
[CONTENT SPRINT] Close the CVE-to-AMI Loop with Pulumi and Neo #18967

Draft
sicarul wants to merge 4 commits into master from blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo

Conversation

sicarul commented May 13, 2026


Why this content is interesting

  • It turns CVE response into a closed operational loop instead of another ticket queue.
  • It is scheduled for 2026-05-26 as part of the content sprint's two-post-per-week cadence.

What we took into account

  • We considered Neo-assisted changes, Pulumi previews, policy gates, and audit evidence while avoiding claims of autonomous remediation.
  • We avoided unsupported customer claims, certification guarantees, and obsolete product naming.
  • We kept the metadata and social copy curated around the post's concrete reader outcome.

Why it is useful to an end user

  • End users get a repeatable AMI refresh lifecycle they can adapt for security operations.
  • The post is written to help practitioners recognize the problem, understand why it matters, and leave with an actionable Pulumi workflow.

Design need

  • This PR is labeled needs-design because the post needs a final meta image before publication.
  • Existing feature.png and meta.png files are placeholders unless Design chooses to reuse or adapt them.

Metadata

  • Title: Close the CVE-to-AMI Loop with Pulumi and Neo
  • Meta description: Design a CVE-driven AMI refresh lifecycle with Pulumi, Neo-assisted changes, policy gates, previews, deployments, and audit-ready evidence.

🤖 Generated with OpenCode

@sicarul sicarul added area/blog-content Issues relating to content for pulumi.com/blog needs-design labels May 13, 2026
github-actions Bot commented May 13, 2026

Social Media Review

content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/index.md

X — PASS

LinkedIn — PASS

Bluesky — PASS
Suggestions (advisory)

These are stylistic notes — they don't block the post.

X

  • Second line names all four mechanisms (Pulumi, Neo-assisted changes, previews, policy gates) — the article's architecture is mapped out before the reader clicks

LinkedIn

  • "uses Pulumi for controlled change, Neo for assisted updates, policies for gates, and evidence for audit review" lists every layer of the solution; withhold at least the evidence/audit mechanism as a gap
  • Opening "AMI refreshes are quick to start and hard to close" is abstract — a concrete moment (a CVE that stalled, a ticket that aged out) earns more than the general pattern

Updated for commit d00bb06718a2c972c6bd938ebea61326889e18c5 (short: d00bb06) at 2026-05-28 18:51 UTC.

claude Bot commented May 13, 2026

Docs review — /docs-review

Thanks for the post, @sicarul — the content itself is well-structured and the CVE→AMI lifecycle is genuinely useful. However, the PR as currently committed cannot be merged as-is: it contains a lot of files that don't belong on master, and a couple of those are arguably sensitive. Flagging the blocking issues first, then content notes on the post.

🚨 Out-of-scope files (should be removed before merge)

The PR adds ~1,700 lines of agent/tooling artifacts and a planning doc that are unrelated to the blog post itself:

  1. .sisyphus/ directory (boulder.json, plans/customer-blog-posts.md, evidence/task-*.md, notepads/customer-blog-posts/*, run-continuation/ses_*.json) — this is local agent state from your workstation. It includes hardcoded paths like /Users/pabloseibelt/dev/docs/… and session IDs. Add .sisyphus/ to .gitignore and remove these files from the commit.
  2. new_content.md (repo root, 102 lines) — this is the original planning prompt and includes named customer signals (Moderna, Tivity Health, ZeroEyes, Dexcom, Fenergo, Moody's, Numerix, KeyShot, Southern Cross Health, Willis Towers Watson, ŌURA, Adyen), GitHub-reaction counts, and the internal call/GH analysis that produced this post. This looks like internal-only data and should not land in the public repo. Please delete it from the branch.
  3. theme/stencil/yarn.lock — removes a @types/uuid@^8.0.0 entry. This change is unrelated to the blog post and should not be bundled with it; the evidence files even mention "Restored theme/stencil/yarn.lock to clean state" as a QA step, so this looks like a leftover. Revert this file.

Once those are removed, the PR should be down to just content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/{index.md,feature.png,meta.png}.

Content notes — content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/index.md

Style-guide violations

  • Line 16 (social.linkedin): "AMI refreshes are easy to start and hard to close." — STYLE-GUIDE.md:32 says avoid "easy" or "simple." Suggested rewrite:

        linkedin: "AMI refreshes are quick to start and hard to close. This guide shows a CVE-driven lifecycle that uses Pulumi for controlled change, Neo for assisted updates, policies for gates, and evidence for audit review."
    
