Skip to content

Instantly share code, notes, and snippets.

View Himan10's full-sized avatar
🎧
The Armored Entity

Himan10

🎧
The Armored Entity
28 followers · 46 following
View GitHub Profile
@Himan10
Himan10 / bedrock-pb.md
Last active April 21, 2026 19:28
Bedrock Permission Boundary

What do we need to control or features we need permission boundary for:

  1. Short lived and Long lived API keys in bedrock
    1. so long lived API keys always create an IAM user, which means during the time of investigation, we could check those users in IAM and find out if any API key has been created or not.
    2. User or malicious actor can add these API keys to their local running claude agent or codex or anything that supports bedrock
  2. Playground
    1. user can communicate with higher cost LLM models, can send images, generate code or communicate in such a way that'd incur a huge cost on the organisation.
    2. The models from "Model catalogue" opens up in the play ground for communication as well.
  3. Knowledge base
  4. Build Agents
  5. Guardrails
@Himan10
Himan10 / supply-chain-security.md
Created April 20, 2026 03:22
Supply Chain Security for npm & PyPI on GitLab

Supply Chain Security for npm & PyPI on GitLab

1. Threat Model

Supply chain attacks hit at four distinct points:

[1] Package manifest       — typosquatting, unpinned versions
@Himan10
Himan10 / kyverno-notation-eks.md
Last active March 23, 2026 03:41
Kyvenro EKS

Kyverno + AWS Notation: Enforcing Signed Container Images in EKS

Overview

This guide demonstrates how to enforce signed container image verification in an Amazon EKS cluster using:

  • Kyverno – Kubernetes policy engine
  • AWS Notation (kyverno-notation-aws) – signature verification
  • AWS Signer – image signing
  • IRSA (IAM Roles for Service Accounts) – secure AWS access
@Himan10
Himan10 / claude.md
Created March 2, 2026 05:56
publicly found references for claude

HOWTO

write plans/reviews/architecture for claude, below are the examples found on Github

Anti-Patterns to Avoid

  1. Don't delete session.json without checking if session is active
  2. Don't modify git state while an agent is running
  3. Don't retry billing/quota errors (they're not retryable)
  4. Don't ignore PentestError type - it indicates the error category
  5. Don't make random changes hoping something works
@Himan10
Himan10 / windsurf.md
Last active September 15, 2025 14:19
this rule is used to provide context and set of instructions to Windsurf AI coding assistant.

Purpose

Generate Nuclei security templates from OpenAPI (Swagger) specifications using AI-assisted scripting.
Manual: @create_nuclei.
glob: *.yaml, *.yml, *.json, .yml, .yaml, .json

  • Always create a Changelog.md to keep track of changes made to the codebase.
  • Changelog.md should also include the changes made to Windsurf's workspace rules.

EXECUTION

  • CREATE or MODIFY Changelog.md.
@Himan10
Himan10 / template.yaml
Created April 15, 2025 16:45
akto test template
id: REMOVE_TOKENS
info:
name: "Broken Authentication by removing auth token"
description: "API doesn't validate the authenticity of token. Attacker can remove the auth token and access the endpoint."
details: >
"The endpoint appears to be vulnerable to broken authentication attack. The original request was replayed by removing victim's <b>auth</b> token. The server responded with 2XX success codes.<br>"
"<b>Background:</b> Authentication is the process of attempting to verify the digital identity of the sender of a communication. Testing the authentication schema means understanding how the authentication process works and using that information to
circumvent the authentication mechanism. While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. Negligence, ignorance, or simple
understatement of security threats often result in authentication schemes that can be bypassed
@Himan10
Himan10 / feeds.opml
Created April 9, 2025 20:51
<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
<head>
<title>Engineering Blogs</title>
</head>
<body>
<outline text="Engineering Blogs" title="Engineering Blogs">
<outline type="rss" text="8th Light" title="8th Light" xmlUrl="https://8thlight.com/insights/feed/rss.xml" htmlUrl="https://8thlight.com/blog/"/>
<outline type="rss" text="AdRoll" title="AdRoll" xmlUrl="http://tech.adroll.com/feed.xml" htmlUrl="http://tech.adroll.com/blog/"/>
<outline type="rss" text="Advanced Web Machinery" title="Advanced Web Machinery" xmlUrl="https://advancedweb.hu/atom.xml" htmlUrl="https://advancedweb.hu/"/>
@Himan10
Himan10 / secure_code_review.md
Last active August 28, 2024 08:44

Secure Code Review

Semgrep

Commands: (Only works in Linux or similar distributions)

  1. Installation:
    • Create a virtual environment: python3 -m venv “my_env”
    • Activate the created virtual environment:
      • Windows: source “my_env”/Scripts/Activate
      • Linux: source “my_env”/bin/activate
      • Once activated, use “pip” to download the semgrep library: pip install semgrep
        Semgrep can also be installed directly without creating any virtual environment but it’s always recommended to have a virtual environment set-up in case things go wrong, you can switch back to your normal environment and work with it.
@Himan10
Himan10 / jobs_model.py
Created March 17, 2024 13:35
User model
class User(models.Model):
"""
Represents a user profile with related details.
This class defines the attributes associated with a user profile.
This class has two foreign keys that point to Job and Company table
"""
def media_upload_path(instance, filename):
return f"user_{instance.user_id}/data/{filename}"
@Himan10
Himan10 / missing_functionalities_in_jobAPI.md
Created October 21, 2023 10:50

Missing functionalities in API (Jobs)

  1. Jobs
    1. Industry
    2. Job Type
    3. Salary
    4. Qualification
    5. Vacency position
    6. Total applyed (we already have a number of applicants for this)
    7. About the Job: