Best of CI/CD · March 2026

  1. Article · Laravel News · 11w

    Ward: A Security Scanner for Laravel

    Ward is a Go-based command-line security scanner built specifically for Laravel projects. It parses Laravel's structure (routes, models, controllers, Blade templates, config files, env vars, dependencies) and runs four targeted scan engines: env-scanner, config-scanner, dependency-scanner (using live OSV.dev data), and a rules-scanner with 42 built-in rules covering secrets, injection, XSS, weak crypto, and more. It features a terminal UI, multiple output formats (JSON, SARIF, HTML, Markdown), CI/CD integration with exit-code gating, baseline management to track acknowledged findings, custom rule support, and scan history diffing.
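    The exit-code gating and baseline pattern described above, as an added example (this is not Ward's own code, and it uses none of Ward's flags or baseline file format): a generic SARIF 2.1.0 consumer that fingerprints each finding, ignores fingerprints already acknowledged in a baseline, and returns a non-zero CI exit code only when something new appears. The SARIF document and the baseline are constructed inline.

```python
"""Gate a CI job on *new* SARIF findings only.

Added example, not Ward's code: a generic SARIF 2.1.0 consumer that
implements exit-code gating plus a baseline of acknowledged findings.
The sample SARIF below is constructed, not real scanner output.
"""
import hashlib
import json
import sys

# Constructed sample SARIF output (rule ids and paths are illustrative).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "secrets.hardcoded-key", "level": "error",
             "message": {"text": "Hardcoded API key"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "config/services.php"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "xss.unescaped-blade", "level": "warning",
             "message": {"text": "Unescaped output {!! !!}"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "resources/views/post.blade.php"},
                 "region": {"startLine": 40}}}]},
            {"ruleId": "crypto.weak-hash", "level": "warning",
             "message": {"text": "md5() used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/Models/User.php"},
                 "region": {"startLine": 77}}}]},
        ],
    }],
})


def fingerprint(result: dict) -> str:
    """Stable identity for a finding: rule id + file + message text.

    The line number is deliberately excluded so an acknowledged finding
    does not look 'new' every time unrelated edits shift it a few lines.
    """
    loc = result.get("locations", [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "")
    key = "|".join([result.get("ruleId", ""), uri,
                    result.get("message", {}).get("text", "")])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def load_results(sarif_text: str) -> list[dict]:
    """Flatten results across all runs in a SARIF document."""
    doc = json.loads(sarif_text)
    return [r for run in doc.get("runs", []) for r in run.get("results", [])]


def new_findings(sarif_text: str, baseline: set[str],
                 fail_levels=("error", "warning")) -> list[dict]:
    """Findings at a gating level whose fingerprint is not in the baseline."""
    return [r for r in load_results(sarif_text)
            if r.get("level", "warning") in fail_levels
            and fingerprint(r) not in baseline]


def gate(sarif_text: str, baseline: set[str]) -> int:
    """CI exit code: 0 when nothing new, 1 when at least one new finding."""
    fresh = new_findings(sarif_text, baseline)
    for r in fresh:
        loc = r["locations"][0]["physicalLocation"]
        print(f"NEW {r['level']}: {r['ruleId']} at "
              f"{loc['artifactLocation']['uri']}:{loc['region']['startLine']}")
    return 1 if fresh else 0


if __name__ == "__main__":
    # Constructed baseline: the team has acknowledged the weak-hash finding,
    # so only the other two findings should fail the job.
    acknowledged = {fingerprint(r) for r in load_results(SAMPLE_SARIF)
                    if r["ruleId"] == "crypto.weak-hash"}
    sys.exit(gate(SAMPLE_SARIF, acknowledged))
```

    Keeping the baseline as a committed set of fingerprints (rather than suppressing rules wholesale) means a reviewer can see exactly which findings were accepted, and a finding that moves to a different file or changes its message surfaces again as new.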

  2. Article · freeCodeCamp · 10w

    CI/CD in Production with Jenkins

    A 17-hour Jenkins course covering CI/CD from fundamentals to production-grade DevSecOps has been released on freeCodeCamp's YouTube channel. Topics include modern SDLC, CI/CD concepts, branching strategies, Jenkins basics and installation, freestyle jobs, pipelines, multibranch pipelines, Maven for DevOps, DevSecOps, and Jenkins shared libraries. A hands-on project builds and deploys a Dockerized Flask app.

  3. Article · ByteByteGo · 10w

    How Stripe’s Minions Ship 1,300 PRs a Week

    Stripe runs over 1,300 fully automated pull requests per week using internal coding agents called Minions. These agents run unattended: they spin up isolated cloud machines in under ten seconds, read documentation, write code, run linters, and submit PRs ready for human review. The system works because of four foundational layers: isolated devbox environments built for human engineers long before LLMs existed, hybrid 'blueprint' orchestration that mixes deterministic steps with agentic loops, curated context delivery via scoped rule files and a centralized MCP tool server called Toolshed, and fast feedback loops capped at two CI rounds to avoid diminishing returns. The key insight is that strong developer infrastructure (test suites, isolated environments, fast feedback) is the prerequisite for effective coding agents, not model selection.

  4. Article · daniel.haxx.se · 8w

    Don’t trust, verify

    Daniel Stenberg, curl's creator, outlines the security and verification practices the curl project employs to protect one of the world's most widely used software components. He enumerates realistic attack vectors, from insider threats and credential breaches to CI pipeline compromises and supply chain attacks, and explains how curl counters them through 21 specific practices, including strict code style enforcement, banning binary blobs and Unicode obfuscation, mandatory 2FA, 200+ CI jobs, fuzzing via OSS-Fuzz, valgrind/sanitizer runs, torture tests, external audits, and a public verification page. He urges users to independently verify curl releases and to demand similar transparency from all software dependencies.
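    Two of the practices listed above, banning binary blobs and banning Unicode obfuscation, as an added example (this is not curl's own tooling): a minimal pre-commit style check that rejects files which are not valid UTF-8 text or contain NUL bytes, and flags bidirectional-override and zero-width code points that can make the source a reviewer reads differ from what the compiler sees. The three input files are constructed inline.

```python
"""Reject binary blobs and Unicode obfuscation in files about to be committed.

Added example, not curl's tooling. Two checks:
  (a) 'binary blob': NUL bytes or undecodable UTF-8;
  (b) 'Unicode obfuscation': bidi overrides/isolates, zero-width characters
      and other invisible format characters in source text.
Inputs below are constructed, not taken from the curl repository.
"""
import unicodedata

# Bidirectional controls and zero-width characters. In source code these are
# almost never legitimate and should stop the commit for human review.
SUSPICIOUS = {
    0x202A: "LRE", 0x202B: "RLE", 0x202C: "PDF", 0x202D: "LRO", 0x202E: "RLO",
    0x2066: "LRI", 0x2067: "RLI", 0x2068: "FSI", 0x2069: "PDI",
    0x200B: "ZWSP", 0x200C: "ZWNJ", 0x200D: "ZWJ", 0x2060: "WJ",
    0xFEFF: "BOM/ZWNBSP",
}


def is_binary(data: bytes) -> bool:
    """Treat NUL bytes or invalid UTF-8 as a binary blob."""
    if b"\x00" in data:
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def find_obfuscation(text: str) -> list[tuple[int, int, str]]:
    """Return (line, column, description) for every suspicious code point."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in SUSPICIOUS:
                hits.append((lineno, col, f"U+{cp:04X} {SUSPICIOUS[cp]}"))
            elif unicodedata.category(ch) == "Cf":
                # Any other invisible format character (e.g. soft hyphen).
                hits.append((lineno, col, f"U+{cp:04X} format char"))
    return hits


def check_file(name: str, data: bytes) -> list[str]:
    """Human-readable problems for one file; an empty list means clean."""
    if is_binary(data):
        return [f"{name}: binary content (NUL byte or invalid UTF-8)"]
    return [f"{name}:{ln}:{col}: {what}"
            for ln, col, what in find_obfuscation(data.decode("utf-8"))]


# Constructed inputs. TROJAN uses an RLO plus isolates so that the text a
# reviewer sees ("if (is_admin) { ... }") is not what the compiler parses.
CLEAN = b"int main(void) { return 0; }\n"
TROJAN = ("/* begin admin check */ if (is_admin\u202E \u2066) {\u2069 \u2066*/"
          " return 1; }\n").encode("utf-8")
BLOB = b"\x7fELF\x02\x01\x01\x00\x00"

if __name__ == "__main__":
    for name, data in [("main.c", CLEAN), ("auth.c", TROJAN), ("helper.bin", BLOB)]:
        for line in check_file(name, data) or [f"{name}: ok"]:
            print(line)
```

    Wire it up by running check_file over every staged path and refusing the commit when any list is non-empty; the same function is cheap enough to run again in CI so a contributor cannot bypass it locally.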

  5. Article · Kent C. Dodds · 10w

    Migrating to Workspaces and Nx

    Kent C. Dodds shares his experience migrating kentcdodds.com from an informal multi-package repo to a proper npm workspaces monorepo with Nx. The repo already had multiple deployable services (a React Router site, OAuth worker, audio worker, and Docker container), but each had its own lockfile and no shared workspace structure. The migration moved all services under services/*, consolidated lockfiles, and added minimal Nx config for caching. Three notable breakages emerged: Node rejecting package import aliases that pointed outside the new package boundary, production going down because hardcoded GitHub API content paths didn't reflect the new directory structure, and Docker stages missing Prisma schema files. CI was also restructured to install only per-service dependencies. The key takeaway: structural refactors expose hidden assumptions, and AI coding agents should be made to prove correctness rather than just claim confidence.

  6. Article · JetBrains · 10w

    How We Taught AI Agents to See the Bigger Picture

    AI agents writing code for large legacy codebases tend to repeat outdated patterns because they mistake frequency for correctness. The JetBrains TeamCity team tackled this by building CommitAtlas, an internal tool that mines Git history to extract accepted patterns, naming conventions, and migration examples. Before writing code, agents query CommitAtlas for task-specific guidance derived from real, reviewed commits rather than raw codebase frequency. This approach reduced pull request rejections and helped agents produce code that fits the project's evolving standards rather than its historical defaults. The core insight: repository history is implicit documentation, and giving agents access to it bridges the gap between technically correct and genuinely acceptable code.

  7. Article · RUBYLAND · 10w

    From Heroku to Render

    A developer migrates a personal Rails photo-sharing app from Heroku to Render after Heroku announced that it was entering maintenance mode. After a failed attempt with Fly.io, abandoned because of confusing setup and validation errors, Render proved straightforward: Docker-based deployment pulling from GitHub's container registry, easy PostgreSQL setup with automatic DATABASE_URL linking, a simple database restore using heroku pg:backups and pg_restore, and a smooth DNS cutover. The whole process required little manual configuration even compared with Heroku's classic git-push workflow, and the author praises Render's UI simplicity compared to AWS.

  8. Article · OctopusDeploy · 8w

    Verified Argo CD deployments

    Octopus Deploy has added a step verification feature to its Argo CD integration, allowing deployments to wait until Argo CD applications are healthy before proceeding. Three verification modes are available: direct commit (the existing behavior), waiting for the pull request to be merged, and waiting for the Argo CD application to report healthy. A trigger sync option is also introduced to speed up deployments. The post explains how Octopus tracks intended changes using JSON patches and file hashes, and introduces the concept of 'Git drift' to handle scenarios where Argo CD's view diverges from the changes Octopus committed. The feature is available from version 2026.1.
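    The idea of recording an intended change as a JSON patch plus a hash of the resulting file, then checking for Git drift before trusting the Argo CD health signal, as an added example (this is an illustration of the concept, not Octopus Deploy's implementation, whose storage format and patch engine are not described here). The patch engine supports only the RFC 6902 operations the example needs (add, replace, remove on JSON pointers), and the manifest is a constructed JSON stand-in for a values file.

```python
"""Record an intended Git change and detect 'Git drift' before trusting sync.

Added example, not Octopus Deploy's implementation. The deployer stores the
JSON patch it applied and the hash of the file it expects to see in Git;
a later check compares that hash with what Git actually holds. If another
commit changed the file, Argo CD being 'healthy' no longer proves that
*our* change is what got deployed.
Minimal RFC 6902 support: add / replace / remove on JSON pointers.
"""
import copy
import hashlib
import json


def _resolve(doc, pointer: str):
    """Walk a JSON pointer and return (parent_container, last_key)."""
    parts = [p.replace("~1", "/").replace("~0", "~")
             for p in pointer.lstrip("/").split("/")]
    node = doc
    for p in parts[:-1]:
        node = node[int(p)] if isinstance(node, list) else node[p]
    last = parts[-1]
    if isinstance(node, list) and last != "-":
        return node, int(last)
    return node, last


def apply_patch(doc: dict, ops: list[dict]) -> dict:
    """Apply a list of RFC 6902 operations to a copy of doc."""
    out = copy.deepcopy(doc)
    for op in ops:
        parent, key = _resolve(out, op["path"])
        if op["op"] in ("add", "replace"):
            if isinstance(parent, list) and key == "-":
                parent.append(op["value"])
            else:
                parent[key] = op["value"]
        elif op["op"] == "remove":
            del parent[key]
        else:
            raise ValueError(f"unsupported op {op['op']}")
    return out


def canonical(doc: dict) -> str:
    """Deterministic serialization so equal documents hash equally."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def file_hash(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


def record_intent(current_text: str, ops: list[dict]) -> dict:
    """What the deployer persists: the patch and the hash it expects in Git."""
    new_text = canonical(apply_patch(json.loads(current_text), ops))
    return {"patch": ops, "expected_hash": file_hash(new_text),
            "expected_text": new_text}


def check_drift(intent: dict, text_in_git: str) -> str:
    """'in-sync' if Git holds exactly the file we committed, else 'drift'."""
    actual = file_hash(canonical(json.loads(text_in_git)))
    return "in-sync" if actual == intent["expected_hash"] else "drift"


# Constructed manifest and intended change (an image tag bump).
BASE = canonical({"image": {"repository": "registry.example/app", "tag": "1.4.2"},
                  "replicas": 2})
BUMP = [{"op": "replace", "path": "/image/tag", "value": "1.5.0"}]

if __name__ == "__main__":
    intent = record_intent(BASE, BUMP)
    print(check_drift(intent, intent["expected_text"]))  # in-sync
    # Someone else commits a replica change on top of ours.
    other = canonical(apply_patch(json.loads(intent["expected_text"]),
                                  [{"op": "replace", "path": "/replicas", "value": 3}]))
    print(check_drift(intent, other))  # drift
```

    On "drift" the safe response is to re-read the file from Git, re-apply the stored patch on top of the newer content, and commit again, rather than to treat the application's healthy status as confirmation of the original change.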

  9. Article · Software Testing Magazine · 10w

    Scaling Your QA Strategy: Why Open Source Cross Browser Testing Tools are the Future of DevSecOps

    Engineering teams are shifting from expensive SaaS-based testing clouds to self-hosted, open source cross-browser testing setups running on Kubernetes or Docker. This approach eliminates per-minute billing, enables elastic scaling via Horizontal Pod Autoscalers, and aligns with DevSecOps principles by keeping test artifacts and credentials within the organization's perimeter. Infrastructure-as-Code tools like Terraform and Helm charts allow ephemeral, disposable test environments that support zero-trust security. CI/CD pipelines using GitHub Actions, GitLab CI, or Jenkins can trigger browser containers within the same network boundary, enabling security scanning and compliance checks inline. The cultural shift also improves developer experience by using familiar tools like kubectl and Docker CLI, shortening feedback loops and reducing dependency on vendor platforms.

  10. Article · Pulumi · 11w

    Treating Prompts Like Code: A Content Engineer's AI Workflow

    A solo technical content engineer at Pulumi describes building a modular AI workflow system by treating prompts like code. Facing a one-person docs practice, the author created reusable Claude Code 'skills' (e.g., /docs-review, /pr-review, /shipit, /slack-to-issue) that share a central context file (REVIEW-CRITERIA.md) following DRY principles. The system was wired into CI/CD to automate PR reviews, dramatically improving contribution quality. Key lessons include modularizing prompts, version-controlling them, managing token costs, knowing when to use scripts vs. AI generation, and treating the AI as a conversational collaborator rather than a command executor. The approach turned a personal survival tool into a shared team platform.