Skip to content

Add cross-links between IaC testing, policy, and agentic explainers#20097

Open
alexleventer wants to merge 1 commit into
masterfrom
workprentice/internal-links-testing-agentic-policy
Open

Add cross-links between IaC testing, policy, and agentic explainers#20097
alexleventer wants to merge 1 commit into
masterfrom
workprentice/internal-links-testing-agentic-policy

Conversation

@alexleventer

@alexleventer alexleventer commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Proposed changes

Three closely related pages — the How to Test Infrastructure as Code blog post, What Is Agentic Infrastructure?, and What Is Policy as Code? — cover overlapping ground but were barely linked to one another. A reader on any one of them had no easy path to the others.

This PR adds cross-links at the points where the prose already makes the connection, so each link is somewhere a reader would actually want to click through:

  • blog/how-to-test-infrastructure-as-code — links "policy as code" and "infrastructure as code" to their explainer pages at first mention (the post previously had no concept-explainer links).
  • what-is/what-is-agentic-infrastructure — links "unit tests" to the testing guide, and the Policy as code governance heading to the policy explainer (alongside the existing Pulumi Policies docs link).
  • what-is/what-is-policy-as-code — links the "AI agents write and modify infrastructure" passage to the agentic explainer, links "unit tests" to the testing guide, and adds What is agentic infrastructure? to the related-reading list.

No prose was rewritten and no anchor text was forced — only existing phrases were turned into links. Net result: the three pages now reference each other bidirectionally and each ties back to the IaC concept hub.

Related issues (optional)

None.

Connect three closely related pages that were barely linked to each
other. Each link sits where the prose already makes the connection and
a reader would want to follow it: the testing guide now points to the
policy-as-code and IaC explainers; the agentic page links to the
testing guide and policy explainer; the policy page links to the
agentic and testing pages and adds the agentic explainer to its
related-reading list.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@alexleventer alexleventer requested review from joeduffy and sicarul July 6, 2026 23:11
@github-actions github-actions Bot added review:triaging Claude Triage is currently classifying the PR domain:docs PR touches technical docs domain:mixed PR touches more than one domain domain:blog PR touches blog posts or customer stories review:in-progress Claude review is currently running and removed review:triaging Claude Triage is currently classifying the PR labels Jul 6, 2026
@pulumi-bot

Copy link
Copy Markdown
Collaborator

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Pre-merge Review — Last updated 2026-07-06T23:16:20Z

Tip

Summary: This PR adds seven internal cross-links interconnecting three existing pages — the How to Test Infrastructure as Code blog post and the What is agentic infrastructure? / What is policy as code? explainers — including one new "Related reading" entry. It adds no new prose or factual claims; the only reader-facing risk is a broken link target, and all four distinct targets (/what-is/what-is-policy-as-code/, /what-is/what-is-infrastructure-as-code/, /blog/how-to-test-infrastructure-as-code/, /what-is/what-is-agentic-infrastructure/) resolve to existing pages in this repo. The frontmatter sweep is clean and no build or link-integrity errors surfaced (Hugo build skipped — content-only, templating untouched). The claim-verification pass scanned the full text of all three touched files (not just the changed lines) and surfaced pre-existing factual discrepancies and unsourced figures — none of them on the lines this PR changed — so none block this link-only change; they're logged under Pre-existing and Low-confidence for separate follow-up.

Review confidence:

Dimension Level Notes
mechanics HIGH
facts MEDIUM This PR introduces no new claims; the full-file scan flagged 11 pre-existing factual errors and several unsourced figures on untouched lines (see Pre-existing / Low-confidence). Worth a separate fix, but not caused by these link additions.
coherence HIGH
editorial balance HIGH
Investigation log
  • Cross-sibling reads: not run (not in a templated section)
  • External claim verification: 183 of 209 claims verified (10 unverifiable, 11 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 139 Pass 1, 0 Pass 2, 70 Pass 3 (verified 57, contradicted 5, unverifiable 8).
  • Cited-claim spot-checks: not run (no cited claims)
  • Frontmatter sweep: ran on body + meta_desc
  • Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
  • Code execution: not run (no static/programs/ change)
  • Code-examples checks: not run (no fenced code blocks in content files)
  • Editorial-balance pass: ran (9 H2 sections, 4 flags fired)
🚨 Outstanding ⚠️ Low-confidence 💡 Pre-existing ✅ Resolved
0 12 11 0

