Security Advisory to Blast-Radius Pager Alert
When a GitHub security advisory matches a dependency you use, identify which internal services import the vulnerable code path and page the owning team only if a real call site…
How it runs
The automated pipeline, trigger to output.
- Trigger: Security advisory webhook received (HTTP webhook)
- Action: Find dependent services in inventory (Postgres)
- Action: Extract vulnerable symbols + version range (OpenAI)
- Action: Search services for reachable call sites (GitHub)
- Logic: Reachable + in-range?
- Output: Page owning team (PagerDuty)
What it does
Converts a noisy stream of security advisories into precise, owner-targeted alerts. It checks whether an advisory affects a package you actually depend on, then determines whether the vulnerable function or module is reachable from your code before escalating, cutting false-positive pages for dependencies you ship but never call on the affected path.
When to use it
For security and platform teams that get flooded by advisory webhooks and want to wake someone up only when the vulnerable code is genuinely reachable in a service they own.
How it works
1. A security advisory webhook arrives.
2. The flow looks up which internal services depend on the named package in a Postgres dependency inventory.
3. An LLM reads the advisory to extract the specific vulnerable symbols and affected version range.
4. It searches each dependent service's repo for live call sites of those symbols.
5. A branch checks whether a reachable call site exists in an in-range service.
6. If reachable, it pages the owning team via PagerDuty; otherwise it logs a low-priority note.
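The branch in steps 5 and 6 can be sketched as follows. This is an added example, not the workflow's own code: the data shapes, the package `examplelib`, and the service and team names are hypothetical, and versions are assumed to be plain dotted numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    package: str
    symbols: frozenset   # vulnerable functions/modules extracted in step 3
    introduced: str      # first affected version (inclusive)
    fixed: str           # first patched version (exclusive)

def parse_version(v):
    """Dotted numeric versions only (assumption); each ecosystem needs its own parser."""
    return tuple(int(p) for p in v.split("."))

def in_range(version, adv):
    return parse_version(adv.introduced) <= parse_version(version) < parse_version(adv.fixed)

def triage(adv, inventory, call_sites):
    """inventory: rows (service, team, package, version), as returned by step 2.
    call_sites: {service: set of symbols found in its repo}, as returned by step 4.
    Returns a list of (action, service, team, reason)."""
    decisions = []
    for service, team, package, version in inventory:
        if package != adv.package:
            continue  # service does not depend on the advised package
        hit = sorted(adv.symbols & call_sites.get(service, set()))
        if in_range(version, adv) and hit:
            decisions.append(("page", service, team, f"calls {', '.join(hit)} at {version}"))
        elif not in_range(version, adv):
            decisions.append(("log", service, team, f"{version} outside affected range"))
        else:
            decisions.append(("log", service, team, "in range, no call site found"))
    return decisions

# Constructed sample data; every name below is hypothetical.
ADVISORY = Advisory("examplelib", frozenset({"examplelib.parse_archive"}), "2.0.0", "2.4.1")
INVENTORY = [
    ("billing-api", "payments", "examplelib", "2.3.0"),
    ("report-worker", "data", "examplelib", "2.3.0"),
    ("gateway", "platform", "examplelib", "2.4.1"),
    ("auth", "identity", "otherlib", "1.0.0"),
]
CALL_SITES = {
    "billing-api": {"examplelib.parse_archive", "examplelib.version"},
    "report-worker": {"examplelib.version"},
    "gateway": {"examplelib.parse_archive"},
}

if __name__ == "__main__":
    for decision in triage(ADVISORY, INVENTORY, CALL_SITES):
        print(decision)
```

A symbol search does not see transitive or dynamically dispatched calls, so the "in range, no call site found" entries are worth a periodic review rather than being treated as proof of safety.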
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: Trigger any URL on agent actions.
2. Connect Postgres: Any Postgres URL — query, write, migrate.
3. Connect OpenAI: Models, embeddings, files.
4. Connect GitHub: Repos, issues, pull requests, actions.
5. Connect PagerDuty: Incidents, on-call, escalations.
6. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
7. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
8. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
