Sonarqube and other Code Qualify with mono repo support

So we have been using sonarqube for a while, but our dev team feels its a bit clunky - running the self hosted dev version, but the issue is the next jump to enterprise just to utilize the AI suggestions cost 25k USD a year, and way over my budget.

I have been looking around for alternatives, and some might have tested some. The two requirements we have is support for self hosted GitLab and support for monorepos, and some kind of AI suggestions (Not AI auto correct, but AI suggestions) - could be self hosted or managed.

The only tool I have ruled out if Qudona, because of Jetbrains non existing support

And yes, I have done google searches, but most of the tools pretty much say the same "im the best", but might be better options. I prefer a software that looks modern at least and a good UI/flow.

If it can integrate in Rider etc its a plus (yes I hate Jetbrains support, but he IDE is fine)

https://redd.it/1pfjcs9
@r_devops

can you actually automate end to end testing without coding or is that fantasy?

Non technical founder here trying to figure out testing for our saas product. We have 2 developers and they're focused on building features, don't have bandwidth to also become testing experts.

I keep seeing ads for tools that claim you can automate testing without writing code, just record what you're doing and it creates tests automatically. Sounds too good to be true but figured i'd ask if anyone has actually used these successfully.

Main concern is we keep shipping bugs to customers and it's embarrassing. Need some way to catch obvious issues before they go live but don't have budget to hire qa team yet.

Is no code test automation legit or am i gonna waste money on something that doesn't actually work? Would rather pay for a tool than have developers spend weeks learning selenium if there's a faster option.

https://redd.it/1pfksec
@r_devops

Help for Survey Needed😊

https://forms.office.com/r/E3RGz3Y0B3
Hi all, I’m working on my Final Year Project and I need your help! If you’re a Solution Architect, DevOps Engineer, Cloud Engineer, or anyone who wrangles cloud infrastructure for a living, I’d love to hear from you.



Cloud outages, failovers, DR drills that never happen—if these sound familiar, this survey is for you. I’m researching how teams actually handle cloud reliability and disaster recovery in the real world (not just what the documentation says), and your insights will help shape a practical automated multi-cloud DR/failover solution.



The survey only takes 5–7 minutes, everything is anonymous, and your experience could genuinely influence a tool designed for people like you.



If you have a moment, I’d really appreciate your input—thanks for helping make my FYP a little less painful and a lot more meaningful!

https://redd.it/1pfpnn9
@r_devops

Beginner in AWS: need mock papers resources and project recommendation

Asking again - I’ve been learning AWS for the past 2-3 months, along with Terraform, Gitlab, Kubernetes, and Docker through YouTube tutorials and hands-on practice. I’m now looking to work on more structured, real-world projects - possibly even contributing to public cloud related projects to build practical experience.

I’m also planning to take the AWS Cloud Practitioner exam. Could anyone suggest resources or websites that offer mock tests in an exam-like environment? Also, any recommendations for platforms where I can find beginner-friendly cloud projects to build my portfolio would be greatly appreciated.

https://redd.it/1pfpg1p
@r_devops

Self-learner seeking guidance. I want to know which of these online courses (CS50x and Helsinki Python Mooc) would be more useful if I want to build towards a devops job and what I should learn beyond them.

Basically as a beginner starting from scratch I would like to know which of these introductory programming courses would lay a foundation for learning devops. One is based on C and CS fundamentals (CS50x) and the other is based on python(Helsinki).

Other than these what else should I learn if I want to lay a foundation for devops and what resources should I look up? Like I looked into other threads and found this.

https://www.reddit.com/r/devops/comments/1bifxf7/comment/kvk7y17/?utmsource=share&utmmedium=mweb3x&utmname=mweb3xcss&utmterm=1&utmcontent=sharebutton

> I recommend https://www.linuxfromscratch.org/ and https://beej.us/guide/bgnet/ and later ansible/terraform/k8s/ci/etc for anyone who wants to have a serious career.

Is something like this necessary? Any advise would be appreciated.

https://redd.it/1pft0mm
@r_devops

reducing the cold start time for pods

hey so i am trying to reduce the startup time for my pods in GKE, so basically its for browser automation. But my role is to focus on reducing the time (right now it takes 15 to 20 seconds) , i have come across possible solutions like pre pulling image using Daemon set, adding priority class, adding resource requests not only limits. The image is gcr so i dont think the image is the problem. Any more insight would be helpful, thanks

https://redd.it/1pfukjc
@r_devops

Looking for Guidance & Referrals in DevOps — Tough Year, Still Trying to Stand Strong

Hi everyone,
I hope you're all doing well. I don’t usually post things like this, but today I really needed to take a chance and reach out.

