Notes from the platform.
Engineering deep-dives, security research, and product updates.
From Encore to Fastify: rebuilding our scanner on plain TypeScript
We tried Encore.ts. It got us moving. Then we hit deployment limits and vendor lock-in concerns and migrated to Fastify + Zod + Supabase in six weeks. The migration plan, the three things that broke at cutover, and what we'd do exactly the same again.
What we found scanning our own codebase on day one
Before we let anyone else point Dockier at their repo, we pointed it at ours. 47 findings, 3 real, 1 embarrassing. The CVEs, the false positives, and the rule we wrote that night.
Detecting sensitive data without an LLM
A 320-line schema parser beats GPT-4o on PII classification — 12× faster, zero per-scan cost, no hallucinated labels. We still ship the model as a tie-breaker. Here's the breakdown of when each one wins.
OSV.dev: the dependency scanner you already have
Google's open vulnerability database covers more ecosystems than Snyk's free tier, ships under Apache 2.0, and needs no API key. A tour of the OSV ecosystem and the four sharp edges we hit integrating it.
The AI-fix PR is the wrong primitive
Auto-generated fix PRs demo beautifully and pile up unread in production. After three months of watching them go stale, we replaced them with something more boring — and saw remediation rates triple.