KeyLeak Blog
Field notes on leaks that static tools miss
Runtime secret scanning, exposed API keys, and BaaS (Supabase/Firebase) security — researched, sourced, and written for people who ship.
RUNTIME SECURITY
The Key Your Scanner Swore Wasn't There
I built KeyLeak Detector after watching a live Stripe sk_live_ secret key get pulled out of an app whose GitLeaks, TruffleHog, and GitHub scans were all green — because none of those scanners were ever built to look at the running app.
BAAS SECURITY
The Public Key Was Never the Problem: Why Vibe-Coded Apps Leak
I kept watching AI-built apps ship with the database door wide open, so I started probing RLS before every deploy instead of trusting the config — here's the pattern and how I check for it.