今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#DevOps

找到 357 篇相关文章

AI 资讯

How to criar Dockerfiles eficientes com multi stage builds

Multi stage builds sao uma das melhores features do Docker para manter imagens pequenas e organizadas. Vou mostrar como aplicar isso em um projeto Python real. Crie um arquivo app.py simples: # app.py def main(): print("Hello from a multi stage build") if __name__ == "__main__": main() Agora crie o Dockerfile sem multi stage: FROM python:3.12-slim WORKDIR /app COPY requirements.txt . RUN pip install --no-cache-dir -r requirements.txt COPY . . CMD ["python", "app.py"] Essa imagem inclui o pip, o cache do pip e ferramentas de build que nao precisamos em producao. O resultado e uma imagem maior que o necessario. Com multi stage builds separamos o ambiente de build do ambiente final. Veja o mesmo Dockerfile com dois stages: FROM python:3.12-slim AS builder WORKDIR /app COPY requirements.txt . RUN pip install --no-cache-dir -r requirements.txt FROM python:3.12-slim WORKDIR /app COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages COPY . . CMD ["python", "app.py"] O primeiro stage instala as dependencias. O segundo stage copia so o que importa. O resultado e uma imagem final muito menor. Para construir e ver o tamanho: docker build -t minha-app . docker images | grep minha-app Para linguagens compiladas como Go o ganho e ainda maior. Veja um exemplo com uma aplicacao Go: FROM golang:1.23 AS builder WORKDIR /app COPY go.mod go.sum ./ RUN go mod download COPY . . RUN CGO_ENABLED=0 GOOS=linux go build -o /app/server FROM scratch COPY --from=builder /app/server /server CMD ["/server"] A imagem final comeca do zero (scratch). Nao tem shell, sistema operacional, nem ferramentas de build. So o binario compilado. Uma dica pratica: sempre nomeie seus stages com AS para facilitar a leitura. Use nomes como builder, test, ou dev. Isso ajuda a saber o que cada stage faz sem precisar contar linhas. That's all for now. Thanks for reading!

2026-07-07 原文 →
AI 资讯

We Made Our AI-vs-Human PR Stats a Public Live Dashboard

A while back I wrote about 64% of our merged PRs being written by AI . A few people (reasonably) asked: "nice story, but can I verify any of that?" So we put it on a public, auto-updating dashboard: 👉 www.codens.ai/stats/en It shows, for our GitHub organization: What % of merged PRs are authored by AI agents (currently 65%) Median time from PR-open to merge (2 minutes) Who merged what — task-execution agents vs maintenance bots vs auto-fix vs humans Weekly AI-merge counts and a per-repository breakdown Every number is tallied straight from the GitHub API by a small collector script, and the page regenerates itself weekly. We can't inflate it — it's measured, and the down weeks show up too (that's kind of the point). Why bother making it public Two reasons. 1. "Trust me bro" doesn't scale. When you claim most of your code is AI-written, the only honest move is to expose the raw counts so anyone can sanity-check them. The dashboard is that receipt. 2. It's a live dogfooding test. The whole thing — the PRD, the implementation, the review, the auto-fix on production errors — runs on Codens , our own AI dev-automation suite. If our own numbers ever tanked, the dashboard would be the first place it'd show. Public accountability is a good forcing function. Funny footnote: the dashboard itself was code-reviewed by our own AI reviewer before it shipped, and it caught two real bugs — an OG-image percentage that had drifted out of sync with the live number, and a broken error-fallback that would have blanked the page on malformed data. The tool built to sell "AI reviews your PRs" reviewed the PR that announces it. We'll take it. If you want to see the same machinery on your repos, there's a 14-day free trial (no card): codens.ai . Japanese version of the dashboard is here .

