DEVOPS
Route blocked images through a Slack approval before promotion
When an image fails the CVE gate, posts an interactive approval request to a Slack security channel.
How it runs
The automated pipeline, trigger to output.
- TriggerWebhook: failed-scan payload from CIHTTP webhook
- ActionPost approval request to Slack security channelSlack
- LogicBranch: approved, denied, or timed out?
- ActionPromote image and log time-boxed exceptionSlack
- OutputNotify requester of final decisionSlack
What it does
Adds a human override to the automated gate. Not every Critical CVE is exploitable in your context, so this lets a security approver consciously waive a finding in Slack instead of forcing an out-of-band manual deploy.
When to use it
Use it when a hard block is too rigid — you want the gate to stay strict by default but allow an accountable, audited exception path for false positives or accepted risk.
How it works
- 1A webhook trigger receives a failed-scan payload from your CI gate (image, CVE IDs, requester).
- 2An action posts an interactive Slack message to the security channel with Approve and Deny buttons and the CVE details.
- 3A logic branch waits for and routes on the approver's choice.
- 4On approval, an action promotes the image to staging and records the exception with approver, reason, and expiry.
- 5On denial or timeout, an output action notifies the requester in Slack that the image stays blocked, with the logged rationale.
Set it up
What you configure once, before turning it on.
- 1Connect HTTP webhookTrigger any URL on agent actions.
- 2Connect SlackChannels, DMs, threads, mentions.
- 3Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 4Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 5Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More DevOps workflows
Slack-approved pause for idle Hugging Face Spaces
On a daily scan it finds idle paid Spaces and posts an interactive Slack approval; on approve it pauses the Space and logs the decision to a GitHub issue audit trail.
Block costly Hugging Face Space hardware upgrades in PR review
When a pull request changes a Space's hardware config, it estimates the new monthly cost and posts a GitHub PR comment that flags upgrades crossing a budget ceiling.
Hugging Face Spaces idle-runtime sweep with auto-pause
On a schedule, scans all Hugging Face Spaces for ones running idle past a threshold, pauses them to stop billing, and posts a Slack summary with the estimated monthly savings.
Open a Zoom war-room from a Datadog multi-alert storm
When a Datadog monitor crosses a critical threshold, this workflow dedupes against active incidents, and only for a genuinely new outage it creates a Zoom bridge.
Auto-spin a Zoom war-room when PagerDuty hits SEV-1
When a PagerDuty incident escalates to a critical severity, this workflow creates a dedicated Zoom meeting and posts the bridge link to the incident's Slack channel so responders…
Spin up a war-room on demand from a Slack slash command
When an engineer runs a Slack command, this workflow creates a Zoom bridge, opens a tracking Sentry-linked incident, files a Linear issue for follow-up.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.