Noros connects to your AWS, GCP, and Azure accounts in 5 minutes and answers questions like “why did my spend spike this month?” in seconds. DevOps Bulletin readers get a free month at launch.

This week, BeyondTrust uncovered a command injection flaw in OpenAI Codex that exposed GitHub tokens, and Claude Code’s source code was leaked through npm source maps. Giant Swarm detailed how they live-migrated hundreds of Kubernetes clusters to the Cluster API with zero downtime.

On the tutorial side: AWS launched S3 Files to let you mount buckets as file systems; Ingress NGINX hit EOL, and Datadog walks through migrating to Kubernetes Gateway API; SpecterOps shows how Claude Code raises the bar for secure code reviews in pentesting engagements. Plus: why you should never let AI near your production database, how Slack replaced custom network tooling with Prometheus for HTTP/3 readiness, a complete Terraform setup for EKS Auto Mode, and the Git commands worth running before touching any unfamiliar codebase.

This week’s open source picks include PentAGI, a fully autonomous AI pentest agent in Go with 14.7k stars; Gardener, which manages Kubernetes clusters at scale across any infrastructure using hosted control planes; keeper, a Go cryptographic secret store; and skrun, which deploys agent skills defined in SKILL.md files as callable REST APIs.

What if you could ask your cloud bill anything?

Why is my spend 5% higher this month?” Noros is the AI agent that answers in seconds. Ask about anomalies, overprovisioned instances, cost spikes, and more across AWS, GCP, and Azure. DevOps Bulletin readers get a free month at launch.

Join the waitlist.

Newsworthy stories

• Open source security at Astral

• Live migrating hundreds of Kubernetes clusters to Cluster API

• OpenAI Codex command injection vulnerability exposes GitHub tokens

• Claude Code source leaked via npm source maps: lessons for every DevOps team

• Trunk-based development: why most teams think they use it (but don’t)

• How we built a real-world evaluation platform for autonomous SRE agents at scale

Tutorials of the week

• Enforcing AI governance across AWS organizations

• Launching S3 Files, making S3 buckets accessible as file systems

• Don’t let AI touch your production database

• I replaced Portainer, Grafana, and Prometheus with this stack

• Leveling up secure code reviews with Claude Code

• The Git commands I run before reading any code

• I let Claude review my PRs: what it caught and missed

• A practical guide for migrating to Kubernetes Gateway API

• A complete Terraform setup for EKS Auto Mode: is it right for you?

• Scalable network probing and HTTP/3 readiness with Prometheus

• Deploying Go apps to Google Cloud Run

Videos of the week

Projects of the week

• keeper is a Go cryptographic secret store that encrypts payloads at rest.

• npm-security-best-practices is a list of security best practices across supply chain attack mitigation, dependency resolution, and vulnerability scanning.

• PentAGI is a fully autonomous AI agent system for penetration testing, packing 20+ built-in security tools.

• tui-use is a tool that lets AI agents control interactive terminal programs (REPLs, debuggers, TUI apps) that normally require a human at the keyboard.

• DriftHound is an app that receives Terraform drift reports via API and provides a centralized dashboard for tracking infrastructure drift across projects.

• Gardener is a Go platform for managing homogeneous Kubernetes clusters at scale across any infrastructure using hosted control planes.

• skrun is a framework that deploys agent skills defined in SKILL.md files as callable REST APIs.

Meme of the week

Welcome to this week’s edition of the DevOps Bulletin.

The Axios npm library was compromised through a targeted attack on the maintainer’s computer, exposing how vulnerable open-source projects can be. At the same time, developers are switching from traditional SSH keys to certificates for better security, and attackers are using fake VS Code alerts on GitHub to trick developers into clicking malicious links.

On the practical side, teams are using AI agents to automatically respond to incidents, securing LLM running on Kubernetes against injection attacks and model tampering, and learning how to use AWS KMS to mitigate ransomware attacks. Plus guides on running Terraform generation locally with open source tools, using Atlantis and GitHub Actions together for infrastructure changes, and securing Kubernetes clusters for payment compliance.