2026-07-07 原文 →
AI 资讯

100 Days of DevOps, Day 6: Cron's Sneaky OR, and the EC2 Key You Only Get Once

Automation is the part of DevOps that actually earns the title. Day 6 was two of the most everyday automation tasks there are, and both had a trap sitting in plain sight. One Linux task, one AWS task. Schedule a recurring job with cron, and launch an EC2 instance from the AWS CLI. The tasks come from the KodeKloud Engineer platform if you want the same lab to work through. Cron: five fields, one rule that trips everyone Cron is the scheduler that has quietly run Linux automation for decades. You hand it a job and a schedule, and its daemon, crond, wakes up every minute to check whether anything is due. If that daemon is not running, nothing fires, so the first move is making sure it is installed and enabled. # Become root sudo su - # Install the cron daemon if it is missing yum install cronie -y # Enable it at boot, start it now, and confirm it is alive systemctl enable crond.service systemctl start crond.service systemctl status crond.service cronie is the package name on RHEL-family distros. enable makes the service survive a reboot, start brings it up right now, and status is how you confirm it is actually running instead of assuming it is. Now edit the crontab: # Edit the current user's crontab crontab -e # minute hour day-of-month month day-of-week command 0 2 * * * /path/to/script.sh # List what is currently scheduled crontab -l That line runs the script every day at 2am. The five fields, in order, are minute, hour, day of month, month, and day of week: minute: 0 to 59 hour: 0 to 23 day of month: 1 to 31 month: 1 to 12 day of week: 0 to 7, where both 0 and 7 mean Sunday Here is the rule that quietly breaks schedules. When you set both the day-of-month field and the day-of-week field to something other than a star, cron treats them as OR, not AND. So 0 0 13 * 5 does not mean midnight on Friday the 13th. It means midnight on every 13th of the month, and also every Friday, whichever lands first. If you actually want the AND, you restrict one field in cron and che

2026-07-07 原文 →
AI 资讯

AI Attribution Governance: Enforcing AI Disclosure Policies at the CI Level

The open-source ecosystem is converging on a hard question: when a commit is written with AI assistance, how do we know — and how do we enforce the disclosure policy? Python's discourse, Linux kernel's Assisted-by trailer, Fedora's AI policy, Apache's disclosure guidelines — every major project is grappling with this. But until now, there has been no tool at the CI level to enforce whatever policy a project chooses. Commit Check v2.11.0 introduces AI Attribution Governance — a new feature that detects known AI tool signatures in commit messages and lets projects decide whether to forbid them outright. To our knowledge, no existing tool enforces this kind of policy at the CI level. The industry need The conversation around AI disclosure is no longer theoretical: The Linux kernel standardized on the Assisted-by: trailer format — but deliberately stopped short of CI enforcement. As Sasha Levin noted at the Maintainers Summit, the kernel sets the convention, not the gate. The Python community is actively discussing whether Claude Code usage should be documented VS Code issue #313962 proposes replacing Co-authored-by with Assisted-by for AI agents Fedora requires AI disclosure (recommends the Assisted-by trailer). QEMU and Gentoo go further and forbid AI-generated contributions entirely. Each community defines its own policy — but none provides a neutral enforcement layer. That is the gap Commit Check fills. Configuration: a single toggle Commit Check keeps it simple. One configuration value, three ways to set it. TOML ( cchk.toml ): [commit] ai_attribution = "forbid" CLI: commit-check --message --ai-attribution = forbid Environment variable: CCHK_AI_ATTRIBUTION = forbid commit-check --message Two modes: Mode Behavior "ignore" No validation (default, backward compatible) "forbid" Rejects any commit containing known AI tool signatures There is no require mode in this release — only ignore and forbid . The reason is pragmatic: requiring an Assisted-by or similar trailer is

2026-07-07 原文 →
AI 资讯

Helm 4 Migration Guide: What Breaks and How to Fix It Before EOL

Originally published on DevToolHub . Helm 4 shipped in November 2025. Eight months later, most teams are still running Helm 3 in production CI/CD because it works. But Helm 3's final feature release lands September 9, 2026, and security patches stop completely on February 10, 2027. This helm 4 migration is simpler than it looks. Your charts don't need rewriting — Helm 3 Chart API v2 charts are fully compatible with Helm 4. But the automation around Helm has four real breaking points that fail silently if you don't know where to look. [IMAGE: articles/images/2026-07-05-helm-4-migration-guide-featured.png | alt: "helm 4 migration flow from Helm 3 to Helm 4 upgrade path"] Why This Helm 4 Migration Matters Now The EOL timeline has three stages, and they matter differently based on your situation: September 9, 2026 — Final Helm 3 feature release (limited to Kubernetes client library updates only after this date) February 10, 2027 — All security patches stop If your organization runs regulated workloads with requirements around supported software, February 2027 is your hard deadline. But waiting until then means doing this migration under pressure, after 14 months of Helm 4 fixes shipped without you tracking them. The better path: upgrade now, before September, so you're on supported software when new Kubernetes releases land and need updated client libraries. What Actually Broke: The Four Real Changes 1. Post-renderers require plugin registration In Helm 3, you could pass any executable directly to --post-renderer : helm install myapp ./chart --post-renderer ./scripts/mutate.sh Helm 4 drops this. Post-renderers must now be registered as named Helm plugins and referenced by plugin name: helm install myapp ./chart --post-renderer my-post-renderer If your pipeline calls --post-renderer ./path/to/script.sh , it fails on Helm 4. The error message doesn't say "plugin required," so this is easy to miss in a quick smoke test. To wrap an existing script as a plugin, create a plug

