MVP GitHub Action: Zero Trust checks + compliance proof in CI/CD

I built a GitHub Action that blocks Terraform misconfigs and emits signed attestations. Yes, it’s a simple CNAPP with one important addition: it generates trust documentation. The point is to move past “scan and warn” into verifiable proof that risky changes never hit production.

Why it matters:
- Manual reviews don’t scale, screenshots aren’t proof.
- Tools like Vanta, Wiz, or Chainguard cover parts of the workflow, but there’s no open-source, end-to-end chain of compliance evidence.
- SOC 2 costs run $10k–$80k+ plus hundreds of staff hours — out of reach for teams below the security poverty line.

What it does today:
- Blocks public S3 buckets, open 0.0.0.0/0 security groups, long-lived AWS keys in PRs
- Emits DSSE-signed attestations as compliance evidence
- Built in Go with hashicorp/hcl + Cobra

Usage:

name: Zero Trust Infra Check
on: [pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: miqcie/mondrian/.github/actions/mondrian-check@main
        with:
          generate-attestation: true

Repo: github.com/miqcie/mondrian

Looking for input:
- What misconfigs are the biggest pain in your pipelines?
- How do you balance blocking gates with deploy velocity?
- Anyone chaining compliance proofs into a live trust center?

https://redd.it/1ng4lu7
@r_devops

What are the hardest things you've implemented as a DevOps engineer?

What are the hardest things you've implemented as a DevOps engineer? I am asking so that I can learn what I should be studying to future-proof myself.

https://redd.it/1ng4zvm
@r_devops

I feel I'm doing some greater evil

I set up a decent CI/CD for the infra (including kubernetes, etc). Battery of tests, compatibility reboot tests, etc. I plan to write much more, covering every shaky place and every bug we find.

It works fine. Not fast, but you can't have those things fast, if you do self-service k8s.

But. My CI is updating Cloudflare domain records. On each PR. But of course we do CI/CD on each PR, it's in the DNA for a good devops.

But. Each CI run leaves permanent scar in the certificate transparency log. World-wide. Now there are more than 1k of entries for our test domain, and I just started (the CI/CD start to work about a month ago). Is it okay? Or do I do some greater evil?

I feel very uncomfortable, that ephimerial thing which I do with few vendors, cause permanent growth of a global database. Each PR. Actually, each failing push into open PR.

Did I done something wrong? You can't do it without SSL, but with SSL behind CF, we are getting new certificate for new record in the domain every time.

I feel it's wrong. Plainly wrong. It shouldn't be like that, that ephimerial test entities are growing something which is global and is getting bigger and bigger every working day...

https://redd.it/1ng6vzz
@r_devops

Dev Ops in 2025 for a beginner?

Hey, I've got no real DevOps experience, just Linux basics. Thinking about diving into junior developer or DevOps roles, focusing on Linux and automation, but with AI advancing, is it still worth learning? Are Linux and DevOps skills valuable when AI can do so much? Need advice from experienced devs or DevOps folks!

https://redd.it/1ng6q9m
@r_devops

Am I wasting my time trying to build this?

I’m a DevOps/SRE I’ve had multiple debugging sessions with teammates and worked a lot in slack. I’ve experienced multiple micro-incidents and major incidents. I’m aware of the standard; ALWAYS DOCUMENT! I create tickets and RFOs for the incidents I tackle, with the necessary details and so forth, some times I keep personal notes for easy recall of some specific recurring similar incidents, but when I have to deal with hundreds of incidents, it becomes a hassle, and I lose the zeal to keep documenting. I guess you could say I’m just lazy. 😅

I’ve been thinking about building something that remembers every debugging session and incident engineering teams have ever resolved all in one place, without context switching— well in slack. A tool that can answer questions in natural language “have we seen this incident before?”, then it returns a list of related past resolved incidents. I’m focusing purely on capturing and retrieving knowledge from conversations. No runbooks, no on-call schedules, no status pages. Just “turn my debugging conversations into searchable memory.”

PS: More details can be found here: https://incidly.com

My major concern is this;
- is this worth building? Maybe people won’t care enough about this problem to want to use it?

- Maybe the major players in the incident field will add it as a feature?

- Am I naive to think there’s an opportunity here for me to build?

I’d really appreciate your honest opinions. Thank you very much!

https://redd.it/1nggnwj
@r_devops

I built a sandbox SMTP server for email testing in staging/dev – feedback welcome!