This week’s open source picks include SQLite with built-in JSON and search features; rpg, a Postgres client with AI built in; zerobox, a tool to safely run untrusted code; and argo-rollouts for smoother Kubernetes deployments. Plus coasts for running isolated development environments, databend for analytics and AI, and nushell for a better shell.

All this and more in this week’s DevOps Bulletin, don’t miss out!

Is your infrastructure keeping pace with AI?

IaCConf 2026 is the annual virtual event for all things infrastructure-as-code. This year's theme: keeping pace. Hear real stories from practitioners, demos of what platform teams are building, and discussions from those leading IaC initiatives.

Register for free today

Newsworthy stories

• SSH certificates: the better SSH experience

• Modern SQLite features you didn’t know it had

• DevOps AI: Where are we headed?

• Post Mortem: axios npm supply chain compromise

• How automated release approvals reduced deployment latency to seconds

• Widespread GitHub campaign uses fake VSCode security alerts

Tutorials of the week

• Leverage agentic AI for autonomous incident response with AWS DevOps agent

• Simulating ransomware with AWS KMS

• LLMs on Kubernetes

• 6,000 AWS accounts, three people, one platform

• Using AI for Terraform

• How to use Atlantis with GitHub Actions for Terraform

• Building PCI DSS-compliant architectures on Amazon EKS

• Best way to upload 25-30 TB data from a HDD to S3

Videos of the week

Projects of the week

• rpg is a PostgreSQL terminal client written in Rust that brings AI diagnostics and schema-aware completion to psql, with 15+ DBA tools built in.

• zerobox is a cross-platform process sandbox in Rust that restricts file, network, and credential access for safely running AI-generated code.

• argo-rollouts is a Kubernetes controller enabling blue-green, canary, and progressive delivery strategies with automated metric-driven promotion.

• agents-anywhere syncs AI agent configs, skills, and instructions across 10+ tools (Claude Code, Cursor, Windsurf, Gemini) from a single git repo.

• coasts runs isolated development environments in containerized worktrees on a single machine with a local observability UI, integrating with existing Docker Compose setups.

• nushell is a shell written in Rust that treats data as structured objects instead of text streams, enabling more powerful pipelines and type-aware operations.

Meme of the week

Welcome to this week’s edition of the DevOps Bulletin.

Malware hit PyPI through a poisoned LiteLLM package last week, and the full minute-by-minute response took just 72 minutes from discovery to public disclosure. Dropbox shrank its server monorepo from 87 GB to 20 GB. BeyondTrust got a full DNS reverse shell running inside AWS AgentCore’s supposedly isolated sandbox. And Cursor now has autonomous security agents reviewing over 3,000 PRs a week. Also, IaCConf is back for year two on May 14. If you work with IaC at any level, this is where the real conversations happen.

Tutorials this week cover a one-line Kubernetes fix that saved Cloudflare 600 hours a year, a Postgres upsert that silently quadrupled WAL syncs on every no-op write, simplifying containers with Cloudflare Sandboxes, Terraform drift detection with GitHub Actions, pentesting AWS’s own Security Agent and a practical guide to Go naming conventions.

Open source picks include Augustus, a Go-based LLM vulnerability scanner with 210+ adversarial probes; OpenSandbox from Alibaba for isolated AI agent workloads; TerraVision for automatically generating architecture diagrams from Terraform; LayerLeak for scanning Docker images for leaked secrets; and CISO Assistant, which covers 100+ compliance frameworks in one platform.

All this and more in this week’s DevOps Bulletin, don’t miss out!

IaCConf is the only conference built entirely around infrastructure as code

Year two is here. Come meet your peers who are doing this work at the highest level. Learn what’s actually working and join these real conversations that don't happen at other virtual DevOps events. Don’t miss out. Register now.