🔍 Verification trail

209 claims extracted · 183 verified · 10 unverifiable · 11 contradicted
  • L16 in content/blog/how-to-test-infrastructure-as-code/index.md "IaC testing means validating infrastructure code the same way you test application software: unit tests with mocked cloud providers that run in milliseconds." → ➖ not-a-claim (evidence: This is a definitional/explanatory statement framing the blog's own concept of IaC testing (unit tests with mocked providers), not a falsifiable third-party assertion about a specific product feature or external fact.; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md)
  • L16 in content/blog/how-to-test-infrastructure-as-code/index.md "Integration tests deploy and inspect real resources." → ✅ verified (evidence: The same document states later (L574): "Integration tests deploy real cloud resources, run assertions against them, and then destroy everything—giving you end-to-end confidence at the cost of actual cloud spend and time," and the compariso…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md)
  • L16 in content/blog/how-to-test-infrastructure-as-code/index.md "Policy checks enforce compliance rules on every preview and deploy." → ✅ verified (evidence: The same document states later: "Policy as code enforces what your infrastructure must conform to—security standards, tagging conventions, compliance requirements—and it runs automatically on every pulumi preview and pulumi up," and…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md (L893-897))
  • L20 in content/blog/how-to-test-infrastructure-as-code/index.md "Infrastructure bugs are often harder to debug than application bugs because the feedback loop is slow and the blast radius is large." → ➖ not-a-claim (evidence: This is a subjective, opinion-based positioning statement (common in IaC blog intros) rather than a falsifiable factual assertion that can be verified against an authoritative source.; source: N/A - not a falsifiable claim)
  • L22 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi is built on general-purpose programming languages, which means you can test infrastructure code with the same tools and frameworks used to test applicat…" → ✅ verified (evidence: Pulumi programs are written in general-purpose languages (Python, TypeScript/JS, Go, C#, Java), and the same blog post demonstrates unit and integration tests written with pytest ("Run with: pytest test_integration.py -v"), Mocha ("Run wit…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md)
  • L30 in content/blog/how-to-test-infrastructure-as-code/index.md "A unit test can check whether a security group allows SSH from 0.0.0.0/0 and catch that misconfiguration in milliseconds before any cloud API call is made." → ✅ verified (evidence: The same blog post demonstrates this exact pattern with runnable code: mocks intercept resource registration ("the mock intercepts the call, returns dummy state, and never makes a real cloud API call") and a test_no_public_ssh example as…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md)
  • L36 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi policy rules run on every pulumi preview and pulumi up, not just at audit time." → ✅ verified (evidence: The same doc states elsewhere: "Policy as code | ... | Milliseconds | Free | No (runs at preview time)" and "it runs automatically on every pulumi preview and pulumi up", consistent with Pulumi CrossGuard's documented behavior that pol…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md (lines 50, 895))
  • L36 in content/blog/how-to-test-infrastructure-as-code/index.md "Policy as code lets you encode your organization's security rules as executable tests." → ✅ verified (evidence: The linked page defines policy as code as "the practice of defining and enforcing security, compliance, cost, and operational governance rules as version-controlled, testable code" and notes "Policies can have unit tests, just like applica…; source: content/what-is/what-is-policy-as-code.md)
  • L40 in content/blog/how-to-test-infrastructure-as-code/index.md "The annual DORA State of DevOps research is consistently associated with a pattern among elite-performing engineering teams (those that deploy frequently and r…" → ✅ verified (evidence: Google Cloud's DORA reports consistently link elite performers (defined by frequent deployment and fast recovery) with strong technical capabilities; one blog notes "Continuous integration, automated testing, and monitoring are some of the…; source: https://cloud.google.com/blog/products/devops-sre/the-2019-accelerate-state-of-devops-elite-performance-productivity-and-scaling)
  • L46-50 in content/blog/how-to-test-infrastructure-as-code/index.md "Policy as code checks run in milliseconds, are free, and require no cloud credentials (running at preview time)." → ✅ verified (framing: strengthened — claim narrows general "free/local/preview-time" framing to add a specific "milliseconds" speed claim not explicitly stated in sources; the free/…; evidence: Pulumi docs confirm policy as code runs locally for free during preview before resources are created: "The Pulumi CLI (also under the Apache 2.0 license) allows you to run policies during pulumi preview or pulumi up by specifying the --pol…; source: https://www.pulumi.com/docs/iac/crossguard/faq/ ; https://www.pulumi.com/docs/iac/crossguard/)
  • L66 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi unit tests replace the communication channel between the Pulumi program and the cloud provider with mocks." → ✅ verified (evidence: Pulumi's mocking API (pulumi.runtime.Mocks / WithMocks) implements NewResource/Call handlers that intercept resource registration calls in-process, returning dummy state instead of invoking the real cloud provider — exactly matching the cl…; source: content/blog/how-to-test-infrastructure-as-code/index.md (lines 66, 81-91, 195-222); pulumi/pulumi SDK mocking pattern (pulumi.runtime.Mocks / WithMocks))
  • L66 in content/blog/how-to-test-infrastructure-as-code/index.md "When a Pulumi program registers a resource, the mock intercepts the call, returns dummy state, and never makes a real cloud API call." → ✅ verified (evidence: The file itself shows the mocks implementation (e.g. Python new_resource, TS newResource, Go NewResource) which intercepts RegisterResource calls and returns a mocked id/state pair instead of contacting a real cloud provider — this…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md (lines 66, 81-91, 133-144, 215-222))
  • L70 in content/blog/how-to-test-infrastructure-as-code/index.md "You must set up mocks before importing your Pulumi program in a unit test, or the Pulumi runtime initializes without mocks and attempts real cloud calls." → ✅ verified (evidence: Official Pulumi docs (content/docs/iac/guides/testing/unit.md) confirm this exact pattern: "It's important to import the program after the mocks are defined." followed by pulumi.runtime.set_mocks(MyMocks()) before importing the program…; source: gh search code repo:pulumi/docs "set_mocks" "before" "import" — content/docs/iac/guides/testing/unit.md)
  • L83 in content/blog/how-to-test-infrastructure-as-code/index.md "State property keys in the mock's new_resource/newResource return value must be camelCase (e.g., cidrBlocks, not cidr_blocks), regardless of the langua…" (also L136, L301, L570) → ✅ verified (evidence: The official Pulumi testing guide (content/docs/iac/guides/testing/unit.md) states verbatim: "When returning explicit output properties from new_resource, property names must use camelCase (e.g., "publicIp", "instanceState") rather t…; source: repo:content/docs/iac/guides/testing/unit.md)
  • L574 in content/blog/how-to-test-infrastructure-as-code/index.md "Integration tests deploy real cloud resources, run assertions against them, and then destroy everything." → ✅ verified (evidence: The article itself states: "Integration tests deploy real cloud resources, run assertions against them, and then destroy everything—giving you end-to-end confidence at the cost of actual cloud spend and time," which matches the standard cr…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md (L574, L875))
  • L578 in content/blog/how-to-test-infrastructure-as-code/index.md "The Pulumi Automation API lets you drive pulumi up, pulumi destroy, and every other Pulumi CLI operation programmatically from within a test." → ✅ verified (evidence: pulumi/pulumi sdk/go/auto/README.md states "Package auto contains the Pulumi Automation API, the programmatic interface for driving Pulumi programs," and pulumi/providertest README notes it "extends the Go Automation API" for testing, conf…; source: gh search code --owner pulumi "automation api" (sdk/go/auto/README.md, providertest/README.md))
  • L610 in content/blog/how-to-test-infrastructure-as-code/index.md "The example integration tests install the AWS provider plugin pinned at v7.34.0." (also L672, L844) → ✅ verified (evidence: The blog's Python, TypeScript, and Java integration test examples all call install_plugin/installPlugin("aws", "v7.34.0"), and pulumi-aws v7.34.0 is a real published release tag (https://github.com/pulumi/pulumi-aws/releases/tag/v7.34.0).; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md (lines 610, 672, 844); gh release view v7.34.0 -R pulumi/pulumi-aws)
  • L873-875 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi ships a purpose-built Go test framework at github.com/pulumi/pulumi/pkg/v3/testing/integration that handles the full create → validate → destroy lifec…" → ⚔️ mismatch (evidence: The package actually lives at github.com/pulumi/pulumi/pkg/testing/integration (verified via GitHub contents API), not pkg/v3/testing/integration as the claim states; `ExtraRuntimeValidation func(t *testing.T, stack RuntimeValidationStac…; source: gh api repos/pulumi/pulumi/contents/pkg/testing/integration; gh search code --owner pulumi ExtraRuntimeValidation; intuition: The 'v3' in the path looks like a mistaken carryover from the pulumi/sdk/v3 or pulumi/pkg/v3 module naming convention;…)
  • L875 in content/blog/how-to-test-infrastructure-as-code/index.md "The Go integration test framework provides an ExtraRuntimeValidation hook for assertions against deployed state." → ✅ verified (evidence: gh code search confirms ExtraRuntimeValidation is a field/hook in pulumi/pulumi's Go integration test framework at pkg/testing/integration/program.go, used across many integration tests (e.g. tests/examples/examples_test.go) for post-dep…; source: gh search code "ExtraRuntimeValidation" (pkg/testing/integration/program.go in pulumi/pulumi))
  • L891 in content/blog/how-to-test-infrastructure-as-code/index.md "Leaked integration test stacks are a common cause of unexpected cloud spend." → ✅ verified (framing: strengthened — the claim narrows the broader, widely-documented pattern of "forgotten/idle dev-test environments causing cloud waste" to the specific case of "…; evidence: Multiple industry sources corroborate this general claim: e.g. cloudcapital.co notes "Engineers forget to deprovision these resources after the test concludes, leaving the CFO to address unexpected overspending," and Wiz's cloud cost guide…; source: WebSearch ran query "forgotten test infrastructure cloud bill surprise cleanup")
  • L895 in content/blog/how-to-test-infrastructure-as-code/index.md "Policy as code runs automatically on every pulumi preview and pulumi up." → ✅ verified (evidence: Pulumi's Policy as Code (CrossGuard) is documented to run policy checks during pulumi preview and pulumi up, evaluating resources against mandatory/advisory policies before deployment—matching the claim that policy runs "automatically…; source: content/blog/how-to-test-infrastructure-as-code/index.md (internal consistency, lines 50, 895, 1182) and Pulumi CrossGuard docs describing policy enforcement at preview/update time)
  • L897 in content/blog/how-to-test-infrastructure-as-code/index.md "A mandatory Pulumi policy blocks a deployment entirely when violated." → ✅ verified (evidence: Pulumi's own analyzer.proto defines: "MANDATORY = 1; // Stops deployment, cannot be overridden." and "ADVISORY = 0; // Displayed to users, but does not block deployment." confirming a mandatory policy blocks deployment entirely when violat…; source: gh search code --owner pulumi "EnforcementLevel mandatory advisory" (pulumi/pulumi:proto/pulumi/analyzer.proto))
  • L897 in content/blog/how-to-test-infrastructure-as-code/index.md "An advisory Pulumi policy surfaces a warning but allows the deploy to proceed." → ✅ verified (evidence: pulumi/pulumi-policy README states: "Policy violations can have enforcement levels that are advisory, which results in a printed warning, or mandatory, which results in an error after pulumi preview or pulumi up completes." Thi…; source: gh api repos/pulumi/pulumi-policy/contents/README.md)
  • L897 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi Policies are currently supported in Python and TypeScript." → ✅ verified (evidence: The pulumi/pulumi-policy repo (the official CrossGuard Policy-as-Code SDK) has an sdk/ directory containing only two language subdirectories: "nodejs" and "python" — no go, dotnet, or java SDKs exist for writing policy packs, confirming po…; source: gh api repos/pulumi/pulumi-policy/contents/sdk)
  • L1006 in content/blog/how-to-test-infrastructure-as-code/index.md "Joe Duffy, Pulumi CEO, stated in a Pulumi blog post: 'The smartest agent in the world still needs guardrails, audit trails, and policy enforcement to be truste…" → ✅ verified (evidence: The source blog post at content/blog/the-agentic-infrastructure-era/index.md contains the exact sentence: "The smartest agent in the world still needs guardrails, audit trails, and policy enforcement to be trusted with production systems a…; source: repo:content/blog/the-agentic-infrastructure-era/index.md)
  • L1008 in content/blog/how-to-test-infrastructure-as-code/index.md "You can publish Pulumi policies to Pulumi Cloud and assign them via policy groups to enforce them across stacks or accounts, including organization-wide." → ✅ verified (evidence: Pulumi docs state: "Policy groups organize one or more policy packs and apply them to specific stacks or cloud accounts. They determine when and where policies are enforced across your organization," and default policy groups (e.g. `defaul…; source: repo:content/docs/insights/policy/policy-groups.md)
  • L1010-1012 in content/blog/how-to-test-infrastructure-as-code/index.md "With Terraform, infrastructure is written in HCL but tests must be written in something else — either Go (via Terratest) or a constrained HCL DSL (`terraform t…" → ✅ verified (evidence: Sources confirm the two options: "Terraform tests are written natively in Terraform code and files, while Terratest requires tests to be written in Go" and Terratest is described as "a Go library that provides patterns and helper functions…; source: https://medium.com/@antoniosmarinos7/testing-terraform-code-with-the-new-native-testing-framework-e673f0762d74)
  • L1014-1021 in content/blog/how-to-test-infrastructure-as-code/index.md "Terratest has no mock layer for cloud providers, so its tests are real deployments by default and take minutes." → ✅ verified (evidence: Terratest's own site states: "Use Terratest to execute your real IaC tools (e.g., Terraform, Packer, etc.) to deploy real infrastructure (e.g., servers) in a real environment (e.g., AWS)." A comparison source adds: "Terratest's realism com…; source: https://terratest.gruntwork.io/ and https://www.morethanmonkeys.co.uk/article/terratest-vs-terraform-test-which-one-should-you-actually-use/)
  • L1014-1021 in content/blog/how-to-test-infrastructure-as-code/index.md "Terraform's Sentinel policy tool is an enterprise feature." → ✅ verified (framing: strengthened — claim says "enterprise feature" broadly; source shows it's tied to Terraform Enterprise and HCP Terraform paid tiers, with only a minimal free-t…; evidence: Sentinel is documented as a policy-as-code tool used with HCP Terraform and Terraform Enterprise: "Use Sentinel with HCP Terraform and Terraform Enterprise to enforce policy on Terraform configurations, states, and plans." It's widely char…; source: https://developer.hashicorp.com/sentinel/docs/terraform)
  • L1014-1021 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi YAML programs can be tested via the Automation API from any of Python, TypeScript, Go, C#, or Java." → ✅ verified (evidence: Pulumi docs confirm Automation API is available in "TypeScript/JavaScript, Python, Go, C#, and Java" and that it can drive "local programs" (any Pulumi.yaml-based program, including YAML) as well as supporting cross-language use where the…; source: repo:content/docs/iac/concepts/automation-api.md (lines 82-95))
  • L1014-1021 in content/blog/how-to-test-infrastructure-as-code/index.md "Terratest always requires tests to be written in Go regardless of the infrastructure language." → ✅ verified (evidence: Terratest's official README states: "Terratest is a Go library that makes it easier to write automated tests for your infrastructure code," listing support for testing Terraform, Packer, Docker, Kubernetes, Helm, AWS/Azure/GCP APIs, etc.—a…; source: gh api repos/gruntwork-io/terratest/contents/README.md)
  • L1014-1021 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi Policies run at preview time and are written in Python or TypeScript." → ✅ verified (evidence: Line 1019 of the same doc states "Policy / guardrails | Pulumi Policies: Python or TypeScript, runs at preview time", consistent with line 897 ("Pulumi Policies are currently supported in Python and TypeScript"). The pulumi/pulumi-policy r…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md (lines 897, 1019); gh search code --owner pulumi pulumi-policy sdk directories (nodejs, python only))
  • L1014-1021 in content/blog/how-to-test-infrastructure-as-code/index.md "Terraform's policy/guardrails options are external tools such as checkov, tfsec, and OPA/Rego, a separate toolchain." → ❌ contradicted (framing: narrowed/overclaim — claim asserts Terraform's policy options are "external tools" (checkov, tfsec, OPA), but HashiCorp's own Sentinel is a native, first-party…; evidence: The claim omits HashiCorp Sentinel, which is HashiCorp's own native policy-as-code framework, not an external tool: "HashiCorp Sentinel - Policy-as-code framework embedded in Terraform Cloud/Enterprise for enforcing compliance rules on run…; source: https://github.com/antonbabenko/awesome-terraform-compliance; intuition: Claim conspicuously excludes Sentinel, which is the most commonly cited HashiCorp-native policy tool in every compariso…)
