Betterleaks picks up where Gitleaks left off
Plus: China pulls ahead on open AI models, Android moves deeper into the car stack, and more.
Hi folks,
This week’s lead story looks at the launch of Betterleaks, a new open-source secrets scanner from the creator of Gitleaks, and what it says about how security tooling — and ownership — is evolving in the AI era.
Elsewhere, China is pulling ahead on open AI models much to the chagrin of the US; Google expands Android Automotive deeper into the car stack; Cisco rolls out a new open-source tool to secure AI systems; and a fresh round of donations and project graduations points to continued momentum in open infrastructure and governance.
As usual, feel free to reach out to me with any questions, tips, corrections, or suggestions: forkable[at]pm.me.
Paul
<Open issue>
Secrets scanning for the agentic era
Gitleaks is one of the most popular open-source secret scanning tools, racking up more than 25,000 GitHub stars and tens of millions of downloads since its launch in 2018.
Now, Gitleaks creator Zach Rice is starting afresh with Betterleaks, a new open-source scanner designed to catch exposed credentials — API keys, tokens, passwords — as code is written and shared.
So… why launch a new thing when the old thing was seemingly doing so well? The answer traces back to Rice’s move to Truffle Security in 2023, where his focus shifted to rival open-source scanner TruffleHog. Development on Gitleaks slowed, he said, and Rice no longer had full control over the project.
Betterleaks is positioned as a continuation — a drop-in replacement, with existing commands and configurations still working, but with a reworked detection approach, faster scanning, and more flexibility over how secrets are identified and validated.
Rice says the goal is to keep moving development forward without forcing the existing community to migrate.
“Hopefully it’s not going to cause too much of a backlash to the community – I love the Gitleaks community, and I don’t want to fracture that,” Rice told me in an interview for The New Stack this week. “So if you want to continue using Gitleaks, feel free. It’s stable — and security patches and stuff like that, I’ll continue to do. But if you want the next generation of Gitleaks and the evolution, then switch to Betterleaks.”
Betterleaks is also being built with AI-assisted development in mind. As more code is generated quickly — often with less review — the risk of accidentally exposing credentials increases.
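To make concrete what a scanner like this is looking at when it runs over freshly generated code, here is a small added example of the two detection ideas secret scanners combine: fixed-format rules for well-known token prefixes, and an entropy gate for generic "key = value" assignments so that placeholders such as "changeme" do not fire. It is written for this newsletter and is not Betterleaks' or Gitleaks' own code; the rule set, regexes, 3.5-bit entropy threshold, allowlist and the sample lines are all this example's own constructions, and the token-looking values in the sample are invented (the one AWS-documented example key is deliberately included to show the allowlist at work).

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule is one detection pattern. Specific rules match a known token format;
// the generic rule also requires the captured value to be high-entropy,
// which is what separates a real credential from "changeme".
type Rule struct {
	ID         string
	Pattern    *regexp.Regexp // group 1 must capture the candidate secret
	MinEntropy float64        // 0 means no entropy gate
}

// Finding is one redacted detection; the full secret is never stored.
type Finding struct {
	Line     int
	RuleID   string
	Redacted string
}

// rules are this example's own (hypothetical) patterns, ordered so that
// specific formats are tried before the generic catch-all.
var rules = []Rule{
	{"aws-access-key-id", regexp.MustCompile(`\b(AKIA[0-9A-Z]{16})\b`), 0},
	{"github-pat", regexp.MustCompile(`\b(ghp_[A-Za-z0-9]{36})\b`), 0},
	{"generic-high-entropy",
		regexp.MustCompile(`(?i)(?:secret|password|token|api[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9+/=_-]{16,})`),
		3.5},
}

// allowlist suppresses documented placeholder values so they do not page anyone.
var allowlist = regexp.MustCompile(`(?i)example|placeholder`)

// shannonEntropy returns bits per character of s: random tokens score
// well above 4, English-like strings around 3.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	var h float64
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// redact keeps a short prefix so a finding can be located without
// reproducing the secret in logs or CI output.
func redact(v string) string {
	if len(v) <= 4 {
		return strings.Repeat("*", len(v))
	}
	return v[:4] + strings.Repeat("*", len(v)-4)
}

// ScanLines runs the rules over each line and returns redacted findings.
// At most one finding per line: the first matching rule wins.
func ScanLines(content string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			m := r.Pattern.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			value := m[1]
			if allowlist.MatchString(value) {
				continue
			}
			if r.MinEntropy > 0 && shannonEntropy(value) < r.MinEntropy {
				continue
			}
			findings = append(findings, Finding{Line: i + 1, RuleID: r.ID, Redacted: redact(value)})
			break
		}
	}
	return findings
}

// sampleDiff is constructed for this example: the kind of added lines a
// pre-commit hook sees after a quick, lightly reviewed change. The AKIA...EXAMPLE
// value is AWS's documented sample key; every other value is invented.
const sampleDiff = `aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_access_key_id = AKIAQ3XZ7Y2TBL9V4K8M
GITHUB_TOKEN=ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8
api_key = "changeme_changeme_changeme"
SLACK_TOKEN = "xq7Lp2Vb9Rt4Hn8Kd3Wz6Ym1Jc5Fg0Qs"
password: hunter2`

func main() {
	for _, f := range ScanLines(sampleDiff) {
		fmt.Printf("line %d: %s -> %s\n", f.Line, f.RuleID, f.Redacted)
	}
}
```

Run against the sample, the scanner reports three findings (the invented AWS key, the GitHub-style token and the high-entropy Slack-style value) and stays quiet on the documented example key, the repeated "changeme" string and the short password, which is the balance a drop-in scanner has to strike to be tolerable in a commit hook.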
The project is sponsored by Aikido, a billion-dollar security startup that’s backing a broad array of open source security tooling, including OpenGrep, Zen, and Safe Chain.
Betterleaks, for its part, is available under an MIT license, with Rice retaining ownership. It’s also worth noting that there are no plans to build a commercial entity off the back of Betterleaks — the focus, instead, is on building and maintaining a tool that others can rely on, even competitors.
“Like what Aikido did with OpenGrep (forked Semgrep) we’re dedicated to providing really great open source projects for the security community,” Rice said. “A strong open source project is the backbone of a lot of the security products out there. Yes, it’s beneficial to other companies, but it’s also really beneficial to Aikido to have these stable projects.”
Read more: The New Stack
<Patch notes>
China leads on open AI models
As per a recent report from Hugging Face, Chinese AI labs are leading on open AI models — though not the infrastructure behind them (that’s Nvidia) — with data showing they dominate downloads and usage globally. In turn, this is raising concerns among US policymakers that China’s warm embrace of open AI models could erode the US’s lead in AI development.
Read more: The New Stack & Hugging Face & SCMP
Android Automotive moves beyond infotainment
Google is expanding its Android Automotive OS to handle more of the car’s internal systems beyond infotainment, as vehicles shift toward software-defined architectures.
Read more: The Verge
Cisco launches DefenseClaw
Cisco this week introduced DefenseClaw, an open-source tool for monitoring AI agents and detecting issues like prompt injection and unsafe tool.
Read more: Cisco
Fivetran donates SQLMesh to Linux Foundation
Data integration giant Fivetran has donated SQLMesh, its open-source data transformation framework, to the Linux Foundation.
Read more: The New Stack
Tekton and Fluid move up at CNCF
Tekton, a Kubernetes-native CI/CD framework, and Fluid, a data orchestration system for AI and big data workloads, have both been promoted to incubating status by the Cloud Native Computing Foundation (CNCF).
<Final commit>
Built on open, sold as new
AI coding company Cursor last week launched Composer 2, an AI model designed to handle longer programming tasks at lower cost.
However, arguably the more interesting detail is that it’s built on Kimi K2.5, an open model from Chinese AI company Moonshot AI. This helps demonstrate how smaller players can build competitive products without training frontier systems like those from OpenAI, Anthropic, or Google.
That detail only emerged after developers dug into the system, prompting criticism over how the underlying model was credited (or not) — a long-running tension in the open source sphere.
It’s a reminder that open models are changing who is able to compete, while raising fresh questions about who gets the credit.
Read more: Tessl & VentureBeat