Newsworthy stories

• My minute-by-minute response to the LiteLLM malware attack

• Stop enabling every AWS security service

• Reducing our monorepo size to improve developer velocity

• Securing our codebase with autonomous agents

• Pwning AWS AgentCore code interpreter

• The incident challenge

• Debugging Postgres performance

• Harness design for long-running application development

Tutorials of the week

• Simplifying containers with Cloudflare Sandboxes

• Terraform drift detection with GitHub Actions

• A one-line Kubernetes fix that saved 600 hours a year

• Audit-ready infrastructure

• SQL injection through LLM output

• Pentesting a pentest agent: here’s what I’ve found in AWS Security Agent

  

• Kubernetes strategic merge patch

• Artisanal handcrafted Git repositories

• Building reusable custom images for Azure VMs

• Go naming conventions

Videos of the week

Projects of the week

• TerraVision converts Terraform code into professional cloud architecture diagrams using official AWS, GCP, and Azure icons.

• Optio is a workflow orchestration platform for AI coding agents that takes tasks from GitHub Issues or Linear tickets and drives them through to merged PRs, automatically handling CI failures and code review feedback.

• Expect lets AI agents test your code in a real browser. It scans git diffs, generates a test plan, and executes it via Playwright with recorded sessions for replay.

• Elastic Agent Skills is the official skills library that teaches AI coding agents how to work correctly with Elasticsearch, Kibana, and Elastic’s observability and security APIs.

• CISO Assistant is an open-source GRC platform covering risk assessments, compliance tracking across 100+ frameworks, and third-party risk management in a single interface.

• LayerLeak is a Docker Hub and OCI image secret scanner written in Go that analyzes image layers, config metadata, and build history without requiring a local Docker daemon.

• Augustus is a Go-based LLM vulnerability scanner that runs 210+ adversarial probes across 47 attack categories, including jailbreaks, prompt injection, and data extraction.

• OpenSandbox is Alibaba’s sandbox platform for AI agent workloads, providing isolated code execution with gVisor, Kata Containers, and Firecracker microVMs.

Meme of the week

From S3 bucketsquatting finally being dead after a decade of exploitation, to Reddit migrating petabyte-scale Kafka from EC2 to Kubernetes with zero downtime, and an active phishing campaign targeting AWS console credentials using adversary-in-the-middle proxies.

On the tutorial side, we look at how AI agents write Go, vibe coding’s attribution problem, why git blame matters more than ever, and how Datadog caught an AI-powered bot trying to inject malicious code into their open-source repos. Plus a $7 Lightsail setup that replaces your local AI agent, and a deep dive into when Kubernetes actually restarts your pod.

This week’s open source picks feature Serie, a Rust-based terminal tool for clean Git commit graphs, Bromure, a macOS app that runs each browser session inside a disposable Linux virtual machine, and Trajan, a scanner that detects vulnerabilities across platforms like GitHub Actions, GitLab CI, Azure DevOps, Jenkins, and JFrog.

All this and more in this week’s DevOps Bulletin, don’t miss out!

Building an IDP from Scratch - Live Workshop

Design and build an Internal Developer Platform that scales and gets adopted. This hands-on, 2-day workshop covers platform-as-a-product thinking, cloud-native architecture, IaC, automation patterns, and production readiness. Ideal for platform engineers, DevOps teams, and engineering leaders building IDPs. Exclusive 40% discount code: DEVOPSBULLETIN

Newsworthy stories

• S3 bucketsquatting is finally dead

• Security architecture of GitHub agentic workflows

• How Reddit migrated Petabyte-scale Kafka from EC2 to Kubernetes

• Azure DevOps remote MCP server

• What if your Git history were a SQL database?

• Active phishing campaign targeting AWS console credentials

• Postgres is the Gateway drug

• When should you use BFF, and should it replace API Gateway?

Tutorials of the week

• The $7 AWS setup that replaced my local OpenClaw

• Catching malicious contributions in Datadog’s open source repos

• Vibe coding needs git blame

• Building a virtualized Kubernetes homelab

• How AI agents want to write Go

• When Kubernetes restarts your pod

• Hosting and scaling EKS hybrid nodes

• Complete guide to AWS ECS

• Mastering GKE multi-tenancy

Videos of the week

Projects of the week

• Serie is a TUI application that renders Git commit graphs with rich visuals using the terminal’s image display protocol.

• Git Quest is a web-based RPG game that converts your GitHub commit history into character progression and in-game resources.

