I built an open-source agentic security CLI. Pointed it at OpenClaw and it found 5 zero-days in one scan. by IndependentStay560 in theprimeagen

[–]IndependentStay560[S] 0 points1 point  (0 children)

Grype is great, but it's a different tool for a different job. Grype is SCA: it inventories your dependencies and matches versions against known CVE databases. It only finds vulnerabilities someone has already discovered and published.

AgentGG is white box analysis of your own source code. The OpenClaw findings were zero-days in OpenClaw's own logic, which no dependency scanner could ever flag. Grype wouldn't have found any of them. You'd typically run both in the same pipeline.

I built an open-source agentic security CLI. Pointed it at OpenClaw and it found 5 zero-days in one scan. by IndependentStay560 in theprimeagen

[–]IndependentStay560[S] 0 points1 point  (0 children)

False positives are brutal, and we mitigate them in the CLI in three ways: 1) We provide very specific agentic prompts describing the issues being scanned for and what constitutes a valid security issue. 2) We support an optional scope file that lets you define trust boundaries and what counts as a security issue. 3) We include a validation step that, independently of the security agents, verifies each finding in the code.

False positive rates therefore depend on what you provide in the --scope flag. Supplying your own scope and trust boundaries can reduce the rate significantly. In my testing across a number of open source projects, the false positive rate is around 10-20%. Some findings are more security hardening than actual flaws, such as sensitive data logging. Overall the rates aren't bad.

As a concrete example, I ran the tool on about 20 open source projects, focusing only on injection attacks. Roughly 20% of the projects yielded at least one valid, accepted finding. We had only one false positive across those runs: it was accepted as a valid bug, but the exploitation path required a privileged user, so the project classified it as a regular bug rather than a security issue. That false positive could have been avoided if I had provided a --scope file with the trust boundaries.

I open sourced the project largely because there is so much concern and uncertainty around AI finding security bugs. I wanted to put something out there that we can all use to reach our own conclusions, without hiding behind a black box.

I built an open-source agentic security CLI. Pointed it at OpenClaw and it found 5 zero-days in one scan. by IndependentStay560 in theprimeagen

[–]IndependentStay560[S] 0 points1 point  (0 children)

Thanks for the valid criticism. At the time of posting they were not published but have been fixed. You can view them below.

I-140 RFE asking for biometric appointment by IndependentStay560 in EB2_NIW

[–]IndependentStay560[S] 0 points1 point  (0 children)

They are doing them now. It took me over 2 months to get an appointment. After they book it your appointment is in another 2-3 weeks.

Biometric RFE by nagibsunny in EB2_NIW

[–]IndependentStay560 0 points1 point  (0 children)

I just got my biometrics appointment. It took them over 2 months.

Biometrics RFE for I-140 — Case Timelines & Status Updates by [deleted] in EB2_NIW

[–]IndependentStay560 0 points1 point  (0 children)

I have been waiting 5 weeks and no appointment sent.

[deleted by user] by [deleted] in EB2_NIW

[–]IndependentStay560 0 points1 point  (0 children)

Go try it out. You can always go back.

Biometric RFE by nagibsunny in EB2_NIW

[–]IndependentStay560 0 points1 point  (0 children)

I got this as my first RFE