Open source, MIT

Your morning DevSecOps brief, in your voice.

crew scans Hacker News, GitHub Trending, and NVD every morning, drafts a LinkedIn post and X thread in your voice, and Telegrams you the result. Copy, paste, post. Done before coffee is cold.

Telegram — crew bot
☕ Morning. Sunday, 25 May. 3 signals worth posting about today.
━━━━━━━━━━━━━━━━━━━━
Option 1 — NVD CVE-2025-1234: Kubernetes API server...
Hook: "If your cluster still runs anonymous auth to the API server, fix that before lunch."
📘 LinkedIn (1,142 chars)
K8s just shipped a patch for CVE-2025-1234. Unauthenticated read on the metrics endpoint...
Reply done 1 once posted. skip to mark all seen.

How it works

Four steps. Five minutes.

No web UI. No scheduler. No publisher. One Python file and a cron job.

06:00 UTC
01

Signals fetched

HN front page, GitHub Trending, and NVD CVEs scanned. Top 3 fresh signals selected and ranked.

06:01 UTC
02

Claude drafts

One LinkedIn post and one X thread per signal, in your voice. Your prompt. Your banned words list.

06:02 UTC
03

Telegram pings you

Copy-paste-ready code blocks. Tap and hold to copy. No login, no app, no dashboard.

07:00 your time
04

You pick one

Read 3 drafts with coffee. Copy the best one. Edit a line if you want. Post. Done.


Signal sources

Three feeds. Zero noise.

Only signals that match your keyword list reach the drafting stage. CVEs always win.

Hacker News

Front page stories matching DevSecOps keywords, filtered by engagement. Fallback per-topic search on quiet days.

Algolia API

GitHub Trending

Today's top repos. Useful for spotting new tools before they hit your Slack. Fallback when HN is quiet.

Daily scrape

NVD CVE Feed

HIGH severity CVEs from the last 48 hours, filtered to products you actually run: K8s, Docker, OpenSSH, Nginx, Vault.

NVD REST API v2
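
The NVD filter described above (HIGH severity, last 48 hours, products you run), sketched as an added example; this is not crew's own code. It assumes records in the NVD API 2.0 response shape, matches the page's product list against the English description, and uses a constructed sample feed with placeholder CVE ids. It also separates fresh CVEs that carry no CVSS score yet, which a severity filter would otherwise drop silently.

```python
import re
from datetime import datetime, timedelta, timezone

# Product list from the page; matching it against the English description
# text is an assumption of this example.
PRODUCT_RE = re.compile(r"\b(kubernetes|docker|openssh|nginx|vault)\b", re.I)

def _cve(cid, published, text, sev=None, score=0.0):
    """Build one constructed record in the NVD API 2.0 response shape."""
    metrics = {"cvssMetricV31": [{"cvssData": {"baseSeverity": sev, "baseScore": score}}]} if sev else {}
    return {"cve": {"id": cid, "published": published, "metrics": metrics,
                    "descriptions": [{"lang": "en", "value": text}]}}

# Constructed sample feed; the CVE ids are placeholders, not real entries.
SAMPLE = {"vulnerabilities": [
    _cve("CVE-0000-0001", "2025-05-24T10:15:00.000", "OpenSSH sshd pre-auth flaw", "HIGH", 8.1),
    _cve("CVE-0000-0002", "2025-05-24T11:00:00.000", "Nginx module overflow", "MEDIUM", 5.3),
    _cve("CVE-0000-0003", "2025-05-20T09:00:00.000", "Docker engine escape", "HIGH", 8.8),
    _cve("CVE-0000-0004", "2025-05-24T12:30:00.000", "Photo gallery plugin SQLi", "HIGH", 7.5),
    _cve("CVE-0000-0005", "2025-05-25T01:00:00.000", "Kubernetes API server auth issue"),
    _cve("CVE-0000-0006", "2025-05-24T08:00:00.000", "Vault token leak in logs", "HIGH", 7.7),
]}

def base_severity(cve):
    """Return (severity, score) from the first CVSS v4/v3.x block, else (None, 0.0)."""
    for key in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"):
        for metric in cve.get("metrics", {}).get(key, []):
            data = metric.get("cvssData", {})
            if data.get("baseSeverity"):
                return data["baseSeverity"].upper(), float(data.get("baseScore", 0.0))
    return None, 0.0

def select_cves(feed, now, hours=48, severities=("HIGH",)):
    """Return (ids ranked by score, ids still unscored) for fresh, in-scope CVEs."""
    cutoff = now - timedelta(hours=hours)
    ranked, unscored = [], []
    for item in feed.get("vulnerabilities", []):
        cve = item["cve"]
        # The timestamps carry no UTC offset; they are treated as UTC here.
        published = datetime.fromisoformat(cve["published"]).replace(tzinfo=timezone.utc)
        text = " ".join(d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en")
        if published < cutoff or not PRODUCT_RE.search(text):
            continue
        sev, score = base_severity(cve)
        if sev is None:
            unscored.append(cve["id"])  # too new to be scored; review by hand
        elif sev in severities:
            ranked.append((score, cve["id"]))
    return [cid for _, cid in sorted(ranked, reverse=True)], unscored
```

With severities=("HIGH",) as the page states, CRITICAL entries are excluded; pass ("HIGH", "CRITICAL") if those should reach the drafting stage too.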

Output

Two formats. One signal.

LinkedIn gets the long take. X gets the thread. Same idea, different shape.

📘 LinkedIn post
K8s 1.32 turned on AppArmor by default.
3 of my 12 services failed to start this morning.

containerd/CRI-O now enforce runtime/default profiles
unless you explicitly set unconfined. Containers writing
to /proc, mounting tmpfs, using raw sockets: all blocked.
Error messages don't mention AppArmor.

Run this before Monday's deployments:
kubectl get pods -A -o json | jq '.items[].metadata.annotations'

1,142 chars
𝕏 Thread
1/5 K8s 1.32 just turned on AppArmor by default
and your containers are about to break in production.

2/5 What changed: containerd/CRI-O now enforce
runtime/default profiles unless explicitly set unconfined.

3/5 The profile blocks ~40 syscalls: ptrace, mount,
some socket ops. No annotation = confined by default.

4/5 What to do Monday:
kubectl get pods -A -o json | jq '...'

5 tweets

Cost

~€10 a month.

No SaaS subscription. No per-seat pricing. You own the infrastructure.

VPS (Hetzner CX11, Nuremberg) €4.51
Anthropic API (Sonnet, daily) ~€1–3
Infisical (free tier) €0
Total ~€5–8

Ship your first post before lunch.

Clone it, fill in two API keys, run it. The first Telegram message arrives in under 30 seconds.

$ git clone https://github.com/fendora-io/crew