Built a tool that auto-fixes security vulnerabilities in PRs. Need beta testers to validate if this actually solves a problem.

DevOps/DevSecOps folks, quick question: Do you ignore security linter warnings because fixing them is a pain?

I built CodeSlick to solve this, but I've been building in isolation for 6 months. Need real users to tell me if I'm solving a real problem.

# What It Does

[](https://github.com/VitorLourenco/codeslick2/blob/claude/codeslick-marketing-posts-011CV4APdZXGdG2bV7eaNXGr/docs/marketing/REDDIT_POST.md#what-it-does)

1. Analyzes PRs for security issues (SQL injection, XSS, hardcoded secrets, etc.)
2. Posts comment with severity score (CVSS-based) and OWASP mapping
3. **Opens a fix PR automatically** (this is the new part)

So instead of:

[Bot] Found SQL injection vulnerability in auth.py:42
You: *adds to backlog*
You: *forgets about it*
You: *gets pwned in 6 months*


You get:

[CodeSlick] Found SQL injection (CVSS 9.1, CRITICAL)
[CodeSlick] Opened fix PR #123 with parameterized query
You: *reviews diff* → *merges* → *done*


# Coverage

[](https://github.com/VitorLourenco/codeslick2/blob/claude/codeslick-marketing-posts-011CV4APdZXGdG2bV7eaNXGr/docs/marketing/REDDIT_POST.md#coverage)

* 79+ security checks (OWASP Top 10 2021 compliant)
* Dependency scanning (npm, pip, Maven)
* Languages: JavaScript, TypeScript, Python, Java
* GitHub PR integration live
* Auto-fix PR creation shipping in next version (maybe next week)

# Why I'm Here

[](https://github.com/VitorLourenco/codeslick2/blob/claude/codeslick-marketing-posts-011CV4APdZXGdG2bV7eaNXGr/docs/marketing/REDDIT_POST.md#why-im-here)

I need beta testers who will:

* Use it on real repos (not toy projects)
* Tell me what's broken
* Help me figure out if auto-fix PRs are genuinely valuable
* Break my assumptions about workflows

# What's In It For You

[](https://github.com/VitorLourenco/codeslick2/blob/claude/codeslick-marketing-posts-011CV4APdZXGdG2bV7eaNXGr/docs/marketing/REDDIT_POST.md#whats-in-it-for-you)

* Free during beta
* Direct access to me (solo founder)
* Influence on roadmap
* Early-bird pricing at launch

# The Reality Check

[](https://github.com/VitorLourenco/codeslick2/blob/claude/codeslick-marketing-posts-011CV4APdZXGdG2bV7eaNXGr/docs/marketing/REDDIT_POST.md#the-reality-check)

I don't know if this is useful or over-engineered. That's why I need you. If you've been burned by security audits or compliance issues, let's talk.

**Try it:** [codeslick.dev](http://codeslick.dev) **Contact:** Comment or DM

https://redd.it/1ovbao6
@r_devops

Helm upgrades

What is the best way to handle upgrades of applications deployed by helm?

We have several deployments like ingress-nginx where we need to have custom config in services configmaps. Like tcp-services config map, and additional port that need to be added to svc.



https://redd.it/1ovbuk7
@r_devops

Kubernetes ingress-nginx is retired. Will be archived in March 2026.

> Best-effort maintenance will continue until March 2026. Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered.

> (InGate development never progressed far enough to create a mature replacement; it will also be retired.)

> SIG Network and the Security Response Committee recommend that all Ingress NGINX users begin migration to Gateway API or another Ingress controller immediately.

Link: https://www.kubernetes.dev/blog/2025/11/12/ingress-nginx-retirement/

Let the migrations begin.

https://redd.it/1ove34w
@r_devops

Giving credit ?

To make this as short as possible, I was googling ways to do use an auto schedule with lambda and long and behold, I found an aws document / article by AWS on how to do this very thing, they even included sample code from their aws-samples repo.

I can use their python lambda solution as is

I’ve never actually had a solution readily available like this - so when copying the lambdas in your PRs if you copy something like this, do you link it or reference it ? I don’t want to pass it off as my own but I’ve never done something like this - is it shameful ?

Some context - I am a noscript kidding , working on my python.

https://redd.it/1ovfglh
@r_devops

Can I realistically get a devops job with 5YOE and some certs and personal projects?

Resume: https://imgur.com/a/g4BOxRn

Currently studying CKA. Know experience > certs, but at least I can study as well as lab. And CKA is very hands on, so that would help directly. I know ppl tend to look down on certs, but after I got AWS Solutions Architect Professional, I was very confident setting up infrastructure and policies on AWS next time around. It was rigorous enough that it at least holds some weight imo.

