Mostafa Moradian

@mosi

Lead Security Engineer at Tiger Data | Securing and shipping cool stuff

Joined: 06.04.2023

Latest posts by Mostafa Moradian @mosi

Declarative Audit Log Collection from HTTP APIs Introducing Helr: a Rust-based generic HTTP API log collector that turns YAML config into a resilient log pipeline

I just published a new article about a project I've been working on for the past couple of weeks:

mostafa.dev/declarative-...

04.03.2026 15:00 👍 1 🔁 0 💬 0 📌 0
Pattern Detection and Correlation in JSON Logs Introducing RSigma: a Rust toolkit for evaluating Sigma detection rules against JSON events without a SIEM

What if jq could hunt threats, too?

mostafa.dev/fab16334e4ee

24.02.2026 09:09 👍 0 🔁 0 💬 0 📌 0

Over the past couple of weeks I've been busy cooking something in Rust. A generic HTTP API log collector for audit trails: github.com/timescale/helr
And a parser, linter, evaluator and backend for Sigma in Rust along with an experimental LSP: github.com/timescale/rs...

17.02.2026 12:44 👍 0 🔁 0 💬 0 📌 0

xk6-kafka v1.2.0 is out! 🚀

This release brings an updated k6 baseline, a new Avro implementation, better precision and resiliency around time handling, balancer functions in JS, plus a handful of quality-of-life and security linting fixes.

github.com/mostafa/xk6-...

10.12.2025 13:08 👍 1 🔁 0 💬 0 📌 0
GCP canary tokens How to create and monitor GCP service accounts as canary tokens

I just published a new article on GCP canary tokens by turning Google Cloud service accounts into high-signal tripwires.
mostafa.dev/gcp-canary-t...

02.12.2025 15:46 👍 0 🔁 0 💬 0 📌 0
Detection as Code How to Build an Automated Security Detection Pipeline with GitHub Actions, Sigma, Grafana and Loki

I just published a new blog post: "Detection as Code".

I break down what detection & response really means in practice, how Sigma fits into the picture, and a brief intro to the Sigma Rule Deployment (SRD) project we built during my time at Grafana.

mostafa.dev/detection-as...

03.11.2025 12:38 👍 0 🔁 0 💬 0 📌 0

31.10.2025 14:29 👍 1 🔁 0 💬 0 📌 0

I'm happy to share that I'm starting a new position as Lead Security Engineer at Tiger Data (creators of TimescaleDB)!

20.10.2025 11:43 👍 2 🔁 0 💬 0 📌 0

I've been accepted into the Google Developer Experts Academy! I'm working toward becoming a GDE in Cloud, with a strong focus on security.

15.10.2025 13:19 👍 1 🔁 0 💬 0 📌 0

After nearly five months of development and testing, I'm truly content to share that the auto-fix feature is now stable in v1.15.0. 🎉

Epic ticket: github.com/zizmorcore/z...

Release announcement: github.com/zizmorcore/z...

Blog post: mostafa.dev/github-actio...

Crate: crates.io/crates/yamlp...

14.10.2025 08:03 👍 1 🔁 0 💬 0 📌 0
Canary tokens: Learn all about the unsung heroes of security at Grafana Labs | Grafana Labs Learn why the use of canary tokens let us spot a recent intrusion and swarm quickly in response, and find out why you should be using canary tokens to prevent serious security incidents in the future.

I will be speaking at Devfest Berlin on November 22, 2025, presenting a session called "Tiny Little Birds", where I talk about canary tokens.

The talk is based on my recent blog post on Grafana Labs blog: grafana.com/blog/2025/08...

I look forward to seeing many of you in Berlin.

13.10.2025 14:24 👍 0 🔁 0 💬 0 📌 0

The Sigma Rule Validator project, that I created and we donated to the Sigma project, is now being used in two security training courses:

1. CJDE from Security Blue Team
2. Detection Engineering with Sigma by Applied Network Defense

blog.sigmahq.io/how-to-valid...

07.10.2025 14:48 👍 0 🔁 0 💬 0 📌 0
Screenshot of a Grafana Labs blog post by Mostafa Moradian titled "Canary tokens: Learn all about the unsung heroes of security", explaining how canary tokens help detect breaches early and secure infrastructure.

Happy to see my article on canary tokens featured again, this time in the "CTO at NCSC" newsletter!

ctoatncsc.substack.com/i/172751253/...

Big thanks to Ollie Whitehouse for the mention.

Here's the original write-up on the Grafana Labs blog: grafana.com/blog/2025/08...

03.10.2025 09:29 👍 2 🔁 0 💬 0 📌 0
Screenshot of Detection Engineering Weekly newsletter featuring an article by Mostafa Moradian on using canary tokens at Grafana Labs for detecting code leaks.

Excited to see my write-up on canary tokens at Grafana Labs featured in this week's Detection Engineering Weekly!

grafana.com/blog/2025/08...

Big thanks to the Detection Engineering Weekly team for the shout-out! 🙌

👉 Read the full issue here: www.detectionengineering.net/p/dew-131-ne...