• Pertmux is a terminal dashboard that unifies merge requests, git worktrees, tmux sessions, and AI coding agents into a single real-time monitoring interface.

• Nord Stream is a security testing tool that extracts secrets from CI/CD environments by deploying malicious pipelines across Azure DevOps, GitHub, and GitLab.

• Trajan is a security scanner that identifies vulnerabilities in CI/CD pipeline configurations across GitHub Actions, GitLab CI, Azure DevOps, Jenkins, and JFrog.

• Bromure is a native macOS app that runs every browser session inside a lightweight, disposable Linux virtual machine for full isolation.

Meme of the week

An autonomous bot spent 7 days exploiting GitHub Actions across Microsoft, DataDog, Aqua Security, and CNCF projects — exfiltrating tokens with write permissions from awesome-go (140K stars) and fully compromising Trivy’s releases. Meanwhile, new research shows that roughly half of SWE-bench-passing AI PRs would be rejected by actual maintainers, and Uber shares how it replaced thousands of individual Kafka policies with a single CEL-based access control rule.

On the tutorial side, a HashiCorp Core team engineer breaks down Terraform internals from addressing to expansion logic, while a researcher shows how opening a GitHub issue let them steal npm publish tokens from Cline’s CI — poisoning 4,000 machines before detection. Plus: why you should turn Dependabot off, how a Rust rewrite cut batch jobs from 30 minutes to under 5, and how ParadeDB optimized top-K queries from 37 seconds to 300ms.

This week’s open source picks include Terrapod — an open-source Terraform Enterprise replacement with built-in governance, PipeStep — a debugger that lets you step through GitHub Actions workflows locally in Docker, and Aegis — an EDR tool that monitors AI agent behavior in real time.

All this and more in this week’s DevOps Bulletin, don’t miss out!

Newsworthy stories

• Building a database on S3

• A bot actively exploiting GitHub Actions - Microsoft, DataDog, and CNCF projects

• When Kubernetes is the wrong default

• Many SWE-bench-passing PRs would not be merged into main

• How AI agents automate CVE vulnerability research

• Please, please, please stop using passkeys for encrypting user data

• How I dropped our production database and now pay 10% more for AWS

• How Uber reinvented access control for microservices

Tutorials of the week

• Migrating from Heroku to AWS

• How I use LLMs for security work

• Building AI teams with Docker sandboxes

• A series about the internals of Terraform

• How to steal npm publish tokens by opening GitHub issues

• Turn Dependabot off

• Using Rust and Postgres for everything

• A multi-agent architecture for automated penetration testing

• Understanding the Go runtime

• Getting started with GitOps

• How we optimized top K in Postgres

• How LDAP works

Videos of the week

Projects of the week

• Temps is a self-hosted deployment platform that combines app hosting, monitoring, and infra management in a single binary.

• Neko is a self-hosted, Dockerized virtual browser that uses WebRTC for multi-user collaborative browsing.

• Terrapod is an open-source Terraform Enterprise replacement with built-in collaboration, governance, and state management.

• PipeStep is a debugger for GitHub Actions that lets you step through CI workflows locally in Docker.

• OneCLI is a credential gateway that transparently injects API keys into AI agent requests so agents never touch secrets.

• Switchboard is a desktop app that lets you manage all your Claude Code sessions from a single, unified interface.

• load-secrets-action is a GitHub Action to load 1Password secrets into workflow environment variables.

• Aegis is an EDR tool that monitors AI agent behavior, tracking processes, file access, and network activity in real time.

Meme of the week

Welcome to this week’s edition of the DevOps Bulletin.

From Iranian drone strikes taking down AWS data centers in the UAE and Bahrain, to Truffle Security finding 2,863 live Google API keys on the public internet that now silently authenticate to Gemini.

On the tutorial side, we get into designing caching architectures that cut LLM costs by 30% through semantic deduplication, building AI agents for infrastructure teams with proper safety guardrails, and a hands-on guide to pg_semantic_cache in Postgres that achieves 60-80% cache hit rates. Plus: debugging Go memory leaks with pprof, secure error-handling patterns in Go, and AWS cost optimization with up to 72% savings.

