
Code Quality Tools: Why They Miss Security Bugs (And What to Add)
Code quality tools enforce style and catch bugs, but they miss security vulnerabilities. Learn where quality tools fall short and how to close the gap.
Insights, tutorials, and best practices for secure development

Code quality tools enforce style and catch bugs, but they miss security vulnerabilities. Learn where quality tools fall short and how to close the gap.

Compare secret scanning tools — Gitleaks, TruffleHog, detect-secrets, and git-secrets — for finding leaked API keys: detection methods, speed, and pre-commit fit.

An application security solution should catch vulnerabilities in code, dependencies, and secrets without slowing you down. Rafter delivers all three.

Best vulnerability scanner tools catch security flaws before production. Learn what separates good scanners from great ones and how to pick the right fit.

Pre-commit hooks catch leaked API keys before they enter git history. Step-by-step setup for betterleaks, detect-secrets, and TruffleHog with real config examples.

Leaked OpenAI API keys get exploited within minutes, racking up thousands in charges. Learn the risks, how to recover, and how to prevent exposure.

Leaked API keys get exploited within minutes. Step-by-step emergency response to revoke, rotate, audit, and prevent future credential leaks.

GitHub secret scanning detects 200+ token formats automatically. But it misses custom secrets, env files, and git history. Here is what it covers and where gaps remain.

Leaked API keys caused $4.2B in cloud breaches last year. Learn how to detect, prevent, and respond to credential leaks across your entire development lifecycle.

MCP ships with minimal security defaults. This checklist operationalizes defense across seven control domains—trust tiers, localhost hardening, output sanitization, rate limiting, audit logging, multi-tenant isolation, and incident response—with concrete implementation examples and verification tests.

MCP's security lives entirely in the application layer—no injection detection, no audit trail, no behavioral monitoring, no per-tool access scoping. This post defines what a production security layer must provide, how to architect it across five components, and three deployment patterns with tradeoffs.

MCP audit logging is optional, inconsistent, and leak-prone. For SOC 2, HIPAA, and PCI-DSS compliance, that's not inconvenient—it's a blocker.
Showing 121–132 of 199 posts