2026-07-06 原文 →
AI 资讯

Scaling Terraform Infrastructure Beyond a Single Team

When a single engineer manages all the Terraform in an organisation, everything is simple. One repo, one state, one pipeline, one set of credentials. There's no coordination overhead because there's no one to coordinate with. That stops working the moment a second team needs to deploy infrastructure. And by the time you have three or four teams — networking, platform, application, security — the single-team model is actively slowing everyone down. This guide covers what breaks, how teams typically work around it, and how to set up a structure where each team owns their slice of infrastructure independently. What breaks State lock contention Terraform's state locking is per-state. When the networking team is running terraform plan , the application team's pipeline is blocked — even though they're changing completely unrelated resources. The more teams share a state, the more time everyone spends waiting. Blast radius A junior engineer deploying a new application service shouldn't be able to accidentally destroy the VPC. But if application resources and networking resources share a state, a single misconfigured terraform apply can touch anything. Code review catches some of this. Not all of it. Credential sprawl A shared pipeline needs credentials for everything — the networking team's Azure subscription, the application team's AWS account, the security team's DNS provider. Every team's secrets end up in one CI environment, accessible to anyone who can trigger a run. This fails most compliance audits. Approval bottlenecks In many organisations, one person or a small group gatekeeps all infrastructure changes. Every PR needs their review. Every apply needs their approval. The gatekeeper becomes a bottleneck not because they're slow, but because they're a single point of serialisation for all infrastructure work. Backend access as implicit access control Terraform has no built-in concept of per-team or per-workspace permissions. All workspaces in a backend share the sam

2026-07-06 原文 →
AI 资讯

Managing Terraform Across Multiple Cloud Providers

Most organisations don't live in a single cloud. You might run compute in AWS, DNS in Cloudflare, identity in Azure AD, and logging in GCP. Terraform handles each provider fine on its own, but the moment you need to coordinate across providers the tooling fights you. This guide walks through the common pain points of multi-cloud Terraform setups and the approaches teams use to cope — then shows how Snap CD makes cross-cloud dependency management a solved problem. Where it gets difficult Credential sprawl Each cloud provider has its own authentication mechanism. AWS uses IAM roles and access keys. Azure uses service principals and managed identities. GCP uses service accounts and workload identity federation. A single Terraform state that spans providers needs credentials for all of them — which means your CI runner or developer workstation holds keys to everything. That's a security problem. A compromised CI pipeline with AWS and Azure credentials exposes both clouds simultaneously. And it's an operational problem — rotating credentials means updating every pipeline that touches that state. This problem compounds at scale: Terraform couples provider processes tightly to credentials , so managing hundreds of accounts across clouds means spawning thousands of provider processes, which quickly becomes unmanageable. Provider version conflicts Terraform providers are versioned independently. Upgrading the AWS provider to fix a bug in aws_eks_cluster shouldn't require you to also test a new version of the Azure provider. But when they share a state, a terraform init -upgrade pulls new versions for everything, and a regression in one provider blocks all deployments. Terraform also lacks built-in support for instantiating multiple providers with a loop and passing providers to modules in for_each , making multi-cloud configurations especially verbose and repetitive. Blast radius across clouds A misconfigured terraform apply in a single-cloud state damages resources in one c

2026-07-06 原文 →
AI 资讯

You Can't Review an Agent. You Can Review a Plan.

