HeadlinesBriefing.com

PC Workman Security Verification Process

DEV Community

Marcin Firmuga, a solo developer at HCK_Labs, details his mandatory security process for the PC_Workman AI-powered PC monitor. Given that 5 out of 6 freelance repositories reportedly contain malware, he rejects promises in favor of proof. His workflow ensures every executable is verified before release, treating security as a non-negotiable engineering step rather than a marketing claim.

For every stable release, Firmuga runs the same checklist. He enables GitHub's Dependabot and Secret Scanning by default, and runs CodeQL analysis on every commit to catch vulnerabilities such as SQL injection. Before publishing any .exe, he uploads it to VirusTotal for scanning across 70 antivirus engines, documents the results, and acknowledges the common false positives that PyInstaller-built binaries trigger.
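The release gate described above, as an added example that is not HCK_Labs' or PC_Workman's own tooling: it hashes the artifact, reduces a VirusTotal report to engine counts and the names of flagging engines (so PyInstaller false positives can be acknowledged explicitly), and emits a row for a public Security Report page. The VirusTotal v3 file-report endpoint and its `last_analysis_stats`/`last_analysis_results` fields are real; the `VT_API_KEY` variable and the sample response are constructed assumptions.

```python
"""Release-gate helper for the workflow above: hash the build artifact, reduce
its VirusTotal verdict to numbers and emit a row for a public Security Report.
Example code added here, not HCK_Labs/PC_Workman tooling. Uses the real
VirusTotal v3 file-report endpoint; the VT_API_KEY variable and the sample
response below are constructed assumptions."""
import hashlib, json, os, urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"

def sha256_of(path: str) -> str:
    """Hash the .exe so the report row can be verified by anyone."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def fetch_report(sha256: str) -> dict:
    """Look up an already-uploaded file by hash (network; not exercised here)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256),
                                 headers={"x-apikey": os.environ["VT_API_KEY"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize(report: dict) -> dict:
    """Engine counts plus the engines that flagged the file, so known
    PyInstaller false positives can be acknowledged by name."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    flagged = sorted(n for n, r in attrs["last_analysis_results"].items()
                     if r.get("category") in ("malicious", "suspicious"))
    total = sum(stats.get(k, 0)
                for k in ("harmless", "malicious", "suspicious", "undetected"))
    return {"detections": len(flagged), "engines": total, "flagged": flagged}

def report_line(version: str, sha256: str, summary: dict) -> str:
    """One markdown table row for the Security Report page."""
    note = ", ".join(summary["flagged"]) or "none"
    return (f"| {version} | `{sha256}` | {summary['detections']}/"
            f"{summary['engines']} | {note} |")

# Constructed sample shaped like a v3 response: 2 heuristic hits out of 70.
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"harmless": 0, "malicious": 2, "suspicious": 0,
                            "undetected": 68},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Heur.Generic"},
        "EngineB": {"category": "malicious", "result": "Heur.Generic"},
        "EngineC": {"category": "undetected", "result": None}}}}}
```

In a real run, `fetch_report(sha256_of("dist/PC_Workman.exe"))` feeds `summarize`, and the resulting row is appended to the report page next to the release tag.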

Documentation is the second critical step. He maintains a public Security Report page that logs scan results for each version, creating a verifiable history. The pre-release checklist is strict: no shortcuts. This foundational work on file scanning and repository security is part one of a three-part series, with future articles covering Sigstore for cryptographic signing and OpenSSF Best Practices.