  • L1014-1021 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi unit test execution speed is milliseconds, and integration test speed depends on the cloud." → ✅ verified (evidence: Pulumi's own product page states "Run unit tests in milliseconds" and "Spin up ephemeral environments for integration tests," and Pulumi docs note integration tests "deploy actual infrastructure to verify your code's behavior end-to-end,"…; source: https://www.pulumi.com/product/infrastructure-as-code/)
  • L1014-1021 in content/blog/how-to-test-infrastructure-as-code/index.md "Terratest execution is minutes because it performs real deployments by default." → ✅ verified (evidence: Official Terratest docs and guides confirm it deploys real infrastructure by default and execution takes minutes: "Since automated tests with Terratest deploy real resources into real environments" and typical runtime is "~3 minutes" with…; source: https://terratest.gruntwork.io/docs/getting-started/quick-start/ and https://terratest.gruntwork.io/docs/)
  • L1014-1021 in content/blog/how-to-test-infrastructure-as-code/index.md "terraform test plan-only mode is fast, while apply mode takes minutes." → ✅ verified (evidence: Multiple sources confirm this framing: "Unit and contract tests using terraform test with command = plan create no real infrastructure, so they're fast enough to run on every pull request" while "Integration tests create real resources and…; source: https://spacelift.io/blog/terraform-test)
  • L1014-1021 in content/blog/how-to-test-infrastructure-as-code/index.md "terraform test (version 1.6 and later) supports a mock_provider feature (available from v1.7+) that is HCL-declarative with no programmatic logic." → ✅ verified (evidence: HashiCorp's docs state: "Note: Test mocking is available in Terraform v1.7.0 and later" and the Terraform 1.6 blog confirms the test framework itself became GA in 1.6: "Terraform 1.6 is now generally available, highlighted by a powerful ne…; source: https://developer.hashicorp.com/terraform/language/tests/mocking)
  • L1017 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi unit tests with mocks require no cloud credentials, using pulumi.runtime.set_mocks()." → ✅ verified (evidence: gh search confirms pulumi.runtime.set_mocks() is a real Pulumi Python SDK function (sdk/python/lib/pulumi/runtime/mocks.py) used to register a Mocks class that intercepts resource registrations, returning fake IDs/state instead of callin…; source: gh search code --owner pulumi set_mocks; content/blog/how-to-test-infrastructure-as-code/index.md L1162)
  • L1023 in content/blog/how-to-test-infrastructure-as-code/index.md "Terratest offers deep integrations with AWS, GCP, Azure, and Kubernetes." → ✅ verified (evidence: Terratest's official docs and contributing guide confirm first-class support: "we currently only support three major public clouds (AWS, GCP, Azure) and Kubernetes" and the docs list "Working with AWS APIs · Working with Azure APIs · Worki…; source: https://terratest.gruntwork.io/docs/community/contributing/)
  • L1023 in content/blog/how-to-test-infrastructure-as-code/index.md "Terratest has no mock layer for cloud providers, so most Terratest test suites deploy real infrastructure, making them slower and costlier to run on every comm…" → ✅ verified (evidence: Official Terratest docs and multiple independent sources confirm Terratest's core workflow is to deploy real infrastructure: "Use Terratest to execute your real IaC tools (e.g., Terraform, Packer, etc.) to deploy real infrastructure (e.g.,…; source: https://terratest.gruntwork.io/)
  • L1023 in content/blog/how-to-test-infrastructure-as-code/index.md "Terratest is battle-tested and widely adopted, particularly for Terraform module testing." → ✅ verified (evidence: Multiple sources corroborate this: one describes Terratest as "the most widely used framework" for Terraform integration testing, and another notes it "has been around for many years and has a robust library of tests, as well as many examp…; source: https://oneuptime.com/blog/post/2026-02-16-how-to-test-terraform-azure-infrastructure-with-terratest-in-go/view; https://www.env0.com/blog/terratest-vs-terraform-opentofu-test-in-depth-comparison)
  • L1025 in content/blog/how-to-test-infrastructure-as-code/index.md "In terraform test, the command = plan mode avoids real deployments." → ✅ verified (evidence: HashiCorp's official Terraform docs state: "Replacing the command value with command = plan instructs Terraform to not create new infrastructure for this run block."; source: https://developer.hashicorp.com/terraform/language/tests)
  • L1025 in content/blog/how-to-test-infrastructure-as-code/index.md "The mock_provider feature in terraform test enables basic unit-like testing." → ✅ verified (evidence: HashiCorp's Terraform docs confirm: "In Terraform tests, you can mock a provider with the mock_provider block," used with terraform test to enable "unit and integration testing" without real infrastructure, functioning like unit-like tests.; source: https://developer.hashicorp.com/terraform/language/tests/mocking)
  • L1025 in content/blog/how-to-test-infrastructure-as-code/index.md "terraform test's expressiveness is bounded by HCL's declarative model, with no general-purpose programming, no third-party assertion libraries, and a fixed s…" → ✅ verified (framing: strengthened — sources describe terraform test as declarative HCL-based with run/assert blocks and no need for third-party tools/languages; the claim's specifi…; evidence: HashiCorp and third-party sources confirm terraform test uses declarative HCL with a fixed set of run/assert constructs: "The new testing framework is declarative, meaning that you write tests using the same language that you use for the r…; source: https://mattias.engineer/blog/2023/terraform-testing-and-validation/ ; https://developer.hashicorp.com/terraform/language/tests)
  • L1025 in content/blog/how-to-test-infrastructure-as-code/index.md "terraform test has improved significantly in Terraform 1.6 and 1.7." → ✅ verified (evidence: HashiCorp's own blog confirms the progression: Terraform 1.6 introduced the native test framework, and "Terraform 1.7 brings several improvements to the testing framework, highlighted by the new mocking feature," including mock providers,…; source: https://www.hashicorp.com/en/blog/terraform-1-7-adds-test-mocking-and-config-driven-remove)
  • L1039 in content/blog/how-to-test-infrastructure-as-code/index.md "The described seven-step process for setting up IaC testing with Pulumi takes a total time of 30 minutes." → 🤷 unverifiable (evidence: No Pulumi documentation, blog post, or third-party source found describes a "seven-step process" for IaC testing setup with a specific "30 minutes" total time estimate; this appears to be a specific, unsupported time claim not corroborated…; source: WebSearch ran query "how to test infrastructure as code Pulumi blog seven-step 30 minutes" and ""how-to-test-infrastructure-as-code" Pulumi blog seven steps 30 minutes total time"; top results didn't address the claim; intuition: A precise "30 minutes" total for a multi-step tutorial is a suspiciously specific round-number estimate that's hard to…)
  • L1154 in content/blog/how-to-test-infrastructure-as-code/index.md "IaC testing includes policy checks that are rules enforcing compliance standards on every preview and deploy." → ✅ verified (evidence: The same document states: "Policy as code enforces what your infrastructure must conform to—security standards, tagging conventions, compliance requirements—and it runs automatically on every pulumi preview and pulumi up." This direc…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md (line 895))
  • L1154 in content/blog/how-to-test-infrastructure-as-code/index.md "Infrastructure as code testing is the practice of writing automated checks that validate IaC programs before they deploy to production." → ➖ not-a-claim (evidence: The linked URL /what-is/what-is-infrastructure-as-code/ is a real, canonical Pulumi page used consistently across dozens of blog/docs pages as the standard IaC background link; the sentence itself is the blog post's own definition of IaC *…; source: gh search code --owner pulumi "what-is-infrastructure-as-code")
  • L1158 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi's mocking framework intercepts all cloud API calls and replaces them with in-process stubs so unit tests run entirely in memory with no cloud credential…" → ✅ verified (evidence: Pulumi SDK's runtime.setMocks/Mocks interface (newResource, call) intercepts resource registration and provider calls in-process, returning mock state instead of making real cloud calls; the same blog file states "the mock intercepts the c…; source: pulumi/pulumi:sdk/nodejs/runtime/mocks.ts; content/blog/how-to-test-infrastructure-as-code/index.md L66)
  • L1158 in content/blog/how-to-test-infrastructure-as-code/index.md "A suite of 50 unit tests runs in under a second using Pulumi's mocking framework." → 🤷 unverifiable (evidence: Pulumi docs confirm mocked unit tests run very fast (e.g. example showing 3 tests in 0.022s, and a case study of 700 tests running in ~20 seconds), but no source states the specific figure of "50 unit tests" running "in under a second."; source: WebSearch ran query "Pulumi unit tests mocking framework 50 tests under a second"; top results (pulumi.com/docs/iac/guides/testing/unit/, pulumi.com/blog/infrastructure-testing-got-better/) didn't state this exact figure; intuition: Specific round number (50 tests, under 1 second) reads like an illustrative/plausible estimate rather than a benchmarke…)
  • L1162 in content/blog/how-to-test-infrastructure-as-code/index.md "Integration tests that use the Automation API require cloud credentials because they deploy real resources." → ✅ verified (evidence: The article's own table states integration tests require cloud credentials ("Yes") because they involve "Real cloud spend," and the Automation API section confirms it drives pulumi up/pulumi destroy to deploy real resources — consisten…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md)
  • L1162 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi policy checks run without credentials at pulumi preview time." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L1170 in content/blog/how-to-test-infrastructure-as-code/index.md "Implementing pulumi.runtime.Mocks (Python) or calling pulumi.runtime.setMocks() (TypeScript/JavaScript) before importing a Pulumi program routes all resour…" → ✅ verified (evidence: Pulumi SDK source confirms pulumi.runtime.Mocks (Python) and setMocks (Node.js: sdk/nodejs/runtime/mocks.ts exports setMocks) intercept resource registration calls; SDK settings.ts notes "When writing unit tests, you can set this f…; source: gh search code --owner pulumi "setMocks" --repo pulumi/pulumi (sdk/nodejs/runtime/mocks.ts, settings.ts))
  • L1174 in content/blog/how-to-test-infrastructure-as-code/index.md "Because YAML has no control flow or executable statements, you cannot write test logic in YAML itself in Pulumi." → ✅ verified (evidence: Pulumi YAML is documented as a purely declarative configuration format (see pulumi/pulumi-yaml), lacking general-purpose control flow or imperative statements like loops/conditionals/functions found in Python, TypeScript, Go, etc. This sup…; source: repo:pulumi/pulumi-yaml (declarative YAML spec) and content/blog/how-to-test-infrastructure-as-code/index.md L1174)
  • L1174 in content/blog/how-to-test-infrastructure-as-code/index.md "YAML programs are tested by pointing the Automation API from Python, TypeScript, Go, C#, or Java at the project directory and asserting on the stack outputs." → ✅ verified (evidence: The article itself documents that the Automation API "lets you drive pulumi up, pulumi destroy, and every other Pulumi CLI operation programmatically... You define the stack inline... or point it at an existing project directory" (L578…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md (L578, L1063-1064))
  • L1174 in content/blog/how-to-test-infrastructure-as-code/index.md "YAML is Pulumi's declarative configuration language and, because it has no control flow or executable statements, you cannot write test logic in YAML itself." → ✅ verified (evidence: Pulumi YAML (pulumi/pulumi-yaml) is a declarative language provider supporting only resources, variables, and a fixed set of builtin functions (fn::invoke, fn::join, fn::select, fn::toJSON, etc.) — it has no general-purpose control flow, l…; source: gh api repos/pulumi/pulumi-yaml/contents/README.md; gh search code --owner pulumi repo:pulumi/pulumi-yaml "fn::invoke")
  • L1178 in content/blog/how-to-test-infrastructure-as-code/index.md "The Pulumi GitHub Actions integration simplifies credential injection and stack management for CI/CD test stages." → ✅ verified (evidence: The pulumi/actions README confirms the action authenticates via PULUMI_ACCESS_TOKEN or a configured cloud-url backend ("this action will try to authenticate Pulumi with Pulumi Cloud... you will need to specify an alternative backend via th…; source: gh api repos/pulumi/actions/contents/README.md)
  • L1186 in content/blog/how-to-test-infrastructure-as-code/index.md "Terratest tests must be written in Go regardless of what language the infrastructure uses." → ✅ verified (evidence: Official Terratest docs confirm: "Write tests using Go's built-in package testing" and note it supports testing "a variety of infrastructure code, not just Terraform" (Packer, Docker, Kubernetes, etc.), all still requiring Go test code.; source: https://terratest.gruntwork.io/docs/getting-started/quick-start/)
  • L1186 in content/blog/how-to-test-infrastructure-as-code/index.md "Terratest typically deploys real infrastructure because it has no mock layer for cloud providers, so most test runs provision actual cloud resources, incurring…" → ✅ verified (evidence: Terratest's own docs and multiple guides confirm it "execute[s] your real IaC tools ... to deploy real infrastructure ... in a real environment," with no mock layer, and tests commonly use extended timeouts because deployments can be time-…; source: https://terratest.gruntwork.io/ ; https://terratest.gruntwork.io/docs/getting-started/quick-start/ ; https://docs.cloud.google.com/docs/terraform/best-practices/testing; intuition: The "5–30 minutes" range is a plausible but not directly sourced approximation; actual Terratest run times vary widely…)
  • L1186 in content/blog/how-to-test-infrastructure-as-code/index.md "Most Terratest test runs provision actual cloud resources, incurring real cost and taking 5–30 minutes." → ✅ verified (evidence: Terratest's own docs and multiple guides confirm it "provisions real resources using Terraform or other IaC tools, validates that they work correctly, and then destroys them," and consistently recommend -timeout 30m because "it's not uncom…; source: https://terratest.gruntwork.io/docs/testing-best-practices/timeouts-and-logging/ and https://spacelift.io/blog/what-is-terratest)
  • L1190 in content/blog/how-to-test-infrastructure-as-code/index.md "Pulumi Cloud has built-in stack TTL and auto-destroy features." → ✅ verified (evidence: Pulumi's own blog post confirms: "Pulumi Cloud's new Time-to-Live (TTL) Stacks feature ... After the specified time, these stacks are automatically destroyed" — i.e., built-in stack TTL and auto-destroy functionality.; source: repo:content/blog/ttl/index.md)
  • L1204 in content/blog/how-to-test-infrastructure-as-code/index.md "The Pulumi conversion tool (tf2pulumi) translates existing HCL to Python, TypeScript, Go, C#, and more, including test infrastructure." → ❌ contradicted (framing: shifted — claim attributes current HCL-to-multi-language conversion capability to "tf2pulumi," but the source states this tool "has been replaced with pulumi c…; evidence: Multiple Pulumi sources confirm tf2pulumi is no longer the current tool: "As of Pulumi CLI v3.71.0, tf2pulumi has been replaced with pulumi convert --from terraform." The claim names "tf2pulumi" as the current conversion tool, but it has b…; source: https://www.pulumi.com/blog/from-terraform-to-infrastructure-as-software/; intuition: The claim uses outdated tool branding (tf2pulumi) for what is now pulumi convert --from terraform, which could mislea…)
  • L1204 in content/blog/how-to-test-infrastructure-as-code/index.md "Terratest or terraform test suites can be ported to Pulumi's native test runner as part of a migration." → ❌ contradicted (framing: narrowed/overclaim — source tooling (tf2pulumi/pulumi-converter-terraform) converts HCL infrastructure code only; claim broadens this to imply automated portin…; evidence: The blog claims tf2pulumi/Pulumi's conversion tool translates HCL "including your test infrastructure" and that Terratest/terraform test suites "can be ported" to Pulumi's native test runner. But tf2pulumi and its successor pulumi-converte…; source: gh issue list -R pulumi/pulumi-converter-terraform --search test; intuition: Suspicious that a HCL-to-Pulumi-program converter would also "port" Go-based Terratest suites or HCL test DSL files — t…)
  • L9 in content/what-is/what-is-agentic-infrastructure.md "Agentic infrastructure is defined as cloud infrastructure that AI agents provision, govern, and operate autonomously — writing code, running deployments, enfor…" → ✅ verified (framing: strengthened — the claim synthesizes and slightly consolidates Pulumi's marketing language (provision/govern/operate, PR-based proposals, human review-not-exec…; evidence: Pulumi's own materials describe this framing closely: "Pulumi gives both engineering teams and AI agents a single substrate for provisioning, governing, and operating infrastructure across every cloud and SaaS," with "Built-in verifiabilit…; source: https://www.prnewswire.com/news-releases/pulumi-closes-the-ai-deployment-gap-with-agent-native-infrastructure-and-superintelligence-partnerships-302776114.html)
  • L15 in content/what-is/what-is-agentic-infrastructure.md "The word 'agentic' refers to an AI system that takes sequences of actions to reach a goal, observing state, making decisions, and executing steps, rather than…" → ✅ verified (evidence: Multiple industry sources confirm this framing, e.g. IBM: "The term 'agentic' refers to these models' agency, or, their capacity to act independently and purposefully," and Google Cloud describes agentic AI as a "continuous cycle of percep…; source: https://www.ibm.com/think/topics/agentic-ai; https://www.salesforce.com/agentforce/what-is-agentic-ai/)
  • L17 in content/what-is/what-is-agentic-infrastructure.md "If CI/CD feedback comes back, such as a failed security scan or a policy violation, the agentic system reads it, pushes a fix, and iterates." → 🤝 matches (evidence: The same document later details this exact behavior for Pulumi Neo: "Handle CI/CD feedback. If a pipeline check fails (a security scan, a policy violation, a test), Neo reads the output, pushes a corrective fix to the same PR, and iter…; source: repo:content/what-is/what-is-agentic-infrastructure.md)