Should I continue to do CKA as well as personal projects and open source? Or should I maybe offer my services for very low pay on upwork to get actual "experience". I feel like devops isn't one of those things where you really stick to one stack for years on end (like a Java developer who does nothing but Java for 8 years). But I could be wrong, happy to get feedback. Have touched tools related to devops even if at a light level: Dynatrace, Splunk, Terraform, K8, Docker, Jenkins. And some stacks at heavy level: Coding/Scripting, SQL, IAM

https://redd.it/1ovjsyc
@r_devops

Looking to collaborate / I’m good at sales + getting startup perks

Hey everyone,

I’ve been wanting to team up with people who are building something cool. I’m not after money right now just looking to work on real ideas that make sense and have potential.

My main strengths are in sales and partnerships (I like helping startups get their first users or clients), and I also know how to unlock startup perks like free credits, premium tools, and partner deals from places like AWS, Notion, Tiktok, etc.

Basically, if you’re building a startup and could use someone who can help with sales and save you a ton through perks, I’d love to connect and see if we can build something together.

https://redd.it/1ovlrnn
@r_devops

Expression Language Injection: When ${} Becomes Your Worst Nightmare 💀

https://instatunnel.my/blog/expression-language-injection-when-becomes-your-worst-nightmare

https://redd.it/1ovqz0i
@r_devops

Finally, a non-hacky way to build iMessage automations with TypeScript

If you’ve ever tried using AppleScript for iMessage, you know the pain.
This open-source SDK (search photon imessage kit) abstracts all that away.

You can basically treat iMessage like an API send, receive, even group chat support.
Feels like Twilio, but for iMessage.

https://redd.it/1ovsfy7
@r_devops

I have made an ai upscaler that runs locally what more should I add to app(any suggestions)

It is an ai upscaler that runs locally on Android and also contain edit , resize , background eraser, and changing image to other formats , what more can I add
And also should I publish it on playstore.

https://redd.it/1ovsy0z
@r_devops

Learning Journey Review and Guidance

Hi all,

I'm currently working as IT Support Technician and during free time, I have been learning devops. The first 2 personal projects I did was to learn as much as possible while breaking things. The first one was learning to use docker, docker compose and github actions to achieve CICD. The next one was using minikube cluster, and self hosted runner that would update the cluster after a push.

Currently, I have been building a k8s cluster from scratch, iteratively and gradually. I've used 3 VMs, one control plane node and 2 worker nodes. I have been attempting to simulate professional working environment. I have created 3 environments (namespaces in cluster and branches in github), dev, stage and prod. The app code and the manifests for the cluster are in the same repo. I also decided to document every step in a mark down file. For CI, I have created reusable workflows for both app and manifests. The app CI will only run in dev branch and it will lint, test, build, containerize and push the app in dockerhub with sha-commit tag. The manifests-ci will run a bunch of pre-deploy tests like yamllint, kube-score, conftesg, kusotmize build, etc. These reusable workflows are branch agnostic and designed to work on different event types like pull request and push. Once both the ci's results are satisfied, a tag-bump reusable workflow will run which will bump the tags from the manifests. Each app will call these workflows using it's own ci workflow with necessary inputs. I'm using ArgoCD for CD. Once a tag is changed, Argo CD will automatically deploy the latest change.

Next Steps: I'm gonna version everything in the infra like the packages I've created, the workflows and the manifests. Then, add monitoring and logging tools. Then, I'm thinking to deploy a full stack app I've created to learn about using and provisioning persistent voluumes in k8s. Next is to migrate everything to cloud, both AWS and AZURE.

Please feel free to checkout what I've done so far in detail here.

My questions to lovely peeps here:
Am I following professional standards and since Ihaven't worked as a devops engineer before,, is my attempt at simulating professional envs correct? If not, where can I improve? Also, are my next steps logical and am I thinking the right ?

Thank you very much in advance. Have a great day!

https://redd.it/1ovw75j
@r_devops

Integrating test automation into CI/CD pipelines

How are you integrating automated testing into CI/CD without slowing everything down? We’ve got a decent CI/CD pipeline in place (GitHub Actions + Docker + Kubernetes) but our testing
process is still mostly manual.


I’ve tried a few experiments with Selenium and Playwright in CI, but the test runs end up slowing deployments to a crawl. Especially when UI tests kick in. Right now we only run unit tests automatically, everything else gets verified manually before release.


How are teams efficiently automating regression or E2E testing? Basically, how do you maintain speed and reliability without sacrificing deployment frequency?


Parallelization? Test environment orchestration? Separate pipelines for smoke vs. full regression?


