ENGINEERING
Fast-Track Dependabot Security PRs and Escalate Critical CVEs
When Dependabot opens a security PR, it pulls the linked advisory severity and, for critical or high CVEs.
How it runs
The automated pipeline, trigger to output.
- Trigger: Dependabot opens a security PR (GitHub)
- Action: Fetch advisory, CVSS score, affected package (GitHub)
- Logic: Branch on severity: critical/high vs moderate/low
- Action: Page on-call for critical/high CVEs (PagerDuty)
- Action: Open tracked Linear issue for escalations (Linear)
- Output: Post routing summary to Slack (Slack)
What it does
Dependabot security PRs carry a CVE severity that should dictate urgency, but they often land in the same pile as routine version bumps. This workflow separates them: it reads the advisory attached to each security PR, fast-tracks critical and high-severity fixes by paging on-call and opening a Linear issue, and quietly labels moderate and low fixes into the standard review flow.
When to use it
Use it when you need a guaranteed path for critical vulnerability patches to reach a human immediately, rather than relying on someone noticing the PR during normal triage.
How it works
1. A GitHub webhook fires when Dependabot opens a security PR.
2. GitHub fetches the linked security advisory, CVSS score, and affected package.
3. A branch splits on severity: critical/high versus moderate/low.
4. For critical/high, PagerDuty pages the on-call engineer and a Linear issue is opened with the advisory details.
5. For moderate/low, the PR is labeled into the standard security-review queue.
6. A summary of the routing decision posts to Slack.
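The severity branch in steps 2 through 5, as an added Python example that is not the product's own code: it takes a record shaped like a GitHub Dependabot alert (a constructed sample; the GHSA id is a placeholder), normalizes the severity label (GitHub's API says "medium" where the UI says "moderate"), falls back to CVSS v3 thresholds when the label is missing, fails closed to critical when neither is present, and returns the integration actions the fast-track or standard path would execute.

```python
from dataclasses import dataclass

# Constructed sample shaped like a GitHub Dependabot alert record; the GHSA id is a placeholder.
SAMPLE_ALERT = {
    "dependency": {"package": {"ecosystem": "npm", "name": "example-lib"}},
    "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER", "severity": "high", "cvss": {"score": 8.1}},
    "security_vulnerability": {"first_patched_version": {"identifier": "2.3.1"}},
}

SEVERITIES = ("critical", "high", "moderate", "low")


@dataclass(frozen=True)
class Route:
    severity: str
    escalate: bool
    actions: tuple  # (integration, payload) pairs the downstream steps would execute


def normalize_severity(advisory: dict) -> str:
    """Map the advisory label to the page's four buckets (GitHub's API says 'medium'
    where the UI says 'moderate'); fall back to CVSS v3 thresholds when the label is
    missing; fail closed to 'critical' when neither is present, so a malformed
    advisory can never quietly demote a fix."""
    label = (advisory.get("severity") or "").lower()
    if label == "medium":
        return "moderate"
    if label in SEVERITIES:
        return label
    score = (advisory.get("cvss") or {}).get("score")
    if score is None or score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "moderate" if score >= 4.0 else "low"


def route(alert: dict) -> Route:
    """Decide fast-track (page + Linear issue) vs standard queue for one security PR."""
    adv = alert.get("security_advisory") or {}
    sev = normalize_severity(adv)
    pkg = ((alert.get("dependency") or {}).get("package") or {}).get("name", "unknown")
    fix = ((alert.get("security_vulnerability") or {}).get("first_patched_version") or {}).get("identifier", "n/a")
    title = f"[{sev.upper()}] {adv.get('ghsa_id', '?')} in {pkg} (fixed in {fix})"
    if sev in ("critical", "high"):
        return Route(sev, True, (("pagerduty", title), ("linear", title), ("slack", "Escalated: " + title)))
    return Route(sev, False, (("github_label", "security-review"), ("slack", "Queued: " + title)))
```

The returned `actions` tuple is the routing plan; in a live workflow each pair would be handed to the matching PagerDuty, Linear, GitHub or Slack step.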
Set it up
What you configure once, before turning it on.
1. Connect GitHub: repos, issues, pull requests, actions.
2. Connect PagerDuty: incidents, on-call, escalations.
3. Connect Linear: issues, projects, cycles, triage.
4. Connect Slack: channels, DMs, threads, mentions.
5. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.