Hey folks 👋

I've been working on a tool called [Mailfrom.dev](https://mailfrom.dev) – a sandbox SMTP server designed for staging and development environments. If you’ve ever had to deal with testing email flows like password resets or onboarding confirmations, you know how messy it can get when you don’t want to send real emails.

[Mailfrom.dev](http://Mailfrom.dev) lets you send emails to a fake SMTP server, where you can inspect everything in a web UI — no emails actually go out to the end users and you can also share everything with you team.

I was frustrated with how expensive or overly complex other tools in this space are.. I wanted something affordable and dead simple to use. Just check the pricing — you'll see what I mean.

I’d love any feedback, thoughts, or feature suggestions.

**Tech stack**:

* Backend: Laravel (Horizon, Reverb, Cashier)
* Frontend: Vue 3 + shadcn + reka
* Infra: k3s on Hetzner, S3 & SES on AWS

https://redd.it/1ngttiq
@r_devops

Is AI coming after DevOps?

As I go through so many new tools and platforms, I have got many questions!

- is AI going to eliminate DevOps jobs?
- will Dev & DevOps be managed by genetic platforms in future?

https://redd.it/1ngv4nu
@r_devops

Need Full Stack Dev for Hackathon

Hey everyone,
I'm working on a hackathon project that's about 50% complete, but the submission deadline is tomorrow. I’m looking for someone with Full Stack experience who can jump in today and help speedrun the rest of the build.

The project is solid so far, just need help finishing up features and polishing for submission. If we win, I’m happy to split the prize.

If you're up for a fast-paced collab and can start ASAP, DM me and I’ll share the details.

Let’s crush this. 💪

https://redd.it/1ngwjdw
@r_devops

About to take the CKA exam, couldn't find documentation for Kustomize in the official Kubernetes docs

So I heard that I am allowed to use the kubernetes official documentation on the exam as long as I'm using their secure browser, but I cannot find Kustomize in the official docs. Instead it seems it has its own independent website. Am I allowed to use it in the exam or did I miss it in the docs

https://redd.it/1nh1uo1
@r_devops

I Battled Google's Inconsistent Docs to Set Up Custom Error Pages with Cloud Armor + Load Balancer, Here's the Workaround That Saved the Day

As a cloud consultant and staff cloud engineer, I’ve seen my fair share of GCP quirks, but setting up a custom error page for Cloud Armor–blocked traffic was a real nightmare! 😫

Setup: HTTP(S) Load Balancer, Cloud Run backend, and a GCS-hosted error page. Google’s docs made it sound possible, but contradictory info and Terraform errors told a different story, no love for serverless NEGs.

I dug through this subreddit for answers (no luck), then turned to GitHub issues and a lot of trial and error. Eventually, I figured out a slick workaround: using Cloud Armor redirects to a branded GCS page instead of the ugly generic 403s. Client’s happy, and I’m not stuck explaining why GCP docs feel like a maze.

Full story and Terraform code here: Setting up a Custom Error Page with Cloud Armor and Load Balancer (on Medium).

TL;DR: GCP docs are messy, custom_error_response_policy doesn’t work for Cloud Armor + serverless. Used Cloud Armor redirects to GCS instead. Code’s in the article!

So what’s your worst GCP doc struggle? Anyone got Cloud Armor hacks or workarounds? Spill the beans.

==========================
Documentation Contradiction:

One part of the documentation states that custom error pages work for errors generated by Cloud Armor: [https://cloud.google.com/load-balancing/docs/https/custom-error-response?utm\_source=chatgpt.com](https://cloud.google.com/load-balancing/docs/https/custom-error-response?utm_source=chatgpt.com)
However, another part of the same documentation says the policy only applies to responses that come from the backend, not the Google Front End (GFE). Since Cloud Armor operates at the GFE level, it seems this feature is not applicable to our setup: https://cloud.google.com/load-balancing/docs/https/custom-error-response?utm\_source=chatgpt.com#limitations

https://redd.it/1nh3ae8
@r_devops

Small teams adapting faster to AI-driven changes in software delivery?

Interesting early signal from the first two weeks live of Warestack.

While we expected mid-size engineering organizations to jump in first, it’s the smaller, fast-moving teams that are setting up modern processes and context-aware rules to keep AI-driven changes safe.