This week’s open-source picks include Shannon - an autonomous AI pentesting framework that validates vulnerabilities using real exploits, Titus - a high-performance secrets scanner with 487 detection rules, and safe-chain — a local proxy that blocks malicious npm and PyPI packages before installation.

All this and more in this week’s DevOps Bulletin, don’t miss out!

Your Terraform Plan passed. Your app just broke. Here's why.

Clean plan. Successful apply. App down two hours later. Sound familiar? Learn how platform teams scale IaC without the chaos.

Free virtual event, March 12 at 12 PM ET. Register now.

Newsworthy stories

• How even senior developers mess up their Git workflow

• Amazon says it could take at least a day to restore data centers hit by ‘objects’ in the UAE

• Terraform, feature flags, and configurability

• Designing caching architectures to minimize latency and LLM costs at scale

• Google API keys weren’t secrets. But then Gemini changed the rules

• The KFC architecture blueprint: Kafka, Flink, and ClickHouse

Tutorials of the week

• How to design, build, and operate AI agents for infrastructure teams

• Draw.io MCP for DevOps diagrams generation

• Master Kubernetes through production-ready practice

• Running OpenClaw safely

• Use CLI like a modern tech bro

• Semgrep + AI for Infrastructure as Code

• Debugging a Go memory leak

• AWS cost optimization best practices

• A hands-on guide to Postgres caching

• Best practices for secure error handling in Go

Videos of the week

Projects of the week

• Self-hosted platform for provisioning secure cloud development environments and workspaces defined with Terraform and accessed through remote IDEs.

• Autonomous AI pentesting framework that analyzes source code, discovers attack paths, and executes real exploits to validate web app vulnerabilities.

• Local proxy that protects developers and CI pipelines by scanning npm and PyPI packages for malware and blocking risky or newly published dependencies before installation.

• AI-powered threat modeling tool that analyzes system architectures and generates security threat models using LLM agents.

• A Kubernetes operator that deploys, autoscales, and manages Ray clusters and workloads for distributed AI and machine learning on Kubernetes.

• YAML-driven CLI for scenario-based testing, API automation, and load testing across HTTP, gRPC, databases, browsers, SSH, and local commands

• High-performance secrets scanner that detects and validates API keys, tokens, and credentials across source code, git history, binaries, and web traffic

• Kubernetes native batch scheduler designed for AI, ML, big data, and HPC workloads with advanced resource scheduling and queue management

Meme of the week

Welcome to this week’s edition of the DevOps Bulletin.

Big news this week includes an exclusive offer for DevOps Bulletin subscribers: up to $100k in free credits for building or scaling your stack on AWS. Our curated stories share how Datadog reduced its Go agent binaries by 77%, Netflix’s journey migrating RDS Postgres workloads to Aurora, enterprise strategies for scaling GitOps, rendering 100 million pixels per second over SSH, FinOps tips to reduce 70% of S3 cost, running Git inside Postgres, and why securing OpenClaw may be the wrong problem to solve.

Tutorials this week go deep into Postgres fundamentals, Docker BuildKit, and hard lessons from real-world SQL queries, as well as building Terraform review agents with Gemini, designing secure agent skills and MCP servers, and deploying a production-ready, scalable code modernization platform.

The open source picks include an autonomous Claude powered multi agent system that turns Linear issues into reviewed pull requests, a PostgreSQL proxy with connection pooling and sharding, a terminal dashboard for managing cron jobs over SSH, a VSCode extension that visualizes SQL lineage and dependencies, a local first AI agent task manager, and an S3 native Kafka compatible event streaming server built as a single Rust binary.

All this and more in this week’s DevOps Bulletin, don’t miss out!

Get up to $100k in FREE AWS credits

How to reduce your AWS expenses without compromising your product's potential? Spendbase, in partnership with AWS, offers up to $100k in free AWS credits for DevOps Bulletin subscribers. The application process is simple: new & existing AWS users are eligible (even if you've received credits before). Everything you need is a startup under 10 years old with a corporate website.

Claim your credits now!