This year has been extremely difficult for me — I’ve faced losses both in my family and in my personal life. Through it all, I’ve tried to stay focused on my work and on becoming a better version of myself every day. But lately things have become emotionally and mentally exhausting.

I’m currently working in a service-based company, but I feel stuck and burned out. I’m passionate about DevOps and truly want to grow in this field I have 2.5 years of work ex. I’m actively looking for opportunities where I can contribute, learn, and be part of a team that values ownership, automation, and good engineering culture.

If anyone here is hiring for DevOps / SRE / Platform Engineering roles or knows someone who is, a referral or even guidance would mean a lot to me right now. I’m not looking for sympathy — only for a fair chance to prove myself.

Here’s my LinkedIn if someone wants to connect or check my profile:
🔗 **linkedin.com/in/nipun-kumar-85544a190/**

Thank you to everyone who took the time to read this. Even a small suggestion or connection can make a big difference. I truly appreciate it. 🙏

https://redd.it/1pfvkcq
@r_devops

🚀 Announcing Guardon v0.4 — Real-Time Kubernetes YAML Validation in Your Browser!

Hi everyone! 👋

I’m thrilled to share the release of **Guardon v0.4**, a browser extension that validates Kubernetes YAML *directly inside GitHub and GitLab* — no clusters, servers, or CI pipelines required. This release brings a major leap forward in usability, policy coverage, collaboration, and real-world cluster alignment.

# ✨ What’s New in v0.4

# 🔧 Interactive Rule Management

Create, edit, group, and organize rules visually — no coding required.

# 📦 Import & Export Rule Packs

Instantly load policy bundles, including:

* Custom enterprise rule packs

# ⚡ Live YAML Validation + Autofix

As you browse PRs, files, and diffs, Guardon:

* Detects misconfigurations in real time
* Provides actionable explanations
* Suggests copy-paste–ready fixes

# 📘 OpenAPI & CRD Schema Import

Validate manifests against **your actual cluster schema** for true environment-specific accuracy.

# 🤝 Collaboration & Team Workflows

Share rule packs, annotate findings, exchange feedback, and standardize policies across teams.

# 🧩 No-Code / Low-Code Policy Authoring

Enable security, DevOps, and platform teams to define guardrails without writing complex policy code.

# 🔒 Privacy-First Architecture

Everything runs locally in your browser.
No data leaves your machine — ever.

# 🔗 Useful Links

* **📘 README & Documentation:** [*https://github.com/guardon-dev/guardon/blob/main/README.md*](https://github.com/guardon-dev/guardon/blob/main/README.md)
* **🧩 Chrome Extension:** [*https://chromewebstore.google.com/detail/jhhegdmiakbocegfcfjngkodicpjkgpb?utm\_source=item-share-cb*](https://chromewebstore.google.com/detail/jhhegdmiakbocegfcfjngkodicpjkgpb?utm_source=item-share-cb)
* **💻 GitHub Repository:** [*https://github.com/guardon-dev/guardon*](https://github.com/guardon-dev/guardon)



# 🌐 Community & CNCF Journey

Guardon has successfully completed the **CNCF TAG-Security self-assessment**, and I’m actively working toward **CNCF Sandbox submission**. Community adoption, contributors, and early feedback will be critical to shaping its future direction.

# 🙏 Looking for Feedback & Contributors

Your feedback, suggestions, and contributions mean a lot!
Please give Guardon a try, share your thoughts, and help build the next generation of Kubernetes security tooling.

Thanks for your support — and more exciting updates are on the way! 🚀

https://redd.it/1pfuzse
@r_devops

Digital Ocean's bandwidth pricing is criminal. Any alternatives for image hosting?

 I run a small image hosting service for a niche community. My droplet bill is fine, but the bandwidth overage fees on Digital Ocean are starting to cost more than the server itself.

I am testing a migration to virtarix because they claim unmetered bandwidth on their NVMe plans. It almost feels too good to be true. I moved a backup bucket there last week and transfer speeds were consistent, but I am worried about hidden "fair use" caps.

Has anyone pushed more than 10TB/month through their pipes? Did they throttle you?



https://redd.it/1pfyc2d
@r_devops

is it possible to see request and response for API call in Dynatrace?

Hi All!
is it possible to see request and response for HTTP/Rest API in Dynatrace? I couldn't find it. It detects an API call but I cannot find what was the request

https://redd.it/1pfuqab
@r_devops

can you actually automate end to end testing without coding or is that fantasy?

Non technical founder here trying to figure out testing for our saas product. We have 2 developers and they're focused on building features, don't have bandwidth to also become testing experts.

I keep seeing ads for tools that claim you can automate testing without writing code, just record what you're doing and it creates tests automatically. Sounds too good to be true but figured i'd ask if anyone has actually used these successfully.

