Open source security faces growing risks from dependency vulnerabilities, leaked secrets, insecure AI-generated code, and supply chain attacks. In this talk, I will demonstrate how to use open source tools like Trivy, Grype, Gitleaks, and Trufflehog to scan dependencies and detect exposed secrets.

I will explain how to build and maintain a Software Bill of Materials (SBOM) to protect codebases and organizational assets. Using real-world case studies—Trufflehog’s discovery of 12,000+ live API keys in AI training data, the Rabbit R1 credential exposure, and supply chain incidents in the US and Japan—I will show the impact of poor code security practices.

Live demo will highlight how AI models trained on insecure code can propagate vulnerabilities. Attendees will leave with practical techniques for scanning codebases, securing their development pipelines, and preventing the next generation of supply chain threats.