  • Line 22: "Traditional approaches often involve manual spreadsheets…" — hedging language flagged in the blog review rubric. Drop the hedge:

    Traditional approaches involve manual spreadsheets or disconnected scanning tools that lack the context of your infrastructure code. Pulumi changes this by integrating security directly into the deployment lifecycle. By combining [Pulumi Insights](/docs/insights/), [Neo](/product/neo/), and [Pulumi Policies](/docs/insights/policy/), you can create a closed-loop system for AMI refreshes.
    
  • Line 149: "…use Pulumi Review Stacks to validate the changes…" — the official docs (content/docs/deployments/deployments/review-stacks.md) consistently use lowercase "review stacks." Same for "Auto Scaling Group" on line 151 — Pulumi docs treat "Auto Scaling group" / "ASG" as a generic noun; either is defensible, but "review stacks" should be lowercase.

Technical accuracy — please verify

  • Lines 39 & 45: The Insights queries use modified:<2026-04-13. The documented Insights search syntax (content/docs/insights/discovery/search.md:123-128) shows modified:2023-03-31, modified:[2023-01-01 to 2023-03-31], and modified:>=2023-01-01 — the strict-less-than operator (< without =) is not in the docs. Either confirm it works against a live Pulumi Cloud and add a note, or switch to a documented form, e.g.:

    (type:aws:ec2/launchTemplate:LaunchTemplate OR type:aws:ec2/instance:Instance) modified:[* to 2026-04-13]
    
  • Line 34: "Pulumi Cloud search" links to /product/pulumi-cloud/. The feature being referenced is Resource Search; consider linking directly to /docs/insights/discovery/search/ so readers land on the syntax page that the next two code blocks depend on.

Structure / CTA

  • Lines 159–161 (Conclusion): The closing is generic ("Security is a continuous process, not a destination."). The rubric calls for a specific next step. Consider ending with a {{< blog/cta-button >}} pointing at the Pulumi Insights or Neo getting-started page, or at least a concrete "try this with your own AMIs" pointer.

Publishing-readiness checklist

  • social: block present with twitter, linkedin, bluesky
  • meta_image set (meta.png, 1200×628, 138 KB) — not the placeholder
  • <!--more--> break present after intro (line 26)
  • Author pablo-seibelt exists in data/team/team/ with avatar at static/images/team/pablo-seibelt.jpg
  • Title length: 45 chars (≤60) ✓
  • Meta description length: 140 chars (50–160) ✓
  • All links resolve (/docs/insights/, /product/neo/, /docs/insights/policy/, /product/pulumi-cloud/)
  • Code examples have language specifiers (typescript, bash, text)
  • No em dashes detected
  • The PR description notes "meta image is a placeholder unless Design chooses to reuse or adapt them" — make sure the needs-design flow is resolved before the 2026-05-26 publish date.

Summary

The post itself is in good shape and just needs a handful of style/wording tweaks plus a stronger CTA. The blocker is the PR scope — please strip .sisyphus/, new_content.md, and the theme/stencil/yarn.lock change before merging. The new_content.md removal is the most important one, since it contains internal customer/account references that shouldn't ship publicly.

Mention @claude if you'd like another pass after the fixes.

pulumi-bot commented May 13, 2026

Lighthouse Performance Report

Commit: 336b9c5 | Metric definitions

| Page | Device | Score | FCP | LCP | TBT | CLS | SI |
|---|---|---|---|---|---|---|---|
| Homepage | Mobile | 🟡 57 | 3.0s | 3.0s | 1550ms | 0.019 | 6.8s |
| Homepage | Desktop | 🟢 95 | 0.8s | 1.1s | 25ms | 0.005 | 1.5s |
| Install Pulumi | Mobile | 🔴 34 | 5.2s | 7.1s | 306ms | 0.411 | 8.0s |
| Install Pulumi | Desktop | 🟡 77 | 1.3s | 2.3s | 21ms | 0.011 | 3.1s |
| AWS Get Started | Mobile | 🟡 56 | 5.1s | 7.4s | 279ms | 0.083 | 5.1s |
| AWS Get Started | Desktop | 🟡 82 | 1.3s | 1.8s | 21ms | 0.024 | 3.0s |

sicarul force-pushed the blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo branch from 336b9c5 to a7ec4e2 on May 13, 2026 21:02
sicarul force-pushed the blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo branch from a7ec4e2 to a38a072 on May 13, 2026 21:51

sicarul (Author) commented May 13, 2026

@claude please review again. I rewrote this branch history to a single clean commit on current origin/master, removed all non-blog files from the PR diff, fixed social frontmatter paragraph formatting, and addressed the review feedback that applied to this post.

