DEVOPS
Block PRs when base-image CVEs exceed severity budget
Scans the base image referenced in a pull request's Dockerfile and sets a failing GitHub status check when high or critical CVEs exceed your configured budget.
How it runs
The automated pipeline, trigger to output.
- TriggerPull request opened or updatedGitHub
- LogicFilter: Dockerfile changed in diff
- ActionResolve base image and scan for CVEsGitHub
- LogicCompare severity counts to budget
- OutputSet commit status and post PR commentGitHub
What it does
On every pull request that touches a Dockerfile, this workflow resolves the `FROM` base image, runs a vulnerability scan, and counts findings by severity. If the count breaks your budget (for example, zero criticals and at most three highs), it posts a failing commit status so the PR cannot merge. Clean images get a passing check and a short comment with the CVE tally.
When to use it
Use it as a required status check on repos that build container images. It stops a risky base bump from sneaking in during a routine feature PR, and gives reviewers an inline summary instead of forcing them to read raw scanner output.
How it works
- 1A pull request event fires from GitHub when files change.
- 2A filter checks whether a Dockerfile is in the diff; non-Docker PRs exit early.
- 3An action pulls the base image tag and runs the CVE scan, returning counts per severity.
- 4A branch compares the counts against the configured budget thresholds.
- 5The workflow posts a pass/fail commit status plus a summary comment back to the PR.
Set it up
What you configure once, before turning it on.
- 1Connect GitHubRepos, issues, pull requests, actions.
- 2Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 3Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 4Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More DevOps workflows
Slack-approved pause for idle Hugging Face Spaces
On a daily scan it finds idle paid Spaces and posts an interactive Slack approval; on approve it pauses the Space and logs the decision to a GitHub issue audit trail.
Block costly Hugging Face Space hardware upgrades in PR review
When a pull request changes a Space's hardware config, it estimates the new monthly cost and posts a GitHub PR comment that flags upgrades crossing a budget ceiling.
Hugging Face Spaces idle-runtime sweep with auto-pause
On a schedule, scans all Hugging Face Spaces for ones running idle past a threshold, pauses them to stop billing, and posts a Slack summary with the estimated monthly savings.
Open a Zoom war-room from a Datadog multi-alert storm
When a Datadog monitor crosses a critical threshold, this workflow dedupes against active incidents, and only for a genuinely new outage it creates a Zoom bridge.
Auto-spin a Zoom war-room when PagerDuty hits SEV-1
When a PagerDuty incident escalates to a critical severity, this workflow creates a dedicated Zoom meeting and posts the bridge link to the incident's Slack channel so responders…
Spin up a war-room on demand from a Slack slash command
When an engineer runs a Slack command, this workflow creates a Zoom bridge, opens a tracking Sentry-linked incident, files a Linear issue for follow-up.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.