Newsworthy stories

• How we reduced the size of our Agent Go binaries by up to 77%

• Automating RDS Postgres to Aurora Postgres migration

• How to scale GitOps in the enterprise

• Rendering 100M pixels a second over SSH

• How a video hosting platform saved 70% on S3

• Git in Postgres

• Why is trying to secure OpenClaw ridiculous

Tutorials of the week

• You just need Postgres

• Bash for agents

• Building an in-house Terraform review agent with Gemini CLI

• Building a scalable code modernization solution with AWS Transform custom

• Docker’s hidden gem that can build almost anything

• Hard lessons from a real SQL query

• MCP server security

• 3 principles for designing agent skills

• Migrate Amazon EC2 to ECS Express Mode using Kiro CLI and MCP servers

• Making Harbor production-ready

Videos of the week

Projects of the week

• An autonomous Claude-powered multi-agent system that turns Linear issues into reviewed, tested, and merged pull requests.

• Terminal dashboard for managing and scheduling local and remote cron jobs over SSH with validation and autocompletion.

• VSCode extension that turns SQL queries and whole workspaces into interactive execution flow, lineage, and dependency diagrams.

• PostgreSQL proxy that provides connection pooling, query-aware load balancing, health checks, and built-in database sharding.

• Local first AI agent task manager that organizes, prioritizes, and orchestrates multiple coding agents with a dashboard.

• S3 native Kafka-compatible event streaming server that stores data directly in object storage with a single Rust binary and no broker fleet.

Meme of the week

Welcome to this week’s edition of the DevOps Bulletin.

In this week’s news, we unpack the hidden friction inside FOCUS 1.2 and what happens when a clean FinOps specification collides with messy real billing data. We also cover why Docker sandboxes deserve more attention, how Netflix scales LLM post-training, a Firebase misconfiguration that exposed 300 million messages, and a reflective farewell to Rust.

This week’s tutorials include an interactive tour of Go 1.26, an OpenClaw security engineer’s cheat sheet, the one Claude skill every DevOps engineer should master, how to detect read efficiency issues in Postgres queries, Docker log rotation basics, and a living PostgreSQL sample database you can run locally. We also explore a FinOps guide to updated spend-based CUDs, deploying a production-ready FastAPI app with Terraform on AWS, and encrypting files with passkeys and age.

Our video of the week breaks down AI fatigue and why cloud engineers feel overwhelmed by nonstop AI hype. We also spotlight Bright Data MCP, a single entry point for searching, crawling, and extracting real-time web data without dealing with CAPTCHA, JavaScript rendering, or geo restrictions.

The open source picks include a macOS helper that plays Warcraft style sounds when Claude Code finishes tasks, a continuously updated IPv4 blocklist for firewall and WAF protection, a production ready Go based LLM vulnerability scanner that tests models against more than 210 adversarial attacks, a lightweight command runner for project specific tasks, a SQL driven dashboard platform powered by DuckDB, and a Claude Code plugin marketplace focused on security auditing and malware analysis skills.

All this and more in this week’s DevOps Bulletin, don’t miss out!

One MCP to access the Web

Bright Data MCP gives you a single entry point to search, crawl, and extract real-time web data. It automatically selects the right tool for each site and handles CAPTCHA, JavaScript rendering, and geo restrictions out of the box.

If you are building RAG pipelines or autonomous agents with LangChain, CrewAI, or LlamaIndex and are tired of stale data or broken scrapers, MCP removes the data plumbing so you can focus on the logic.

Start building.

Newsworthy stories

• The FOCUS problem nobody talks about

• Docker sandboxes are great

• The uncomfortable truth about vibe coding

• Scaling LLM post-training at Netflix

• Firebase misconfiguration exposes 300M messages

• Examining Chinese national vulnerability databases

• I intercepted 3,177 API calls across 4 AI coding tools

• Farewell, Rust

Tutorials of the week

• Go 1.26 interactive tour

• OpenClaw security engineer’s cheat sheet

• The only Claude skill every DevOps engineer needs

• Read efficiency issues in Postgres queries

• The Claude skills I actually use for DevOps

• TIL: Docker log rotation

• A living PostgreSQL sample database

• A FinOps guide to updated spend-based CUDs

• Deploying a production-ready FastAPI app with Terraform

• Chat with your App Service logs using GitHub Copilot

• Encrypting files with Passkeys and age

Videos of the week

Projects of the week

• A macOS helper that plays Warcraft-style sound notifications when Claude Code finishes or needs input, so you never miss terminal events

• A continuously updated, community-maintained IPv4 blocklist of malicious IPs for firewall and WAF protection.