  • L17 in content/what-is/what-is-agentic-infrastructure.md "An agentic infrastructure agent can receive a goal in natural language, query actual deployed state, write or modify infrastructure code, preview the impact ag…" → ✅ verified (evidence: The claim at L17 is the article's own definitional paraphrase of "agentic infrastructure," and it matches the concrete workflow the same document later describes for Pulumi Neo: "Neo queries your actual Pulumi state graph," "Run `pulumi pr…; source: repo:content/what-is/what-is-agentic-infrastructure.md)
  • L23-25 in content/what-is/what-is-agentic-infrastructure.md "Joe Duffy wrote in 'The Agentic Infrastructure Era' (linked at /blog/the-agentic-infrastructure-era/): 'Agentic infrastructure is a super exciting one-way door…" → ✅ verified (evidence: The Pulumi blog post "The Agentic Infrastructure Era" contains the exact sentence: "Agentic infrastructure is a super exciting one-way door for our industry."; source: https://www.pulumi.com/blog/the-agentic-infrastructure-era/)
  • L27 in content/what-is/what-is-agentic-infrastructure.md "The share of infrastructure deployments done by LLMs, as tracked by Pulumi, was up from nearly zero a year prior to this statement." → ✅ verified (evidence: Pulumi's blog states: "we're seeing something magical happen here at Pulumi: LLMs are now doing over 20% of the infrastructure deployments, up from virtually zero a year ago."; source: https://www.pulumi.com/blog/the-agentic-infrastructure-era/)
  • L33 in content/what-is/what-is-agentic-infrastructure.md "Frontier models scored 33% on SWE-bench Verified in August 2024." → ✅ verified (framing: strengthened — claim generalizes "GPT-4o" to "Frontier models," but GPT-4o was the frontier model benchmarked at that August 2024 launch, so the specific case…; evidence: OpenAI's own announcement states: "On SWE-bench Verified, GPT‑4o resolves 33.2% of samples," at the benchmark's August 2024 launch — matching the claim's "33% ... in August 2024" (rounded).; source: https://openai.com/index/introducing-swe-bench-verified/)
  • L33 in content/what-is/what-is-agentic-infrastructure.md "There are billions of lines of production-grade Python, TypeScript, and Go for models to learn from." → 🤷 unverifiable (evidence: This is a general rhetorical claim about LLM training data abundance rather than a precise, sourced statistic. Independent sources corroborate the general premise—e.g. one source notes "There are millions of repositories out there, collect…; source: WebSearch ran query "billions of lines of code Python TypeScript Go training data LLM"; results support general plausibility but no source confirms the specific claim; intuition: Claim is a vague, unfalsifiable order-of-magnitude assertion typical of blog rhetoric rather than a precise, checkable…)
  • L35 in content/what-is/what-is-agentic-infrastructure.md "Andrej Karpathy said: 'The reality of building web apps in 2025 is that it's a bit like assembling IKEA furniture.'" → ✅ verified (evidence: Karpathy's X post states verbatim: "The reality of building web apps in 2025 is that it's a bit like assembling IKEA furniture."; source: https://x.com/karpathy/status/1905051558783418370)
  • L39 in content/what-is/what-is-agentic-infrastructure.md "Joe Duffy said: 'It is a happy accident that the combination of this plus the verifiability of every change is the exact combination that empowers agents to do…" → ✅ verified (evidence: The Pulumi blog post "The Agentic Infrastructure Era" contains this exact passage: "It is a happy accident that the combination of this plus the verifiability of every change is the exact combination that empowers agents to do infrastructu…; source: https://www.pulumi.com/blog/the-agentic-infrastructure-era/)
  • L45 in content/what-is/what-is-agentic-infrastructure.md "An agent writing a Pulumi program can import a library, write a test, refactor a module, or inherit from a base class." → ➖ not-a-claim (evidence: This is a general illustrative statement about standard programming language capabilities (imports, tests, refactoring, inheritance) used to make an analogy in a conceptual explainer, not a falsifiable product/feature claim about Pulumi it…; source: repo:content/what-is/what-is-agentic-infrastructure.md)
  • L45 in content/what-is/what-is-agentic-infrastructure.md "Agents can use real software engineering primitives. Loops, functions, classes, package imports, unit tests, t…" → 🤷 unverifiable (evidence: Multiple Pulumi blog searches for the exact slug "/blog/how-to-test-infrastructure-as-code/" did not surface that URL; the closest matches are differently-slugged Pulumi posts like "testing-in-practice" ("How to Test Infrastructure with Pu…; source: WebSearch ran query "pulumi.com/blog/how-to-test-infrastructure-as-code/"; top results returned similarly-named but differently-slugged Pulumi testing blog posts, not this exact URL; intuition: The linked slug does not match any indexed Pulumi blog post found; likely either a renamed/redirected URL or a broken l…)
  • L47 in content/what-is/what-is-agentic-infrastructure.md "pulumi preview maps code changes to a concrete, auditable list of resource operations (what will be created, updated, or deleted) before anything in the clou…" → ✅ verified (evidence: pulumi preview is Pulumi's documented dry-run command that computes and displays the exact set of resource creates/updates/deletes that pulumi up would perform, without making any changes to actual cloud resources — this is core, well-…; source: repo:content/what-is/what-is-agentic-infrastructure.md (L47) + Pulumi CLI documented behavior for pulumi preview)
  • L47 in content/what-is/what-is-agentic-infrastructure.md "Joe Duffy said: 'Just as we wouldn't vibe code without git showing us the source changes, we shouldn't vibe infrastructure without a tool that shows what it wi…" → ✅ verified (evidence: The Pulumi blog post "The Agentic Infrastructure Era" contains the exact quote: "Just as we wouldn't vibe code without git showing us the source changes, we shouldn't vibe infrastructure without a tool that shows what it will do before it…; source: https://www.pulumi.com/blog/the-agentic-infrastructure-era/)
  • L49 in content/what-is/what-is-agentic-infrastructure.md "The CodeAct paper (Wang et al., ICML 2024) measured 17 models across a range of tasks and found that agents consistently perform better when they act by writin…" → ✅ verified (evidence: The paper's abstract states: "Our extensive analysis of 17 LLMs on API-Bank and a newly curated benchmark shows that CodeAct outperforms widely used alternatives (up to 20% higher success rate)," confirming both the 17-model count and the…; source: https://arxiv.org/abs/2402.01030)
  • L53 in content/what-is/what-is-agentic-infrastructure.md "Pulumi Neo is an AI infrastructure engineering agent built into Pulumi Cloud." → ✅ verified (evidence: content/product/neo.md describes Neo as "AI infrastructure agent" / "AI Infrastructure Agent" ("Meet Neo, your AI platform engineer... Neo provisions, governs, and optimizes your cloud infrastructure"), and pulumi/docs blog content explici…; source: repo:content/product/neo.md; pulumi/docs:content/blog/pulumi-neo-cli/index.md)
  • L57 in content/what-is/what-is-agentic-infrastructure.md "Neo creates a task to track the work when a user sends a goal." → ✅ verified (evidence: Sibling docs page content/docs/ai/tasks/_index.md confirms: "Tasks are Neo's primary unit of work. Each task is a conversation where you describe what you want to accomplish, and Neo handles the infrastructure changes," consistent with the…; source: repo:content/docs/ai/tasks/_index.md)
  • L57 in content/what-is/what-is-agentic-infrastructure.md "A user can send a goal to Pulumi Neo in natural language through Pulumi Cloud, the CLI, or the Slack integration." → ✅ verified (evidence: Docs confirm all three channels: the Neo docs list "Pulumi CLI: Run pulumi neo to start an interactive Neo session," an "Integrations" page connecting Neo to Slack, and the Slack integration page states "Mention @Neo in any channel whe…; source: repo:content/docs/ai/integrations/slack/_index.md and repo:content/docs/ai/_index.md)
  • L59 in content/what-is/what-is-agentic-infrastructure.md "In Plan Mode, Neo queries the user's actual Pulumi state graph, identifies every Lambda function running Node 16, checks dependencies, and synthesizes a plan g…" → ✅ verified (framing: strengthened — claim narrows the general "investigates infrastructure, checks dependencies, synthesizes plan" workflow to a specific Lambda/Node16 worked examp…; evidence: Pulumi's own blog post on Neo Plan Mode confirms the general behavior: "Neo investigates your environment — examining existing infrastructure, reading relevant code, checking dependencies, and researching patterns" then "produces a plan ex…; source: content/blog/neo-plan-mode/index.md)
  • L59 in content/what-is/what-is-agentic-infrastructure.md "Neo's plan is presented for human review before anything changes." → 🤝 matches (evidence: The same document states elsewhere that "Review mode, the default, requires human approval at every step" and that Neo's execution proceeds "Depending on your task mode (Review for step-by-step human approval, Balanced for approval before…; source: repo:content/what-is/what-is-agentic-infrastructure.md)
  • L61 in content/what-is/what-is-agentic-infrastructure.md "Neo has three task modes: Review (step-by-step human approval), Balanced (approval before pulumi up), and Auto (fully automated workflows)." → ✅ verified (evidence: content/docs/ai/tasks/_index.md confirms: "Review mode (default): Running pulumi preview, running pulumi up, and opening a PR all require approval. Balanced mode: Neo will only request approval before running pulumi up. Auto mode: Neo will…; source: repo:content/docs/ai/tasks/_index.md)
  • L61 in content/what-is/what-is-agentic-infrastructure.md "Neo operates within the RBAC entitlements of the user who initiated the task and cannot do anything the user themselves could not do." → ✅ verified (evidence: The same doc restates this at line 99: "Neo operates within the Pulumi Cloud RBAC entitlements of the user who initiated the task. It cannot escalate privilege. If a developer cannot delete a production database, Neo cannot either, regardl…; source: repo:content/what-is/what-is-agentic-infrastructure.md)
  • L61 in content/what-is/what-is-agentic-infrastructure.md "Neo cannot do anything the user themselves could not do." → ✅ verified (evidence: The same document states elsewhere (line 99): "Neo operates within the Pulumi Cloud RBAC entitlements of the user who initiated the task. It cannot escalate privilege. If a developer cannot delete a production database, Neo cannot either,…; source: repo:content/what-is/what-is-agentic-infrastructure.md (lines 61, 99))
  • L63 in content/what-is/what-is-agentic-infrastructure.md "Neo runs pulumi preview, validates generated code, shows exactly which resources will be created, updated, or deleted, and runs the user's Pulumi Policies, w…" → ✅ verified (evidence: The official Neo docs page (content/docs/ai/running-previews/_index.md) confirms this exact workflow: "When you ask Neo to make infrastructure changes, it utilizes previews to: 1. Validate proposed changes: Ensure the generated code is syn…; source: gh api repos/pulumi/docs/contents/content/docs/ai/running-previews/_index.md)
  • L65 in content/what-is/what-is-agentic-infrastructure.md "Neo creates a pull request containing a problem description, a list of modified resources, and the preview summary, which flows through the user's existing Git…" → ❌ contradicted (framing: shifted — claim says "GitHub, GitLab, or Bitbucket" but source says "GitHub, Azure DevOps, and GitLab"; Bitbucket is not a supported integration and Azure DevO…; evidence: Official Pulumi docs (content/docs/ai/pull-requests/_index.md) confirm Neo's PR contains a problem description, modified resources list, and preview summary — but state VCS/CI-CD support as "Pulumi supports GitHub, Azure DevOps, and GitLab…; source: gh api repos/pulumi/docs/contents/content/docs/ai/pull-requests/_index.md (master))
  • L65 in content/what-is/what-is-agentic-infrastructure.md "The PR Neo creates flows through the user's existing GitHub, GitLab, or Bitbucket CI/CD pipeline." → ❌ contradicted (framing: shifted — claim substitutes 'Bitbucket' for the source's 'Azure DevOps' as the third supported CI/CD provider alongside GitHub and GitLab; evidence: The official Pulumi docs page on Neo pull requests states: "Neo requires a version control integration to read code from and create pull requests. Pulumi supports GitHub, Azure DevOps, and GitLab... To set up CI/CD with Pulumi, see the doc…; source: gh api repos/pulumi/docs/contents/content/docs/ai/pull-requests/_index.md)
  • L67 in content/what-is/what-is-agentic-infrastructure.md "If a pipeline check fails (a security scan, a policy violation, a test), Neo reads the output, pushes a corrective fix to the same PR, and iterates." → ✅ verified (evidence: Official Neo product page describes "Debug & diagnose: Ask why a deployment failed or what's misconfigured. Neo investigates and explains in seconds" and the Neo launch blog shows Neo creating PRs with "policy validation and pull request c…; source: repo:content/product/neo.md, repo:content/blog/pulumi-neo/index.md)
  • L69 in content/what-is/what-is-agentic-infrastructure.md "Neo opens a PR whenever a scheduled run detects infrastructure drift or produces changes." → ✅ verified (evidence: Sibling blog post "Neo Automations: Scheduled Tasks Shipped as Pull Requests" confirms: "[Pulumi Neo] can now run any task on a cadence you set, opening a pull request for each run," with drift checks and provider freshness checks given as…; source: pulumi/docs:content/blog/neo-automations/index.md)
  • L69 in content/what-is/what-is-agentic-infrastructure.md "Any Neo task can become a recurring job, and Neo opens a pull request whenever a scheduled run detects infrastructure drift or produces changes." → ✅ verified (evidence: The claim closely paraphrases the source file's own step 6 text: "Schedule automations. Any task can become a recurring job. Neo opens a PR whenever a scheduled run detects infrastructure drift or produces changes, so environments stay cur…; source: repo:content/what-is/what-is-agentic-infrastructure.md (L69); repo:content/pricing/_index.md)
  • L71 in content/what-is/what-is-agentic-infrastructure.md "Pulumi Neo is described as 'grounded AI' that reasons over the user's actual state graph and deployment history rather than generating code from internet patte…" → ✅ verified (evidence: Multiple sibling blog posts in the same repo consistently describe the same linked post with identical framing, e.g.: "Pulumi Neo reasons over the state graph directly, so the checker grounds every claim in what the change actually does" a…; source: gh search code --owner pulumi "grounded-ai-why-neo-knows-your-infrastructure" (content/blog/*/index.md sibling references))
  • L91-93 in content/what-is/what-is-agentic-infrastructure.md "Joe Duffy said: 'The smartest agent in the world still needs guardrails, audit trails, and policy enforcement to be trusted with production systems at scale, a…" → ✅ verified (evidence: Pulumi's blog "The Agentic Infrastructure Era" contains the exact quote: "The smartest agent in the world still needs guardrails, audit trails, and policy enforcement to be trusted with production systems at scale, and that layer gets more…; source: https://www.pulumi.com/blog/the-agentic-infrastructure-era/)
  • L97 in content/what-is/what-is-agentic-infrastructure.md "Pulumi Policies lets teams define organizational rules as code (e.g., no unencrypted storage, required tags, allowed instance types) that run on every pulumi…" → ✅ verified (evidence: Sibling page confirms: "Pulumi Policies adds policy as code to the Pulumi infrastructure as code platform... Policies apply during pulumi previewandpulumi up`, blocking violations before resources are created or modified," and separat…; source: repo:content/what-is/what-is-policy-as-code.md)
  • L99 in content/what-is/what-is-agentic-infrastructure.md "Neo operates within the Pulumi Cloud RBAC entitlements of the user who initiated the task and cannot escalate privilege." → ✅ verified (evidence: content/docs/ai/get-started/_index.md states: "Neo operates within the conversing user's RBAC entitlements and cannot perform actions that the user couldn't perform themselves. This means: - There's no privilege escalation risk or special…; source: repo:content/docs/ai/get-started/_index.md)
  • L99 in content/what-is/what-is-agentic-infrastructure.md "If a developer cannot delete a production database, Neo cannot either, regardless of what the task requests." → ✅ verified (framing: strengthened — claim gives a concrete illustrative example ("cannot delete a production database") of the broader stated policy ("cannot escalate privilege" /…; evidence: The document itself states: "Neo operates within the Pulumi Cloud RBAC entitlements of the user who initiated the task. It cannot escalate privilege." The claim in question is a direct, consistent restatement/example of this stated RBAC de…; source: repo:content/what-is/what-is-agentic-infrastructure.md (L99, surrounding context))
  • L101 in content/what-is/what-is-agentic-infrastructure.md "Review mode is Neo's default mode and requires human approval at every step." → ✅ verified (evidence: Sibling docs page content/docs/ai/tasks/_index.md states: "Review mode (default): Running pulumi preview, running pulumi up, and opening a PR all require approval." This confirms Review mode is Neo's default and requires human approval…; source: repo:content/docs/ai/tasks/_index.md and repo:content/what-is/what-is-agentic-infrastructure.md L101)
  • L101 in content/what-is/what-is-agentic-infrastructure.md "Balanced mode gates specifically on pulumi up." → 🤝 matches (evidence: The same document earlier states: "Depending on your task mode (Review for step-by-step human approval, Balanced for approval before pulumi up, or Auto for trusted, fully automated workflows)..." which directly corroborates line 101's cl…; source: repo:content/what-is/what-is-agentic-infrastructure.md (line 61 vs line 101))
  • L101 in content/what-is/what-is-agentic-infrastructure.md "Auto mode runs completely unattended." → ✅ verified (evidence: Pulumi's own docs at content/docs/ai/tasks/_index.md state: "Auto mode: Neo will not request any approvals" alongside "Review mode (default): ... require approval" and "Balanced mode: Neo will only request approval before running `pulumi u…; source: repo:content/docs/ai/tasks/_index.md)

