub at scale, why automated secret scanning misses so many, and what actually stops the bleeding.
Apr 1, 20267 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A senior engineer's view of OpenAI API key leakage on GitHub at scale, why automated secret scanning misses so many, and what actually stops the bleeding.
A technical comparison of Safeguard.sh and GitHub Advanced Security in 2026 across scanning depth, secret detection, container coverage, and cost.
GitLab and GitHub both ship with defaults that prioritize usability. A head-to-head on the specific hardening steps each platform needs before it is safe for enterprise use.
Slack disclosed a stolen-token incident over the 2022 holidays and a related GitHub repository access event; the operational lessons apply broadly.
In 2023, attackers used stolen GitHub personal access tokens to push malicious commits masquerading as Dependabot; a short-sharp incident with lasting lessons.
Dropbox's 2022 GitHub phishing incident began with a developer-targeted CircleCI lookalike campaign; the supply chain lessons centered on CI tokens and code.
A comprehensive look at GitHub's evolving supply chain security toolkit, from Dependabot to code scanning, and how these features are reshaping how developers manage dependency risk.
A step-by-step tutorial for turning on GitHub Dependency Review, enforcing license and severity policies, and getting fast feedback on every pull request.
Dependabot has become the default for dependency updates, but its limitations highlight why automated scanning alone isn't enough for supply chain security.
Weekly insights on software supply chain security, delivered to your inbox.