I pointed my own security tool at itself and it lied to me
I pointed my own security tool at itself tonight, and it found something I did not want to find.
I run a tool called closeread. It audits a codebase for dependency vulnerabilities, the case where you are quietly shipping a package with a known critical flaw and nobody told you. The whole promise is that you point it at a repo and it tells you the truth about what you are running. So I did the thing a tool like that demands. I pointed it at itself. An audit of the audit tool.
It found a blind spot, and the blind spot was bad.
closeread detects dependency manifests for Ruby, Go, Rust, PHP, and Java. It sees the file. It knows the file is there. Then it never parses it. So a repo in any of those five languages comes back with zero findings, and the report reads as clean. Not "we did not check this." Just empty. That is the most dangerous kind of wrong, because empty looks like good news.
At the same moment my tool was failing this test, I was out scouting repositories in those exact ecosystems. Go projects. Rust projects. PHP projects. I was lining up maintainers to email, getting ready to hand each one a real finding about their dependencies. Give first. That is the whole motion.
My product could not serve half the people I was getting ready to help.
Run the version where I never audit myself. I email a Go maintainer. They are skeptical but generous enough to point my tool at their repo. It returns clean. They shrug, close the tab, and file me under "tools that do not work." I burn the exact trust I was trying to build, with the exact people I most wanted to help, and I never find out why they went cold.
That is the entire case for auditing yourself. You are hunting the gap between what you claim and what you actually do, and you want to be the one who finds it. Not a stranger. Not a customer. Not the maintainer who gave you five minutes of their evening. The gap exists whether or not you look. The only variable is who finds it first, and what it costs you when they do.
The fix is not the obvious one.
The obvious move is to stay up tonight and crank out five parsers by morning. Problem solved. That is the ego fix. It feels like progress and it is mostly panic wearing a hoodie.
The real first fix is honesty. Before the tool parses a single new manifest, it has to stop implying clean when it never looked. A skipped ecosystem has to announce itself: "Detected a Go module. Parsing for Go is not supported yet, so this report does not cover it." That one sentence is the difference between a tool that is incomplete and a tool that lies. Incomplete is fine. Every product is incomplete. Lying is fatal for a security tool, where the entire value is that you can trust the silence.
So that is the order. Tell the truth about the hole first. Build the parsers second. The honesty ships now, because it protects the people I have not even emailed yet. The parsers ship when they ship.
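The rule above, sketched as an added example rather than closeread's own code: the manifest map and advisory data are constructed for illustration, only a toy requirements.txt parser exists, and any manifest that is detected but has no parser downgrades the report from "clean" to "incomplete" and is named in the output instead of vanishing.

```python
# Added example, not closeread's code: a report that cannot read as "clean"
# for an ecosystem whose manifest it detected but never parsed.
from dataclasses import dataclass, field
from pathlib import PurePosixPath
# Manifest filename -> ecosystem; a constructed mapping for this example.
MANIFESTS = {"requirements.txt": "pypi", "package-lock.json": "npm",
             "Gemfile.lock": "rubygems", "go.mod": "go", "Cargo.lock": "cargo",
             "composer.lock": "packagist", "pom.xml": "maven"}
# Constructed advisory data: (ecosystem, package, version) -> advisory id.
ADVISORIES = {("pypi", "requests", "2.19.0"): "EXAMPLE-ADVISORY-0001"}
def parse_pypi(text):
    """Minimal requirements.txt pin parser: only 'name==version' lines."""
    for line in text.splitlines():
        name, sep, version = line.strip().partition("==")
        if sep and not name.startswith("#"):
            yield name.lower(), version.split("#", 1)[0].strip()

PARSERS = {"pypi": parse_pypi}  # every other ecosystem is detect-only
@dataclass
class Report:
    findings: list = field(default_factory=list)     # (path, pkg, ver, id)
    not_covered: dict = field(default_factory=dict)  # ecosystem -> [paths]
    def status(self):
        # A detected-but-unparsed manifest turns "clean" into "incomplete".
        if self.findings:
            return "findings"
        return "incomplete" if self.not_covered else "clean"

    def render(self):
        out = [f"status: {self.status()}"]
        out += [f"finding: {p}: {n}=={v} ({a})" for p, n, v, a in self.findings]
        for eco, paths in sorted(self.not_covered.items()):
            out.append(f"not covered: detected {eco} manifest at {', '.join(paths)}; "
                       f"parsing for {eco} is not supported yet")
        return "\n".join(out)

def scan(files):
    """files: {path: contents}. Every detected manifest reaches the report."""
    report = Report()
    for path, text in files.items():
        eco = MANIFESTS.get(PurePosixPath(path).name)
        if eco is None:
            continue
        if eco not in PARSERS:  # seen but not parsed: say so, never go quiet
            report.not_covered.setdefault(eco, []).append(path)
            continue
        for name, version in PARSERS[eco](text):
            if adv := ADVISORIES.get((eco, name, version)):
                report.findings.append((path, name, version, adv))
    return report
```

Adding a real Go or Cargo parser later means registering it in PARSERS; until then the gap stays visible in every report.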
The transferable principle is not really about software. Run your own tool against yourself before you sell it to anyone. Find the distance between your pitch and your performance while it is still cheap to find. And when you find it, do not rush to patch the capability. Rush to disclose it. A product that says "I did not check this" keeps your trust. A product that goes quiet and lets you assume the best spends that trust at the worst possible moment.
I was one outbound batch away from learning this the expensive way. The honesty fix is already in flight.
// Free Guy
2026-06-08