Joined November 2025
Pinned Tweet
🚨Seqra just open-sourced a security analyzer that your agents will love to work with. It's called OpenTaint. The open source taint analysis engine for the AI era. github.com/seqra/opentaint Here is why you need it:
We are testing our skills teaching @claudeai Opus 4.8 to work with OpenTaint, and the results are promising. Codebase scale — 840 files / 131K LOC / 279 entry-surface files / ~200 sink sites. $122 for a cold scan with dynamic testing. 6 vulnerabilities with PoCs.
Fast future scans without triage cost nothing (the cross-file dataflow reachability is effectively free). Triage with dynamic testing cost depends on the number of new findings ($2–$5 per finding).
🌱 Introducing an in-browser taint-flow viewer for OpenTaint — the most thorough taint analysis engine for Spring app security. Live demo, built from our open-source Java/Kotlin Spring Boot demo app: viewer.opentaint.org/
The demo surfaces 13 findings:
• XSS across Spring controllers
• Server-side template injection
• SSRF through Kotlin coroutines
Click any finding, walk the flow end-to-end from untrusted input to the dangerous method call, and read the rule that fired alongside the code.
🚀 OpenTaint v0.3.0 is out — the most thorough taint analysis for Spring app security! A release focused on detection precision: a content-type-aware XSS rule with type-argument matching and analyzer precision fixes. 🌟 Star the repo: github.com/seqra/opentaint #Java #Spring #SAST
opentaint scan
Opus 4.7 is quite good at writing rules for OpenTaint. Right now it's writing tests for XSS taint rules, checking if XSS is real at runtime using Playwright, and tuning rules to reduce false positives.
This is a taint rule.
Meanwhile, static taint analysis costs nothing, runs on the CPU in minutes, and works deterministically.
$20,000 to scan one codebase, that's what Anthropic says it cost Mythos to find those zero days. Per repo. Except API tokens are currently sold at a LOSS. That "$20,000 scan" probably cost closer to $100,000 in real GPU time. ffmpeg couldn't afford the subsidized price, let alone the real one... If the cost doesn't come down by a huge factor, this just doesn't make sense. It's Anthropic's marketing week 💀
We build an open-source taint analyser for the AI era to make lean application security a reality. Discovering a vulnerability is only half the problem. Doing it at scale, without waste, is the other half. And for that, we need advanced formal methods more than ever.
Introducing Project Glasswing: an urgent initiative to help secure the world’s most critical software. It’s powered by our newest frontier model, Claude Mythos Preview, which can find software vulnerabilities better than all but the most skilled humans. anthropic.com/glasswing
AI generates production code faster than today's security tooling can keep up with. The more AI writes code, the more you need formal methods underneath.
Apr 6
Vibe coding is officially dead. I had to say it. We thought AI would let us relax and code "on chill", but instead it turned us into architectural bureaucrats. We write strict laws, define rules, limits, and principles. If you don't obsessively review the code the agent writes, your project will mutate into a massive landfill of tech debt within a month.
I doubt LLM scanners scale for large codebases well. Not to mention the costs and unpredictability of results. Use LLMs to write rules for SAST to find new kinds of vulnerabilities and to do so precisely. Use SAST tools that allow for this.
llm-sast-scanner - github.com/SunWeb3Sec/llm-sa… A general-purpose Static Application Security Testing (SAST) skill for LLM-based code vulnerability analysis. Designed to be loaded by AI coding agents (Claude Code, OpenAI Codex, etc.) to perform structured source-to-sink taint analysis across 34 vulnerability classes.
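The posts above keep referring to three ideas without showing them: a taint rule (source, sanitizer, sink), a content-type-aware XSS sink that treats an HTML response differently from a JSON one, and source-to-sink dataflow. The following is an added illustration of those ideas, written for this page; it is not OpenTaint's code or its rule format, and the web framework names it matches on (`request.args.get`, `html.escape`, `render_html`, `render_json`) and the sample application are constructed for the demo. It is a flow-sensitive, straight-line, intraprocedural toy: a real engine does this across files, through calls and control flow.

```python
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class TaintRule:
    """A taint rule: where untrusted data enters, what neutralises it, where it is dangerous."""
    name: str
    sources: frozenset     # dotted call names whose result is attacker-controlled
    sanitizers: frozenset  # calls whose result is safe for this sink class
    sinks: frozenset       # calls where tainted data becomes a vulnerability


# Hypothetical framework names, chosen for the demo. render_json is deliberately NOT a
# sink: a JSON body is not an HTML context, which is what "content-type-aware" means here.
XSS_HTML_RULE = TaintRule(
    name="xss-html-response",
    sources=frozenset({"request.args.get"}),
    sanitizers=frozenset({"html.escape"}),
    sinks=frozenset({"render_html"}),
)

# Constructed sample application (not real project code). Line numbers count from the
# leading newline, so greet_html's return is line 4 and greet_fstring's is line 16.
SAMPLE_APP = '''
def greet_html(request):
    name = request.args.get("name")
    return render_html("<h1>Hello " + name + "</h1>")

def greet_json(request):
    name = request.args.get("name")
    return render_json({"name": name})

def greet_escaped(request):
    name = html.escape(request.args.get("name"))
    return render_html("<h1>Hello " + name + "</h1>")

def greet_fstring(request):
    raw = request.args.get("name")
    return render_html(f"<h1>Hello {raw}</h1>")
'''


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted, rule):
    """True if any part of the expression carries taint under the rule."""
    if isinstance(expr, ast.Call):
        fn = dotted_name(expr.func)
        if fn in rule.sanitizers:   # sanitizer kills taint regardless of its arguments
            return False
        if fn in rule.sources:      # source introduces taint
            return True
        # Unknown call (str(), .upper(), ...): conservatively pass taint through positional args
        return any(is_tainted(a, tainted, rule) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    # BinOp, f-strings, dict/list literals, attribute access: taint in any child taints the whole
    return any(is_tainted(child, tainted, rule) for child in ast.iter_child_nodes(expr))


def analyze(source_code, rule):
    """Walk each top-level function's body in order and report sink calls fed by taint."""
    findings = []
    tree = ast.parse(source_code)
    for func in tree.body:
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            # 1. Check sinks in this statement against the taint state *before* it executes.
            for node in ast.walk(stmt):
                if isinstance(node, ast.Call) and dotted_name(node.func) in rule.sinks:
                    if any(is_tainted(a, tainted, rule) for a in node.args):
                        findings.append((func.name, node.lineno, dotted_name(node.func), rule.name))
            # 2. Propagate or kill taint through simple assignments.
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if is_tainted(stmt.value, tainted, rule):
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)
    return findings


def run_demo():
    return analyze(SAMPLE_APP, XSS_HTML_RULE)


if __name__ == "__main__":
    for fn, line, sink, rule in run_demo():
        print(f"{rule}: untrusted input reaches {sink}() in {fn} at line {line}")
```

Running it reports two findings, `greet_html` and `greet_fstring`, and stays quiet on `greet_json` (wrong content type for an HTML-context sink) and `greet_escaped` (sanitized before the sink). Both false-positive sources the release notes above talk about show up even in a toy this small: the sink list and the sanitizer list are what decide precision, which is why rule quality, not just engine reach, is what the "writing rules and tests" posts are about.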