• A production-ready Go-based LLM vulnerability scanner that tests models against +210 adversarial attacks, including prompt injection and jailbreaks

• Just is a handy way to save and run project-specific commands.

• A SQL-driven dashboard platform powered by DuckDB that lets you build and share analytics with pure SQL queries

  

• A Claude Code plugin marketplace providing security-focused skills for auditing, testing, malware analysis, and secure development workflows

Meme of the week

In this week’s news, we look at what Heroku’s “sustaining engineering” announcement really means for teams still running production workloads there, how GitLab deploys the largest GitLab instance in the world 12x a day, and why Postgres’ postmaster model becomes a scaling bottleneck under extreme concurrency. We also cover ChatGPT Containers now running bash and installing packages, a developer accidentally DDoS-ing their own laptop while learning Go concurrency, and fresh data from the 2025 State of Cloud Security report.

This week’s tutorials go deep into orchestrating specialized AI agent teams, implementing hierarchical AWS Cost Categories for better financial visibility, reducing Kubernetes cold-start latency when scaling nodes from zero, testing whether LLMs can detect hidden backdoors in binaries, building a fully serverless CI/CD pipeline with GitHub Actions and Terraform, understanding Postgres locks visually and conceptually, simplifying Control Tower governance with enhanced CloudFormation Hooks, building a local-first Obsidian RAG with DuckDB and MotherDuck, and generating readable Terraform plan reports for pull request reviews.

The open-source picks include a Kubernetes-native database provisioning platform, a lightweight real-time Docker log viewer, a modern JavaScript-based load testing tool, a GitHub-style diff pager for your terminal, and a security scanner that analyzes AI agent skills for prompt injection and data exfiltration risks.

All this and more in this week’s DevOps Bulletin, don’t miss out!

Newsworthy stories

• Heroku is officially dead

• How we deploy the largest GitLab instance 12 times daily

• ChatGPT Containers can now run bash, pip/npm install packages, and download files

• DDOS'd my own laptop learning Go

• State of cloud security

• Postgres Postmaster does not scale

• The many flavors of .ignore files

Tutorials of the week

• Orchestrating specialized agent teams for compound engineering

• Improve cost visibility and observability with AWS cost categories

• Scaling Kubernetes nodes from zero

• We hid backdoors in binaries — Opus 4.6 found 49% of them

• Building a Serverless CI/CD pipeline on AWS with GitHub Actions and Terraform

• Postgres locks explained

• Simplify AWS Control Tower governance with enhanced AWS CloudFormation Hooks

• Building an Obsidian RAG with DuckDB and MotherDuck

• Create readable Terraform plans for pull request reviews with tfplan2md

Videos of the week

Projects of the week

• A platform to provision, manage, scale, and back up databases such as MySQL, PostgreSQL, and MongoDB using Helm or a CLI.

• Lightweight web UI to stream and search Docker container logs in real time across single or multiple hosts.

• A developer-focused load testing tool that lets you write performance tests in JavaScript and run them locally, in CI, or at scale.

• A git diff pager based on delta but with a file tree, à la GitHub.

• Security scanner that analyzes AI agent skills for prompt injection, data exfiltration, and malicious code using static rules, dataflow analysis, and optional LLM review.

Meme of the week

In this week’s news, we look at why GitHub Actions is becoming a serious productivity bottleneck for many teams, what it actually takes to own a $5M data center instead of paying a $25M cloud bill, and a new SDLC threat framework designed to map real supply-chain risks across CI, registries, and production. We also cover why AI-powered SRE breaks down without system topology, how Preply structures Terraform with minimal modules and policy guardrails, how Salesforce can roll back 1.5 trillion requests in under ten minutes, and how Pinterest built a compute platform capable of billions of async task executions.

