Agent triages a blocked image and opens a base-image bump PR
When the CVE gate blocks an image, an agent investigates which dependencies introduced the Critical vulnerabilities and determines whether a fixed version exists.
How it runs
The automated pipeline, trigger to output.
- Trigger: Webhook: blocked-image scan report (HTTP webhook)
- Action: Agent maps CVEs to packages and checks for fixes
- Logic: Branch: auto-fixable bump vs needs human
- Action: Open remediation PR with base-image bumps (GitHub)
- Output: File Linear issue for unfixable CVEs (Linear)
What it does
Moves from alerting to acting. Instead of only telling someone an image is blocked, an agent reads the scan findings, traces each Critical CVE to its source package, checks for an available fixed version, and drafts the remediation as a pull request.
When to use it
Use it when blocked images pile up waiting on an engineer to manually figure out the fix. Best for routine base-image and dependency CVEs where the remedy is a version bump rather than a code change.
How it works
1. A webhook trigger delivers the blocked-image scan report from the gate.
2. The agent maps each Critical CVE to the offending package and layer and looks up whether a patched version is published.
3. A logic branch splits findings into auto-fixable bumps versus issues needing human judgment.
4. For fixable cases the agent edits the Dockerfile or manifest and opens a GitHub PR with the proposed bumps and a CVE-by-CVE rationale.
5. An output action files a Linear issue for any unfixable CVEs, linking the PR and the original scan so the loop is never silently dropped.
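As an added illustration (not the product's own code), a Python sketch of steps 2 to 4 over a constructed Trivy-style scan report: it groups Critical CVEs by package and layer, picks the single bump that clears all of them, and separates packages with no published fix for the human branch. The report layout, the placeholder CVE ids and the simplified version comparison are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed Trivy-style scan report for illustration; the CVE ids are placeholders.
SCAN_REPORT = json.loads("""
{"ArtifactName": "registry.example/app:1.4.2",
 "Results": [{"Target": "registry.example/app:1.4.2 (debian 12.5)", "Class": "os-pkgs",
   "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.11-1",
     "FixedVersion": "3.0.13-1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libssl3", "InstalledVersion": "3.0.11-1",
     "FixedVersion": "3.0.12-1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g", "InstalledVersion": "1:1.2.13.dfsg-1",
     "FixedVersion": "", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "curl", "InstalledVersion": "7.88.1-10",
     "FixedVersion": "7.88.1-11", "Severity": "HIGH"}]}]}
""")

def version_key(v):
    """Rough ordering used to pick the highest fixed version (assumption:
    a real agent should defer to the distro comparator, e.g. dpkg)."""
    return [(1, int(x)) if x.isdigit() else (0, x) for x in re.split(r"[^0-9A-Za-z]+", v) if x]

def triage(report, severity="CRITICAL"):
    """Steps 2 and 3: map each Critical CVE to its package and layer, then split
    packages into auto-fixable bumps and ones that need a human."""
    by_pkg = defaultdict(list)
    for result in report["Results"]:
        for v in result.get("Vulnerabilities", []):
            if v["Severity"] == severity:
                by_pkg[(result["Target"], v["PkgName"])].append(v)
    fixable, needs_human = {}, {}
    for (target, pkg), vulns in by_pkg.items():
        fixed = [v["FixedVersion"] for v in vulns if v.get("FixedVersion")]
        if len(fixed) == len(vulns):
            # One bump must clear every CVE on the package, so take the highest fix.
            fixable[pkg] = {"layer": target, "from": vulns[0]["InstalledVersion"],
                            "to": max(fixed, key=version_key),
                            "cves": sorted(v["VulnerabilityID"] for v in vulns)}
        else:
            needs_human[pkg] = [v["VulnerabilityID"] for v in vulns if not v.get("FixedVersion")]
    return fixable, needs_human

def pr_rationale(fixable):
    """Step 4: one CVE-by-CVE rationale line per bump for the PR body."""
    return [f"- {pkg}: {d['from']} -> {d['to']} (fixes {', '.join(d['cves'])}) in {d['layer']}"
            for pkg, d in sorted(fixable.items())]

if __name__ == "__main__":
    fix, human = triage(SCAN_REPORT)
    print("\n".join(pr_rationale(fix)))
    print("needs human:", human)  # these become the Linear issue in step 5
```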
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: Trigger any URL on agent actions.
2. Connect GitHub: Repos, issues, pull requests, actions.
3. Connect Linear: Issues, projects, cycles, triage.
4. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
5. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
6. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.