DEVOPS

Daily base-image CVE drift scan into Datadog

Each morning, re-scans every base image your running services depend on and emits CVE counts as Datadog metrics so you can chart vulnerability drift and alert when a budget…

CategoryDevOps

Enginesim

Difficultyintermediate

Triggerschedule

Steps5

Setup~15 min

How it runs

The automated pipeline, trigger to output.

TriggerDaily schedule
ActionRead in-use base image inventoryGitHub
ActionRe-scan each image for new CVEsGitHub
LogicTally severity counts per image
OutputEmit CVE drift metrics to DatadogDatadog

What it does

New CVEs are disclosed against images you already shipped. This scheduled workflow walks your inventory of base images, re-scans each one against the latest vulnerability feed, and pushes severity counts as tagged metrics into Datadog. You get a time series of vulnerability drift per service, plus a monitor-ready signal when an image crosses its severity budget after the fact.

When to use it

Use it for continuous posture monitoring between deploys. A base image that passed the gate last week may fail today as new CVEs land. This catches that drift without waiting for the next build.

How it works

1A daily schedule triggers the run.
2An action reads the list of base images currently in use.
3For each image, an action runs a fresh CVE scan and counts by severity.
4The workflow emits per-image, per-severity counts as Datadog metrics with service tags.
5A final step flags any image now over budget for Datadog monitor evaluation.

Set it up

What you configure once, before turning it on.

1
Connect DatadogMetrics, traces, log search.
2
Connect GitHubRepos, issues, pull requests, actions.
3
Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
4
Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
5
Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More DevOps workflows

Block costly Hugging Face Space hardware upgrades in PR review

When a pull request changes a Space's hardware config, it estimates the new monthly cost and posts a GitHub PR comment that flags upgrades crossing a budget ceiling.

Auto-spin a Zoom war-room when PagerDuty hits SEV-1

When a PagerDuty incident escalates to a critical severity, this workflow creates a dedicated Zoom meeting and posts the bridge link to the incident's Slack channel so responders…

Page on-call when a Hugging Face Space build is stuck or errored

Polls Hugging Face Space runtime status on a schedule and opens a PagerDuty incident when a Space sits in a build or error state past a deadline, with a Slack heads-up.

Slack-approved pause for idle Hugging Face Spaces

On a daily scan it finds idle paid Spaces and posts an interactive Slack approval; on approve it pauses the Space and logs the decision to a GitHub issue audit trail.

Hugging Face Spaces idle-runtime sweep with auto-pause

On a schedule, scans all Hugging Face Spaces for ones running idle past a threshold, pauses them to stop billing, and posts a Slack summary with the estimated monthly savings.

Open a Zoom war-room from a Datadog multi-alert storm

When a Datadog monitor crosses a critical threshold, this workflow dedupes against active incidents, and only for a genuinely new outage it creates a Zoom bridge.

Browse all DevOps →

Run it inside a business

This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Finance

Research & Trading Desk

Governance-first research, execution, and risk — every trade on the audit trail.

Operations

Internal Operations

Runbooks, on-call, vendor management — disciplined and audited.

Software

Agent Hive runs Agent Hive

The team that built Agent Hive, exactly as it runs today.

Browse all business templates →Solutions by industry →

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the Waitlist Browse all workflows →