🃏 Crypto 🃏 SecOps builder · SBOM intelligence · Low-level, failure-obsessed
- 🎯 Current focus:
AI-BOM Inspector– AI-powered SBOM risk & license scanner - 🔎 Drawn to: firmware, reverse engineering, weird edge cases, failure paths
- 🧠 Style: think like the attacker, build like the defender
- 📡 Open to: collabs on security tooling, SBOM workflows, CI/CD security
I’ve seen the wrong side of security. Now I use that perspective to build tools that keep the blast radius small.
From raw SBOMs to clear risk intel: vulnerable dependencies, license traps, and what to fix first.
| 🔍 AI-BOM Inspector | Details |
|---|---|
| 🧾 Input | CycloneDX / SPDX SBOMs |
| 🧠 Output | AI-ranked risk, reasoning, and prioritized recommendations (WIP) |
| 🛡 Use Case | Supply-chain security, SecOps, CI/CD gating |
| 🧩 Roadmap | GitHub Action · CI/CD blocking · dashboard |
| 📂 Repo | 👉 AI-BOM-Inspector |
- 🧪 AI-BOM Inspector – AI x SBOM risk analysis & license inspection
- 🛰 Low-level / firmware lab – system internals, boot/OS experiments, failure hunting
- ⚙️ Clean utility – smaller but fully documented tool with tests (discipline over hype)
- 🧱 Security toolkit skeleton – reusable template for future tools
graph TD; A[SBOM: CycloneDX/SPDX] --> B[Parse & Normalize]; B --> C[Risk Engine]; B --> D[License Intel]; C --> E[Score: Critical · High · Medium · Low]; C --> F[Explain: CVEs · Maintenance · Exposure]; D --> G[Detect: License Conflicts · Copyleft Issues]; E --> H[CI/CD Gating]; F --> I[Reports]; G --> I; H --> J[GitHub Action / Pipelines]; - Granular risk scoring (CVSS, maintenance, license risk, popularity, ecosystem health)
- Explain every flag (CVE, abandonware, license conflict)
- Remediation ideas and safer alternatives (where it matters)
- GitHub Action to post risk intel directly on pull requests
- CI/CD mode to block builds above a configurable risk threshold
- Lightweight dashboard / TUI for dependency health over time
🧪 Languages
- Python – security tooling, CLIs, end-to-end workflows
- Rust – performance and safety when I need both
- C – where abstractions drop and the real behavior shows
🛡 Security / Domain
- SBOMs (CycloneDX / SPDX) and supply-chain analysis
- Dependency intelligence: risk, licenses, maintenance, ecosystem signals
- CI/CD security hooks, GitHub Actions, risk-based gating
- Applying an attacker mindset to build stronger defenses
⚙️ Ecosystem
- Linux as the main lab
- Docker for reproducible environments
- GitHub Actions for continuous checks & automation
- Issues / Discussions as live feedback loops
- I don’t sanitize the story; I choose where the line is now.
- I care about how systems really fail, not just how they’re supposed to work.
- Curiosity fuels tools that reduce blast radius.
- I’d rather ship one tool that actually protects people than a dozen forgettable scripts.
- Aware of the dark, committed to pointing it in the right direction.
- ✅ Initial release of AI-BOM Inspector CLI
- ✅ SBOM parsing + base risk highlighting
- ✅ First external review integrated into roadmap (scoring, explainability, integrations)
- 🔜 GitHub Action: auto-comment risk insights on PRs
- 🔜 CI/CD risk threshold mode: fail builds when the dependency tree gets sketchy
Timeline
- 2025-11 – AI-BOM Inspector tested by external users; workflow + feature ideas captured
- 2025-11 – GitHub profile refocused around AI x security, supply-chain defense, low-level work
- 2025-11 – Roadmap shaped: granular risk, explanations, remediation, GH Action, CI/CD
- 2025-12+ – Focus: integrations, more real SBOMs, polished UX for teams
- LICENSE – clear, explicit (MIT / Apache-2.0 / etc.)
- SECURITY.md – reported issues responsibly
- CONTRIBUTING.md – open issues / PRs without wasting time
- CODE_OF_CONDUCT.md – standard, but running a serious project
- GitHub Actions workflow (tests / lint) + CI badge in README
- Security tooling
- SBOM workflows / supply-chain security
- AI x SecOps
…I paired attacker perspective with disciplined defensive engineering.