01.10.2025 14:07 👍 1 🔁 0 💬 0 📌 0
SAML SSO in Django Part 2: Integrating SAML SSO into a Django app with Okta

The SAML SSO package I've been maintaining surpassed 1 million downloads. 🎉

As promised, the second part is now live. In this article, I'll show you how to configure a fresh Django app to authenticate with Okta using the SAML 2 protocol:

mostafa.dev/saml-sso-in-...

30.09.2025 13:28 👍 0 🔁 0 💬 0 📌 0

Thanks @thinkstcanary.canary.tools for making this awesome platform! 🙌

If you still haven't read my blog post, here it is: grafana.com/blog/2025/08...

23.09.2025 09:03 👍 7 🔁 1 💬 0 📌 0
[tl;dr sec] #297 - Self-Propagating NPM Malware, Securely Deploying AI Agents, China's Great Firewall Leaked Moar backdoored NPM packages (+ how to secure GitHub Actions), agents making sensitive decisions autonomously, source code and internal docs for China's Great Firewall leaked

I haven't been mentioned once, but twice, in the [tl;dr sec] newsletter #297 about my two recent articles on canary tokens and zizmor. 🎉🙌

tldrsec.com/p/tldr-sec-297

22.09.2025 06:24 👍 1 🔁 0 💬 0 📌 0

Thank you! 🙏

17.09.2025 13:40 👍 0 🔁 0 💬 0 📌 0

After 6+ years, my journey at Grafana Labs is coming to a close.

I feel grateful for the opportunities I had to grow, build and contribute.

Grafana Labs will always hold a special place in my heart. ♥️

Now it's time to turn the page and start a new chapter. 🚀

17.09.2025 10:03 👍 1 🔁 0 💬 1 📌 0
GitHub Actions Security Zizmor auto-fixes for the win!

An incident inspired me to contribute to an OSS security project.

Here's a quick read on my journey:
mostafa.dev/github-actio...

15.09.2025 07:58 👍 0 🔁 0 💬 0 📌 0
GitHub - grafana/django-saml2-auth: Django SAML2 Authentication Made Easy. Easily integrate with SAML2 SSO identity providers like Okta, Azure AD and others.

🚀 The project I've been maintaining for 6 years just hit 1 million downloads! 🎉

I'm also continuing my series on SAML SSO and the next article is coming soon.

In case you missed the first one: mostafa.dev/saml-sso-in-...

Repo: github.com/grafana/djan...

10.09.2025 10:50 👍 1 🔁 0 💬 0 📌 0
Canary tokens: Learn all about the unsung heroes of security at Grafana Labs | Grafana Labs Learn why the use of canary tokens let us spot a recent intrusion and swarm quickly in response, and find out why you should be using canary tokens to prevent serious security incidents in the future.

How do you know you're compromised?

Read my newest article to see how we used canary tokens to detect an attack on our infrastructure.

grafana.com/blog/2025/08...

26.08.2025 08:19 👍 6 🔁 5 💬 0 📌 0
SAML SSO in Django Part 1: Introduction to SAML SSO

The SAML SSO package I've been maintaining is about to hit 1 million downloads. 🎉 I saw this milestone as a great opportunity to share what I've learned and write a series of articles on SAML SSO. The first part is now live:
mostafa.dev/saml-sso-in-...

25.08.2025 08:39 👍 1 🔁 0 💬 0 📌 0
Detecting PII with Python Horror stories of dumping PII into telemetry

I wrote a tiny article about detection of PII with Python:

Feedback is welcome! 🙏

mostafa.dev/detecting-pi...

11.08.2025 09:55 👍 0 🔁 0 💬 0 📌 0
crates.io: Rust Package Registry

Published my first package to crates.io as part of the zizmor project. 🎉 Yamlpatch crate provides comment and format-preserving YAML patch operations using yamlpath, without the hassle of going through conversion to JSON and using JSONPath.
crates.io/crates/yamlp...

03.07.2025 08:35 👍 0 🔁 0 💬 0 📌 0
How to detect vulnerable GitHub Actions at scale with Zizmor | Grafana Labs In order to harden our infrastructure and pipelines, we have introduced the open source tool Zizmor into our CI/CD pipelines.

Do you want to find out more about how @grafana.bsky.social secures its GitHub actions using Zizmor? Check out this post from James on my team: grafana.com/blog/2025/06... @yossarian.net

27.06.2025 00:51 👍 2 🔁 4 💬 0 📌 0

Thank you for timely reviews and actionable feedback. 🙏 Looking forward to releasing it as a stable feature! 🚀

26.06.2025 22:20 👍 2 🔁 0 💬 0 📌 0
Release Notes - zizmor Abbreviated change notes about each zizmor release.

zizmor v1.10.0 is released!

this is a *huge* new release: it exposes a new (experimental) auto-fix mode, more precise subspanning for fixtures, as well as a brand new pedantic audit (anonymous-definition)

read the full notes here: docs.zizmor.sh/release-note...

26.06.2025 18:42 👍 6 🔁 4 💬 1 📌 0

Thank you for building zizmor. It's a lifesaver.

18.06.2025 16:25 👍 2 🔁 0 💬 0 📌 0

thank you @grafana.bsky.social for being a logo-level sponsor of zizmor!

(and also thank you @mosi.bsky.social and other folks at Grafana who've been sending me patches -- the next few releases are going to have a lot of really great new features)

18.06.2025 16:14 👍 14 🔁 2 💬 1 📌 0