DEVOPS

Post a CVE scan summary as a PR comment before staging review

When a pull request is opened or updated, builds and scans the candidate image and posts a plain-English vulnerability summary as a PR comment.

CategoryDevOps

Enginesim

Difficultybeginner

Triggerevent

Steps5

Setup~5 min

How it runs

The automated pipeline, trigger to output.

TriggerPull request opened or updatedGitHub
ActionBuild and scan candidate imageShell
LogicBranch: any Critical or High CVE?
ActionPost severity summary as PR commentGitHub
OutputSet commit status check pass/failGitHub

What it does

Puts the vulnerability verdict where reviewers already are — inside the pull request. It scans the image that the PR would produce and leaves a comment plus a status check, so the human reviewing the code also sees the security posture of the resulting artifact.

When to use it

Use it when staging promotion is tied to PR merge and you want reviewers to make an informed call, with a hard status check that blocks merge on Critical findings.

How it works

1A GitHub pull_request event (opened or synchronized) triggers the run.
2A shell step builds the PR's image and scans it, grouping findings by severity.
3A logic branch decides the verdict: pass if no Critical/High, fail otherwise.
4An action posts a formatted comment to the PR with counts per severity and the top fixable packages.
5An output action sets the commit status check (success or failure) that gates the staging-promotion merge rule.

Set it up

What you configure once, before turning it on.

1
Connect GitHubRepos, issues, pull requests, actions.
2
Connect ShellRun sandboxed commands inside the workspace.
3
Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
4
Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
5
Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More DevOps workflows

Slack-approved pause for idle Hugging Face Spaces

On a daily scan it finds idle paid Spaces and posts an interactive Slack approval; on approve it pauses the Space and logs the decision to a GitHub issue audit trail.

Block costly Hugging Face Space hardware upgrades in PR review

When a pull request changes a Space's hardware config, it estimates the new monthly cost and posts a GitHub PR comment that flags upgrades crossing a budget ceiling.

Hugging Face Spaces idle-runtime sweep with auto-pause

On a schedule, scans all Hugging Face Spaces for ones running idle past a threshold, pauses them to stop billing, and posts a Slack summary with the estimated monthly savings.

Open a Zoom war-room from a Datadog multi-alert storm

When a Datadog monitor crosses a critical threshold, this workflow dedupes against active incidents, and only for a genuinely new outage it creates a Zoom bridge.

Auto-spin a Zoom war-room when PagerDuty hits SEV-1

When a PagerDuty incident escalates to a critical severity, this workflow creates a dedicated Zoom meeting and posts the bridge link to the incident's Slack channel so responders…

Spin up a war-room on demand from a Slack slash command

When an engineer runs a Slack command, this workflow creates a Zoom bridge, opens a tracking Sentry-linked incident, files a Linear issue for follow-up.

Browse all DevOps →

Run it inside a business

This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Software

Agent Hive runs Agent Hive

The team that built Agent Hive, exactly as it runs today.

Marketing

Content Marketing Agency

SEO, blogs, social, and reporting on autopilot.

Operations

Internal Operations

Runbooks, on-call, vendor management — disciplined and audited.

Browse all business templates →Solutions by industry →

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the Waitlist Browse all workflows →