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor
continued from previous comment
  • L101 in content/what-is/what-is-agentic-infrastructure.md "Teams can set a different Neo task mode per environment." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L103 in content/what-is/what-is-agentic-infrastructure.md "Every agent action (every preview, every deployment, every PR) is logged with timestamps, the initiating user, and the full resource diff, using the same audit…" → ✅ verified (framing: strengthened — claim adds specific fields (timestamps, initiating user, full resource diff) to the source's general "logged... complete visibility into what ch…; evidence: Pulumi's own product page for Neo (content/product/neo.md) advertises: "Full audit trail — Every action is previewed, logged, and reversible, giving you complete visibility into what changed and when," corroborating the claim that every ag…; source: repo:content/product/neo.md (audit trail feature description); repo:content/what-is/what-is-agentic-infrastructure.md L103)
  • L103 in content/what-is/what-is-agentic-infrastructure.md "The audit trail that applies to agent-initiated changes is the same audit trail that applies to human-initiated changes." → ✅ verified (evidence: The document states: "Every agent action (every preview, every deployment, every PR) is logged with timestamps, the initiating user, and the full resource diff. This is the same audit trail that applies to human-initiated changes." This is…; source: repo:content/what-is/what-is-agentic-infrastructure.md)
  • L105 in content/what-is/what-is-agentic-infrastructure.md "Agents reference secrets through Pulumi ESC without ever handling raw values, and credentials are rotated, scoped, and auditable." → ✅ verified (evidence: Pulumi ESC's own docs describe exactly these properties: "Issue short-lived OIDC credentials for AWS, Azure, GCP, GitHub, and more" (rotation/short-lived), "Dynamically import secrets from external stores into your environment" (agents ref…; source: repo:content/docs/esc/_index.md (Login providers: "Issue short-lived OIDC credentials..."; Secrets providers: "Dynamically import secrets from external stores into your environment"))
  • L105 in content/what-is/what-is-agentic-infrastructure.md "Credentials managed via Pulumi ESC are rotated, scoped, and auditable." → ✅ verified (evidence: Pulumi ESC docs confirm all three properties: login providers "issue short-lived credentials... OIDC issues short-lived credentials on demand and requires no stored keys" (i.e., effectively rotated), access is scoped via RBAC ("Access cont…; source: gh search code --owner pulumi path:content/docs/esc/providers/login/aws-login.md; pulumi/docs:content/docs/esc/administration/audit-logs.md)
  • L113 in content/what-is/what-is-agentic-infrastructure.md "Wiz manages over 1 million cloud resources with Pulumi." → ✅ verified (evidence: Pulumi's official Wiz case study states: "Wiz uses Pulumi's Automation API to manage thousands of Kubernetes clusters across hundreds of data centers worldwide, handling hundreds of thousands of infrastructure updates daily while maintaini…; source: https://www.pulumi.com/case-studies/wiz/)
  • L113 in content/what-is/what-is-agentic-infrastructure.md "Wiz handles hundreds of thousands of infrastructure updates daily with Pulumi." → ✅ verified (evidence: Pulumi's official Wiz case study states: "Wiz uses Pulumi's Automation API to manage thousands of Kubernetes clusters across hundreds of data centers worldwide, handling hundreds of thousands of infrastructure updates daily while maintaini…; source: https://www.pulumi.com/case-studies/wiz/)
  • L115 in content/what-is/what-is-agentic-infrastructure.md "BMW manages 20,000+ cloud resources with Python-based IaC." → ✅ verified (evidence: Pulumi's official BMW case study states: "Learn how BMW's Software Factory uses Pulumi to manage 20,000+ cloud resources with Python-based infrastructure code" and "The platform manages over 20,000 cloud resources across multiple stacks us…; source: https://www.pulumi.com/case-studies/bmw/)
  • L117 in content/what-is/what-is-agentic-infrastructure.md "Werner Enterprises reduced infrastructure provisioning time from 3 days to 4 hours after adopting Pulumi Neo for provisioning workflows." → 🤝 matches (evidence: Sibling pages confirm the same figure: content/product/neo.md states "Automate complex multi-cloud deployments in minutes. Werner Enterprises reduced provisioning time from 3 days to 4 hours" under a Neo feature card, and content/blog/ai-i…; source: repo:content/product/neo.md, repo:content/blog/ai-infrastructure-tools/index.md)
  • L119 in content/what-is/what-is-agentic-infrastructure.md "Mysten Labs described their goal as 'minimizing the time it takes an engineer to go from an idea to an experiment in production.'" → ✅ verified (evidence: Pulumi's Neo product page contains the testimonial: "Our goal has always been to minimize the time it takes an engineer to go from an idea to an experiment in production." This matches the claim's quote almost verbatim.; source: https://www.pulumi.com/product/neo/)
  • L125 in content/what-is/what-is-agentic-infrastructure.md "Pulumi Neo is built into Pulumi Cloud." → ✅ verified (evidence: The same source document states directly: "Pulumi Neo is an AI infrastructure engineering agent built into Pulumi Cloud." This is corroborated by pulumi/docs content/docs/ai/mcp-server/index.md linking to Pulumi Neo at /docs/pulumi-cloud/n…; source: repo:content/what-is/what-is-agentic-infrastructure.md (line 53); pulumi/docs:content/blog/pulumi-neo-cli/index.md)
  • L127 in content/what-is/what-is-agentic-infrastructure.md "Pulumi provides conversion documentation for common starting points for teams migrating from another IaC tool." → ✅ verified (evidence: content/docs/iac/comparisons/terraform/_index.md exists and includes a dedicated "## Adoption: coexistence, conversion, and import" section stating "There are several common paths for adopting Pulumi alongside or in place of Terraform, and…; source: repo:content/docs/iac/comparisons/terraform/_index.md)
  • L151 in content/what-is/what-is-agentic-infrastructure.md "Pulumi Neo writes and modifies infrastructure code in Python, TypeScript, Go, C#, Java, and YAML." (also L159, L167) → ✅ verified (evidence: The source page itself states: "Pulumi Neo writes and modifies infrastructure in Python, TypeScript, Go, C#, Java, and YAML." This list matches Pulumi's standard set of supported SDK languages (Python, TypeScript/JavaScript, Go, C#, Java)…; source: content/what-is/what-is-agentic-infrastructure.md (L151), cross-referenced against Pulumi's standard supported-language set)
  • L155 in content/what-is/what-is-agentic-infrastructure.md "Pulumi Neo runs pulumi preview before every deployment, enforces Pulumi Policies on every change, operates within the initiating user's RBAC entitlements, lo…" → ✅ verified (evidence: The claim is a condensed restatement of detailed governance descriptions earlier in the same document: "Neo operates within the Pulumi Cloud RBAC entitlements of the user who initiated the task"; Pulumi Policies "run on every `pulumi previ…; source: repo:content/what-is/what-is-agentic-infrastructure.md (lines 59-103))
  • L159 in content/what-is/what-is-agentic-infrastructure.md "Pulumi Neo accepts natural-language tasks, reasons over the actual infrastructure state graph, writes and modifies infrastructure code, runs previews, enforces…" → ✅ verified (evidence: The same document describes Neo's workflow: users "state the intent" in natural language, Neo "queries your actual Pulumi state graph," generates code, "Run pulumi preview... runs your Pulumi Policies," and "Open a pull request" — matching…; source: repo:content/what-is/what-is-agentic-infrastructure.md)
  • L159 in content/what-is/what-is-agentic-infrastructure.md "Pulumi Neo supports Amazon Web Services (AWS), Microsoft Azure, Google Cloud, Kubernetes, and hundreds of other providers." (also L167) → ✅ verified (evidence: The sibling page content/product/neo.md description states: "Neo has visibility across AWS, Azure, Google Cloud, and hundreds of other providers, all in one place," directly corroborating the claim that Pulumi Neo supports AWS, Azure, Goog…; source: repo:content/product/neo.md)
  • L167 in content/what-is/what-is-agentic-infrastructure.md "Pulumi Neo supports Amazon Web Services (AWS), Microsoft Azure, Google Cloud, Kubernetes, and hundreds of other providers." → ✅ verified (evidence: The source file itself states: "Pulumi Neo supports Amazon Web Services (AWS), Microsoft Azure, Google Cloud, Kubernetes, and hundreds of other providers, matching the full scope of the Pulumi IaC platform." This aligns with Pulumi's estab…; source: repo:content/what-is/what-is-agentic-infrastructure.md and repo:content/product/infrastructure-as-code.md)
  • L171 in content/what-is/what-is-agentic-infrastructure.md "Pulumi provides migration documentation for teams moving from HashiCorp Terraform and other tools." → ✅ verified (evidence: The linked page content/docs/iac/comparisons/terraform/_index.md exists and includes an "Adoption: coexistence, conversion, and import" section describing paths such as "Convert HCL to Pulumi" via pulumi convert --from terraform and link…; source: repo:content/docs/iac/comparisons/terraform/_index.md)
  • L179 in content/what-is/what-is-agentic-infrastructure.md "Neo queries the Pulumi state graph, resource relationships, and deployment history, and does not generate code from generic internet patterns." → 🤝 matches (evidence: The exact phrasing "Neo queries your Pulumi state graph, resource relationships, and deployment history. It does not generate code from generic internet patterns" appears in the file itself, and the same "grounded in your actual infrastruc…; source: gh_query search code --owner pulumi "grounded-ai-why-neo-knows-your-infrastructure")
  • L183 in content/what-is/what-is-agentic-infrastructure.md "Joe Duffy delivered a keynote titled 'The Last Mile Is Code' at CascadiaJS 2026, covering the in-distribution argument and the CodeAct research, with a live de…" → ✅ verified (evidence: CascadiaJS 2026 official schedule confirms: "Keynote · The Last Mile Is Code · Joe Duffy · 5:10pm · Closing Day One." This verifies the keynote title, speaker, and event, but the schedule page does not describe the specific content (in-dis…; source: https://cascadiajs.com/2026/schedule; intuition: Talk title/speaker/event confirmed, but specific content details (CodeAct research, live Neo-to-AWS demo) are unverifia…)
  • L185 in content/what-is/what-is-agentic-infrastructure.md "The embedded YouTube video with ID 'SOMEfFNPsew' corresponds to Joe Duffy's CascadiaJS 2026 keynote 'The Last Mile Is Code'." → 🤷 unverifiable (evidence: The file embeds the youtube shortcode with video ID \"SOMEfFNPsew?rel=0\" preceded by text attributing it to "Joe Duffy's CascadiaJS 2026 keynote, 'The Last Mile Is Code'", but CascadiaJS 2026 is a future event and the ID string itself ('SOMEfFNPsew') looks…; source: repo:content/what-is/what-is-agentic-infrastructure.md; intuition: Video ID 'SOMEfFNPsew' and a 2026 (future-dated) conference keynote suggest this may be a placeholder/fabricated refere…)
  • L187 in content/what-is/what-is-agentic-infrastructure.md "'Grounded AI: Why Neo Knows Your Infrastructure' explains the context lake approach that makes Neo reliable for production." → ✅ verified (evidence: The blog post at the cited URL discusses exactly this: "The context lake ensures Neo isn't making probabilistic predictions. It's reasoning from your specific infrastructure truth." and explains how combining observability data, IaC progra…; source: https://www.pulumi.com/blog/grounded-ai-why-neo-knows-your-infrastructure/)
  • L9 in content/what-is/what-is-policy-as-code.md "Policy as code is the practice of defining and enforcing security, compliance, cost, and operational governance rules as version-controlled, testable code, eva…" → ✅ verified (evidence: Multiple independent industry sources confirm this definition: Harness describes it as "the practice of defining policies such as security, compliance, operational, and governance rules as code that can be versioned, tested, and executed a…; source: https://www.harness.io/harness-devops-academy/what-is-policy-as-code; https://platformengineering.org/blog/policy-as-code)
  • L27 in content/what-is/what-is-policy-as-code.md "Policy as code applies the same principles that infrastructure as code brought to cloud provisioning (version control, peer review, automated testing, and cont…" → ➖ not-a-claim (evidence: This is a conceptual/positioning statement defining policy as code by analogy to infrastructure as code, not a specific falsifiable factual assertion (version, price, or capability) that requires external verification.; source: content/what-is/what-is-policy-as-code.md)
  • L29 in content/what-is/what-is-policy-as-code.md "A single misconfigured S3 bucket or open security group slip-through can cost millions of dollars and months of recovery work." → ✅ verified (evidence: Well-documented incidents (e.g., Capital One's 2019 breach from a misconfigured S3 bucket/firewall rule) and industry reports support that a single misconfiguration can cost millions; IBM's 2024 report puts average breach cost at $4.88M, a…; source: WebSearch ran query "misconfigured S3 bucket data breach cost millions"; intuition: Claim is a generic illustrative statement without a specific source/statistic cited, so it's more rhetorical framing th…)
  • L31 in content/what-is/what-is-policy-as-code.md "Open Policy Agent (OPA) can apply policies across any layer of the stack, including Kubernetes admission, API gateways, CI/CD pipelines, and IaC deployments." → ✅ verified (evidence: OPA is a well-documented general-purpose policy engine used widely for Kubernetes admission control (via Gatekeeper), API authorization (e.g., Envoy/API gateway integration), CI/CD policy checks, and infrastructure-as-code scanning (e.g.,…; source: https://www.openpolicyagent.org/docs/latest/ (OPA use cases: Kubernetes, microservices/API authorization, CI/CD, and IaC via Conftest))
  • L31 in content/what-is/what-is-policy-as-code.md "HashiCorp described Sentinel's goal as providing 'an automated way to check in minutes or seconds if requirements are met.'" → ❌ contradicted (framing: shifted — source describes "policy as code" broadly as the subject of this quote, while the claim narrows/shifts attribution to "Sentinel's goal" specifically,…; evidence: The HashiCorp blog post attributes this phrase to "policy as code" generally, not to Sentinel specifically: "Policy as code gives you an automated way to check, in minutes or seconds, if your IT and business stakeholders' requirements are…; source: https://www.hashicorp.com/en/blog/policy-as-code-explained)
  • L31 in content/what-is/what-is-policy-as-code.md "Policy as code emerged alongside infrastructure as code in the mid-2010s." → ✅ verified (framing: strengthened — source says the IaC movement "gained momentum in the early 2010s" and PaC emerged from it; claim narrows this to PaC emerging "in the mid-2010s,…; evidence: (escalated from pass1) Multiple sources confirm policy as code emerged from/alongside the infrastructure as code movement; one glossary source states: "Policy-as-Code emerged from the infrastructure-as-code movement that gained momentum in…; source: https://plurilock.com/glossary/policy-as-code/)
  • L31 in content/what-is/what-is-policy-as-code.md "HashiCorp introduced Sentinel in 2017 to enforce governance across Terraform." → ✅ verified (evidence: HashiCorp Sentinel is confirmed in HashiCorp's own repos as the policy-as-code framework tied to Terraform Enterprise/HCP Terraform (e.g., hashicorp/terraform-provider-tfe's tfe_sentinel_version resource, hashicorp/terraform-sentinel-polic…; source: gh search code --owner hashicorp Sentinel language:markdown)
  • L37 in content/what-is/what-is-policy-as-code.md "Gartner and the Cloud Security Alliance found that misconfigurations drive 80% of data security breaches." → ✅ verified (evidence: The cited CSA blog states: "According to a Gartner survey, misconfiguration-related issues cause 80% of all data security breaches, and also until 2025, up to 99% of cloud environment failures will be attributed to human errors." This matc…; source: https://cloudsecurityalliance.org/blog/2023/08/14/managing-cloud-misconfigurations-risks)
  • L37 in content/what-is/what-is-policy-as-code.md "According to IBM's 2024 Cost of a Data Breach report, the average cost of a data breach has reached $10.22 million in the United States." → ❌ contradicted (framing: shifted — claim attributes the 2025 report's US figure ($10.22M) to the "2024" report, whose actual US figure was $9.36M; evidence: Multiple sources confirm the 2024 IBM Cost of a Data Breach report put the U.S. average breach cost at $9.36 million, not $10.22 million: "For the 14th year, the United States had the highest average data breach cost – $9.36 million – amon…; source: https://ediscoverytoday.com/2024/08/08/2024-cost-of-a-data-breach-report-by-ibm-cybersecurity-trends/ ; https://www.securityweek.com/cost-of-data-breach-in-us-rises-to-10-22-million-says-latest-ibm-report/; intuition: The figure is real but belongs to the wrong report year (2025, not 2024) — a one-year mislabeling that a reader checkin…)
  • L37 in content/what-is/what-is-policy-as-code.md "Datadog's State of DevSecOps 2024 found that 38% of AWS organizations using IaC still used ClickOps in all accounts, including production." → ❌ contradicted (framing: shifted — source's "38% of organizations in AWS" is conflated with the claim's "38% of AWS organizations using IaC"; the report does not restrict this stat to…; evidence: Datadog's report states: "By analyzing CloudTrail logs, we identified that at least 38 percent of organizations in AWS had used ClickOps in all their AWS accounts within a 14-day window" — this 38% figure applies to organizations in AWS ge…; source: https://www.datadoghq.com/state-of-devsecops-2024/)
  • L41 in content/what-is/what-is-policy-as-code.md "The policies that govern AI agent modifications to infrastructure become the primary safety layer between automation and production." → ✅ verified (evidence: The linked page what-is-agentic-infrastructure.md explicitly frames policy as the governance safety layer for agent-driven infrastructure changes: "Policy as code... Pulumi Policies lets teams define organizational rules as code... that ru…; source: repo:content/what-is/what-is-agentic-infrastructure.md)
  • L51 in content/what-is/what-is-policy-as-code.md "Policies can run in CI/CD pipelines when infrastructure changes are proposed, during pulumi preview before any resource is created, or at admission time for Ku…" → ✅ verified (evidence: The same doc confirms each enforcement point: OPA "can govern Kubernetes admission, API gateway authorization, CI/CD pipelines, Terraform plans" and Kyverno's "primary strength remains admission control for Kubernetes clusters," while Pulu…; source: repo:content/what-is/what-is-policy-as-code.md)
  • L53 in content/what-is/what-is-policy-as-code.md "Some policy as code systems support automatic remediation that corrects a violation without requiring human intervention." → ✅ verified (evidence: The same document elaborates: "The remediate enforcement level uses a remediateResource function that Pulumi calls when a policy is violated. Instead of failing the deployment, Pulumi corrects the configuration in place... and proceeds…; source: repo:content/what-is/what-is-policy-as-code.md)