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 1m 41s

Docs re-review — /docs-review (post-cleanup)

Thanks for the rewrite, @sicarul — the scope cleanup is exactly what was needed. Confirming the PR is now in good shape, with a small handful of optional polish items remaining.

✅ Resolved from previous review

| Previous concern | Status |
|---|---|
| .sisyphus/ agent artifacts | Removed — PR now contains only the 3 blog files |
| new_content.md planning doc (internal customer signals) | Removed |
| theme/stencil/yarn.lock unrelated change | Reverted |
| Social copy single-paragraph FAIL (X / LinkedIn / Bluesky) | All three blocks now have 2 paragraphs with a blank line, using YAML `\|` literal scalars — should pass the next social-media-review run |
| Style: easy to start in LinkedIn copy | Replaced with quick to start |
| Casing: Pulumi Review Stacks | Section now reads "Review stacks and canary deployments" and the body uses "Pulumi previews" — phrase is gone ✓ |
| Branch history | Confirmed single clean commit (a38a072) on top of current master |

Optional polish — still applicable

A few of the previous content notes weren't addressed; flagging them again in case you want to take them before publish on 2026-05-26. None are blockers.

  1. index.md:31 — hedge word often (STYLE-GUIDE.md flags hedging language):

    Traditional approaches involve manual spreadsheets or disconnected scanning tools that lack the context of your infrastructure code. Pulumi changes this by integrating security directly into the deployment lifecycle. By combining [Pulumi Insights](/docs/insights/), [Neo](/product/neo/), and [Pulumi Policies](/docs/insights/policy/), you can create a closed-loop system for AMI refreshes.
    
  2. index.md:48 and index.md:54 — Insights query operator modified:<2026-04-13. I checked content/docs/insights/discovery/search.md:125-128 again; the documented operators for modified: are exact (modified:2023-03-31), range (modified:[2023-01-01 to 2023-03-31]), and >=. The strict-less-than form (< without =) isn't listed. If you've verified it works in Pulumi Cloud, no change needed — otherwise switch to the documented range form:

    (type:aws:ec2/launchTemplate:LaunchTemplate OR type:aws:ec2/instance:Instance) modified:[* to 2026-04-13]
    

    and similarly for the property-search example on line 54.

  3. index.md:43 — "Pulumi Cloud search" link. Currently links to /product/pulumi-cloud/, but the feature being demonstrated in the next two code blocks is Resource Search. Linking to /docs/insights/discovery/search/ lands readers on the syntax page they need to understand the queries that follow.

  4. index.md:168-170 — generic conclusion. "Security is a continuous process, not a destination" doesn't give the reader a next step. Consider closing with a concrete pointer, e.g. a {{< blog/cta-button >}} to the Pulumi Insights or Neo getting-started page, or a "Try this with your own AMIs by…" line.


Publishing-readiness checklist (unchanged from last pass, all still ✓ except the design item)

  • social: block present and now multi-paragraph for X / LinkedIn / Bluesky
  • meta_image set (meta.png)
  • `<!--more-->` break present (line 35)
  • Author pablo-seibelt exists in data/team/team/
  • Title 45 chars (≤60), meta description 140 chars (50–160)
  • All internal links resolve
  • Code blocks have language specifiers
  • No em dashes
  • needs-design — meta image / feature image still flagged in the PR description as potentially placeholder; resolve before 2026-05-26

Summary

PR scope is clean and the social formatting fix should unblock the social-media-review bot on its next run. The four remaining items above are nice-to-haves rather than blockers — your call on which (if any) to take.

  • Verify the PR scope is now blog-only
  • Check that previous review feedback was applied
  • Re-run publishing-readiness checklist on the post
  • Post the updated review
    • Branch: blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo

sicarul (Author) commented May 13, 2026

@claude please review again. Branch history is now a single clean commit on current origin/master. The PR diff contains only content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/index.md plus feature.png and meta.png. Social-review is passing, and actionable content feedback has been addressed.

