Hi HN,

I'm Guillaume, the founder of Bearer, an open-source code security scanning tool. Alongside the buzz around generative AI (which, as an HN reader, you've likely encountered), we've also been hearing concerns from security teams.

When using OpenAI's developer APIs (and other LLMs), the nature of generative AI models (the more context you give, the better the results you get back) opens the door to "oversharing" information. For example, if you are building an AI assistant into your travel booking app, sending sensitive data such as customer information becomes highly probable. As with any shared data, this presents significant security and privacy risks that we can't overlook, hence the concern from security teams.

To address these risks, we need explicit policies and a culture of privacy and security within the organization. We should treat generative AI models like any other third-party dependency, assessing them for vulnerabilities and safeguarding customer data. Of course, having the right tooling also helps.

That's why we've added a new set of rules to Bearer CLI, our open-source static analyzer, that explicitly check for OpenAI usage. Combined with our sensitive data detection capability, these rules can alert you and your team if your code is sending sensitive data it shouldn't be.

You can find Bearer CLI and the OpenAI ruleset at the following URLs:

Bearer CLI: https://github.com/bearer/bearer
OpenAI rule for JavaScript: https://docs.bearer.com/reference/rules/javascript_third_parties_openai/

Please feel free to test it on your code and share any feedback with us below. We welcome contributions to improve detection and add new rules to further enhance the security of your code.
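If it helps to picture it, here is a minimal, hypothetical sketch of the kind of JavaScript the rule is meant to flag: a chat completion prompt built from customer data. The customer object and its fields are made up for illustration, and the calls assume the official openai npm client:

    // Hypothetical travel-assistant snippet: customer PII is interpolated
    // into the prompt, so it ends up in the request payload sent to OpenAI.
    const { Configuration, OpenAIApi } = require("openai");

    const openai = new OpenAIApi(
      new Configuration({ apiKey: process.env.OPENAI_API_KEY })
    );

    async function suggestTrips(customer) {
      return openai.createChatCompletion({
        model: "gpt-3.5-turbo",
        messages: [
          {
            role: "user",
            // Name and email address are sensitive data flowing to a third party.
            content: `Suggest destinations for ${customer.fullName} (${customer.email}) based on past bookings.`,
          },
        ],
      });
    }

Running a scan from the project root (bearer scan .) should surface a finding for the OpenAI rule on code like this, pointing at the spot where the sensitive data leaves your app.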