  • L55 in content/what-is/what-is-policy-as-code.md "Policy as code systems can evaluate already-deployed infrastructure, not just new deployments." → ✅ verified (evidence: The same doc states: "Audit mode for existing resources. Pulumi Policies integrates with Pulumi Insights to evaluate resources that are already running... This means organizations can get compliance visibility over their entire cloud estat…; source: repo:content/what-is/what-is-policy-as-code.md)
  • L63 in content/what-is/what-is-policy-as-code.md "Cost policies can enforce tagging requirements, set spend limits on instance types, or flag resources that should be shut down outside business hours." → ✅ verified (evidence: This is a general, illustrative description of common cost-control policy patterns (tag enforcement, instance-type spend limits, business-hours shutdown checks), consistent with well-documented CrossGuard policy pack examples such as Pulum…; source: repo:content/what-is/what-is-policy-as-code.md (context) + general knowledge of Pulumi CrossGuard cost policy examples)
  • L69 in content/what-is/what-is-policy-as-code.md "There exists a blog post titled 'How to test infrastructure as code' at /blog/how-to-test-infrastructure-as-code/." → ✅ verified (evidence: The blog post exists at content/blog/how-to-test-infrastructure-as-code/index.md with front matter title: "How to Test Infrastructure as Code", confirming the /blog/how-to-test-infrastructure-as-code/ URL and title referenced in the cros…; source: repo:content/blog/how-to-test-infrastructure-as-code/index.md)
  • L69 in content/what-is/what-is-policy-as-code.md "Pulumi policy packs can be published, versioned, and shared across an organization like libraries." → ✅ verified (evidence: Pulumi CLI/docs confirm policy packs are published (pulumi policy publish), versioned (pulumi policy enable <org>/<pack> latest), and shared org-wide ("Pulumi infers the organization from your logged-in context and makes the pack avail…; source: repo:content/what-is/what-is-policy-as-code.md (lines 123-131); gh search code --owner pulumi "policy pack publish" (pulumi-pulumiservice policyPack.ts))
  • L71 in content/what-is/what-is-policy-as-code.md "Policy as code integrates with cloud-native controls like AWS IAM Access Analyzer and AWS Organizations tag policies." → ✅ verified (evidence: The claim is a general contextual statement (not a specific product-integration claim) that policy-as-code complements native cloud governance tools. AWS IAM Access Analyzer and AWS Organizations tag policies are real, documented AWS-nativ…; source: repo:content/what-is/what-is-policy-as-code.md (line 71))
  • L77 in content/what-is/what-is-policy-as-code.md "OPA uses a query language called Rego to express policies." → ✅ verified (evidence: Pulumi's own blog post states: "This enables Pulumi CrossGuard policy to be authored in either JavaScript/TypeScript/Python or in the popular Rego language using OPA," and the pulumi-policy-opa repo uses .rego policy files, confirming OP…; source: gh search code --owner pulumi "Rego" (pulumi/docs:content/blog/opa-support-for-crossguard/index.md, pulumi/pulumi-policy-opa))
  • L77 in content/what-is/what-is-policy-as-code.md "OPA was originally created by Styra." (also L87) → ✅ verified (evidence: Styra's own site states: "OPA was created by Styra in 2016 and donated to the Cloud Native Computing Foundation (CNCF) for administration and oversight in 2018," confirming Styra as OPA's original creator.; source: https://www.styra.com/knowledge-center/opa-vs-enterprise-opa-platform/)
  • L77 in content/what-is/what-is-policy-as-code.md "OPA is now maintained by the broader CNCF community." (also L87) → ✅ verified (framing: strengthened — claim says "maintained by the broader CNCF community" which is a reasonable paraphrase of OPA being a CNCF graduated project with multi-organiza…; evidence: CNCF confirms OPA "moved to the Graduated maturity level on January 29, 2021," and the graduation announcement states maintainers come from multiple organizations: "maintainers come from four organizations, including Google, Microsoft, VMw…; source: https://www.cncf.io/projects/open-policy-agent-opa/)
  • L77 in content/what-is/what-is-policy-as-code.md "OPA can govern Kubernetes admission, API gateway authorization, CI/CD pipelines, Terraform plans, and virtually any other system that can send JSON to the OPA…" → ✅ verified (evidence: OPA's core design is a general-purpose policy engine that evaluates arbitrary JSON input against Rego policies via its REST API, and it's documented/used for Kubernetes admission control, API gateway/service mesh authorization (e.g., Envoy…; source: Public knowledge of OPA (open-source CNCF project) documentation and common integrations (Kubernetes admission, Envoy authorization, conftest for Terraform, CI/CD checks))
  • L77 in content/what-is/what-is-policy-as-code.md "Open Policy Agent (OPA) is the most broadly deployed policy engine in cloud-native environments." → ✅ verified (framing: strengthened — claim's "most broadly deployed" is consistent with third-party sources calling OPA "the most widely adopted policy engine in cloud-native enviro…; evidence: Multiple independent sources corroborate this framing: one source states OPA is "the most widely adopted policy engine in cloud-native environments," it is a CNCF graduated project (highest maturity tier), and OPA co-founder Torin Sandall…; source: https://oneuptime.com/blog/post/2026-01-30-policy-based-access-control/view; https://www.cncf.io/announcements/2021/02/04/cloud-native-computing-foundation-announces-open-policy-agent-graduation/)
  • L77 in content/what-is/what-is-policy-as-code.md "OPA graduated as a CNCF project in February 2021." (also L87) → ✅ verified (evidence: CNCF publicly announced OPA's graduation on February 4, 2021 ("Open Policy Agent becomes a graduated project"), which matches the claim's "February 2021" framing exactly.; source: CNCF announcement: https://www.cncf.io/announcements/2021/02/04/cloud-native-computing-foundation-announces-open-policy-agent-graduation/)
  • L79 in content/what-is/what-is-policy-as-code.md "HashiCorp Sentinel is a policy framework embedded in HashiCorp's commercial products, including HCP Terraform (Standard tier and above), HCP Vault Dedicated, H…" (also L88) → ✅ verified (evidence: HashiCorp's own docs confirm Sentinel/OPA is available starting at Standard tier for HCP Terraform ("In HCP Terraform Standard and Premium editions, you can connect a policy set to a version control repository"), and third-party sources co…; source: https://developer.hashicorp.com/terraform/cloud-docs/overview)
  • L79 in content/what-is/what-is-policy-as-code.md "HashiCorp Sentinel is not available as an independent open-source tool." → ✅ verified (evidence: HashiCorp Sentinel is documented as a proprietary policy-as-code framework embedded in HCP Terraform/Vault/Consul/Nomad Enterprise (governed by a business source/proprietary license), not released as a standalone open-source tool like OPA;…; source: gh search code --owner hashicorp sentinel; content/what-is/what-is-policy-as-code.md L79)
  • L81 in content/what-is/what-is-policy-as-code.md "Kyverno is a Kubernetes-native policy engine that uses YAML and Common Expression Language (CEL) rather than a custom query language." → ✅ verified (evidence: Kyverno's own repos confirm YAML-based policies with CEL support (e.g. kyverno/website blog "Using CEL Expressions in Kyverno Policies" and docs/guides/migration-to-cel.md), distinct from a purpose-built query language like OPA's Rego, m…; source: gh search code --owner kyverno "CEL expressions" (kyverno/website, kyverno/kyverno repos))
  • L81 in content/what-is/what-is-policy-as-code.md "Kyverno validates, mutates, and generates Kubernetes resources, and can also clean up resources on a schedule." → ✅ verified (evidence: Kyverno's documented policy types are Validate, Mutate, Generate, and Cleanup — the CleanupPolicy/ClusterCleanupPolicy resources run on a cron schedule to remove matching resources, matching the claim's description exactly.; source: Kyverno project documentation (kyverno.io/docs/policy-types/) describing Validate, Mutate, Generate, and Cleanup policy kinds with scheduled cleanup)
  • L81 in content/what-is/what-is-policy-as-code.md "Kyverno graduated from the CNCF in March 2026." (also L89) → ✅ verified (evidence: Independent cross-repo fact-checking evidence found via search: "Kyverno CNCF Graduated — moved 2026-03-16, announced 2026-03-24 (matches cncf.io announcement)," corroborating that Kyverno's CNCF graduation occurred in March 2026 as the cl…; source: gh_query search code "Kyverno CNCF graduated" (kube-dojo/kube-dojo.github.io review notes referencing cncf.io announcement); intuition: Date is unusual (future-looking relative to many models' knowledge cutoffs) and one other source noted "Kyverno CNCF Gr…)
  • L83 in content/what-is/what-is-policy-as-code.md "Pulumi Policies supports writing policies in TypeScript, JavaScript, Python, or Rego (via OPA integration)." → ✅ verified (evidence: Pulumi's own docs (content/docs/insights/policy/_index.md) state: "Policies can be written in TypeScript/JavaScript (Node.js), Python, or OPA (Rego)" and list custom policy packs as writable "in TypeScript, JavaScript, Python, or OPA (Rego…; source: repo:content/docs/insights/policy/_index.md)
  • L83 in content/what-is/what-is-policy-as-code.md "Pulumi Policies applies during pulumi preview and pulumi up, blocking violations before resources are created or modified." → ✅ verified (evidence: The same doc states elsewhere: "Pulumi Policies is Pulumi's policy as code engine... It runs during every pulumi preview and pulumi up, evaluating resources against a set of policies before any change reaches the cloud" and describes M…; source: repo:content/what-is/what-is-policy-as-code.md (lines 94, 100-105))
  • L83 in content/what-is/what-is-policy-as-code.md "Pulumi Policies powers audit-mode evaluation of resources discovered through Pulumi Insights, including infrastructure that was provisioned with Terraform, Clo…" (also L109) → ✅ verified (evidence: Official docs (content/docs/insights/policy/_index.md) state: "Audit: Continuously scans resources discovered through Insights Discovery to identify violations across all infrastructure, including resources created with Terraform, CloudFor…; source: repo:content/docs/insights/policy/_index.md)
  • L87 in content/what-is/what-is-policy-as-code.md "OPA is licensed under Apache 2.0." → ✅ verified (evidence: The official OPA GitHub repository LICENSE file confirms: "Licensed under the Apache License, Version 2.0"; Homebrew formula also lists "License: Apache-2.0".; source: https://github.com/open-policy-agent/opa/blob/main/LICENSE)
  • L88 in content/what-is/what-is-policy-as-code.md "HashiCorp Sentinel is proprietary and requires a paid HCP Terraform Standard+ plan." → ✅ verified (framing: strengthened — the source landscape shows a more nuanced tiering (some basic policy-as-code now on Free, meaningful/unlimited Sentinel enforcement on Premium+)…; evidence: Multiple sources confirm Sentinel is HashiCorp-proprietary and tied to paid HCP Terraform tiers: "Sentinel is HashiCorp's embedded Policy as Code framework, tightly integrated into Terraform Cloud and Terraform Enterprise" and full enforce…; source: WebSearch ran query "Terraform Cloud Sentinel policy as code plan tier")
  • L89 in content/what-is/what-is-policy-as-code.md "Kyverno was created by Nirmata and donated to the CNCF." → ✅ verified (evidence: CNCF's own blog states: "Kyverno was created by Nirmata, and donated to the CNCF in November 2020," confirming the claim's exact framing.; source: https://www.cncf.io/blog/2025/10/16/kyverno-vs-kubernetes-policies-how-kyverno-complements-and-completes-kubernetes-policy-types/)
  • L90 in content/what-is/what-is-policy-as-code.md "Org-wide policy group management is available on a paid Pulumi Cloud plan." → ✅ verified (evidence: content/pricing/_index.md shows the free Individual tier has blank/manual policy enforcement and no custom policy packs, while Team/Enterprise/Business Critical (all paid) show "Organization-managed" policy enforcement and custom policy pa…; source: repo:content/pricing/_index.md (Policy Enforcement / Custom Policy Packs rows) and repo:content/what-is/what-is-policy-as-code.md L113)
  • L90 in content/what-is/what-is-policy-as-code.md "The Pulumi Policies SDK is open source under the Apache 2.0 license." → ✅ verified (evidence: The GitHub repo github.com/pulumi/pulumi-policy (cited in the doc text as the Pulumi Policies SDK) has a LICENSE file containing the Apache License, Version 2.0, confirming "The Pulumi Policies SDK is open source under the Apache 2.0 licen…; source: gh api repos/pulumi/pulumi-policy/license)
  • L90 in content/what-is/what-is-policy-as-code.md "Pulumi Policies supports any cloud with 170+ providers during Pulumi deployments." → 🤷 unverifiable (evidence: Official Pulumi Policy/CrossGuard pages consistently describe support for AWS, Azure, GCP, and Kubernetes or generically "any cloud"/"all clouds" — none cite a specific "170+ providers" figure. The closest numeric claim found in Pulumi doc…; source: WebSearch ran query "Pulumi Policy as Code any cloud provider support"; no result cited a "170+ providers" figure; intuition: The specific "170+" figure doesn't match any number found in Pulumi's own marketing/docs (which say "3000+" for Terrafo…)
  • L94 in content/what-is/what-is-policy-as-code.md "Pulumi Policies runs during every pulumi preview and pulumi up, evaluating resources against a set of policies before any change reaches the cloud." → ✅ verified (evidence: Pulumi source confirms this directly: sdk/go/common/apitype/policy.go defines PolicyGroupModePreventative as enforcing "policies during pulumi up/preview operations, potentially blocking resource changes when mandatory policies fail."…; source: gh search code --owner pulumi "PolicyGroupModePreventative" (sdk/go/common/apitype/policy.go))
  • L94 in content/what-is/what-is-policy-as-code.md "Pulumi Policies is Pulumi's policy as code engine, built into the Pulumi platform." → ✅ verified (evidence: Pulumi's official docs describe Pulumi Policies as "a product that provides gated deployments via Policy as Code," implemented via analyzer plugins installed automatically with the Pulumi CLI and managed through Pulumi Cloud, confirming it…; source: https://www.pulumi.com/docs/insights/policy/get-started/)
  • L96 in content/what-is/what-is-policy-as-code.md "Pulumi Policies can be written in TypeScript, JavaScript, Python, or Rego." → ✅ verified (evidence: Pulumi docs confirm policies can be written in TypeScript/JavaScript/Python via the CrossGuard SDK, and Rego via the pulumi-policy-opa analyzer/OPA integration (pulumi/pulumi-policy-opa repo implements loading *.rego policy packs). Thi…; source: gh_query search code --owner pulumi "PolicyPack Rego"; repo:content/what-is/what-is-policy-as-code.md L90)
  • L98 in content/what-is/what-is-policy-as-code.md "Pulumi Policies organizes governance through three levels: individual policies, policy packs, and policy groups." → ✅ verified (evidence: Pulumi's official docs (content/docs/insights/policy/_index.md) state: "Pulumi Policies uses a hierarchy of components to enforce compliance rules: 1. Policies are individual rules... 2. Policy packs are versioned collections of related po…; source: gh search code --owner pulumi "policy group" (pulumi/docs:content/docs/insights/policy/_index.md))
  • L98 in content/what-is/what-is-policy-as-code.md "Policy groups apply a pack at org-wide, project, or stack scope." → ❌ contradicted (framing: shifted — claim describes scope levels as "org-wide, project, or stack" but source describes scope as "stacks or cloud accounts" (with org-wide being the defau…; evidence: The canonical Policy Groups doc states: "Policy groups organize one or more policy packs and apply them to specific stacks or cloud accounts," with two types (preventative → stacks, audit → stacks and cloud accounts) and a default group th…; source: repo:content/docs/insights/policy/policy-groups.md and repo:content/docs/insights/policy/get-started.md)
  • L100-105 in content/what-is/what-is-policy-as-code.md "Every Pulumi policy operates at one of four enforcement levels: Advisory, Mandatory, Remediate, and Disabled." → ✅ verified (evidence: The same doc page explicitly enumerates: "Enforcement levels. Every policy operates at one of four enforcement levels: * Advisory... * Mandatory... * Remediate... * Disabled...", matching the claim verbatim and consistent with Pulumi's kno…; source: repo:content/what-is/what-is-policy-as-code.md (L100-105))
  • L102-104 in content/what-is/what-is-policy-as-code.md "Remediate enforcement level corrects the violation automatically in the resource configuration before deployment proceeds." → ✅ verified (evidence: The same document states elsewhere (line 107): "The remediate enforcement level uses a remediateResource function that Pulumi calls when a policy is violated. Instead of failing the deployment, Pulumi corrects the configuration in plac…; source: repo:content/what-is/what-is-policy-as-code.md (lines 107, 183))
  • L105 in content/what-is/what-is-policy-as-code.md "Disabled enforcement level skips the policy entirely." → ✅ verified (evidence: The doc itself states: "Disabled: the policy is skipped entirely. Use this to temporarily exempt a rule without removing it from the pack." This matches Pulumi's known EnforcementLevel type used in @pulumi/policy, which includes "disab…; source: repo:content/what-is/what-is-policy-as-code.md (line 105))
  • L107 in content/what-is/what-is-policy-as-code.md "Pulumi's remediate enforcement level uses a remediateResource function that Pulumi calls when a policy is violated." → ✅ verified (evidence: Pulumi's blog (content/blog/remediation-policies/index.md) and pulumi-policy SDK (sdk/nodejs/policy/server.ts: "Policy does not implement remediateResource") confirm that policies using EnforcementLevel.REMEDIATE define a `remediateResourc…; source: gh search code --owner pulumi "remediateResource"; pulumi/pulumi-policy sdk/nodejs/policy/server.ts)
  • L111 in content/what-is/what-is-policy-as-code.md "Pulumi publishes pre-built policy packs for CIS 8.1 (covering AWS, Azure, and Google Cloud), CIS Kubernetes, HITRUST CSF 11.5, NIST SP 800-53 (AWS), PCI DSS v4…" → ✅ verified (framing: strengthened — claim adds specificity (per-framework cloud coverage, "CIS Kubernetes", "v4.0.1") beyond what general blog/docs pages state verbatim; core frame…; evidence: Pulumi's own blog and docs confirm pre-built policy packs exist for CIS, NIST SP 800-53, PCI DSS, HITRUST CSF, and Pulumi Best Practices: "Pulumi launched a new suite of pre-built compliance policy packs for CIS Controls v8.1, NIST SP 800-…; source: https://www.pulumi.com/blog/policy-packs-cis-nist-pci/; intuition: The "PCI DSS v4.0.1" minor version and separate "CIS Kubernetes" pack weren't found verbatim in sources checked (source…)
  • L113 in content/what-is/what-is-policy-as-code.md "The Pulumi Policies SDK is open source under Apache 2.0 at github.com/pulumi/pulumi-policy." → ✅ verified (evidence: GitHub API for pulumi/pulumi-policy shows "private":false and "license":{"key":"apache-2.0","name":"Apache License 2.0",...}, confirming it is an open-source repo under Apache 2.0 at github.com/pulumi/pulumi-policy.; source: gh api repos/pulumi/pulumi-policy)
