Arpit Jain

Security Researcher | Open Source Advocate

Tokyo, Japan

Supply-chain security researcher. Over 320 security fixes merged across 75 open-source organizations including apache, google, kubernetes-sigs, prometheus, vuejs, eslint, OWASP, NASA, and NIST. Five private vulnerability disclosures (expression injection, pwn requests) to projects including a top Apache project and US federal repositories. Builds open-source mitigation-aware CI/CD vulnerability scanners. Active contributor to CNCF, sigstore/SLSA, OpenSSF, and US federal government projects.

Area of Expertise

  • Finance & Banking
  • Government, Social Sector & Education
  • Information & Communications Technology

Topics

  • cybersecurity
  • supply chain security

Secrets in Public Git Repos: Why It Keeps Happening and How to Fix It

Every day, thousands of API keys, credentials, and tokens are accidentally leaked into public Git repositories, putting users and organizations at massive risk. In this lightning talk, I'll quickly break down why secret sprawl happens despite increasing awareness. I’ll highlight real-world cases like Trufflehog's recent discovery of over 12,000 live API keys inside DeepSeek's AI model training data, demonstrating how leaked secrets can silently persist and escalate risks. I'll demonstrate how simple open source tools like Gitleaks, Trufflehog, and Git pre-commit hooks can detect and prevent exposures. Attendees will leave with immediate, practical steps to stop secret leaks in their repositories — before attackers find them.

Securing Open Source Code: From AI Vulnerabilities to Supply Chain Defense

Open source security faces growing risks from dependency vulnerabilities, leaked secrets, insecure AI-generated code, and supply chain attacks. In this talk, I will demonstrate how to use open source tools like Trivy, Grype, Gitleaks, and Trufflehog to scan dependencies and detect exposed secrets.

I will explain how to build and maintain a Software Bill of Materials (SBOM) to protect codebases and organizational assets. Using real-world case studies—Trufflehog’s discovery of 12,000+ live API keys in AI training data, the Rabbit R1 credential exposure, and supply chain incidents in the US and Japan—I will show the impact of poor code security practices.

A live demo will show how AI models trained on insecure code can propagate vulnerabilities. Attendees will leave with practical techniques for scanning codebases, securing their development pipelines, and preventing the next generation of supply chain threats.
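Both abstracts above point to Gitleaks, Trufflehog and Git pre-commit hooks for catching secrets before they reach a public repository. The following Python script is an added example, not code from the speaker's talks or from either tool: it shows the two detection strategies such scanners combine, a fixed-format rule set and an entropy check on credential-looking assignments, applied to staged-diff text so only newly added lines are flagged. The regexes and the entropy threshold are assumptions chosen for this illustration, and the sample diff and every credential in it are constructed.

```python
import math
import re
# Token formats in the style of Gitleaks/Trufflehog rules (illustrative, not copied from either).
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Fallback: a credential-looking name assigned a long literal, reported only if its entropy looks like key material.
ASSIGNMENT = re.compile(r"""(?i)(?:secret|token|password|api[_-]?key)\s*[=:]\s*['"]?([A-Za-z0-9+/=_-]{20,})""")
ENTROPY_THRESHOLD = 3.5  # bits per character, chosen by hand for this example

def shannon_entropy(s: str) -> float:
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_staged_diff(diff: str) -> list[dict]:
    """Report secrets on the added lines of `git diff --cached` text; committed history is not re-flagged."""
    findings, path, line_no = [], None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):  # "@@ -old,n +new,n @@" restarts new-file numbering
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            line_no += 1
            text = raw[1:]
            hits = [(rule, m.group(0)) for rule, rx in RULES.items() for m in rx.finditer(text)]
            if not hits:  # generic entropy check only when no specific rule fired
                hits = [("high-entropy-literal", m.group(1)) for m in ASSIGNMENT.finditer(text)
                        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD]
            findings += [{"rule": r, "file": path, "line": line_no, "match": v} for r, v in hits]
        elif not raw.startswith("-"):  # unchanged context line also advances numbering
            line_no += 1
    return findings

# Constructed staged diff: fake AWS key id, a placeholder, fake GitHub PAT, random-looking password.
SAMPLE_DIFF = """\
+++ b/settings.py
@@ -1 +1,5 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"
+GITHUB_TOKEN = "ghp_1234567890abcdefghijklmnopqrstuvwxyz"
+DB_PASSWORD = "Xq9vL2mZ8pR4tB7nK1wY6sF3hJ0c"
"""

if __name__ == "__main__":  # as a hook, feed it `git diff --cached` output and exit 1 on findings
    for f in scan_staged_diff(SAMPLE_DIFF):  # show a prefix only, never echo the whole secret
        print(f"{f['file']}:{f['line']}: {f['rule']} ({f['match'][:6]}...)")
```

Installed as `.git/hooks/pre-commit` and reading `git diff --cached`, a non-zero exit from the scan blocks the commit; the placeholder `API_KEY` line shows why the entropy gate matters, since a rule on the variable name alone would flag every dummy value.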


Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
