Find me:
Twitter
LinkedIn
GitHub
zricezrice[at]gmail[dot]com
Currently managing the Truffle Security Co. community, including the TruffleHog Discord, Slack, and GitHub. Introduced an optimization that cut average scan times by 50%. Led community events like the TruffleHog Detector Competition, which resulted in over 80 community PRs, active Discord, Slack, and GitHub discussions, and landed TruffleHog on the GitHub Trending page for over a month. Participated in weekly All Hands meetings by presenting community updates.
Founded Gitleaks LLC, a bootstrapped company that provided commercial support for Gitleaks and a paid version of Gitleaks-Action. Authored and maintained the Gitleaks open source project, a SAST tool for detecting secrets in git repos. Met with customers to discuss their needs and provide support. Customers included Fortune 500 companies, government agencies, and startups. Automated all the business logic with Stripe, Zapier, KeyGen, and GitHub Actions. Created content for the Gitleaks blog, Twitter, and LinkedIn account. Operational costs kept below $200/month. Solid side hustle.
Note: I continue to maintain Gitleaks as an open source project and made Gitleaks-Action free, but no longer provide commercial support.
Specialized in Static Analysis at GitLab, contributing significantly to the development and enhancement of Static Application Security Testing (SAST), Secret Detection powered by Gitleaks, and Code Quality solutions for software repositories.
Role involved rigorous management and updates of dependencies in GitLab's SAST and Secret Detection features, leveraging open source software for optimal performance and security compliance.
Expertise in GitLab's Product Development Flow was instrumental in efficiently delivering software and managing issues spanning analyzers, vendored templates, and GitLab's Rails monolith. Creator of Gitleaks, a key component in GitLab's Secret Detection product, significantly contributing to the closing of major deals and addressing unplanned work, including community contributions.
Developed and maintained a robust testing pipeline for Gannett's Fastly services using Golang and Terraform, enhancing CDN performance for the extensive USA TODAY NETWORK. Implemented in-house Golang APIs and Slackbots for efficient Fastly purging, alongside writing complex VCL logic to support other teams in Fastly service development.
Oversaw one of the largest Fastly services, fronting over 100 websites within the USA TODAY NETWORK, showcasing expertise in CDN optimization and management. Managed Apigee Edge, employing a Terraform-based pipeline for systematic updates, and played a key role in reviewing PRs and advising on complex proxy logic. Eventually became a maintainer of the official Apigee Terraform provider.
Contributed to the construction of the Fastly CDN pipeline for over 100 web applications, utilizing Terraform, Docker, Golang, and Jenkins for automated deploys and testing. Monitored system performance using New Relic, Splunk, and Sumo Logic, ensuring optimal operation and swift issue resolution.
Enhanced our application pipeline through the development of applications for tasks like container building and pushing to Artifactory, and secret management using Vault and Consul configurations.
Implemented and tested modules covering crop growth, nutrient cycling, nutrient uptake, harvest date, and parameter estimation, enhancing the effectiveness of agricultural models. Developed a weather ingestion system capable of integrating data from GFS, ECMWF, and HRRR models, improving the accuracy of agricultural predictions. Backend development, focusing on aggregating model outputs to front-end products, utilizing Python, PostgreSQL, Redis, and RabbitMQ.
h1domains (Python)
Small script to pull all the domains from HackerOne's bug bounty program directory. Scheduled to run hourly with GitHub Actions.
This list helps bug bounty hunters find new programs to hack on.
TruffleHog (Go)
Like Gitleaks, TruffleHog is a SAST tool for detecting secrets like passwords, API keys, and tokens in git repos, filesystems, Slack messages, Jira tickets, GitHub comments, etc. TruffleHog is able to verify the liveliness of secrets by attempting to use the secret to authenticate with the secret provider. This essentially eliminates false positives.
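The detect-then-verify flow described above, as an added illustration that is not TruffleHog's or Gitleaks' own code: each detector pairs a cheap keyword pre-filter with a regex for the secret's shape, and every regex hit is passed to a verifier that tries to use the secret. The detector definition, the `ghp_` token shape, and the in-memory "provider" standing in for a real authentication call are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable


@dataclass
class Detector:
    name: str
    keywords: tuple            # cheap substring pre-filter; regex only runs on a keyword hit
    pattern: re.Pattern        # shape of the secret
    verify: Callable[[str], bool]  # tries to use the secret against its provider


@dataclass
class Finding:
    detector: str
    secret: str
    verified: bool


# Constructed stand-in for the provider: the set of tokens that are currently live.
# A real verifier would make an authenticated request (e.g. GET /user with the token)
# and treat a 2xx response as "live". Hypothetical values, not real credentials.
LIVE_TOKENS = {"ghp_" + "a" * 36}


def fake_github_verify(token: str) -> bool:
    """Constructed verifier: 'authenticates' by checking the in-memory provider."""
    return token in LIVE_TOKENS


DETECTORS = [
    Detector(
        name="github_pat",
        keywords=("ghp_",),
        pattern=re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
        verify=fake_github_verify,
    ),
]


def scan(text: str, detectors=DETECTORS) -> list[Finding]:
    """Run every detector over a chunk of text and verify each candidate."""
    findings = []
    for d in detectors:
        # Pre-filter: skip the (comparatively expensive) regex unless a keyword is present.
        if not any(k in text for k in d.keywords):
            continue
        for m in d.pattern.finditer(text):
            secret = m.group(0)
            findings.append(Finding(d.name, secret, d.verify(secret)))
    return findings


def redact(secret: str) -> str:
    """Show only the prefix and suffix so a report never echoes a live secret in full."""
    return secret[:6] + "..." + secret[-4:]


# Constructed sample input: one live token and one that was rotated and no longer works.
SAMPLE = f"""
export GITHUB_TOKEN=ghp_{'a' * 36}
# an old, rotated token that is no longer valid
old = "ghp_{'b' * 36}"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        status = "VERIFIED (live)" if f.verified else "unverified"
        print(f"{f.detector}: {redact(f.secret)} -> {status}")
```

Only the verified finding needs an urgent response (rotation, audit of what the token could reach); the unverified one is the kind of stale match that would otherwise have been reported as a false positive.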
Go-TDAmeritrade (Go)
Go client for the TD Ameritrade API. Helpful for building trading bots.
See also: GitHub
Blog: Contributor Spotlight [Truffle Security Co. Blog]
Blog: Hacktoberfest and Video [Truffle Security Co. Blog]
Blog: Making TruffleHog Faster with Aho-Corasick [Truffle Security Co. Blog]
Video: How to create a Detector [YouTube]
Video/Talk: All Things Open Talk [YouTube]
Video: Zach Rice Joins Truffle Security [YouTube]
Blog: Finding Secrets with Regular Expressions [Gitleaks Blog]
Blog: Getting Started with Gitleaks-Action [Gitleaks Blog]
Patent: Adaptively generated program model [Google Patents]