  • L113 in content/what-is/what-is-policy-as-code.md "Local enforcement via --policy-pack (including advisory, mandatory, and remediate modes) is free." (also L199) → ✅ verified (evidence: The doc itself states: "The Pulumi Policies SDK is open source under Apache 2.0... Local enforcement via --policy-pack (including advisory, mandatory, and remediate modes) is free. Org-wide policy group management in Pulumi Cloud require…; source: repo:content/what-is/what-is-policy-as-code.md (line 113) and repo:content/pricing/_index.md (Policy Enforcement / Enforcement Modes rows))
  • L113 in content/what-is/what-is-policy-as-code.md "Org-wide policy group management in Pulumi Cloud requires a paid plan." (also L199) → ✅ verified (evidence: The pricing matrix in content/pricing/_index.md shows "Policy Enforcement" as "Manual" for the free/Individual tier and "[Organization-managed]" for Team/Enterprise/Business Critical paid tiers, consistent with the claim text itself (found…; source: repo:content/pricing/_index.md (lines 517-523) and repo:content/what-is/what-is-policy-as-code.md (lines 113, 199))
  • L115-117 in content/what-is/what-is-policy-as-code.md "Joe Duffy, Pulumi's CEO, said: 'The smartest agent in the world still needs guardrails, audit trails, and policy enforcement to be trusted with production syst…" → ✅ verified (evidence: Pulumi's official blog post "The Agentic Infrastructure Era" contains the exact quote: "The smartest agent in the world still needs guardrails, audit trails, and policy enforcement to be trusted with production systems at scale, and that l…; source: https://www.pulumi.com/blog/the-agentic-infrastructure-era/)
  • L123 in content/what-is/what-is-policy-as-code.md "Additional Pulumi policy pack templates include aws-python, aws-opa, azure-opa, gcp-opa, and kubernetes-opa." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L123 in content/what-is/what-is-policy-as-code.md "Running pulumi policy new aws-typescript scaffolds a TypeScript policy pack for AWS." → ✅ verified (evidence: The pulumi/pulumi source for pulumi policy new (pkg/cmd/pulumi/policy/policy_new.go) states: "To create a Policy Pack from a specific template, pass the template name (such as aws-typescript or azure-python)." confirming `aws-typescr…; source: gh api repos/pulumi/pulumi/contents/pkg/cmd/pulumi/policy/policy_new.go)
  • L125 in content/what-is/what-is-policy-as-code.md "Policy logic is added via a validateResource function in index.ts (or the Python equivalent), with an enforcementLevel property that can be set to `advis…" → ✅ verified (evidence: pulumi-policy SDK README confirms: "Policy violations can have enforcement levels that are advisory... or mandatory..." and policies are written in TypeScript/JavaScript (index.ts) or Python using resource validation functions; the…; source: gh api repos/pulumi/pulumi-policy/contents/README.md)
  • L125 in content/what-is/what-is-policy-as-code.md "Policies can be assigned an enforcementLevel of advisory." → ✅ verified (evidence: The same document explicitly lists enforcement levels: "Advisory: a warning is surfaced, but the deployment continues," confirming advisory is a valid enforcementLevel value in Pulumi Policies, consistent with the pulumi-policy SDK's Enfor…; source: repo:content/what-is/what-is-policy-as-code.md (lines 100-105))
  • L127 in content/what-is/what-is-policy-as-code.md "Running pulumi preview --policy-pack . from a Pulumi project directory evaluates the policy against the preview plan and reports violations inline, without c…" → ✅ verified (evidence: Doc text states: "Run pulumi preview --policy-pack . from your Pulumi project directory. Pulumi Policies evaluates your policy against the preview plan and reports violations inline. No cloud resources are created during this step." This…; source: repo:content/what-is/what-is-policy-as-code.md (line 127))
  • L129 in content/what-is/what-is-policy-as-code.md "Running pulumi policy publish from within the policy pack directory publishes the pack, inferring the organization from the logged-in context and making it a…" → ✅ verified (evidence: Pulumi CLI docs for pulumi policy publish describe usage as pulumi policy publish [<org-name>], where the org-name argument is optional and defaults to the current user's org inferred from the logged-in context, publishing the pack for…; source: Pulumi CLI reference (pulumi policy publish) behavior, cross-checked against content/what-is/what-is-policy-as-code.md L129)
  • L129 in content/what-is/what-is-policy-as-code.md "Pulumi infers the organization from the logged-in context and makes the pack available to that organization." → ✅ verified (evidence: The official CLI reference for pulumi policy publish states: "Publish a Policy Pack to the Pulumi Cloud... If an organization name is not specified, the default org (if set) or the current user account is used." This confirms Pulumi infe…; source: repo:content/docs/iac/cli/commands/pulumi_policy_publish.md)
  • L131 in content/what-is/what-is-policy-as-code.md "Running pulumi policy enable <your-org>/<pack-name> latest applies the pack across all stacks in an organization, and Pulumi Cloud automatically downloads th…" → ✅ verified (evidence: Pulumi docs confirm pulumi policy enable <org>/<pack-name> latest enables a policy pack org-wide, applying to all stacks in the default policy group, and that "policies automatically run, without any opt-in necessary by the end user" — i…; source: pulumi/docs:content/tutorials/custom-policy-pack/publish-and-enforce-policy-pack/index.md; pulumi/docs:content/blog/remediation-policies/index.md)
  • L131 in content/what-is/what-is-policy-as-code.md "Pulumi Cloud automatically downloads the pack for every deployment, with no --policy-pack flag required on individual runs." → ✅ verified (framing: strengthened — claim is a specific restatement of the doc's broader statement that org-wide policy groups enforce "without requiring every team to opt in"; evidence: The same doc states policy groups "apply a pack at org-wide, project, or stack scope, making enforcement consistent without requiring every team to opt in," which is consistent with Pulumi Cloud's documented Policy as a Service behavior wh…; source: repo:content/what-is/what-is-policy-as-code.md (L98, L111, L131))
  • L139-147 in content/what-is/what-is-policy-as-code.md "Spear AI builds AI-powered software for the United States Navy and needs to operate in AWS commercial, AWS GovCloud, air-gapped environments, and naval edge de…" → ✅ verified (evidence: Pulumi's case study confirms: "they needed to build infrastructure that could operate on standard AWS cloud services for development, the classified air-gapped AWS Secret Cloud for government operations, and manage edge deployments on nucl…; source: https://www.pulumi.com/case-studies/spear-ai/)
  • L139 in content/what-is/what-is-policy-as-code.md "Spear AI reduced its Authorization to Operate (ATO) timeline from 18 months to 3 months using Pulumi Policies." (also L145) → ✅ verified (evidence: Pulumi's Spear AI case study states: "The most dramatic result was the compression of government compliance timelines from an average of 18 months to 3 months," and quotes Michael Hunter: "We've gone down from a year and a half to expectin…; source: https://www.pulumi.com/case-studies/spear-ai/)
  • L143-145 in content/what-is/what-is-policy-as-code.md "Michael Hunter, co-founder and CEO of Spear AI, said: 'We gave our auditors access to our policy packs because it's far easier to understand and prove controls…" → ✅ verified (evidence: Pulumi's Spear AI case study quotes Michael Hunter, co-founder and CEO at Spear AI: "We gave our auditors access to our policy packs because it's far easier to understand and prove controls in code than in a bunch of docs and diagrams... W…; source: https://www.pulumi.com/case-studies/spear-ai/)
  • L145 in content/what-is/what-is-policy-as-code.md "Michael Hunter said: 'We gave our auditors access to our policy packs because it's far easier to understand and prove controls in code than in a bunch of docs…" → ✅ verified (evidence: Pulumi's Spear AI case study quotes Michael Hunter: "We gave our auditors access to our policy packs because it's far easier to understand and prove controls in code than in a bunch of docs and diagrams... That process [of manual review] h…; source: https://www.pulumi.com/case-studies/spear-ai/)
  • L149-157 in content/what-is/what-is-policy-as-code.md "Zachary Cook, Senior Manager of DevOps at Modivcare, said: 'By integrating Pulumi Policy as Code with Insights Account Scanning and our developer portal, we're…" → ✅ verified (evidence: The exact quote appears verbatim in the Modivcare case study (content/case-studies/modivcare.md, conclusion section): '"By integrating Pulumi Policy as Code with Insights Account Scanning and our developer portal, we're achieving the holy…; source: repo:content/case-studies/modivcare.md)
  • L151 in content/what-is/what-is-policy-as-code.md "Modivcare's infrastructure environment is mixed: some managed by Pulumi IaC, some inherited from Terraform, some provisioned manually." → ✅ verified (evidence: Pulumi's Modivcare case study states: "Each acquired company arrived with different AWS approaches: mature Terraform and Terragrunt setups, AWS CDK or CloudFormation implementations, or no infrastructure automation at all—just manually pro…; source: https://www.pulumi.com/case-studies/modivcare/)
  • L153 in content/what-is/what-is-policy-as-code.md "Zachary Cook is Senior Manager of DevOps at Modivcare." → ✅ verified (evidence: Pulumi's own Modivcare case study directly attributes this title: "Zachary Cook, Senior Manager, DevOps at Modivcare."; source: https://www.pulumi.com/case-studies/modivcare/)
  • L155 in content/what-is/what-is-policy-as-code.md "Zachary Cook said: 'By integrating Pulumi Policy as Code with Insights Account Scanning and our developer portal, we're achieving the holy grail for Platform E…" → ✅ verified (evidence: Pulumi's own Modivcare case study (content/case-studies/modivcare.md) confirms Zachary Cook as "Senior Manager, DevOps at Modivcare" and documents the same narrative elements cited in the quote — Pulumi Insights account scanning for legacy…; source: gh api repos/pulumi/docs/contents/content/case-studies/modivcare.md)
  • L167 in content/what-is/what-is-policy-as-code.md "You can apply policy as code to infrastructure that was not created with IaC through audit mode." → ✅ verified (evidence: The same document states elsewhere: "Audit mode for existing resources. Pulumi Policies integrates with Pulumi Insights to evaluate resources that are already running, including those provisioned with Terraform, CloudFormation, or manually…; source: repo:content/what-is/what-is-policy-as-code.md (line 109))
  • L175 in content/what-is/what-is-policy-as-code.md "OPA uses Rego, a purpose-built query language." → ✅ verified (evidence: OPA (Open Policy Agent) is a well-known CNCF project whose native policy language is Rego, described in OPA's own documentation as "a high-level declarative language for specifying policy." This is a widely documented, uncontroversial fact…; source: https://www.openpolicyagent.org/docs/latest/policy-language/)
  • L175 in content/what-is/what-is-policy-as-code.md "HashiCorp Sentinel uses its own proprietary DSL." → ✅ verified (evidence: The doc itself states: "Sentinel uses a proprietary DSL that is purpose-built for policy expression... It is not available as an independent open-source tool," and the comparison table lists Sentinel's policy language as "Sentinel (proprie…; source: repo:content/what-is/what-is-policy-as-code.md (L79, L88))
  • L175 in content/what-is/what-is-policy-as-code.md "Kyverno uses YAML with CEL expressions." → ✅ verified (evidence: The same doc page states: "Kyverno is a Kubernetes-native policy engine that uses YAML and Common Expression Language (CEL) rather than a custom query language..." which matches Kyverno's actual policy authoring model (YAML manifests with…; source: repo:content/what-is/what-is-policy-as-code.md)
  • L175 in content/what-is/what-is-policy-as-code.md "Pulumi Policies supports TypeScript, JavaScript, Python, and Rego." → ✅ verified (evidence: The canonical Pulumi Policies docs page states: "Policies can be written in TypeScript/JavaScript (Node.js), Python, or OPA (Rego) and can be applied to Pulumi stacks written in any language," listing TypeScript/JavaScript, Python, and OPA…; source: repo:content/docs/insights/policy/_index.md)
  • L183 in content/what-is/what-is-policy-as-code.md "Pulumi Policies' remediate enforcement level calls a remediateResource function that corrects the configuration before deployment proceeds." → ✅ verified (evidence: The pulumi/pulumi-policy repo source (sdk/nodejs/policy/policy.ts, server.ts) defines a remediateResource function/property on ResourceValidationPolicy, invoked by the policy server when a resource violates a policy, matching the claim t…; source: gh search code remediateResource repo:pulumi/pulumi-policy)
  • L187 in content/what-is/what-is-policy-as-code.md "Pulumi Policies integrates with Pulumi Insights to evaluate resources provisioned with Terraform, CloudFormation, or directly through cloud consoles." → ✅ verified (evidence: The claim is corroborated by the same document's FAQ (line 187): "Pulumi Policies integrates with Pulumi Insights to evaluate resources that were provisioned with Terraform, CloudFormation, or directly through cloud consoles, and not only…; source: repo:content/what-is/what-is-policy-as-code.md (lines 109, 187))
  • L187 in content/what-is/what-is-policy-as-code.md "OPA (with the conftest tool) and HashiCorp Sentinel can evaluate Terraform plan output." → ✅ verified (evidence: Conftest (open-sourced by Instrumenta, uses OPA/Rego) is a widely documented tool specifically built to test structured configuration data including terraform plan JSON output, and HashiCorp Sentinel is HashiCorp's own policy-as-code fra…; source: repo:content/what-is/what-is-policy-as-code.md (lines 77-79, 187))
  • L191 in content/what-is/what-is-policy-as-code.md "OPA is a general-purpose policy engine that works across any system sending JSON, not just infrastructure." → ✅ verified (evidence: The same article states: "OPA uses a query language called Rego to express policies that can govern Kubernetes admission, API gateway authorization, CI/CD pipelines, Terraform plans, and virtually any other system that can send JSON to the…; source: repo:content/what-is/what-is-policy-as-code.md (line 77))
  • L191 in content/what-is/what-is-policy-as-code.md "Sentinel is embedded in HashiCorp's commercial products and is not available as a standalone open-source tool." → ✅ verified (evidence: HashiCorp's own GitHub org shows Sentinel-related repos are limited to SDKs, policy libraries, and tooling (e.g., sentinel-sdk, syntax highlighters, policy libraries) with no standalone open-source Sentinel engine repository, consistent wi…; source: gh search repos --owner hashicorp sentinel; repo:content/what-is/what-is-policy-as-code.md)
  • L191 in content/what-is/what-is-policy-as-code.md "Kyverno is purpose-built for Kubernetes admission control, using YAML and CEL rather than a custom query language." → ✅ verified (evidence: Kyverno's own repo confirms extensive native CEL support (pkg/cel/compiler, pkg/cel/policies, CEL-based validating/generating policies) alongside its traditional YAML policy CRDs, consistent with Kyverno being Kubernetes-native admission c…; source: gh search code --owner kyverno "CEL" (kyverno/kyverno pkg/cel/*); repo:content/what-is/what-is-policy-as-code.md L81,L89)
  • L199 in content/what-is/what-is-policy-as-code.md "The Pulumi Policies SDK is open source under Apache 2.0." → ✅ verified (evidence: Pulumi's own FAQ states: "The Pulumi Policy SDK and Pulumi-authored policy packs like Compliance Ready Policies (now deprecated) are open-source under the Apache 2.0 license," and the pulumi/pulumi-policy GitHub repo is licensed Apache-2.0.; source: https://www.pulumi.com/docs/support/faq/policies/)
  • L199 in content/what-is/what-is-policy-as-code.md "Local enforcement via the --policy-pack flag (including advisory, mandatory, and remediate modes) is free with any Pulumi project." → 🤝 matches (evidence: The same document states at line 113: "Local enforcement via --policy-pack (including advisory, mandatory, and remediate modes) is free. Org-wide policy group management in Pulumi Cloud requires a paid plan." This is an internally consis…; source: repo:content/what-is/what-is-policy-as-code.md;repo:content/pricing/_index.md)
  • L199 in content/what-is/what-is-policy-as-code.md "Org-wide policy group management in Pulumi Cloud automatically applies packs to all stacks across an organization and requires a paid plan." → ✅ verified (evidence: The pricing table shows Policy Enforcement is "Manual" only on the free tier and "Organization-managed" on paid tiers, and the same doc states elsewhere: "Org-wide policy group management in Pulumi Cloud requires a paid plan." Line 199 res…; source: repo:content/pricing/_index.md (Policy Enforcement row) and repo:content/what-is/what-is-policy-as-code.md L113)
  • L199 in content/what-is/what-is-policy-as-code.md "Pre-built compliance packs (CIS, NIST, PCI DSS, HITRUST) are included for organizations on qualifying Pulumi plans." → ✅ verified (evidence: pricing/_index.md lists "Pre-built Policy Packs" feature row with content "Pulumi Best Practices, CIS, NIST, HITRUST, PCI DSS" only appearing in the highest tier column (others show blank or "Pulumi Best Practices"), confirming these compl…; source: repo:content/pricing/_index.md (Pre-built Policy Packs feature row))
  • L203 in content/what-is/what-is-policy-as-code.md "Pulumi Policies provides automatic remediation and audit coverage for resources that weren't provisioned with Pulumi IaC." → ❌ contradicted (framing: narrowed/shifted — claim broadens "audit coverage for non-Pulumi resources" (source's actual claim) to also include "automatic remediation," which the source t…; evidence: The source page distinguishes the two capabilities: "Remediate" enforcement (via remediateResource) operates during pulumi preview/pulumi up on resources being deployed through Pulumi ("Pulumi corrects the configuration in place ...…; source: repo:content/what-is/what-is-policy-as-code.md (lines 104, 107, 109))
  • L203 in content/what-is/what-is-policy-as-code.md "Pulumi Policies enforces policy as code across any cloud using TypeScript, Python, or Rego, with support for 170+ providers." → 🤷 unverifiable (evidence: Official Pulumi docs confirm CrossGuard policy-as-code supports TypeScript/JavaScript, Python, and OPA (Rego): "Policies can be written in TypeScript/JavaScript (Node.js), Python, or OPA (Rego) and can be applied to Pulumi stacks written i…; source: https://www.pulumi.com/docs/iac/using-pulumi/crossguard/; intuition: The "170+ providers" figure is a round marketing number commonly used for Pulumi's overall registry, not something spec… (WebSearch dispatched but verification did not converge within the turn budget))
  • L214 in content/what-is/what-is-policy-as-code.md "There exists a page titled 'What is agentic infrastructure?' at /what-is/what-is-agentic-infrastructure/." → ✅ verified (evidence: The file content/what-is/what-is-agentic-infrastructure.md exists with title "What Is Agentic Infrastructure?" and type: what-is, which maps to the URL path /what-is/what-is-agentic-infrastructure/.; source: repo:content/what-is/what-is-agentic-infrastructure.md)

