Ai on Shivasurya

Claude Code for Security Analysis: Introducing SecureFlow CLI to Hunt Security Vulnerabilities

Fri, 03 Oct 2025 00:00:00 +0000

AI-Powered Security Vulnerability Hunting at Scale

SecureFlow CLI is an open-source agentic SAST security tool that uses AI-powered loops to autonomously hunt for vulnerabilities in codebases. Built on the same principles as Cline/Cursor/Windsurf/Claude-Code for Security Analysis, it leverages LLMs and tools to navigate code, gather context, and identify security issues.

Example: WordPress Plugin Scanning Results

The WordPress plugin ecosystem is often overlooked for security scanning despite serving millions of users. Scanning 600+ WordPress plugins with SecureFlow yielded impressive results:

Rethinking MCP or Tool Calling Through Permission Based System

Sat, 19 Jul 2025 00:00:00 +0000

Model Context Protocol (MCP) and Tool Calling are revolutionizing the application layer of Large Language Models (LLMs), enabling AI to autonomously operate tools and MCP servers to complete tasks. While these capabilities are typically distributed as npm packages or hosted remotely, this distribution method poses potential security risks through malicious code.

Despite these concerns, Tool Calling and MCP add significant value to AI applications. For instance, Windsurf IDE demonstrates excellent integration by leveraging various tools for file operations, diff viewing, and command execution. Users can configure their own MCP packages and servers, allowing models to control these tools effectively.

Static Analysis Isn't Enough: Understanding Library Interactions for Effective Data Flow Tracking

Thu, 17 Apr 2025 00:00:00 +0000

Originally published on the Code-Pathfinder Blog.

Lessons from Building Sherlock: Automating Security Code Reviews with Sourcegraph

Thu, 10 Apr 2025 00:00:00 +0000

Originally published on the Sourcegraph Blog.

LLM-Powered Security Reviews: Insights and Challenges

Wed, 19 Mar 2025 00:00:00 +0000

Introduction

In a previous post on the Sherlock blog, I discussed leveraging large language models (LLMs) to assist with security code reviews. There’s no doubt that LLMs outperform traditional static application security testing (SAST) tools in several ways, enhancing the security review process by:

Reducing false positive rates
Increasing the accuracy of findings
Uncovering previously unidentified edge cases

When used in conjunction with SAST tools, LLMs can significantly boost the effectiveness of security reviews.

How I Use AI to Streamline/Assist My Work

Tue, 28 Jan 2025 00:00:00 +0000

Intro

While there’s a lot of skepticism about using AI to automate tasks, I’ve found AI tools to be invaluable allies that enhance my results and handle niche tasks.

🤖 Reflecting on My LLM Usage

I used to pay for OpenAI & Anthropic Claude API access and regularly automated several tasks until recently when DeepSeek-v3 was released, cutting costs by at least 50% while maintaining the same response quality. Here are a few tasks I found useful after attempting more than 30+ workflows to incorporate and derive value.

From ArcGIS to Mapbox: How Cody AI Made My Web App Shine

Sun, 02 Jul 2023 00:00:00 +0000

Imagine being a newcomer to Canada around 2019, relying on public transit to navigate the Waterloo region. Like many others, I found myself frustrated with the occasional unreliability of Google Maps when searching for public transit options. However, my luck changed when I stumbled upon a cool command line tool developed by a UWaterloo student that predicted the next bus or LRT arrival time within seconds. This discovery led me to GRT.ca, a website providing real-time transit feed updates, allowing me to track the exact location of buses and LRTs. Inspired by this newfound resource, I created a naive map using ArcGIS ESRI Maps, loading location information from the protobuf feed and deploying it on my domain, livemap.shivasurya.me. This map became my go-to tool for finding the precise location of the next bus or LRT.