Page on-call when a pushed image breaches critical CVE budget
Scans every image pushed to your registry and, when critical-severity CVEs exceed the budget, opens a PagerDuty incident and quarantines the tag so it cannot be promoted…
How it runs
The automated pipeline, trigger to output.
- Trigger: Registry image push webhook (GitHub)
- Action: Scan pushed tag for critical CVEs (GitHub)
- Logic: Evaluate against production budget
- Action: Quarantine image tag (GitHub)
- Output: Open PagerDuty incident with detail (PagerDuty)
What it does
This workflow reacts the moment an image lands in your registry. It scans the pushed tag, counts critical and high CVEs, and compares them to a strict production budget. A clean image is left untouched. A breaching image is quarantined — relabeled so promotion pipelines skip it — and a PagerDuty incident is opened with the offending CVE list and the image digest.
When to use it
Use it when a vulnerable image reaching the registry is itself an incident worth paging on, not just a failed check. It is the safety net for builds that bypass the PR gate, such as automated dependency bumps or manual pushes.
How it works
1. A webhook fires on an image push event from the registry.
2. An action scans the pushed tag and tallies critical and high CVEs.
3. A branch evaluates the tally against the production budget.
4. Within budget, the run ends silently.
5. Over budget, an action quarantines the image tag in GitHub.
6. A final step opens a PagerDuty incident with the digest and CVE detail.
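The budget evaluation in steps 2 through 5, as an added Python example that is not part of the workflow's own code: it tallies unique critical and high CVEs from a constructed scan report, compares them to an assumed production budget, and produces the quarantine tag and the incident detail (digest plus CVE list). The report schema, the budget values and the `quarantine-` relabel scheme are assumptions.

```python
import json

# Constructed sample scan report in a simplified schema; the page names no
# scanner or report format, so the field names here are assumptions.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.com/payments-api:build-4711",
    "digest": "sha256:" + "ab" * 32,
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "severity": "CRITICAL", "pkg": "libssl"},
        {"id": "CVE-0000-0001", "severity": "critical", "pkg": "libcrypto"},
        {"id": "CVE-0000-0002", "severity": "HIGH", "pkg": "zlib"},
        {"id": "CVE-0000-0003", "severity": "High", "pkg": "curl"},
        {"id": "CVE-0000-0004", "severity": "MEDIUM", "pkg": "bash"},
    ],
})

# Assumed production budget: zero critical, at most two high.
PRODUCTION_BUDGET = {"CRITICAL": 0, "HIGH": 2}


def tally(report):
    """Unique CVE ids per severity; a CVE hitting several packages counts once."""
    seen = {}
    for v in report["vulnerabilities"]:
        sev = v["severity"].upper()          # scanners disagree on casing
        if sev in ("CRITICAL", "HIGH"):
            seen.setdefault(sev, set()).add(v["id"])
    return {sev: sorted(ids) for sev, ids in seen.items()}


def evaluate(report_json, budget=PRODUCTION_BUDGET):
    """Return None when within budget, else the quarantine tag and incident body."""
    report = json.loads(report_json)
    found = tally(report)
    breaches = {sev: len(found.get(sev, [])) - limit
                for sev, limit in budget.items()
                if len(found.get(sev, [])) > limit}
    if not breaches:
        return None
    name, _, tag = report["image"].rpartition(":")
    return {
        "quarantine_tag": f"{name}:quarantine-{tag}",   # assumed relabel scheme
        "incident": {
            "title": f"CVE budget breached: {report['image']}",
            "digest": report["digest"],       # pin the incident to the digest, not the tag
            "over_budget_by": breaches,
            "cves": found,
        },
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_REPORT), indent=2))
```

Counting unique CVE ids rather than findings keeps one library CVE that appears under several packages from consuming the whole budget on its own.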
Set it up
What you configure once, before turning it on.
1. Connect GitHub: repos, issues, pull requests, actions.
2. Connect PagerDuty: incidents, on-call, escalations.
3. Set each agent's model: we leave models unset so you pick the tier, fast and cheap or top-quality.
4. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
5. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.