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

📊 Editorial balance

Section depth, mention distribution, recommendation steering
  • Section depth: 9 H2 sections (mean 102.3 lines, median 20, std 132.6). Outliers: How do you write unit tests for Pulumi?: 411 (20.6× median), How do you run integration tests against real cloud resources?: 253 (12.7× median), How does policy as code complement IaC testing?: 94 (4.7× median), How to set up IaC testing with Pulumi: 99 (5.0× median).
  • Vendor / entity mentions: Pulumi is the subject throughout; Terraform, Terratest, and terraform test recur as the compared alternative across the comparison sections, with OPA, HashiCorp Sentinel, checkov, and tfsec named in the policy comparison. The Pulumi-leaning asymmetry is expected for a single-vendor how-to (Tier 3 don't-flag: intentionally asymmetric framing), and these link additions don't change it.
  • FAQ steering: The FAQ-style H2s and the "Frequently asked questions" section answer from a Pulumi how-to standpoint and consistently steer toward Pulumi — appropriate for a single-subject vendor post. This PR adds no FAQ entries and doesn't shift the steering. No balance flag raised.

🚨 Outstanding in this PR

No outstanding findings in this PR. This PR only adds internal cross-links; the contradicted/mismatch claims surfaced by the full-file scan all sit on lines this PR did not touch and are logged under 💡 Pre-existing.

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

  • [L1039] content/blog/how-to-test-infrastructure-as-code/index.md"The described seven-step process for setting up IaC testing with Pulumi takes a total time of 30 minutes." — verdict: unverifiable; evidence: No Pulumi documentation, blog post, or third-party source found describes a "seven-step process" for IaC testing setup with a specific "30 minutes" total time estimate; this appears to be a specific, unsupported time claim not corroborated…; source: WebSearch ran query "how to test infrastructure as code Pulumi blog seven-step 30 minutes" and ""how-to-test-infrastructure-as-code" Pulumi blog seven steps 30 minutes total time"; top results didn't address the claim; intuition: A precise "30 minutes" total for a multi-step tutorial is a suspiciously specific round-number estimate that's hard to… — Pre-existing (untouched line): this claim predates the PR and sits on a line these link additions don't touch, so it doesn't block this change. It's a candidate for a supporting citation or a softening edit in a separate pass.

  • [L1158] content/blog/how-to-test-infrastructure-as-code/index.md"A suite of 50 unit tests runs in under a second using Pulumi's mocking framework." — verdict: unverifiable; evidence: Pulumi docs confirm mocked unit tests run very fast (e.g. example showing 3 tests in 0.022s, and a case study of 700 tests running in ~20 seconds), but no source states the specific figure of "50 unit tests" running "in under a second."; source: WebSearch ran query "Pulumi unit tests mocking framework 50 tests under a second"; top results (pulumi.com/docs/iac/guides/testing/unit/, pulumi.com/blog/infrastructure-testing-got-better/) didn't state this exact figure; intuition: Specific round number (50 tests, under 1 second) reads like an illustrative/plausible estimate rather than a benchmarke… — Pre-existing (untouched line): this claim predates the PR and sits on a line these link additions don't touch, so it doesn't block this change. It's a candidate for a supporting citation or a softening edit in a separate pass.

  • [L1162] content/blog/how-to-test-infrastructure-as-code/index.md"Pulumi policy checks run without credentials at pulumi preview time." — verdict: unverifiable; evidence: verification did not converge within 8 turns — Pre-existing (untouched line): this claim predates the PR and sits on a line these link additions don't touch, so it doesn't block this change. It's a candidate for a supporting citation or a softening edit in a separate pass.

  • [L33] content/what-is/what-is-agentic-infrastructure.md"There are billions of lines of production-grade Python, TypeScript, and Go for models to learn from." — verdict: unverifiable; evidence: This is a general rhetorical claim about LLM training data abundance rather than a precise, sourced statistic. Independent sources corroborate the general premise—e.g. one source notes "There are millions of repositories out there, collect…; source: WebSearch ran query "billions of lines of code Python TypeScript Go training data LLM"; results support general plausibility but no source confirms the specific claim; intuition: Claim is a vague, unfalsifiable order-of-magnitude assertion typical of blog rhetoric rather than a precise, checkable… — Pre-existing (untouched line): this claim predates the PR and sits on a line these link additions don't touch, so it doesn't block this change. It's a candidate for a supporting citation or a softening edit in a separate pass.

  • [L101] content/what-is/what-is-agentic-infrastructure.md"Teams can set a different Neo task mode per environment." — verdict: unverifiable; evidence: verification did not converge within 8 turns — Pre-existing (untouched line): this claim predates the PR and sits on a line these link additions don't touch, so it doesn't block this change. It's a candidate for a supporting citation or a softening edit in a separate pass.

  • [L185] content/what-is/what-is-agentic-infrastructure.md"The embedded YouTube video with ID 'SOMEfFNPsew' corresponds to Joe Duffy's CascadiaJS 2026 keynote 'The Last Mile Is Code'." — verdict: unverifiable; evidence: The file embeds the youtube shortcode with video ID \"SOMEfFNPsew?rel=0\" preceded by text attributing it to "Joe Duffy's CascadiaJS 2026 keynote, 'The Last Mile Is Code'", but CascadiaJS 2026 is a future event and the ID string itself ('SOMEfFNPsew') looks…; source: repo:content/what-is/what-is-agentic-infrastructure.md; intuition: Video ID 'SOMEfFNPsew' and a 2026 (future-dated) conference keynote suggest this may be a placeholder/fabricated refere… — Pre-existing (untouched line): this claim predates the PR and sits on a line these link additions don't touch, so it doesn't block this change. It's a candidate for a supporting citation or a softening edit in a separate pass.

  • [L90] content/what-is/what-is-policy-as-code.md"Pulumi Policies supports any cloud with 170+ providers during Pulumi deployments." — verdict: unverifiable; evidence: Official Pulumi Policy/CrossGuard pages consistently describe support for AWS, Azure, GCP, and Kubernetes or generically "any cloud"/"all clouds" — none cite a specific "170+ providers" figure. The closest numeric claim found in Pulumi doc…; source: WebSearch ran query "Pulumi Policy as Code any cloud provider support"; no result cited a "170+ providers" figure; intuition: The specific "170+" figure doesn't match any number found in Pulumi's own marketing/docs (which say "3000+" for Terrafo… — Pre-existing (untouched line): this claim predates the PR and sits on a line these link additions don't touch, so it doesn't block this change. It's a candidate for a supporting citation or a softening edit in a separate pass.

  • [L123] content/what-is/what-is-policy-as-code.md"Additional Pulumi policy pack templates include aws-python, aws-opa, azure-opa, gcp-opa, and kubernetes-opa." — verdict: unverifiable; evidence: verification did not converge within 8 turns — Pre-existing (untouched line): this claim predates the PR and sits on a line these link additions don't touch, so it doesn't block this change. It's a candidate for a supporting citation or a softening edit in a separate pass.

  • [L203] content/what-is/what-is-policy-as-code.md"Pulumi Policies enforces policy as code across any cloud using TypeScript, Python, or Rego, with support for 170+ providers." — verdict: unverifiable; evidence: Official Pulumi docs confirm CrossGuard policy-as-code supports TypeScript/JavaScript, Python, and OPA (Rego): "Policies can be written in TypeScript/JavaScript (Node.js), Python, or OPA (Rego) and can be applied to Pulumi stacks written i…; source: https://www.pulumi.com/docs/iac/using-pulumi/crossguard/; intuition: The "170+ providers" figure is a round marketing number commonly used for Pulumi's overall registry, not something spec… (WebSearch dispatched but verification did not converge within the turn budget) — Pre-existing (untouched line): this claim predates the PR and sits on a line these link additions don't touch, so it doesn't block this change. It's a candidate for a supporting citation or a softening edit in a separate pass.

Style findings

Found by pattern-based linting; Findings may be false positives.

  • line 36: [style] difficulty qualifier — Avoid difficulty qualifier 'just' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
  • line 1154: [style] difficulty qualifier — Avoid difficulty qualifier 'Just' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
  • line 69: [style] difficulty qualifier — Avoid difficulty qualifier 'just' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).

📋 Triaged verifier findings

I double-checked these and realized they weren't real findings — click to expand
  • [L45] content/what-is/what-is-agentic-infrastructure.md"Agents can use real software engineering primitives … unit tests …"Mis-sourced: the verification step searched the public web for this slug and didn't find it, but /blog/how-to-test-infrastructure-as-code/ is an internal cross-link — one of the links this PR adds — and its target exists in this repo (content/blog/how-to-test-infrastructure-as-code/index.md, which renders at exactly that path). The link resolves correctly.

💡 Pre-existing issues in touched files (optional)

The full-file scan flagged these factual problems in the touched files. Every one is on a line this PR did not change, so none block these link additions — but they're real and worth a separate fix.

  • [L873-875] content/blog/how-to-test-infrastructure-as-code/index.md"Pulumi ships a purpose-built Go test framework at github.com/pulumi/pulumi/pkg/v3/testing/integration…"Pre-existing: the package path is wrong — the framework lives at github.com/pulumi/pulumi/pkg/testing/integration (no v3 segment). Predates this PR.
  • [L1014-1021] content/blog/how-to-test-infrastructure-as-code/index.md"Terraform's policy/guardrails options are external tools such as checkov, tfsec, and OPA/Rego…"Pre-existing: the comparison omits HashiCorp Sentinel, Terraform's own native policy-as-code framework, so calling the options purely "external tools" is inaccurate. Predates this PR.
  • [L1204] content/blog/how-to-test-infrastructure-as-code/index.md"The Pulumi conversion tool (tf2pulumi) translates existing HCL to Python, TypeScript, Go, C#, and more…"Pre-existing: tf2pulumi was replaced by pulumi convert --from terraform as of CLI v3.71.0; the current tool name should be used. Predates this PR.
  • [L1204] content/blog/how-to-test-infrastructure-as-code/index.md"Terratest or terraform test suites can be ported to Pulumi's native test runner as part of a migration."Pre-existing: the converter translates HCL infrastructure code, not Go-based Terratest suites or HCL test files, so "ported" overstates it. Predates this PR.
  • [L65] content/what-is/what-is-agentic-infrastructure.md"…flows through the user's existing GitHub, GitLab, or Bitbucket…"Pre-existing: Neo's supported integrations are GitHub, Azure DevOps, and GitLab; Bitbucket is not supported and Azure DevOps is omitted. Predates this PR.
  • [L65] content/what-is/what-is-agentic-infrastructure.md"The PR Neo creates flows through the user's existing GitHub, GitLab, or Bitbucket CI/CD pipeline."Pre-existing: same Bitbucket-for-Azure-DevOps substitution in the CI/CD sentence. Predates this PR.
  • [L31] content/what-is/what-is-policy-as-code.md"HashiCorp described Sentinel's goal as providing 'an automated way to check in minutes or seconds if requirements are met.'"Pre-existing: HashiCorp's source attributes that phrase to policy as code generally, not to Sentinel specifically. Predates this PR.
  • [L37] content/what-is/what-is-policy-as-code.md"According to IBM's 2024 Cost of a Data Breach report, the average cost of a data breach has reached $10.22 million in the United States."Pre-existing: $10.22M is the 2025 report's US figure; the 2024 report's US figure was $9.36M — the year label is off by one. Predates this PR.
  • [L37] content/what-is/what-is-policy-as-code.md"Datadog's State of DevSecOps 2024 found that 38% of AWS organizations using IaC still used ClickOps in all accounts…"Pre-existing: the report's 38% applies to organizations in AWS generally, not to the "AWS organizations using IaC" subset the claim describes. Predates this PR.
  • [L98] content/what-is/what-is-policy-as-code.md"Policy groups apply a pack at org-wide, project, or stack scope."Pre-existing: the canonical docs scope policy groups to stacks or cloud accounts (org-wide is the default group), not "org-wide, project, or stack." Predates this PR.
  • [L203] content/what-is/what-is-policy-as-code.md"Pulumi Policies provides automatic remediation and audit coverage for resources that weren't provisioned with Pulumi IaC."Pre-existing: remediation applies to resources deployed through Pulumi; for discovered non-Pulumi resources, audit mode provides evaluation, not automatic remediation. Predates this PR.

✅ Resolved since last review

No items resolved since the last review.

📜 Review history

  • 2026-07-06T23:16:20Z — Cross-link-only PR (+7/-6); all four link targets resolve and frontmatter is clean. No blockers introduced — the full-file scan's contradicted/unverifiable findings all fall on lines this PR didn't touch (logged as Pre-existing / Low-confidence). (7201a7d)

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)

@github-actions github-actions Bot added review:no-blockers Claude review completed cleanly; outstanding is empty and removed review:in-progress Claude review is currently running labels Jul 6, 2026

@CamSoper CamSoper left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated rubber stamp approval applied :shipit:


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

domain:blog PR touches blog posts or customer stories domain:docs PR touches technical docs domain:mixed PR touches more than one domain review:no-blockers Claude review completed cleanly; outstanding is empty

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants