<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>KeyLeak Detector Blog</title><link>https://keyleakdetector.com/blog</link><atom:link href="https://keyleakdetector.com/feed.xml" rel="self" type="application/rss+xml"/><description>Runtime secret scanning, API key leaks, and BaaS (Supabase/Firebase) security.</description><language>en-us</language><lastBuildDate>Fri, 29 May 2026 09:00:00 +0000</lastBuildDate><item><title>The Key Your Scanner Swore Wasn&#x27;t There</title><link>https://keyleakdetector.com/blog/why-runtime-secret-scanning-matters</link><guid isPermaLink="true">https://keyleakdetector.com/blog/why-runtime-secret-scanning-matters</guid><pubDate>Fri, 29 May 2026 09:00:00 +0000</pubDate><description>I built KeyLeak Detector after watching a live Stripe sk_live_ secret key get pulled out of an app whose GitLeaks, TruffleHog, and GitHub scans were all green — because none of those scanners were ever built to look at the running app.</description></item><item><title>The Public Key Was Never the Problem: Why Vibe-Coded Apps Leak</title><link>https://keyleakdetector.com/blog/baas-security-risks-vibecoded-apps</link><guid isPermaLink="true">https://keyleakdetector.com/blog/baas-security-risks-vibecoded-apps</guid><pubDate>Fri, 29 May 2026 09:00:00 +0000</pubDate><description>I kept watching AI-built apps ship with the database door wide open, so I started probing RLS before every deploy instead of trusting the config — here&#x27;s the pattern and how I check for it.</description></item></channel></rss>