A harness for AI-era Terraform. I'm building one. For a while now I've been developing a harness for infrastructure-as-code as a private SDK and compiler — the layer that sits between whoever proposes a change (a person, an agent, CI) and whatever actually reaches production. This post isn't the tool. It's the thinking underneath it, and the few pieces I've become most convinced by while building it. (Notes from inside the work — where I've landed so far, not advice.) The problem that sent me down this road is easy to state and easy to underrate. A version of it happened recently. An agent fixed some Terraform; the PR read clean — tidy diff, sensible resource names, a plan output that looked exactly like what I'd asked for. It got approved. And then, at apply time, a different plan ran than the one that was reviewed: apply had re-planned against state that moved in between, and the diff that touched production wasn't quite the diff anyone had read. Nothing broke, that time. But that near-miss is the whole reason the harness exists. Because the danger was never "the agent writes bad HCL." Agents write perfectly good HCL; I let them. The danger is the distance between the plan a human reviewed and the plan that actually runs — and once agents are the ones proposing changes at volume, that distance is the thing I most want to nail shut. Where I've landed for now (and expect to keep revising): What AI-era IaC needs isn't AI that can apply . It's a structure where every change — human or agent — is evaluated at the same boundary , and only a reviewed plan ships. The unit of trust isn't the agent. It's a specific, reviewed plan , bound byte for byte. You can't review an agent. You can only review a plan. Instructions to an agent can be broken. A CI gate can't be talked out of it. Put guidance in the prompt; put the guarantee in the gate. Terraform/OpenTofu don't go away. You wrap them in a harness; you don't replace them. Your repo has non-human authors now For years IaC

2026-07-06 原文 →
AI 资讯

Self-Hosting Like a Pro, Part 1: Hardening a Fresh Ubuntu VPS

This is the first article in a four-part series where I document how I turned a 10€/month VPS into a production-grade platform hosting my portfolio, a university group webapplication and a SaaS product, all isolated from each other with Kubernetes. In this part, we take a fresh Ubuntu server and lock it down properly before installing anything else. Why bother with hardening? The moment your VPS gets a public IP address, it starts receiving attacks. Not "might receive", it starts . Within minutes, automated bots will probe port 22, try root:root , admin:admin123 and thousands of other credential combinations. If you skip this step and jump straight to deploying your apps, you are building on sand. The good news: an hour of work is enough to eliminate the vast majority of these threats. Here is what we will set up: A non-root user with sudo privileges SSH key authentication, with passwords and root login disabled UFW as a simple, effective firewall Fail2ban to ban brute-force attackers automatically Automatic security updates What you need A fresh VPS running Ubuntu 24.04 LTS or newer. I use a Hostinger KVM 2 (2 vCPU, 8 GB RAM, 100 GB NVMe), but any provider works: Hetzner, DigitalOcean, OVH, Contabo. The root password or SSH key your provider gave you. A terminal on your local machine (macOS, Linux, or WSL on Windows). Throughout this tutorial, replace YOUR_SERVER_IP with your server's IP address and deploy with the username you want to use. Step 1: First login and system update Connect as root for the first and last time: ssh root@YOUR_SERVER_IP Update everything before touching anything else: apt update && apt upgrade -y apt autoremove -y If a kernel update was installed, reboot now: reboot Wait a minute, then reconnect. Step 2: Create a non-root user Working as root is like driving without a seatbelt: fine until it isn't. One mistyped rm -rf and the party is over. Create a dedicated user: adduser deploy Choose a strong password (you will still need it for sudo ,

2026-07-06 原文 →
AI 资讯

What I Learned After Building AI Systems Across Multiple Brands

One of the biggest misconceptions about AI is that every project is unique. At first glance, it certainly feels that way. One project is a chatbot. Another is an AI-powered search system. Another automates documentation. Another generates code. But after building AI systems across multiple brands and initiatives, I started noticing something surprising. The technology changes. The business domain changes. The users change. The underlying principles rarely do. Here are some of the biggest lessons I've learned. 1. AI Doesn't Fix Broken Systems Many teams believe AI will solve operational problems. In reality, AI usually exposes them. If documentation is inconsistent, AI becomes inconsistent. If data is outdated, AI produces outdated answers. If workflows are unclear, automation becomes unreliable. One of the biggest lessons I've learned is this: AI amplifies the quality of your existing systems. It rarely compensates for poor foundations. That's why I spend far more time understanding processes than choosing models. 2. Simplicity Beats Complexity Every new AI framework looks exciting. Agents. Memory. Planning. Reflection. Tool calling. Multi-agent orchestration. I've experimented with many of these approaches, but one principle keeps proving itself. The simplest solution that solves the problem is usually the best solution. A straightforward workflow is often easier to: Build Test Maintain Scale Explain Complexity should be introduced only when it delivers clear value. 3. Prompt Libraries Are More Valuable Than Individual Prompts When I first started using AI, I wrote prompts from scratch. Eventually I realized I was solving the same problems repeatedly. Now I build prompt libraries. Instead of creating new prompts every day, I improve existing ones. This creates consistency across projects. If you're interested in how I manage this, I recently shared the system I use to organize more than 10,000 prompts across different projects. The shift from individual prompts to

