π Crypto π SecOps builder Β· SBOM intelligence Β· Low-level, failure-obsessed
- π― Current focus:
AI-BOM Inspectorβ AI-powered SBOM risk & license scanner - π Drawn to: firmware, reverse engineering, weird edge cases, failure paths
- π§ Style: think like the attacker, build like the defender
- π‘ Open to: collabs on security tooling, SBOM workflows, CI/CD security
Iβve seen the wrong side of security. Now I use that perspective to build tools that keep the blast radius small.
From raw SBOMs to clear risk intel: vulnerable dependencies, license traps, and what to fix first.
| π AI-BOM Inspector | Details |
|---|---|
| π§Ύ Input | CycloneDX / SPDX SBOMs |
| π§ Output | AI-ranked risk, reasoning, and prioritized recommendations (WIP) |
| π‘ Use Case | Supply-chain security, SecOps, CI/CD gating |
| 𧩠Roadmap | GitHub Action · CI/CD blocking · dashboard |
| π Repo | π AI-BOM-Inspector |
- π§ͺ AI-BOM Inspector β AI x SBOM risk analysis & license inspection
- π° Low-level / firmware lab β system internals, boot/OS experiments, failure hunting
- βοΈ Clean utility β smaller but fully documented tool with tests (discipline over hype)
- 𧱠Security toolkit skeleton β reusable template for future tools
graph TD;
A[SBOM: CycloneDX/SPDX] --> B[Parse & Normalize];
B --> C[Risk Engine];
B --> D[License Intel];
C --> E[Score: Critical Β· High Β· Medium Β· Low];
C --> F[Explain: CVEs Β· Maintenance Β· Exposure];
D --> G[Detect: License Conflicts Β· Copyleft Issues];
E --> H[CI/CD Gating];
F --> I[Reports];
G --> I;
H --> J[GitHub Action / Pipelines];
- Granular risk scoring (CVSS, maintenance, license risk, popularity, ecosystem health)
- Explain every flag (CVE, abandonware, license conflict)
- Remediation ideas and safer alternatives (where it matters)
- GitHub Action to post risk intel directly on pull requests
- CI/CD mode to block builds above a configurable risk threshold
- Lightweight dashboard / TUI for dependency health over time
π§ͺ Languages
- Python β security tooling, CLIs, end-to-end workflows
- Rust β performance and safety when I need both
- C β where abstractions drop and the real behavior shows
π‘ Security / Domain
- SBOMs (CycloneDX / SPDX) and supply-chain analysis
- Dependency intelligence: risk, licenses, maintenance, ecosystem signals
- CI/CD security hooks, GitHub Actions, risk-based gating
- Applying an attacker mindset to build stronger defenses
βοΈ Ecosystem
- Linux as the main lab
- Docker for reproducible environments
- GitHub Actions for continuous checks & automation
- Issues / Discussions as live feedback loops
- I donβt sanitize the story; I choose where the line is now.
- I care about how systems really fail, not just how theyβre supposed to work.
- Curiosity fuels tools that reduce blast radius.
- Iβd rather ship one tool that actually protects people than a dozen forgettable scripts.
- Aware of the dark, committed to pointing it in the right direction.
- β Initial release of AI-BOM Inspector CLI
- β SBOM parsing + base risk highlighting
- β First external review integrated into roadmap (scoring, explainability, integrations)
- π GitHub Action: auto-comment risk insights on PRs
- π CI/CD risk threshold mode: fail builds when the dependency tree gets sketchy
Timeline
- 2025-11 β AI-BOM Inspector tested by external users; workflow + feature ideas captured
- 2025-11 β GitHub profile refocused around AI x security, supply-chain defense, low-level work
- 2025-11 β Roadmap shaped: granular risk, explanations, remediation, GH Action, CI/CD
- 2025-12+ β Focus: integrations, more real SBOMs, polished UX for teams
- LICENSE β clear, explicit (MIT / Apache-2.0 / etc.)
- SECURITY.md β reported issues responsibly
- CONTRIBUTING.md β open issues / PRs without wasting time
- CODE_OF_CONDUCT.md β standard, but running a serious project
- GitHub Actions workflow (tests / lint) + CI badge in README
- Security tooling
- SBOM workflows / supply-chain security
- AI x SecOps
β¦I paired attacker perspective with disciplined defensive engineering.