What am I missing here?

https://redd.it/1ovzhu1
@r_devops

what ai tools do you use for the “boring” parts of coding?

something i’ve been thinking about lately is how much of coding is actually the small, repetitive stuff that nobody talks about. not the big features or cool refactors, but the tiny things that eat time quietly. everyone uses chatgpt or copilot for broad tasks, but i’m curious about the lesser-known tools people use specifically to clean up the boring parts.

i’ve tried a few like aider for quick edits, tabnine for suggestions that don’t feel too heavy, cosine for checking how changes affect different files, and windsurf for small cleanup passes. none of these are headline tools, but they help in those moments where you just want to save ten minutes and move on.

wondering what everyone else uses for that category. which smaller ai tools or utilities help you handle the day-to-day friction points that slow you down but never make it into tutorials or tech talks?

https://redd.it/1ovz1u2
@r_devops

AI SRE Platforms: Because What DevOps Really Needed Was Another Overpriced Black Box

Oh good, another vendor has launched a “fully autonomous AI SRE platform.”
Because nothing says resilience like handing your production stack to a GPU that panics at YAML.

These pitches always read like:

>

I swear, half these platforms are just:

if (anything happens):

call LLM()

blame Kubernetes

send invoice

DevOps: “We’re trying to reduce our cloud bill.”

AI SRE platforms:
“What if… hear me out…we multiplied it?”

Every sneeze in your cluster triggers an LLM:
LLM to read logs, LLM to misinterpret logs, LLM to summarize its own confusion, LLM to generate poetic RCA haikus, LLM to hallucinate remediation steps that reboot prod

You know what isn’t reduced?

Your cloud bill, Your MTTR, Your sanity

“Use your normal SRE/DevOps workflows, add AI nodes where needed, and keep costs predictable.”

Wow.
Brilliant.
How innovative.
Why isn’t this a keynote?

But no platforms want you to: send them all your logs, your metrics, your runbooks, your hopes, your dreams, your savings, and your firstborn child (optional, but recommended for better support SLAs)

The platform:

>

Me checking logs:
It turned the cluster OFF. Off. Entirely. Like a light switch.

I’m convinced some of these “AI remediation” systems are running:

rm -rf / (trial mode)

Are these AI SRE platforms the future… or just APM vendors reincarnated with a GPU addiction?

Because at this point, I feel like we’re buying:

GPT-powered Nagios
Clippy with root access
A SaaS product that’s basically just /dev/null ingesting tokens
“Intelligent Incident Management” that’s allergic to intelligence

Let me know if any of these platforms have actually helped, or if we should all go back to grepping logs like it’s 2012.

https://redd.it/1ow1653
@r_devops

Security scanner flagged critical vulnerability in our Next.js app. The vulnerable code literally never runs in production.

got flagged for a critical vulnerability in lodash during our pre-deployment security scan. cve with a high severity score. leadership immediately asked when we're patching it.

dug into it. we use lodash in one of our build noscripts that runs during compilation. the vulnerable function never makes it to the production bundle. nextjs tree-shakes it out completely. the code doesn't even exist in our deployed application.

tried explaining this to our security team. they said "the scanner detected it in the repository so it needs to be fixed for compliance." spent three days updating lodash across the entire monorepo and testing everything just to satisfy a scanner that has no idea what actually ships to production.

meanwhile we have an actual exposed api endpoint with weak auth that nobody's looking at because it's not in the scanner's signature database.

the whole process feels backwards. we're prioritizing theoretical vulnerabilities in build tooling over actual security issues in running code because that's what the scanner can see.

starting to think static scanners just weren't built for modern javanoscript apps where most of your dependencies get compiled away.

anyone else dealing with this or found tools that understand what actually runs versus what's just sitting in node_modules.

https://redd.it/1ow3pyr
@r_devops

Working on a kubernetes and gitops

I am working on a kubernetes and gitops complex project. Touch basing even driver level things and also hardware setup that i am not understanding.
It is been 6 months and most things are going above my head. Making so many mistakes and technical debts. I dont know what to do.
Tried learning kubernetes looks simple on those video and labs but i feel the project complexity is eating me. Not sure what is wrong.
Please suggest .

https://redd.it/1ow5ax5
@r_devops

Better noscript/tool distribution to team than Colab or web-app?

I work on a small team (15 people) at a startup and am tasked with building internal tools / single and multi-use noscripts (usually in python / JS). I do a mix of Colabs with iPywidget interfaces and stand alone web apps for more complete tools. Wondering if there is a better way, since there is always a large surface area to deal with for: errors, updates, UX/UI, etc.

tldr; After you generate/code a noscript or internal process tool, how do you distribute/give this to other coworkers to use?


EDIT: for semi/non-tech coworkers mainly

https://redd.it/1ow68ea
@r_devops

How did you start your career in DevOps?