2026-07-06 原文 →
AI 资讯

Benchmark NVENC vs CPU transcoding (and find your real break-even) with FFmpeg

📦 Code: github.com/USER/nvenc-vs-cpu-bench - replace before publishing TL;DR A GPU encodes faster than a CPU, but "faster" and "cheaper" are different claims. We'll build a small FFmpeg + VMAF harness that times software (libx264/SVT-AV1) against hardware (h264_nvenc/av1_nvenc), then plug the results into a dollars-per-encoded-minute formula so you find your break-even instead of trusting a benchmark blog. We're using FFmpeg 7.1.x (current stable line) and an NVIDIA GPU with NVENC. Same approach works for Intel QSV ( *_qsv ) and AMD AMF ( *_amf ) if you swap the encoder names. Why this isn't obvious NVENC is a fixed-function hardware block, not "the GPU doing x264 in parallel." It's extremely fast and barely touches the CPU, but it exposes fewer rate-control knobs and gives up a little compression efficiency versus a slow software preset. The gap has narrowed a lot, but it's still there at the quality-obsessed end. So the decision is per-job, and it comes down to one number: dollars per encoded minute = (instance $/hr) ÷ (minutes encoded/hr) . GPU instances cost more per hour but encode many streams in parallel, so the answer depends on whether you can keep the encoder saturated. Let's measure instead of argue. 1. Set up the encoders Three contenders. One representative source file (use real footage, not a synthetic clip). # software H.264, quality-leaning preset ffmpeg -y -i source.mp4 -c :v libx264 -preset slow -crf 21 -an out_cpu.mp4 # NVENC H.264, quality-tuned ffmpeg -y -hwaccel cuda -i source.mp4 -c :v h264_nvenc -preset p6 -tune hq \ -rc vbr -cq 23 -an out_gpu.mp4 # AV1: software (SVT-AV1) vs hardware (needs Ada / RTX 40+) ffmpeg -y -i source.mp4 -c :v libsvtav1 -preset 6 -crf 30 -an out_svtav1.mp4 ffmpeg -y -hwaccel cuda -i source.mp4 -c :v av1_nvenc -preset p5 -cq 30 -an out_av1nvenc.mp4 💡 Tip: -preset p1 (fastest) through -preset p7 (slowest/highest quality) for NVENC. p6 / p7 is where it competes on quality; p1 - p3 is where it competes on raw throughput.

2026-07-06 原文 →
AI 资讯

Docker vs Kubernetes: Do You Actually Need an Orchestrator Yet?

"Docker vs Kubernetes" is one of those framings that quietly sends people down the wrong road. It sounds like a choice between two competing tools, so teams treat it like a bake-off. It isn't. Docker builds and runs containers. Kubernetes orchestrates a fleet of them. You can happily use one without the other, and most teams should — at least for a while. The question that actually matters is hiding underneath: do I need an orchestrator yet? That's the one worth thinking about carefully, because the cost of answering "yes" too early is real, and it mostly shows up later, on a Saturday, when you're the one holding the pager. What each tool actually does Let me separate the two cleanly, because the confusion causes most of the bad decisions. Docker (or any OCI-compatible runtime — Podman, containerd, and friends) does two jobs: it builds an image from a Dockerfile , and it runs that image as a container on a host. That's the unit of packaging. When you type this: docker build -t registry.example.com/myapp:1.4.2 . docker run -d -p 8080:8080 registry.example.com/myapp:1.4.2 you've packaged your app and started it on one machine . If that machine dies, your app dies with it. If you need three copies, you start three by hand. If you push a bad image, you roll it back by hand. Kubernetes doesn't build or run containers itself — it schedules them across a set of machines and keeps them in the state you declared. You tell it "I want three replicas of myapp:1.4.2 , behind a stable network name, and if a node dies, reschedule them." Kubernetes then spends its life making reality match that declaration. So they're not competitors. Kubernetes runs your Docker-built images. The real comparison isn't "Docker vs Kubernetes" — it's "a couple of containers on a host I manage" versus "a control plane that manages containers for me." A small, honest comparison Concern Plain Docker (or Compose) Kubernetes Where it runs One host you manage A cluster of nodes If a node dies You notice and

