Last Saturday, at the AWS Community Day Brasília, I ran a workshop that combined two things I'm passionate about: open source contribution and AI-powered productivity.

The goal was simple and ambitious: take a real project, understand the codebase, select a viable issue, and submit a legitimate Pull Request — all live, using Kiro as my right hand.

The project I chose was ScanAPI (scanapi.dev) — the first Brazilian project to receive GitHub sponsorship. Created by Camila Maia, it's a Python tool for chained API testing via YAML. It runs from the CLI, integrates into CI/CD pipelines, automatically redacts sensitive data, and generates visual reports. A serious project with worldwide contributors.

I started by asking Kiro to analyze open issues. It brought back 3 candidates. Issue 957 (replace a deprecated library) looked perfect — but when we checked GitHub, we found a PR had been open for 3 weeks, just awaiting review. Issue 901 too. This was the real-world scenario: your first pick doesn't always work. I had to refine the request: "find open issues with no PR and no assignee."

That's when it found issue 916 — a Docker Hub Image Hash Dependency Check bug. Commit 392 had introduced hash validation in the Dockerfile for security (OpenSSF Scorecard, a Linux Foundation project), but in release 2.13, pip and setuptools became outdated, breaking the build. The temporary fix was removing hashes and publishing manually. The project was left vulnerable.
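
To make the "left vulnerable" state concrete, here is an added example (not code from ScanAPI, Kiro, or OpenSSF Scorecard) of a simplified pinning check that flags Dockerfile base images without a `sha256` digest and `pip install` commands without `--require-hashes`. The Dockerfile content, function names, and finding messages are assumptions constructed for illustration.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
PIP_INSTALL = re.compile(r"\bpip3?\s+install\b")

# Constructed Dockerfile for illustration; NOT ScanAPI's real Dockerfile.
SAMPLE = "\n".join([
    "FROM python:3.11-slim",
    "FROM python:3.11-slim@sha256:" + "0" * 64 + " AS build",  # placeholder digest
    "RUN pip install --upgrade pip setuptools",
    "RUN pip install --require-hashes -r requirements.txt \\",
    "    && pip install scanapi",
    "FROM build",
])

def logical_lines(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield start, buf + line
            buf = ""

def find_unpinned(text):
    """Return (line, reason) for each base image or pip install lacking a hash pin."""
    findings, stages = [], set()
    for n, instr in logical_lines(text):
        parts = instr.split()
        op = parts[0].upper()
        if op == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]
            image = args[0] if args else ""
            # "scratch" and earlier build-stage aliases are not registry pulls.
            local = image.lower() == "scratch" or image.lower() in stages
            if image and not local and not DIGEST.search(image):
                findings.append((n, "base image not pinned by digest"))
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
        elif op == "RUN":
            # Check every command in a chained RUN, not just the first one.
            for cmd in re.split(r"&&|;", instr[3:]):
                if PIP_INSTALL.search(cmd) and "--require-hashes" not in cmd:
                    findings.append((n, "pip install without --require-hashes"))
    return findings
```

Running `find_unpinned(SAMPLE)` reports lines 1, 3 and 4: the untagged-by-digest base image, the pip/setuptools bootstrap step, and the second command chained onto an otherwise hash-checked install.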