General Discussions
Gabriel Eweka, 18 days ago
Hey everyone 👋
That whole Claude Code npm leak last week really got my attention: basically, one small packaging mistake ended up exposing a huge amount of source code, and attackers started taking advantage of it almost immediately by uploading malicious versions of packages and impersonating internal ones. Pretty crazy how fast that escalated.
It made me realize how many pipelines just build and ship code without really checking if what’s being deployed is safe or verified.
So I’ve been experimenting with a setup in my homelab where I:
• generate a list of everything inside my builds (SBOMs)
• sign my container images using Cosign
• add some basic verification rules using Kyverno so only trusted images can run
I’m also looking into SLSA, but still wrapping my head around that part.
Not sure yet how much this would actually help in a real-world incident like that, but it’s been a really good learning experience so far.
Would love to hear how others are thinking about this or handling it in practice — still learning here 🙏
Gabriel Eweka, 18 days ago
Basically, the goal is simple: make sure every container image that runs in production can answer three questions: what's inside it, who built it, and was it tampered with? If it can't answer all three, it doesn't get in.
DE, 18 days ago
Hello everyone, a problem we are having is that CODEOWNERS protects filenames, for example `*elasticache*` for the dba-team to approve. However, we need to have some sort of CODEOWNERS based on TF plans and the resources affected. Does Atmos or AtmosPro provide this functionality? (i.e., if a plan touches a PRD database, we need the dba-team to approve)
Priyanshu Raturi, 17 days ago
hello
Mauricio Batista, 16 days ago
Hi, Any recommendations for getting into Toptal? I'm trying to join the platform—do you think I should start networking daily?
JS, 3 days ago
Hi guys, does anybody know if it is possible to learn AWS (how to build an AI Landing Zone) on the Free Tier (using OpenSearch, Bedrock, AppFlow, Amazon Q)? I need to learn it; I'm a self-taught student.
JS, 3 days ago
I need to learn EKS in depth too, but I need to practice with the new Gateway API on EKS, and if I learn with k8s on my local computer, I can't learn the real (production) problems well, and AWS is very expensive for me (I'm not a company).