2026-07-06 原文 →
AI 资讯

From Docker Compose to Kubernetes: What Actually Changes

If you're comfortable with docker compose up , you already understand more of Kubernetes than you think. Compose taught you to describe an application declaratively — services, their images, their config, how they talk to each other — instead of running containers by hand. Kubernetes is the same instinct, scaled out across a cluster, with more moving parts because it's solving a harder problem: keeping that application running when machines fail. The good news is the mental model transfers. The honest news is that the operational surface grows, and it's worth knowing exactly what changes before you commit. Let me map the concepts you already know onto their Kubernetes equivalents, show the YAML side by side, and be straight about the parts that get harder. First, the thing that doesn't change: your images This trips people up, so let's clear it early. The Docker images you already build run on Kubernetes unmodified. Kubernetes doesn't use the Docker daemon to run them — most clusters use containerd or CRI-O — but every one of those runtimes runs standard OCI images. That's the whole point of the OCI standard: the image you built with docker build is the same artifact the cluster pulls and runs. docker build -t registry.example.com/myapp:1.4.2 . docker push registry.example.com/myapp:1.4.2 That image works identically whether docker run starts it or a Kubernetes node's containerd does. So the packaging is settled. What changes is everything around the container. The concept map Here's the translation table I'd keep next to you while you learn: Docker Compose Kubernetes What changed service Deployment + Service Running vs. reachable are now two objects image: spec.containers[].image Same OCI image ports: Service (+ Ingress for external) Networking is explicit and named depends_on: probes / initContainers Ordering becomes health, not sequence environment: / .env ConfigMap / Secret Config decoupled from the pod volumes: PersistentVolume / PVC Storage is claimed, not jus

2026-07-06 原文 →
AI 资讯

Docker Containerization: Turning 'Works on My Machine' Into a Reproducible Artifact

"Works on my machine" is one of the oldest jokes in software, and it stopped being funny the first time it cost me a weekend. The code was fine. The environment wasn't. A library version on the build box didn't match production, and nobody could see it because "the environment" was a fuzzy, undocumented thing that lived partly in a config management tool, partly in someone's .bashrc , and partly in tribal memory. Containerization is the boring, durable fix for that whole class of problem. Not because containers are magic, but because they force you to turn a fuzzy environment into a single, inspectable, reproducible artifact. That shift — from "a machine we hope is configured right" to "an image we can point at" — is the actual win. Let me walk through what that means operationally, with a minimal example. What containerization actually solves Strip away the tooling and a container image is one thing: your application plus everything it needs to run, packaged together and frozen. The OS libraries, the runtime, the dependencies, your code — all captured at build time into one immutable blob with a content-addressable identity. That has three consequences that matter when you're the one on call: The environment stops being a variable. If it runs from image myapp:1.4.2 in staging, the same image runs in production. You're no longer debugging the difference between two machines. The artifact is immutable. You don't patch a running container in place and hope. You build a new image, tag it, and roll it out. The old one still exists, unchanged, if you need to go back. Rollback becomes trivial. "Roll back" means "run the previous image tag." That's it. No reinstalling packages, no un-applying config drift. After enough years in operations, you learn that most 3 a.m. incidents aren't exotic. They're some version of "this box isn't like the other boxes." Containers don't make you smarter, but they take that entire category off the table. Images vs. containers, briefly These