Main concern is we keep shipping bugs to customers and it's embarrassing. Need some way to catch obvious issues before they go live but don't have budget to hire qa team yet.

Is no code test automation legit or am i gonna waste money on something that doesn't actually work? Would rather pay for a tool than have developers spend weeks learning selenium if there's a faster option.

https://redd.it/1pg6gj5
@r_devops

Built a GitHub based life metrics tracker

I've been journaling my daily metrics (mood, sleep, exercise, habits) for a while and wanted a better way to visualize the data without giving it to some random app.

So I built Gitffy - a life metrics dashboard that reads from a markdown file in your private GitHub repo.

How it works:

\- You maintain a life.md file in a private repo with daily entries

\- Connect Gitffy to your GitHub (via GitHub App)

\- It parses the markdown and shows charts, trends, and insights

\- Auto-syncs when you push changes - no manual uploads

Example entry format:

\## 2024-12-07

\- mood: 8

\- sleep: 7.5

\- exercise: running

\- coffee: 2

\- productivity: 7

Features:

\- Multiple chart types (line, bar, radar, etc.)

\- Dark/light mode

\- AI-powered insights (optional, uses Gemini)

\- Timeline and day-detail views

\- Your data stays in YOUR repo

Why GitHub?

\- Version history for free

\- Private repos = your data stays private

\- Edit from anywhere (phone, VS Code, etc.)

\- No vendor lock-in - it's just markdown

Live at: gitffy.com

Payments not live yet

Would love feedback! What metrics do you track daily?

https://redd.it/1pg7tsg
@r_devops

For people who are on-call: What actually helps you debug incidents (beyond “just roll back”)?

I’m a PhD student working on program repair / debugging and I really want my research to actually help SREs and DevOps engineers. I’m researching how SRE/DevOps teams actually handle incidents.

Some questions for people who are on-call / close to incidents:

1. Hardest part of an incident today?
* Finding real root cause vs noise?
* Figuring out what changed (deploys, flags, config)?
* Mapping symptoms → right service/owner/code?
* Jumping between Datadog/logs/Jira/GitHub/Slack/runbooks?
2. Apart from “roll back,” what do you actually do?
* What tools do you open first?
* What’s your usual path from alert → “aha, it’s here”?
3. How do you search across everything?
* Do you use standard ELK stack?
4. Tried any “AI SRE” / AIOps / copilot features? (Datadog Watchdog/Bits, Dynatrace Davis, PagerDuty AIOps, [incident.io](http://incident.io) AI, Traversal or Deductive etc.)
* Did any of them actually help in a real incident?
* If not, what’s the biggest gap?
5. If one thing could be magically solved for you during incidents, what would it be? (e.g., “show me the most likely bad deploy/PR”, “surface similar past incidents + fixes”, “auto-assemble context in one place”, or something else entirely.)

I’m happy to read long replies or specific war stories. Your answers will directly shape what I work on, so any insight is genuinely appreciated. Feel free to also share anything I haven’t asked about 🙏

https://redd.it/1pg8e1c
@r_devops

Cloud Metadata Service Exploitation: IMDSv1's Open Door to AWS Credentials ☁️

https://instatunnel.my/blog/cloud-metadata-service-exploitation-imdsv1s-open-door-to-aws-credentials

https://redd.it/1pg8qkr
@r_devops

Built a self-service platform with approvals and SSO. Single Binary

I wanted to share Flowctl which is an open-source self-service platform that can be used to turn noscripts into self-service offerings securely. This is an alternative to Rundeck. It supports remote execution via SSH. There is in-built support for SSO and approvals. Executions can wait for actions to be approved.

Workflow definitions are simple YAML files that can be version controlled. Flows are defined as a list of actions that can either run locally or on remote nodes. These actions can use different executors to run the noscripts.

I built Flowctl because I wanted a lighter-weight alternative to Rundeck that was easier to configure and version control. Key features like SSO and approvals are available out of the box without enterprise licensing.

## Features

SSO and RBAC
Approvals
Namespace isolation
Encrypted executions secrets and SSH credentials
Execution on remote nodes via SSH
Docker and noscript executors
Cron based scheduling
YAML/HUML based workflow definitions.

## Use Cases

Database migrations with approval
Incident response
Server maintenance
Infra provisioning with approvals

Homepage - https://flowctl.net
GitHub - https://github.com/cvhariharan/flowctl

https://redd.it/1pgbtiv
@r_devops

Certificate Ripper v2.6.0 released - tool to extract server certificates

* Added support for:
* wss (WebSocket Secure)
* ftps (File Transfer Protocol Secure)
* smtps (Simple Mail Transfer Protocol Secure)
* imaps (Internet Message Access Protocol Secure)
* Bumped dependencies
* Added filtering option (leaf, intermediate, root)
* Added Java DSL
* Support for Cyrillic characters on Windows

You can find/view the tool here: [GitHub - Certificate Ripper](https://github.com/Hakky54/certificate-ripper)

https://redd.it/1pge830
@r_devops

Sophisticated rate limits as a service: please roast!