They already sense how quickly the ground is shifting:

- AI code editors are writing production code and developers don’t always own every change
- Autonomous agents may soon manage pull requests end-to-end

That means unmanaged changes can reach production in seconds. Some of these smaller teams are already moving beyond static GitHub settings toward more agentic, adaptive guardrails, like:

- Enforce smart review thresholds (e.g. large PRs require extra reviewers) with the flexibility to bypass only when an urgent hotfix is created by a senior team member
- Apply critical-path ownership and secret / config change controls
- Block risky deployments outside approved windows
- Align every PR with its project ticket to keep scope transparent


Curious if others here have seen similar patterns - are small teams actually quicker at adapting to this shift than larger organizations?

https://redd.it/1nh5dcn
@r_devops

Wanna build a production ready fullstack website

I’ve only done like student projects never deployed or done something scalable. If anyone’s willing to coach/manage/guide me through the process would be greatly appreciated. Having trouble figuring out the apis and tools ill need to calculate like a cost analysis and have an accurate full picture.
I have an initial functional and non functional requirements list but I need experienced advice and reviews theres alot i dont know about im in way over my head

https://redd.it/1nh7h12
@r_devops

Need Help in Learning Devops

I'll be joining Cognizant as a Fresher and I'm planning to learn Devops during this and in 1-1.5 years after cognizant,get a Devops job.
How can I do that?
What all resources should I follow??
How can I manage work along with Devops learning coz I will be doing a non Devops work in cognizant most probably..

https://redd.it/1nhddcv
@r_devops

Looking for minimal containers with built in audit trails and signed metadata

Our environment demands high transparency like every deployed container image must be traceable and verifiable. We are talking signed provenance, tamper proof SBOMs, and easy audit exports for regulatory reviews.
The usual workflow of building images locally and then generating SBOMs feels brittle. manual, inconsistent, and prone to oversight. Ideally i would use ready made, minimal container images that include signed SBOMs and provenance data. Even better if they integrate with our CI/CD pipeline and help speed up compliance audits. Any recommendations?



https://redd.it/1nhf3bs
@r_devops

Feeling unfulfilled in tech

Hey ,

I’m currently a Software Engineer with 2.4 years of experience at a major MNC, and I’m finding myself at a professional crossroads. While I've been doing decent in my career so far, I’m feeling a deep sense of unfulfillment. I've always been good in the of my peer group because of my ability to learn quickly and solve complex problems, but the tech itself just doesn’t excite me anymore. I'm ready for something more.

I'm not looking for just another job or a promotion. I'm looking for something worthwhile. I believe my intelligence and drive can be applied to much more than optimizing pipelines. I want to use my skills to solve a real-world problem and build something that truly matters.

I’m not interested in the stereotypical path of an MBA or upskilling in a field that no longer resonates with me. Instead, my biggest goal is to work with and learn from highly influential people—founders, visionaries, and leaders who have already succeeded. I want to be in an environment where I can absorb their wisdom and contribute .

I'm open to almost any field. I'm a fast learner and adaptable. I’m a tech professional on paper, but at my core, I'm a problem-solver who just happens to be getting paid for it. If you're a leader who is tackling a real-world challenge, and you're looking for someone with an intense will to build something worthwhile, let’s talk.

I’m ready to put my all into a new challenge. If you’re a founder or visionary who can offer a role with fantastic environment, I’d love to connect.

Feel free to comment or send me a DM.

https://redd.it/1nhg46l
@r_devops

Steps to move to DevSecOps

Hello, i am wondering what would be the ideal steps to add Sec on top of DevOps poisition. Where to even begin?

There is quite push to start somewhere in my small company and position opened for anyone interested in the team. Where should i begin?

https://redd.it/1nhgjfh
@r_devops

[Hiring] [Remote] [Competitive Pay] Technical Project Manager

FP Block is a blockchain consulting firm (formerly FP Complete, founded 2012) delivering high-performance applications across EVM, Cosmos, Solana, and Near. We are hiring a Technical Project Manager to oversee timelines, communication, and project deliveries.

