If your laptop dumps plaintext AWS keys into a malware sweep, you don't just get a Slack message - your SSO stops working until the secrets are gone. That's the loop Guillaume Ross wired together with bagel, Fleet, and a handful of osquery policies.
The threat model: code execution on every dev machine
Millions of developers run PyPI, npm, VS Code extensions, and brew every day. Companies pretend "all code changes are reviewed," but every dev box is one malformed package away from credential exfiltration. Non-technical users now run agent pipelines that pull the same packages, spreading the blast radius. Endpoint security tools block some of it. Ross's answer: scan the home directory like malware does, then enforce policy.
bagel: trufflehog for workstations
Bagel by Boost Security is a Go binary that probes SSH keys, GitHub tokens, cloud provider creds, and more - exactly the same locations malware targets. It outputs JSON with severity, rule ID, file path, and fingerprint, but never logs the actual secret. Schedule it with a LaunchAgent and you get periodic scans without asking developers to remember to run a command.
Fleet: GitOps-driven osquery with package deployment and policy checks
Fleet turns osquery into an MDM-like platform managed via GitOps. Critical features: package deployment (push bagel as a macOS .pkg), policy queries that pass or fail based on returned rows, and a parse_json table to ingest bagel's output. Fleet's API and webhooks feed into Slack, n8n, SIEM, or - the killer integration - an Identity Provider via Entra Conditional Access.
Fleebag: the glue that makes SSO conditional on secret hygiene
Ross's proof-of-concept, Fleebag, bundles: a pkg installer with LaunchAgent for bagel, an osquery query that parses findings into a structured table, and a policy query that passes only if results are fresh and contain no critical findings. A macOS profile grants bagel full disk access so users don't hit approval prompts. When the policy fails, Fleet sends a Slack notification and - through Entra Conditional Access - blocks the developer's SSO on their next login attempt.
The osquery query that makes it work
The SQL parses nested JSON from findings/N groups, extracts severity, rule_id, probe, file_path, and fingerprints, then joins against findings/N/metadata for line numbers and optional locations arrays. The policy query returns rows only when at least one critical finding exists. No rows = pass. Pass = SSO works.
This is the first concrete pipeline I've seen that couples workstation secret scanning directly to identity access control. Ross kept the whole thing open-source and portable beyond macOS with cron and scheduled tasks. Expect to see bagel scan results sitting inside MDM compliance checks by end of year.
Source: Detecting and removing dangerous secrets on dev workstations before Shai-Hulud does
Domain: recyclebin.zip