The Score That Wouldn't Move: Stuck at 8/10
The releases were signed. Checksums published. SBOM generated. Every asset had a Cosign signature.
OpenSSF Scorecard: Signed-Releases 8/10.
Not 9. Not 10. Eight. Stuck.
Six pull requests. Two hours. OpenSSF Best Practices badge earned.
The readability project passed certification on December 13, 2025. But the work didn't start that day. It started months earlier when we built the infrastructure the badge measures.
The deployment worked in dev. Unit tests passed. Code review approved. Merged to main.
Production exploded.
The config used a dev secret. Migration locked tables at scale. Feature flag on in staging. Off in prod.
Environmental differences killed us.
The CVE dropped. The container was in production. CRITICAL severity. Remote code execution. Tagged latest.
Nobody knew which deployments used it. Scanning happened post-push. The flaw lived in production six hours.
This is the pattern that stops CVEs before they reach the registry.
The "From 5 Seconds to 5 Milliseconds" post showed how caching eliminated cluster scans. But that was only half the story. The real magic happens in how events flow through the system.
This is that story.
The deployment had no resource limits. Memory leaked. The node crashed. Three pods died.
The developer missed the requirement. Code review missed it. CI passed. Tests skip resource checks.
Admission control stops this. Before etcd. Before production. Before damage.
The email arrived on a Monday. "SOC 2 audit in 30 days. Need evidence of secure development practices."
We had policies. Documentation. Training slides. None of it mattered.
Auditors don't want to hear what you say you do. They want to see what the system forces you to do.
You updated golangci/golangci-lint-action to v9. CI failed. Welcome to golangci-lint v2.
The new version has stricter errcheck rules by default. Functions that return errors need handling. Yes, even fmt.Fprintln.
Here's how to fix it properly.
Your first commit after cloning a repo takes 30 seconds. Why? Pre-commit is compiling Go from source.
Binary releases fix this. Ship hooks backed by pre-built binaries.
Go works well for GitHub Actions. Single binaries, fast starts, cross-platform builds, and no runtime deps.
Here's how to go from code to release.