What you will do:

* Manage 1–3 projects in GameFi, DeFi, high-frequency trading, dapps, and audits
* Coordinate between clients and engineers in a fully remote setup
* Ensure smooth execution using agile practices

What we are looking for:

* 4+ years project management in software, DevOps, finance, or blockchain
* Strong English and async communication skills
* Proven track record with stakeholders and deliverables

Big pluses:

* Experience across multiple areas (development, DevOps, finance, blockchain)
* Smart contract or dapp project management
* Cloud or distributed systems knowledge

Apply by sending your CV and a short cover letter to [jobs@fpcomplete.com](mailto:jobs@fpcomplete.com).
More info: [www.fpblock.com/jobs](http://www.fpblock.com/jobs)
Reddit: [https://www.reddit.com/r/FPBlock/](https://www.reddit.com/r/FPBlock/)

https://redd.it/1nhfjs1
@r_devops

Is support in the same time zone important to you?

Have you ever dropped (or avoided) a tool because the vendor was on the ‘wrong’ side of the world for your team?

I‘ve had a quite interesting discussion with my buddy working as a CTO (based in Germany), who said he prefers to work with European Vendors due to their customer support being in the same time zone. Of course AI Bots are reducing this friction, but still.

Would you chose a US-based vendor over an Australian or European? Or does time zone difference not have any impact at all?

https://redd.it/1nhk60j
@r_devops

Feeling stuck in DevOps career after 2 years, not sure how to prepare for interviews

Hey folks,

I have been working as the DevOps Engineer with 2 yrs of experience, so my current company is completely uncertain and don't know what will happen at what time, so I am applying for job switch , I have did good accomplishments like scaling Kubernetes workloads, automating mobile build pipeline from scratch but the thing is, I am not mastered any of the things, I kept my footprints in the all the tech stacks and worked on demand by researching it.

Recently i gave an interview with ZETA for SRE 2 role, they asked me below questions
1. Jenkinsfile stages , like checkout,build, push and deploy so I wrote the skeleton


2 - python question (two sum problem), i solved it, but u was asked for the time complexity of the 5 line python problem 🙂, why do DevOps Engineers need Time complexity, since we use python most of the time to automatic the tasks


3 - python noscript for archiving 10 days older file and push to s3, I created a pseudocode noscript with the flow



4 - among 3 replica , 1 pod is giving crashloopback, I answered , possibilities, OOMkilled, PvC in different regions node is in different

But they expected the bookish answers I think, Nothing they have asked about my work which i mentioned in resume, just came up with the questions and share it with Google docs

Pls can anyone guide me how can I prepare for the interview and become interview-ready

Thank you in advance

https://redd.it/1nhlgn0
@r_devops

Our AWS bill is getting insane (>95k/mo), I'm going insane, how do we even start to lower it?

Our company's AWS bill has been steadily climbing for the past few months and it's starting to get out of control.



We don't even fully understand why. We have all the usual monitoring tools and dashboards, which tell us what services are costing the most (EC2, RDS, S3, of course), and when usage spikes. But things are still unpredictable.



It feels like we're constantly reacting. We see a spike, we investigate, maybe we find an obvious runaway process or an unoptimized query, we fix it, and then another cost center pops up somewhere else. It's getting rly fkn annoying.



We don't know which teams are contributing most to the increases in a meaningful way. We can see service usage, but translating that into "Team A's new feature" or "Team B's analytics pipeline" is a manual, time-consuming nightmare involving cross-referencing dashboards and asking around.



We don't know why specific architectural decisions or code deployments are leading to cost increases before they become a problem.



Our internal discussions about cost optimization often go in circles because everyone has anecdotal evidence, but we lack a clear, synthesized understanding of the underlying drivers. Is it dev environments? Is it staging? Is it that new batch job? Is it just general growth?. No way to validate these.



We're trying to implement FinOps principles, but without a clear way to attribute costs and understand the why behind usage patterns, it's incredibly difficult to foster a culture of cost awareness and ownership among our engineering teams. We need something that can connect the dots between our technical metrics and the actual human decisions and activities driving them.



Any advice or tips would be greatly appreciated. Also open to third party tools as long as they won't take over our account or billing.

https://redd.it/1nhlsz5
@r_devops

P50 vs P95 vs P99 Latency: What These Percentiles Actually Mean

A practical guide to understanding P50, P95, and P99 latency percentiles—why averages lie, what each percentile tells you about user experience, how to set SLOs around them, and how to collect them correctly with histograms.



https://oneuptime.com/blog/post/2025-09-15-p50-vs-p95-vs-p99-latency-percentiles/view

https://redd.it/1nhlknf
@r_devops