DEVOPS
Block staging promotion when a pushed image has Critical CVEs
When a new container image is pushed to the registry, scan it for vulnerabilities and only promote it to the staging environment if no Critical CVEs are found.
How it runs
The automated pipeline, trigger to output.
- Trigger (GitHub): Image pushed to GitHub container registry
- Action (Shell): Scan image digest for CVEs (Trivy)
- Logic: Branch: Critical CVE count == 0?
- Action (GitHub): Retag image staging-ready and deploy
- Output (PagerDuty): Page on-call with blocked image + CVE list
What it does
Gates the staging deploy on a clean vulnerability scan. Every freshly built image is scanned before it is allowed to move from the build registry into staging, so a Critical CVE never lands on a shared environment by accident.
When to use it
Run this when your CI pushes images on every merge to `main` and you want an automated security checkpoint between build and staging — without a human manually reading scan reports.
How it works
1. A GitHub package (container registry) push event fires the workflow with the new image digest and tag.
2. A shell step runs your scanner (e.g. `trivy image --severity CRITICAL --format json`) against the digest and emits structured findings.
3. A logic branch checks the Critical count: zero means proceed, one or more means block.
4. On a clean scan, an action promotes the image by retagging it `staging-ready` and triggering the staging deploy.
5. On a failed scan, PagerDuty is paged with the image, CVE IDs, and the GitHub run link so on-call can triage immediately.
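As an added example (not part of the original workflow and not Trivy's own code), the branch in step 3 written as a Python gate over a Trivy JSON report: the report, image reference, digest and CVE IDs are constructed placeholders, and the gate counts unique CRITICAL IDs rather than raw findings, so the same CVE hitting two packages blocks once.

```python
import json

# Constructed sample in the shape of `trivy image --format json` output.
# CVE IDs, package names and the digest are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/example/app@sha256:PLACEHOLDER_DIGEST",
    "Results": [
        # Clean target: Trivy omits the "Vulnerabilities" key entirely.
        {"Target": "ghcr.io/example/app (alpine 3.19)"},
        {"Target": "app/requirements.txt",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib",
              "InstalledVersion": "2.3.0", "Severity": "HIGH"},
             # Same CVE reported again for a second copy of the package.
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
         ]},
    ],
})


def critical_cves(report_json):
    """Return the sorted, de-duplicated CRITICAL CVE IDs found in a Trivy JSON report."""
    report = json.loads(report_json)
    found = set()
    for result in report.get("Results") or []:
        # "Vulnerabilities" is absent (or null) for clean targets; treat both as empty.
        for vuln in result.get("Vulnerabilities") or []:
            # Re-check Severity even when the scan was run with --severity CRITICAL,
            # so a broader scan fed into the same gate still behaves correctly.
            if vuln.get("Severity") == "CRITICAL":
                found.add(vuln["VulnerabilityID"])
    return sorted(found)


def gate(report_json, image_ref, run_url):
    """Step 3's branch: 'promote' on zero Critical CVEs, else the 'block' payload for the page."""
    cves = critical_cves(report_json)
    if not cves:
        return {"decision": "promote", "image": image_ref, "tag": "staging-ready"}
    return {"decision": "block", "image": image_ref, "critical_count": len(cves),
            "cves": cves, "run_url": run_url}
```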
Set it up
What you configure once, before turning it on.
1. Connect GitHub: repos, issues, pull requests, actions.
2. Connect Shell: run sandboxed commands inside the workspace.
3. Connect PagerDuty: incidents, on-call, escalations.
4. Set each agent's model: we leave models unset so you pick the tier, fast + cheap or top-quality.
5. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
6. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More DevOps workflows
Slack-approved pause for idle Hugging Face Spaces
On a daily scan it finds idle paid Spaces and posts an interactive Slack approval; on approve it pauses the Space and logs the decision to a GitHub issue audit trail.
Block costly Hugging Face Space hardware upgrades in PR review
When a pull request changes a Space's hardware config, it estimates the new monthly cost and posts a GitHub PR comment that flags upgrades crossing a budget ceiling.
Hugging Face Spaces idle-runtime sweep with auto-pause
On a schedule, scans all Hugging Face Spaces for ones running idle past a threshold, pauses them to stop billing, and posts a Slack summary with the estimated monthly savings.
Open a Zoom war-room from a Datadog multi-alert storm
When a Datadog monitor crosses a critical threshold, this workflow dedupes against active incidents and creates a Zoom bridge only for a genuinely new outage.
Auto-spin a Zoom war-room when PagerDuty hits SEV-1
When a PagerDuty incident escalates to a critical severity, this workflow creates a dedicated Zoom meeting and posts the bridge link to the incident's Slack channel so responders…
Spin up a war-room on demand from a Slack slash command
When an engineer runs a Slack command, this workflow creates a Zoom bridge, opens a tracking Sentry-linked incident, and files a Linear issue for follow-up.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.