agent hive
Join the Waitlist

DEVOPS

Fleet-Wide CVE Ledger: Track Every Service Still on a Vulnerable Base Digest

Maintains a Postgres ledger of which services run which base-image digest, marks rows vulnerable when a CVE re-tag lands.

CategoryDevOps
Enginesim
Difficultyadvanced
Triggerschedule
Steps6
Setup~25 min

How it runs

The automated pipeline, trigger to output.

  • TriggerDaily schedule
  • ActionLoad tracked repos and digests from ledgerPostgreSQLPostgres
  • ActionRead pinned digests and resolve upstreamGitHubGitHub
  • LogicMark services still on vulnerable digest
  • ActionOpen rebuild PR per vulnerable repoGitHubGitHub
  • OutputPost fleet exposure summary to SlackSlack

What it does

Gives you one queryable source of truth for base-image exposure across many repos. It records each service's pinned base digest in Postgres, and when an upstream re-tag fixes a CVE it flags every service still on the old digest as vulnerable, then opens a rebuild PR per affected repo so you can see and close the whole blast radius.

When to use it

Ideal for platform teams managing dozens of services off a few shared base images, who need an auditable record of "who is still vulnerable" rather than a flood of disconnected alerts.

How it works

  1. 1A schedule fires daily.
  2. 2The flow lists tracked repos from the Postgres ledger and reads each one's current pinned digest from GitHub.
  3. 3It resolves upstream digests and updates the ledger, marking rows where the pinned digest is now superseded by a CVE re-tag.
  4. 4A logic step selects ledger rows flagged vulnerable.
  5. 5For each, it opens a digest-bump rebuild PR on GitHub and writes the PR URL back to the ledger row.
  6. 6It posts a fleet exposure summary to Slack with counts of vulnerable, in-flight, and patched services.

Set it up

What you configure once, before turning it on.

  1. 1
    Connect PostgresAny Postgres URL — query, write, migrate.
  2. 2
    Connect GitHubRepos, issues, pull requests, actions.
  3. 3
    Connect SlackChannels, DMs, threads, mentions.
  4. 4
    Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
  5. 5
    Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
  6. 6
    Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More DevOps workflows

Slack-approved pause for idle Hugging Face Spaces

On a daily scan it finds idle paid Spaces and posts an interactive Slack approval; on approve it pauses the Space and logs the decision to a GitHub issue audit trail.

Block costly Hugging Face Space hardware upgrades in PR review

When a pull request changes a Space's hardware config, it estimates the new monthly cost and posts a GitHub PR comment that flags upgrades crossing a budget ceiling.

Hugging Face Spaces idle-runtime sweep with auto-pause

On a schedule, scans all Hugging Face Spaces for ones running idle past a threshold, pauses them to stop billing, and posts a Slack summary with the estimated monthly savings.

Open a Zoom war-room from a Datadog multi-alert storm

When a Datadog monitor crosses a critical threshold, this workflow dedupes against active incidents, and only for a genuinely new outage it creates a Zoom bridge.

Auto-spin a Zoom war-room when PagerDuty hits SEV-1

When a PagerDuty incident escalates to a critical severity, this workflow creates a dedicated Zoom meeting and posts the bridge link to the incident's Slack channel so responders…

Spin up a war-room on demand from a Slack slash command

When an engineer runs a Slack command, this workflow creates a Zoom bridge, opens a tracking Sentry-linked incident, files a Linear issue for follow-up.

Browse all DevOps

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the WaitlistBrowse all workflows