2026-07-06 原文 →
开发者

The Helm Chart Is a Platform Contract — Not a Template

Early in building our cloud infrastructure, we had a problem nobody talks about — because it happens so slowly you almost don't notice it. We had eight separate Helm charts. One for services that needed KEDA scaling. One for standard HPA. One for backends that exposed HTTP. One for workers that didn't. One for Azure Functions. One for frontends. Eight charts, all living in the same repository, all drifting apart from each other. The charts started as copies of each other. Over time each one picked up its own fixes, its own conventions, its own slightly-different take on security contexts and ServiceAccount annotations and rolling update strategy. Nobody made a decision to diverge. It just happened. Every time we fixed something in one chart — say, wiring up Azure Workload Identity to every ServiceAccount — we had to remember to propagate that fix to seven others. Sometimes we did. Sometimes we didn't. We'd find out when something broke in an unexpected way six weeks later. Helm chart drift is more dangerous than dependency drift. At least with a dependency, you know what version you're on. With eight loosely related charts, you just don't know what you don't know. This is the story of how we replaced all eight with a single versioned chart, published to an OCI registry, and consumed by 70+ services through ArgoCD multi-source Applications — and what that structure forced us to think clearly about. The Two-Questions Framework The first thing we had to do was figure out why we had eight charts in the first place. What was actually different between services that justified a different chart? We landed on two questions: Does it expose HTTP? — This determines whether it needs an ingress, a Service, liveness/readiness probes on an HTTP path. What drives its scaling? — Standard CPU/memory HPA, or event-driven scaling via KEDA (Azure Service Bus, Event Hubs)? That's it. Everything else — security contexts, Workload Identity, pod anti-affinity, rolling update strategy, how s

2026-07-05 原文 →
AI 资讯

Securing Your Terraform Infrastructure with Checkov and GitHub Actions

Infrastructure as Code (IaC) has revolutionized how we provision and manage cloud resources. Tools like Terraform, Pulumi, and OpenTofu allow us to define infrastructure using code, making it versionable, repeatable, and scalable. However, with great power comes great responsibility. Misconfigurations in IaC can lead to massive security breaches, such as publicly exposed data storage or overly permissive access roles. This is where Static Application Security Testing (SAST) comes in. SAST tools analyze your source code to find security vulnerabilities before the code is deployed. In this article, we'll explore how to apply SAST to a Terraform project using Checkov , a popular open-source static analysis tool for IaC, and how to automate this process using GitHub Actions. (Note: We are intentionally avoiding tfsec for this demonstration to explore other powerful alternatives). Why Checkov? Checkov, created by Bridgecrew (now part of Prisma Cloud), is a static code analysis tool for IaC. It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, Kubernetes, Dockerfile, Serverless, or ARM Templates and detects security and compliance misconfigurations. It includes hundreds of built-in policies covering security and compliance best practices for AWS, Azure, and Google Cloud. The Demo Scenario: A Vulnerable S3 Bucket Let's start by creating a simple Terraform configuration for an AWS S3 bucket. We will intentionally introduce a security misconfiguration: making the bucket public without encryption. Create a file named main.tf : # main.tf provider "aws" { region = "us-east-1" } resource "aws_s3_bucket" "my_vulnerable_bucket" { bucket = "my-company-public-data-bucket-12345" } # Misconfiguration 1: Public Read Access resource "aws_s3_bucket_acl" "example" { bucket = aws_s3_bucket . my_vulnerable_bucket . id acl = "public-read" } If we were to deploy this, anyone on the internet could read the contents of this bucket. Let's see how Checkov can

2026-07-05 原文 →
AI 资讯

Add a post-quantum readiness gate to your CI in 5 lines

Your codebase almost certainly relies on RSA and elliptic-curve cryptography — TLS, JWTs, SSH keys, signed tokens. All of it is breakable by a large enough quantum computer (Shor's algorithm), and "harvest now, decrypt later" means data you encrypt today can be captured today and decrypted later. Regulators noticed: CNSA 2.0 (US federal + suppliers), DORA (EU financial entities, applies from Jan 2025), and NIS2 now mandate strict cryptographic risk management — which in practice means knowing where your quantum-vulnerable crypto lives, a cryptographic bill of materials (CBOM). Most teams can't answer "where is our RSA/ECC?" off the top of their head. Here's how to make CI answer it for you, on every push, for free. What we're building A GitHub Action that scans your repo, grades its post-quantum readiness A–F , writes a CycloneDX 1.6 CBOM , and — if you want — fails the build when classically-broken crypto (MD5, RC4, 3DES, deprecated TLS) shows up. Step 1 — try it in your browser first (30 seconds, nothing uploaded) Before touching CI, paste a package.json / requirements.txt / cipher list into the in-browser scanner and see your grade. It runs entirely client-side — no upload: https://throndar.ai/cbom Step 2 — add it to CI (the 5 lines) # .github/workflows/pqc-readiness.yml name : PQC readiness on : [ push , pull_request ] jobs : scan : runs-on : ubuntu-latest steps : - uses : actions/checkout@v4 - uses : brandonjsellam-Releone/pq-readiness-scorecard@v1 with : path : . That's it. The Action is self-contained and dependency-free — no npm install , no setup step. On the next push it prints a scorecard to the job summary: Post-Quantum Readiness Scorecard: D (52/100) — Quantum-vulnerable — migrate 3 files · broken-classical 0 · quantum-broken 4 · weakened 1 · resistant 0 Step 3 — see findings in the Security tab (SARIF) The Action emits SARIF 2.1.0. Upload it and every finding shows up as a code-scanning alert: - id : pqc uses : brandonjsellam-Releone/pq-readiness-score