Hi everyone,



I’m a backend / infra engineer with \~20 years of experience.

Right now I’m building a very boring but, I think, painful-problem tool:



**API governance + rate limits + anomaly alerts as a service.**



The goal is simple:

to catch and stop things like:

\- runaway cron jobs

\- infinite webhook loops

\- abusive or buggy clients

\- sudden API/cloud bill explosions



This is NOT:

\- an AI chatbot

\- not just metrics/observability

\- not another generic Nginx limiter



It’s focused on:

\- real-time enforcement

\- per-tenant / per-route policies

\- hard + soft limits

\- alerts + audit trail



Think:

\> “a strict traffic cop for your API, focused on cost control and abuse prevention.”

\---



I’m trying to validate this against real-world pain before I overbuild.



A few quick questions:

1) Have you personally seen runaway API usage or a surprise bill?

2) How do you protect against this today?

(Nginx? Redis counters? Cloudflare? Custom noscripts? Just hope?)

3) What would be a *must-have* feature for you in such a tool?



Not selling anything yet — just doing customer discovery.

Brutal, technical feedback is very welcome.

https://redd.it/1pge56p
@r_devops

Bitbucket to GitHub + Actions (self-hosted) Migration

Our engineering department is moving our entire operation from bitbucket to github, and we're struggling with a few fundamental changes in how github handles things compared to bitbucket projects.

We have about 70 repositories in our department, and we are looking for real world advice on how to manage this scale, especially since we aren't organization level administrators.

Here are the four big areas we're trying to figure out:

# 1. Managing Secrets and Credentials

In bitbucket, secrets were often stored in jenkins/our build server. Now that we're using github actions, we need a better, more secure approach for things like cloud provider keys, database credentials, and artifactory tokens.

Where do you store high-value secrets? Do you rely on github organization secrets (which feel a bit basic) or do you integrate with a dedicated vault like hashicorp vault or aws/azure key vault?
How do you fetch them securely? If you use an external vault, what's the recommended secure, passwordless way for a github action to grab a secret? We've heard about OIDC - is this the standard and how hard is it to set up?

# 2. Best Way to Use jfrog

We rely heavily on artifactory (for packages) and xray (for security scanning).

What are the best practices for integrating jfrog with github actions?
How do you securely pass artifactory tokens to your build pipelines?

# 3. Managing Repositories at Scale (70+ Repos)

In bitbucket, we had a single "project" folder for our entire department, making it easy to apply the same permissions and rules to all 70 repos at once. github doesn't have this.

How do you enforce consistent rules (like required checks, branch protection, or team access) across dozens of repos when you don't control the organization's settings?
Configuration as Code (CaC): Is using terraform (or similar tools) to manage our repository settings and github rulesets the recommended way to handle this scale and keep things in sync?

# 4. Tracking Build Health and Performance

We need to track more than just if a pipeline passed or failed. We want to monitor the stability, performance, and flakiness of our builds over time.

What are the best tools or services you use to monitor and track CI/CD performance and stability within github actions?
Are people generally exporting this data to monitoring systems or using specialized github-focused tools?

Any advice, especially from those who have done this specific migration, would be incredibly helpful! Thanks!

https://redd.it/1pghkmk
@r_devops

Do tools like Semgrep or Snyk Upload Any Part of My Codebase?

Hey everyone, quick question. How much of my codebase actually gets sent to third-party servers when using tools like Semgrep or Snyk? I’m working on something that involves confidential code, so I want to be sure nothing sensitive is shared.

https://redd.it/1pgkwq3
@r_devops

Anyone else hit by Sha1-Hulud 2.0 transitive NPM infections in CI builds?

My team got hit months ago, three different Node.js microservices pulling malicious packages through transitive deps we didn't even know existed. Our SBOM tooling caught it but only after images were already built and tagged.

The bottleneck is we're running legacy base images with hundreds of CVEs each, so when the real threat shows up it gets buried in noise. Spent hours last week mapping which services were affected because our dependency graphs are a mess. We have never recovered.

Anyone found a clean way to block these at build time without breaking your CI pipeline? We don’t want a repeat ever.

https://redd.it/1pglm8j
@r_devops

Final Year Project in DevOps

Hi Guys,
I am in my Final year of my BSc and am cleat that I want to pursue my career in DevOps. I already have AWS cloud practitioner and Terraform Associate certification. I would like suggestions on what my Final year project should be. I want it to help me stand out from other candidates in future when applying for jobs. I would really appreciate your thoughts.

https://redd.it/1pgl52u
@r_devops