If you want people to trust your software, you need to prove it.
Not say it. Prove it.
The Problem
Here's the reality: 5 out of 6 repositories on freelance platforms have malware.
Most indie devs handle security like this:
- Upload .exe
- Write "safe and tested" in description
- Maybe add "open source"
- Ship it
I get it. Security verification takes time. Documentation takes even more. When you're building alone, time is the only thing you don't have.
But users are running your code on their machines. Giving you system access. That deserves more than a promise.
This is Part 1 of my 3-part series on how I verify PC_Workman security before every release.
What I Actually Do
Before every stable release, I run the same process. Every time. No shortcuts.
1. GitHub Security Features (Always On)
The baseline. Not optional.
- Dependabot - Watches for vulnerable dependencies, auto-creates PRs
- Secret Scanning - Prevents accidentally committing API keys
- Security Advisories - Public disclosure channel if issues are found
- Private Vulnerability Reporting - Secure channel for researchers
These aren't "nice to have." They're mandatory for any project distributing executables.
2. CodeQL Analysis (Every Commit)
GitHub runs CodeQL on every commit to PC_Workman.
What it catches:
- SQL injection patterns
- Command injection vulnerabilities
- Insecure data handling
- Common security anti-patterns
Not just at release. Every. Single. Commit.
# .github/workflows/codeql.yml
name: "CodeQL"
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 0 * * 0' # Weekly scan
jobs:
analyze:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v3
- uses: github/codeql-action/init@v2
with:
languages: python
- uses: github/codeql-action/analyze@v2
3. VirusTotal Scan (Before Every Release)
I upload every .exe to VirusTotal before publishing.
Not one antivirus engine. Seventy.
For v1.6.4:
- Result: 4/70 detections
- Why 4? False positives from lesser-known engines that flag PyInstaller by default
- Major engines (Defender, Kaspersky, Malwarebytes): All clean
I document these results. Save screenshots. Link to scans in release notes.
You can verify any release yourself:
# 1. Download PC_Workman.exe
# 2. Go to virustotal.com
# 3. Upload file
# Expected: 0-4 detections (PyInstaller false positives)
Why Documentation Matters
Running scans is step one. Documenting them is step two.
I maintain a Security Report page showing:
- Which version was tested
- When tests ran
- What the results were
When v1.6.5 releases, that page updates. New scan results. New dates. New proof.
This creates history. Users can verify that security isn't a one-time thing.
The Pre-Release Checklist
Here's exactly what happens before a stable release:
[ ] Final build compiled
[ ] VirusTotal scan complete (save results)
[ ] CodeQL shows 0 alerts
[ ] Security Report page update
[ ] All about POLICY created.
[ ] Release notes include verification links
[ ] Screenshots archived
Nothing ships without this completing. No exceptions.
What This Doesn't Cover
File scanning catches:
- Known malware signatures
- Common vulnerability patterns
File scanning doesn't prove:
- Code does what it claims
- Who actually published the release
- Binary hasn't been tampered with
Those are separate problems requiring separate solutions.
Coming up:
- Part 2: Sigstore (cryptographic signatures proving origin)
- Part 3: OpenSSF Best Practices Badge (60+ security requirements)
The Point
Security isn't a marketing checkbox. It's a process.
I do this because users deserve to know exactly what they're downloading.
Every test. Every version. Every time.
Try PC_Workman
Current version: v1.6.4
GitHub: HuckleR2003/PC_Workman_HCK
Security Report: View verification results
What is PC_Workman?
AI-powered PC monitoring tool. Built solo on dying hardware during warehouse shifts in the Netherlands.
Features:
- Real-time CPU/GPU/RAM monitoring
- AI diagnostics (HCK_GPT)
- Custom fan control with profiles
- Time-travel debugging (see what was running hours ago)
- 100% open source
Tech stack:
- Python + PyQt5
- PyInstaller for .exe builds
- Sigstore for signing (Part 2 topic)
- CodeQL for security scanning
Series Navigation
This is Part 1 of 3 in the PC_Workman Security Series:
- File Scanning & Repository Security (you are here)
- Sigstore and Cryptographic Verification (coming soon)
- Working Toward OpenSSF Best Practices Badge (coming soon)
About Me
I'm Marcin Firmuga. Solo dev at HCK_Labs.
Built PC_Workman from scratch:
- 680+ hours of code
- 4 complete UI rebuilds
- 16,000 lines deleted
- Coded after 10-hour warehouse shifts
- On a laptop hitting 94°C
Before this: game translations, PC technician internships, and countless projects I never finished.
But this one stuck.
Find me:
- GitHub: @HuckleR2003
- X/Twitter: @hck_lab
- LinkedIn: /marcinfirmuga
--
Discussion
Questions for the community:
- How do you handle security verification for your projects?
- Ever had a false positive that scared users away?
- What security tools do you swear by?
Drop your experiences in the comments. Let's learn from each other.
FEEDBACK IS GOLD!
--
Building in public. Securing in public. One release at a time.
BuildInPublic #Security #OpenSource #Python #IndieHacker
About the Author
I’m Marcin Firmuga. Solo developer and founder of HCK_Labs.
I created PC Workman , an open-source, AI-powered
PC resource monitor
built entirely from scratch on dying hardware during warehouse
shifts in the Netherlands.
This is the first time I’ve given one of my projects a real, dedicated home.
Before this:
game translations, PC technician internships, warehouse operations in multiple countries, and countless failed projects I never finished.
But this one? This one stuck.
700+ hours of code. 4 complete UI rebuilds. 16,000 lines deleted.
3 AM all-nighters. Energy drinks and toast.
And finally, an app I wouldn’t close in 5 seconds.
That’s the difference between building **and **shipping.
PC_Workman is the result.
BuildInPublic #IndieDev #OpenSource #Python #World
Top comments (0)