I graduated this May with a bachelor’s in computer engineering and a CS minor. I originally planned to go into software engineering, mostly web development, but I was pretty passive during undergrad and waited too long to look for internships. By the time I started applying for SWE jobs after graduation, I was way behind my classmates in experience and could not even get an interview.

Fortunately, my dad is the IT director at his company and had been struggling to fill an IT specialist role. He got me hired in June, and while it was not the career path I had in mind, I have ended up liking it more than I expected. I started with basic help desk tasks, onboarding and offboarding, and simple O365 and Active Directory work. The job was pretty boring at first and I had a lot of downtime, so I kept asking for more things to do. Now I am doing a fair amount of sysadmin work like GPO configuration, server management, and email administration.

In my downtime I've been learning PowerShell and automating pretty much everything I can get my hands on. A couple months ago finished a full onboarding automation system that integrates with Jira's API, and I learned a lot from it. Our CIO happened to notice all of the microsoft graph apps I have been making, so he created a repo in our company's Azure DevOps for me to push all my automation stuff to (I had previously been using my personal Github).

Since then I’ve built a few small projects in my down time. One was a simple web app that shows password expiry info for our AD users. I wrote the backend logic, threw together a basic frontend, and packaged it in Docker so I could deploy it on one of our servers. Working through that whole build, containerize, deploy workflow made me realize I actually really enjoy the DevOps side of things. I still have a lot to learn, but all this has gotten me thinking about a potential career in this field.

For others already in the field: how did you get started, especially if you came from help desk or sysadmin work? And what should I be doing if my goal is to eventually move into a DevOps role?

TL:DR: Currently working in IT with a mix of sysadmin responsibilities, wondering how others got into DevOps now that I am interested in the field.

https://redd.it/1ow7yu3
@r_devops

Snyk is not finding the same base image vulnerabilities as jfrog

Short version: We scan our docker images using snyk. We have a customer than scans then using jfrog. We got a report from the customer that shows medium and low base image vulnerabilities from their jfrog scan that our snyk scan doesn't show.

Medium and low are outside of our SLA but in principle I don't like this. I don't like not having all the info.

I've been playing with snyk settings but I can't reproduce the jfrog results. Does anyone know any nice little snyk tricks to fix this? We are using the default security policy.

https://redd.it/1ow80sn
@r_devops

How is devops in New Zealand?

I'm looking to immigrate, working with a firm and currently applying to positions, but I've only just started my search. I've been in DevOps orgs for over 14 years mostly jumping around from SRE, Platform engineering, and "DevOps Engineer", but have spent some time as a SWE as well. Are things super competitive in the senior/principal/staff positions? Are companies generally pretty decent to employees? Anyone looking to hire an immigrant, lol?

https://redd.it/1owbvkn
@r_devops

Automating Jira releases from my CI/CD Pipeline

Hi!

I want to know if I'm on the right track with my idea. Here is my problem/status quo:

* BitBucket and Jira
* Software repo pipeline builds container images and updates GitOps repo with new image tags
* GitOps repo deploys container images to different production environments
* Software repo is integrated with Jira and development information is visible in Jira work items
* I have no information in Jira work items about the actual deployments
* Releases/Versions in Jira are created manually and someone has to set that version on the work items
* DORA metrics are wrong (especially change lead time)


My plan:

* Run semantic-release in my software repo pipeline
* Build container images and tag them with the version from semantic-release
* Run a noscript to create an unreleased version in Jira and update all work items with that version (fixVersions field) using the work item reference in the commit message
* Trigger a deployment pipeline in my GitOps repo that runs a noscript that:
* Get all work items for that release from the Jira API
* Use the [Jira Deployments API](https://developer.atlassian.com/cloud/jira/software/rest/api-group-deployments/#api-group-deployments) to add deployment information on work items
* Set the release in Jira as 'released' with the correct release date
* Have correct DORA metrics
* No manual interaction
* Release management in Jira is driven by my git versions

Has anyone done something like this? Are there better ways to do this? Good tools?


Thanks for reading this mess 😘

https://redd.it/1owcuiv
@r_devops

How confident are you that your container images aren't compromised at build time?

I've been digging into our container supply chain and it's frankly terrifying. We pull base images from Docker Hub, npm packages from who knows where, and our build process has zero visibility into what's actually getting baked in.

Had a security audit last month and they asked for signed SBOMs. We had nothing. Asked about provenance attestation, we had none. Meanwhile we're shipping containers with 500+ CVEs because our base images are bloated with stuff we don't even use.

What's everyone doing beyond trust but don't verify? Are you signing everything? How do you even audit this mess at scale?



https://redd.it/1owfer2
@r_devops