Security-Advisory Upgrade Triage to PagerDuty
When a security advisory arrives for a dependency, this workflow checks whether the vulnerable modules are actually used in your code, and pages on-call only when a reachable internal module is affected.
How it runs
The automated pipeline, trigger to output.
- Trigger: Webhook receives a dependency security advisory (HTTP webhook)
- Action: Search repo for modules using the vulnerable package (GitHub)
- Logic: Exit if no reachable module is affected
- Action: Write triage brief with CVE and patch steps (OpenAI)
- Output: Open a severity-scaled PagerDuty incident (PagerDuty)
What it does
This workflow cuts security-advisory noise down to what actually matters for your codebase. When an advisory lands for a dependency, it checks whether the vulnerable package is genuinely imported by your modules, and escalates to on-call only when a real, reachable code path is at risk, with a brief on what to patch.
When to use it
Use it when CVE alerts flood the team and most do not apply because the affected package is transitive or unused. Ideal for security-conscious teams who want to page humans precisely instead of crying wolf on every advisory.
How it works
A webhook receives a dependency security advisory (from your scanner or GitHub advisory feed). The flow extracts the affected package and version range, then searches the repository to confirm which internal modules import it and whether the vulnerable APIs are actually called. A logic branch ends quietly if nothing reachable is affected. When a real exposure exists, the model writes a triage brief: the CVE, the affected modules, the fixed version, and the upgrade steps. A PagerDuty incident is created at a severity scaled to the exposure, with the brief attached so on-call can act immediately.
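The reachability check described above, as an added example that is not the product's own code. It assumes a constructed advisory record (placeholder advisory id, hypothetical package `yamlkit`, a vulnerable version range and a list of affected API names), a constructed lockfile, and a small in-memory set of Python source files standing in for the repository. It parses each file's imports and calls with `ast`, distinguishes modules that merely import the package from modules that actually call a vulnerable API, exits quietly when nothing reachable is found, and otherwise returns a triage brief with a severity that scales with the number of reachable modules (the scaling rule is an assumption). Because it is a static check, dynamic imports and calls through indirection are not seen, so a clean result here is evidence, not proof, that the code path is unreachable.

```python
"""Added example: reachability-based triage of a dependency advisory."""
import ast
import re
from dataclasses import dataclass

# Constructed inputs (not real data): advisory, lockfile and repository.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",   # placeholder, not a real CVE id
    "package": "yamlkit",            # hypothetical package name
    "vulnerable_range": "<2.4.1",
    "fixed_version": "2.4.1",
    "vulnerable_symbols": ["load"],  # APIs the advisory says are affected
}
LOCKFILE = {"yamlkit": "2.3.0", "requests": "2.31.0"}
REPO = {
    "app/config.py": "import yamlkit\n\ndef read(p):\n    return yamlkit.load(open(p))\n",
    "app/export.py": "from yamlkit import dump\n\ndef save(o):\n    return dump(o)\n",
    "app/util.py": "import json\n",
}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}

def parse_version(v):
    """Dotted numeric version -> comparable tuple (no pre-release handling)."""
    return tuple(int(x) for x in v.split("."))

def version_in_range(version, spec):
    """True if `version` satisfies every comma-separated clause in `spec`."""
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        if not _OPS[m.group(1)](parse_version(version), parse_version(m.group(2))):
            return False
    return True

@dataclass
class ModuleFinding:
    path: str
    imports_package: bool
    called_symbols: list  # vulnerable APIs this module actually calls

def _base_name(node):
    """Walk `a.b.c` down to its root Name, or None."""
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None

def analyse_module(path, source, package, symbols):
    """Static scan of one file: does it import `package`, and call any of `symbols`?"""
    tree = ast.parse(source, filename=path)
    module_aliases = set()   # names bound to the package: `import yamlkit as y`
    symbol_aliases = {}      # local name -> vulnerable API: `from yamlkit import load as l`
    imports_package = False
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name == package or a.name.startswith(package + "."):
                    imports_package = True
                    module_aliases.add(a.asname or a.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and (
            node.module == package or node.module.startswith(package + ".")
        ):
            imports_package = True
            for a in node.names:
                if a.name in symbols:
                    symbol_aliases[a.asname or a.name] = a.name
    called = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute) and f.attr in symbols and _base_name(f) in module_aliases:
            called.add(f.attr)
        elif isinstance(f, ast.Name) and f.id in symbol_aliases:
            called.add(symbol_aliases[f.id])
    return ModuleFinding(path, imports_package, sorted(called))

def triage(advisory, lockfile, repo):
    """Return None when on-call should not be paged, else a triage brief."""
    pkg = advisory["package"]
    installed = lockfile.get(pkg)
    if installed is None or not version_in_range(installed, advisory["vulnerable_range"]):
        return None  # not installed, or already on a fixed version
    findings = [analyse_module(p, s, pkg, set(advisory["vulnerable_symbols"]))
                for p, s in repo.items()]
    reachable = [f for f in findings if f.called_symbols]
    imported_only = [f.path for f in findings if f.imports_package and not f.called_symbols]
    if not reachable:
        return None  # the logic branch: exit quietly, no page
    severity = "critical" if len(reachable) >= 3 else "high"  # assumed scaling rule
    return {
        "advisory": advisory["id"],
        "installed_version": installed,
        "fixed_version": advisory["fixed_version"],
        "severity": severity,
        "affected_modules": {f.path: f.called_symbols for f in reachable},
        "imported_but_not_calling_vulnerable_api": imported_only,
        "upgrade_steps": [
            f"Bump {pkg} to >={advisory['fixed_version']} in the lockfile",
            "Run the test suite for the affected modules",
            "Re-run this triage to confirm the finding clears",
        ],
    }

if __name__ == "__main__":
    print(triage(ADVISORY, LOCKFILE, REPO))
```

With the constructed inputs, `app/config.py` calls `yamlkit.load` and is reported as reachable, `app/export.py` imports the package but only calls `dump` and is listed separately, and `app/util.py` is ignored; bumping the lockfile to the fixed version makes `triage` return `None`, which is the quiet-exit branch.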
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: trigger any URL on agent actions.
2. Connect GitHub: repos, issues, pull requests, actions.
3. Connect OpenAI: models, embeddings, files.
4. Connect PagerDuty: incidents, on-call, escalations.
5. Set each agent's model: models are left unset so you pick the tier, fast and cheap or top-quality.
6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.