Eliminating OS-Level CVEs from Flyway Docker Images with Distroless
The Problem
If you run database migrations with Flyway inside Docker containers, you’ve probably noticed the steady stream of CVE findings from your vulnerability scanner. AWS ECR image scanning, Trivy, Grype — they all flag the same thing: dozens of OS-level vulnerabilities in the base image that have nothing to do with your migrations. The official Flyway Docker image is built on Debian with a full JDK installation. That means you’re shipping apt, bash, curl, openssl, hundreds of shared libraries, and an entire Linux userspace — all so you can run a Java process that connects to PostgreSQL and executes SQL files. Every one of those packages is a potential source of CVE findings, and most of them will never be patched in the Flyway image because Redgate doesn’t rebuild on every upstream security release. ...
Streaming ZPA Logs to Splunk for 95% Less Cost
When your organization runs Zscaler Private Access (ZPA) for zero trust network access, you inevitably need visibility into what’s happening: who’s connecting, what they’re accessing, and whether your app connectors are healthy. ZPA’s Log Streaming Service (LSS) gets those logs out of Zscaler’s cloud — but getting them into your SIEM reliably and cheaply is a design problem worth talking about. It was not as simple as the documentation makes it out to be. ...
2025 Playlist
These are the songs I was listening to this year.
edamame – bbno$, Rich Brian
AAAHH MEN! – Doja Cat
Pretty Girls (feat. OBanga) – Will Smith, OBanga
Woman – Doja Cat
Jealous Type – Doja Cat
Sugar On My Tongue – Tyler, The Creator
1-800 – bbno$, Ironmouse
Mystical Magical – Benson Boone
gigolo – bbno$
And that’s it for 2025! See you next year!
Confession
I’ve been doing a lot of thinking lately on a particular topic and I have come to the conclusion that I have a confession to make. I withdrew late from my MATH 153 course in first-year university. There, I said it. It doesn’t seem so bad once I write it here, it’s almost laughable, but I have hidden this information as a deep, dark secret my entire adult life. I even allowed it to become a core part of my identity. Let me break down what happened, because this confession is more about shining a light on something that wants to remain in the dark than it is about just me talking about the past. ...
Setlist
AWS Identity Centre makes access sane, but the config file still ends up full of manual work: every account, every permission set, every profile name. Setlist removes the tedium by building a full .aws/config from the permission sets you actually have provisioned. It walks AWS Organizations, pulls the permission sets per account, and writes clean profiles for each combination. If you want friendly names instead of 12-digit account IDs, it can map those too. ...
gitgrab: clone every repo in a GitHub org
I keep a lot of repositories spread across organizations. When I need a local copy of everything (backup, audit, offline work, whatever), I end up writing one-off scripts that are boring, fragile, and always missing the one repo I forgot about. So I wrote a tool to make this boring task repeatable: gitgrab. https://github.com/scottbrown/gitgrab gitgrab does one thing: it grabs every repository from a GitHub organization and puts them in a directory on disk. It talks to the GitHub API, so it sees both public and private repos. When you run it again, it doesn’t re-clone; it updates what you already have. ...
Quantitative Risk Matrix
Most risk matrices fall apart because the numbers are vibes. One team calls an impact a 5, another calls it a 2, and nobody can agree why. This tool forces the hard part first: define what each impact level and likelihood level actually means. That could be dollars, headlines, or hours of downtime. Once the definitions are set, the matrix shows the severity bands and a summary of the quantitative levels. ...
Meeting Prep Checklist
Most meetings fail before they start. Not because people are lazy, but because nobody wrote down the basics: what we are doing, who is needed, and what decisions are on the table. The Meeting Prep Checklist is a small tool that keeps that list tight. Set the objective, capture the agenda, list attendees and pre-reads, and track a few prep checks. When you are done, it copies a clean summary you can drop into a doc or email. ...
Risk Register Lite
I keep a risk register for the same reason I keep a TODO list: memory is not a system. So I built a small, browser-only tool to keep the register clean and boring. Risk Register Lite lets you add a risk, set likelihood and impact, and capture mitigation notes. It scores each item, stays local in your browser, and can export to CSV when you need to move the data elsewhere. ...
Introducing ECS Task Cleaner
If you’ve been running AWS ECS for any length of time, you’ve likely noticed something annoying: task definition revisions accumulate. Every deployment creates a new revision, and AWS never cleans up the old ones. Over years of active development, this adds up. I recently inherited an AWS account that had been running ECS workloads for about 6 years. When I looked at the task definitions, I found over 178,000 revisions spread across various task families. The AWS Console offers no bulk delete option, so cleaning these up manually would mean clicking through each revision one by one. That’s not happening. ...