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 2m 6s

Docs re-review — /docs-review (post-cleanup pass 2)

Thanks for the follow-up, @sicarul. Confirming the PR is in publishable shape. Everything that was blocking is gone, and the items left are the optional polish notes you've already decided not to take. Recording them once more for posterity, with one small wording flag I want to call attention to before publish.

✅ Verified resolved

| Item | Status |
|---|---|
| PR scope | Diff is exactly 3 files: content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/{index.md,feature.png,meta.png} |
| Branch history | Single commit a38a072 on top of current master |
| Social copy formatting | twitter, linkedin, bluesky all now use YAML `\|` literal scalars with a blank line between paragraphs (lines 15–26) ✓ |
| Style: "easy" → "quick" | index.md:20 now reads "quick to start and hard to close" ✓ |
| Casing: "Pulumi Review Stacks" | Section is now "Review stacks and canary deployments" (index.md:156); body uses "Pulumi previews" ✓ |

📝 Remaining items — your call, not blockers

You stated these aren't actionable on your side; flagging them here only so the next reader has the trail.

  1. index.md:31 — hedge word often — STYLE-GUIDE.md flags hedging language. Easy drop: "Traditional approaches often involve" → "Traditional approaches involve".
  2. index.md:48 and index.md:54, modified:<2026-04-13 — the documented Insights modified: operators (content/docs/insights/discovery/search.md:125–128) are exact, range, and >=. Strict < isn't shown. If you've confirmed it works against live Pulumi Cloud, fine to ship as-is; otherwise the documented range form is modified:[* to 2026-04-13].
  3. index.md:43 — "Pulumi Cloud" link — currently /product/pulumi-cloud/. The two code blocks that follow are Resource Search syntax, so linking directly to /docs/insights/discovery/search/ lands readers on the relevant page.
  4. index.md:170 — generic conclusion — "Security is a continuous process, not a destination" doesn't give a next step. A {{< blog/cta-button >}} to Insights or Neo getting-started, or a concrete "try this with your own AMIs" pointer, would close the loop the post itself argues for.


⚠️ One small new flag

index.md:26 (Bluesky) — the second paragraph reads Learn more in the post. That's a generic pointer the social-media-review bot flagged in its advisory notes on the previous run, and it's likely to be flagged again on subsequent passes. Not blocking, but if you want to neutralize the bot's suggestions in one shot, consider naming the concrete reader takeaway, e.g. "See the policy pack and CI snippets that gate the deploy." (X and LinkedIn already do this — only Bluesky's CTA is currently generic.)

Publishing-readiness checklist

  • social: block: twitter, linkedin, bluesky all present, multi-paragraph
  • meta_image: meta.png set (138 KB) and feature_image: feature.png set (27 KB) — both non-empty
  • `<!--more-->` break present (index.md:35)
  • Author pablo-seibelt exists in data/team/team/pablo-seibelt.toml
  • Title 45 chars (≤60), meta description 140 chars (50–160)
  • Internal links resolve (/docs/insights/, /product/neo/, /docs/insights/policy/, /product/pulumi-cloud/)
  • Code blocks have language specifiers (text, typescript, bash)
  • No em dashes detected
  • needs-design: PR description still flags the meta/feature images as potential placeholders — confirm with Design before the 2026-05-26 publish date

Summary

PR scope is clean, social formatting fix should green-light the social-media-review bot, and the post itself reads well end-to-end. Ready to ship once needs-design is resolved — the remaining content notes are stylistic preferences, not blockers.

  • Verify PR scope (3 files only)
  • Confirm single clean commit on master
  • Re-check social frontmatter formatting
  • Re-check style-guide items
  • Re-check technical-accuracy items
  • Run publishing-readiness checklist
  • Post the updated review
    • Branch: blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo

sicarul (Author) commented May 13, 2026

@claude please review again. This request is after the latest pushed head commit a38a0724. The branch has a single clean commit on current origin/master, and the PR diff is limited to content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/index.md, feature.png, and meta.png.

pulumi-bot commented May 13, 2026

Claude finished @sicarul's task in 1m 43s

Docs re-review — /docs-review (pass 3)

Thanks for the ping, @sicarul. Confirming the PR is clean, scoped, and publishable. No new blockers since the previous pass.