2026-07-05 原文 →
AI 资讯

Osloq — ให้ AI reproduction เวลาเกิด bug

Osloq — ใช้ AI หาสาเหตุ bug แทน เวลา AI coding tools เสนอจะ "fix bug ให้" — เราได้แต่กด Accept หรือไม่ก็ Reject สองปุ่ม สองทางเลือก แต่เราไม่เคยรู้ว่า: AI รู้ได้ยังไงว่า bug เกิดจากตรงนี้? มัน reproduce แล้วหรือแค่อ่านโค้ดแล้วเดา? ถ้าเรา accept — มันจะพังของอย่างอื่นไหม? Osloq เลือกทางที่สาม: ไม่ใช่ "fix ให้" — แต่ " หาให้เจอแล้วบอกว่าเกิดอะไรขึ้น " Osloq คืออะไร Osloq เป็น AI agent ที่ทำหน้าที่ "นักสืบ bug" มีคนเปิด GitHub Issue → Osloq อ่าน → trace โค้ด → reproduce ใน sandbox → ส่งรายงานพร้อมหลักฐาน ┌─────────────────────────────────────────────────────┐ │ GitHub Issue: "ปุ่ม submit กดไม่ติดบน Safari" │ └─────────────────────┬───────────────────────────────┘ ▼ ┌─────────────────────────────────────────────────────┐ │ Osloq: │ │ 1. อ่าน issue → เข้าใจว่า "ปุ่มไม่ทำงาน" │ │ 2. trace โค้ด: จาก handler → service → DOM event │ │ 3. reproduce: รัน Safari ใน sandbox → ปุ่มไม่ติดจริง │ │ 4. จับหลักฐาน: logs, screenshots, call stack │ │ 5. สรุป: "event listener ใช้ 'click' แต่ Safari │ │ บน iOS 18 ไม่ bubble event — ต้องใช้ 'pointerdown' │ └─────────────────────┬───────────────────────────────┘ ▼ ┌─────────────────────────────────────────────────────┐ │ Report บน GitHub Issue: │ │ 📸 screenshot ของ Safari ที่ปุ่มไม่ทำงาน │ │ 📋 console error: "Unhandled Promise Rejection" │ │ 🔗 code path: handler.ts:42 → form.ts:17 │ │ 💡 suggestion: เปลี่ยน event type │ └─────────────────────────────────────────────────────┘ คุณอ่าน report → เข้าใจปัญหา → ตัดสินใจเอง ว่าจะแก้ยังไง ต่างจาก "AI Fix Everything" ยังไง Devin / Sweep AI Osloq แนวคิด "Fix the bug" "Find the cause" ทำงานยังไง เขียนโค้ดใหม่ → เปิด PR Reproduce → รายงาน evidence เราเห็นอะไร PR diff ภาพ, log, call stack, บทสรุป ใครตัดสินใจ AI (เราแค่ merge) เรา (AI บอกว่าอะไรผิด) ถ้าผิดพลาด โค้ดผิดเข้า main Report ผิด — ไม่กระทบโค้ด ความเสี่ยง สูง — AI แก้โค้ดโดยตรง ต่ำ — AI แค่แนะนำ ทำไมถึง "สบายใจกว่า" 1. คุณเห็นหลักฐาน — ไม่ใช่แค่ diff ❌ "Fixed button click handler — please review" → review 300 บรรทัด — ไม่รู้ว่าแก้ถูกไหม ✅ "Button

2026-07-05 原文 →