ENGINEERING
Score transitive CVE blast radius on dependency-bump PRs
When a dependency-bump PR opens, this workflow walks the resolved lockfile diff to find every transitive package the bump pulls in and cross-references those packages against known CVEs.
How it runs
The automated pipeline, trigger to output.
- Trigger: dependency-bump PR opened or updated (GitHub)
- Action: resolve transitive packages from lockfile diff (GitHub)
- Action: look up CVEs and severity for affected packages (GitHub)
- Logic: compute blast-radius score and compare to threshold
- Output: post pass/block check run with score to PR (GitHub)
What it does
Gives every Dependabot or Renovate PR a deterministic risk score before a human looks at it. It expands the bump beyond the top-level package into the full transitive set it changes, weights each new or upgraded package by known CVE severity and reachability, and writes one consolidated verdict back to the PR.
When to use it
Use it when dependency PRs pile up and reviewers can't tell a trivial patch bump from one that quietly drags in a vulnerable transitive package. It replaces eyeballing the lockfile with a repeatable number.
How it works
1. A GitHub pull_request event fires when a bump PR opens or updates.
2. The flow fetches the lockfile diff and resolves the full transitive dependency set the bump introduces or changes.
3. It queries a CVE/advisory source for each affected package and pulls severity plus affected version ranges.
4. A scoring step combines CVE severity, count of newly exposed transitive packages, and direct-vs-indirect reach into one number.
5. A logic branch compares the score to a threshold to choose pass or block.
6. It writes a GitHub check run with the score, the offending packages, and the verdict.
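Steps 2 to 5 above, carried through as an added example that is not the workflow's own code: two constructed lockfile snapshots are diffed, the changed transitive set is classified by reach, a constructed advisory feed supplies severity, and the score is compared to a threshold. Package names, versions, advisories, weights and the 5.0 threshold are all assumptions for illustration.

```python
# Added example, not the workflow's own code: a minimal blast-radius scorer over two
# constructed lockfile snapshots. Names, versions, advisories and weights are assumptions.
from collections import deque
# Constructed lockfile snapshots: package -> (resolved version, dependencies).
BEFORE = {
    "app": ("1.0.0", ["web-core"]),
    "web-core": ("2.1.0", ["json-util"]),
    "json-util": ("1.4.0", []),
}
AFTER = {
    "app": ("1.0.0", ["web-core"]),
    "web-core": ("2.2.0", ["json-util", "tmpl-engine"]),  # the top-level bump under review
    "json-util": ("1.5.0", []),                           # upgraded transitively
    "tmpl-engine": ("0.9.1", ["str-escape"]),             # newly pulled in
    "str-escape": ("3.0.0", []),                          # newly pulled in
}
# Constructed advisory feed: package -> (vulnerable versions, severity).
ADVISORIES = {
    "tmpl-engine": ({"0.9.0", "0.9.1"}, "high"),
    "json-util": ({"1.4.0"}, "critical"),  # fixed in 1.5.0, so the bump removes it
}
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}
REACH_WEIGHT = {"direct": 1.0, "indirect": 0.6}  # assumed discount for indirect reach

def changed_packages(before, after):
    """Packages that are new, or whose resolved version changed, in the lockfile diff."""
    return {n for n, (v, _) in after.items() if n not in before or before[n][0] != v}

def reach(lock, root="app"):
    """Classify each package as direct (a dependency of root) or indirect, via BFS depth."""
    depth, queue = {root: 0}, deque([root])
    while queue:
        cur = queue.popleft()
        for dep in lock[cur][1]:
            if dep not in depth:
                depth[dep] = depth[cur] + 1
                queue.append(dep)
    return {n: "direct" if d == 1 else "indirect" for n, d in depth.items() if n != root}

def blast_radius(before, after, advisories, threshold=5.0):
    """Score the bump: severity x reach per vulnerable changed package, plus new surface."""
    changed, reachability = changed_packages(before, after), reach(after)
    offenders, score = [], 0.0
    for name in sorted(changed):
        version, r = after[name][0], reachability.get(name, "indirect")
        vuln_versions, severity = advisories.get(name, (set(), None))
        if version in vuln_versions:
            offenders.append((name, version, severity, r))
            score += SEVERITY_WEIGHT[severity] * REACH_WEIGHT[r]
    score += 0.5 * len(changed - set(before))  # each newly exposed package adds surface
    return {"score": round(score, 2), "offenders": offenders,
            "verdict": "block" if score >= threshold else "pass"}
```

With these inputs the bump is blocked: tmpl-engine 0.9.1 is vulnerable and only indirectly reachable (7.0 x 0.6), and two newly exposed packages add 1.0, giving 5.2 against a 5.0 threshold, while the transitively fixed json-util advisory contributes nothing.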
Set it up
What you configure once, before turning it on.
1. Connect GitHub: repos, issues, pull requests, actions.
2. Set each agent's model: we leave models unset so you pick the tier, fast and cheap or top-quality.
3. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
4. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More Engineering workflows
Gate breaking API PRs behind downstream consumer acknowledgement
When a PR introduces a breaking contract change, comments the impact summary back on the PR, applies a blocking label.
Publish a versioned API changelog to Confluence on each release tag
On a new semver release tag, gathers the contract changes since the last release and writes a clean.
Agent reviews model-license fit and suggests compliant swaps on the PR
When a PR adds a Hugging Face model, an agent reads the model card and license, judges fit against your commercial-use policy.
Upgrade Impact Router to Module Code Owners
Maps a dependency-bump PR's affected modules to their CODEOWNERS, then DMs each owner on Slack with only the changelog slice that touches code they own.
Re-Voice IVR Prompts on Phone-Tree Config Merge
When a phone-tree config change merges in GitHub, regenerates the ElevenLabs audio for any prompt whose script changed in the diff and opens a follow-up PR adding the new audio…
Upstream Release to Notion Upgrade Brief
When a watched package publishes a new release, fetches the release notes, maps them to the internal modules that depend on it.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