✅ Verified on HEAD a38a072

| Check | Result |
|---|---|
| PR scope vs. parent | Exactly 3 files added: content/blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo/{index.md,feature.png,meta.png} — 170 lines added, 0 removed ✓ |
| Branch history | Single commit a38a072 on top of master |
| Author | data/team/team/pablo-seibelt.toml exists; avatar at static/images/team/pablo-seibelt.jpg |
| Images | feature.png 942×628 (27 KB), meta.png 1200×628 (138 KB) — both non-empty ✓ |
| Social copy formatting | twitter, linkedin, bluesky all use YAML `\|` literal scalars |
| Title / meta length | Title 45 chars (≤60), meta description 140 chars (50–160) ✓ |
| Markdown hygiene | Code blocks tagged (text, typescript, bash); `<!--more-->` break at line 35; no em dashes ✓ |
| Internal links | /docs/insights/, /product/neo/, /docs/insights/policy/, /product/pulumi-cloud/ all resolve ✓ |

📝 Optional polish — acknowledged as not taken

You've stated these aren't actionable on your side. Recording once more so the trail is clear for whoever publishes on 2026-05-26.

  1. index.md:31 — hedge word often.
  2. index.md:48 & index.md:54, modified:<2026-04-13 (strict < not in the documented Insights search syntax at content/docs/insights/discovery/search.md:125–128).
  3. index.md:43 — "Pulumi Cloud" link points to /product/pulumi-cloud/ rather than the Resource Search docs the code blocks demonstrate (/docs/insights/discovery/search/).
  4. index.md:170 — generic conclusion ("Security is a continuous process, not a destination"), no concrete next-step CTA.
  5. index.md:26 (Bluesky) — Learn more in the post. is a generic pointer the social-media-review bot has flagged advisorily; X and LinkedIn already have specific CTAs.


Publishing-readiness checklist

  • social: block: twitter, linkedin, bluesky all present, multi-paragraph
  • meta_image: meta.png (138 KB) and feature_image: feature.png (27 KB) — both non-empty
  • `<!--more-->` break present (index.md:35)
  • Author pablo-seibelt exists and has an avatar
  • Title ≤60 chars, meta description 50–160 chars
  • Internal links resolve
  • Code blocks have language specifiers
  • No em dashes
  • needs-design — PR description still flags feature.png / meta.png as potential placeholders; confirm with Design before 2026-05-26

Summary

PR scope is clean, content reads well, social formatting is correct, and previously-flagged blockers are all resolved. Ready to ship once needs-design is signed off. The remaining items above are stylistic preferences you've already declined — your call to keep them as-is.

  • Verify PR scope (3 files only) against origin/master
  • Re-read index.md and confirm previously resolved items still resolved
  • Re-check the remaining optional polish items for current status
  • Run publishing-readiness checklist
  • Post the updated review
    • Branch: blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo

sicarul force-pushed the blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo branch from a38a072 to 487164c on May 13, 2026 22:53
sicarul marked this pull request as draft May 14, 2026 00:28

sicarul (Author) commented May 14, 2026

@claude please review again. This PR is now marked as draft, the needs-design label has been removed, and the latest pushed head is 487164c7.

@github-actions github-actions Bot removed the review:in-progress Claude review is currently running label May 19, 2026
@github-actions github-actions Bot added review:stale New commits since last Claude review; refresh on next ready-transition or @claude mention and removed review:no-blockers Claude review completed cleanly; outstanding is empty labels May 19, 2026
sicarul (Author) commented May 19, 2026

@claude #update-review

@github-actions github-actions Bot added review:in-progress Claude review is currently running and removed review:stale New commits since last Claude review; refresh on next ready-transition or @claude mention labels May 19, 2026
github-actions Bot commented May 19, 2026

🤖 Review updated on @sicarul's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026
@github-actions github-actions Bot added review:stale New commits since last Claude review; refresh on next ready-transition or @claude mention and removed review:no-blockers Claude review completed cleanly; outstanding is empty labels May 19, 2026
sicarul (Author) commented May 19, 2026

@claude #update-review

@github-actions github-actions Bot added review:in-progress Claude review is currently running and removed review:stale New commits since last Claude review; refresh on next ready-transition or @claude mention labels May 19, 2026
github-actions Bot commented May 19, 2026

🤖 Review updated on @sicarul's request.

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels May 19, 2026
sicarul force-pushed the blog/cve-ami-refresh-lifecycle-with-pulumi-and-neo branch from 4857613 to d00bb06 on May 28, 2026 18:47
@github-actions github-actions Bot added review:stale New commits since last Claude review; refresh on next ready-transition or @claude mention and removed review:no-blockers Claude review completed cleanly; outstanding is empty labels May 28, 2026