gadievron / honeyslop (Public)

Code canaries to quickly triage hallucinated ('slop') vulnerability reports
100% credibility
Found Apr 23, 2026 at 18 stars
AI Summary

honeyslop provides decoy source code files in C, Python, and JavaScript that mimic vulnerabilities to help developers triage and dismiss AI-generated false positive security reports.

How It Works

1. Frustrated by fake alerts: you're maintaining an open-source project and keep getting flooded with nonsense vulnerability reports from AI tools.

2. Discover honeyslop: you learn about honeyslop, a collection of decoy files designed to catch and expose those fake reports.

3. Add decoy files: copy the decoy files into your project's folders, disguised as old legacy code.

4. Ignore decoys in scans: adjust your project's build and checking tools to skip over these harmless decoys so they don't cause false alarms for you.

5. Update security guide: add simple check rules to your project's security notes so you can instantly spot and close fake reports.

Outcome, a clean inbox: fake AI reports now trip over the decoys, making them easy to dismiss while real issues stand out.

AI-Generated Review

What is honeyslop?

Honeyslop drops code canaries into your GitHub repo: fake vulnerable snippets in Python, JavaScript, and C that lure AI scanners into hallucinating bogus security reports. These canaries mimic common CWE sinks, fake secrets, and even Heartbleed-shaped code, but stay inert through import guards and build exclusions. Spot slop instantly by grepping reports for the unique UUIDs, shibboleth function names, or the fake CVE-2025-99919 they contain.

Why is it gaining traction?

Unlike generic vuln scanners, it flips the script: scanners waste cycles on decoys, and the fakes self-identify via triage rules you paste into SECURITY.md. Multi-language support covers Python code, JS utilities, and C buffer operations, with rotation guides to keep the canaries out of LLM training data. Devs love the grep-and-close workflow amid the rising volume of AI-generated slop from tools like Copilot.

Who should use this?

Open-source maintainers buried in unverified vuln reports from automated GitHub bots or agentic LLMs. Python package owners, JS lib authors, or C projects hit by memcpy claims. Ideal for repos with active SECURITY.md and CI scans like CodeQL or Bandit.

Verdict

Grab it for a quick win against slop if you're triaging reports daily: 18 stars and a 1.0% credibility score scream early PoC, but a solid README and templates make setup trivial. Rotate canaries regularly; skip it for production without tweaks.