This week’s tutorials go deep into running Kubernetes inside a container, partitioning a 17TB PostgreSQL table, closing container supply-chain gaps with admission control, designing effective SLOs, runbooks, and post-mortems, implementing correct readiness checks for Spring Boot, automating Route 53 updates with Terraform, building a minimal Kubernetes cluster on NixOS, and understanding how MFA downgrade attacks and Kubernetes RBAC misconfigurations lead to real-world compromises.

The open-source picks include a VS Code and Cursor extension that detects malicious IDE behavior in real time, a collection of Falco rules for Kubernetes attack detection, a single-binary Kubernetes dashboard with built-in AI, a near-zero-downtime MySQL migration library from Shopify, an idempotent SQL schema management tool, and a high-performance job queue for Bun that replaces Redis with SQLite.

All this and more in this week’s DevOps Bulletin, don’t miss out!

Newsworthy stories

• GitHub Actions is slowly killing your engineering team

• Owning a $5M data center

• The first threat framework dedicated to SDLC infrastructure

• Git shitstorm

• Why AI-SRE needs topology, not just telemetry

• How do we use Terraform at Preply

• Automating global rollback for 1.5 trillion requests in 10min

• How Pinterest built a compute platform for billions of task executions

Tutorials of the week

• Kubernetes in a container

• Partitioning a 17TB table in PostgreSQL

• Offensive security MCP servers

• Closing the supply chain gap in Kubernetes

• SLOs, Runbooks and Post-Mortems

• Container readiness checks for Spring Boot deployments

• Database indexing

• Automating Route 53 DNS updates with Terraform

• A ‘small’ vanilla Kubernetes install on NixOS

• Deep dive into MFA bypass

• Kubernetes remote code execution via Nodes/Proxy GET permission

Videos of the week

Projects of the week

• A VSCode and Cursor extension that provides real-time security monitoring to detect malicious extensions and supply chain attacks inside the IDE.

• A collection of custom Falco rules and test cases to detect real-world Kubernetes attack techniques.

• A single binary Kubernetes dashboard for multi-cluster management with built-in AI assistance.

• A live MySQL data migration library that copies selected data between databases with near zero downtime.

• Idempotent schema management for MySQL, PostgreSQL, SQLite, and SQL Server.

• A high-performance job queue for Bun that uses SQLite for persistence and runs without any external services.

Meme of the week

Welcome to this week’s edition of the DevOps Bulletin.

We open with a growing problem security teams are quietly struggling with. AI tools are moving sensitive data across SaaS and internal systems in…

Read more

Welcome to this week’s edition of the DevOps Bulletin.

We’re kicking off with AI and Infrastructure-as-Code. IaCConf Spotlight on January 28 brings engineers together to share how they’re using AI in …

Read more

Welcome to this week’s edition of the DevOps Bulletin.

AI isn’t replacing DevOps teams, it’s changing how they work. Learn how by joining the IaCConf Spotlight on January 28. In the news, AWS’s direct…

Read more

Welcome to this week’s edition of the DevOps Bulletin.

We’re kicking off with AI and Infrastructure as Code: a spotlight event on January 28 will show how platform and DevOps teams are using AI for re…

Read more

This week: AWS’s CTO share his predictions for 2026 and beyond, why developers are gaming GitHub profiles (and why star…

Read more

Why Kubernetes clusters are massively underutilized in production, how Cloudflare is eliminating cold starts with “shard and conquer,” and what h…

Read more

Welcome to this week’s edition of the DevOps Bulletin!

Cloudflare shared how they run Cloudflare at enterprise scale with IaC, SonarSource dropped a GitHub Actions “zombie workflows” horror story, and…

Read more

Teams shared how they migrated 1B records without downtime, saved 70% CPU and 60% memory by optimizing Go services, and how Reddit moved its comm…

Read more

One team explained why they’re leaving serverless behind after hitting scaling and performance limits, security researchers warned users to stop …

Read more

Researchers scanned 5.6 million GitLab repositories and uncovered thousands of live secrets, AWS finally added a way to spot idle NAT Gateways, a…

Read more