agent hive
Join the Waitlist

DATA OPS

Snowflake new-column PII sampler with auto-quarantine

Detects newly added Snowflake columns, samples their values for unmasked sensitive data, and revokes access on the table while opening a Linear review ticket.

CategoryData Ops
Enginesim
Difficultyintermediate
Triggerschedule
Steps6
Setup~15 min

How it runs

The automated pipeline, trigger to output.

  • TriggerScheduled scan interval
  • ActionDiff Snowflake columns vs last snapshotSnowflakeSnowflake
  • ActionSample distinct values from new columnsSnowflakeSnowflake
  • LogicClassify sample; keep only PII matches
  • ActionRevoke SELECT to quarantine the tableSnowflakeSnowflake
  • OutputOpen Linear review ticket with evidenceLinearLinear

What it does

Watches Snowflake for columns that appeared since the last run, pulls a small sample of real values from each, and runs them through a sensitive-data classifier (emails, SSNs, card numbers, phone, names). If a new column holds unmasked PII, it quarantines the parent table by revoking SELECT from analyst roles and files a Linear ticket with the evidence so a data owner can mask or approve it.

When to use it

Run it when new tables and columns land in your warehouse faster than your governance team can review them, and you need a safety net that catches sensitive fields the moment they become queryable.

How it works

  1. 1A schedule fires the scan on a fixed interval.
  2. 2Query Snowflake INFORMATION_SCHEMA and diff against the last snapshot to find brand-new columns.
  3. 3For each new column, sample a capped set of distinct values.
  4. 4Classify the sample; branch only on columns that match a PII pattern above a confidence threshold.
  5. 5Revoke analyst-role SELECT on the affected table to quarantine it.
  6. 6Open a Linear ticket tagged for the data owner with column, table, and matched categories.

Set it up

What you configure once, before turning it on.

  1. 1
    Connect SnowflakeWarehouses, queries, shares.
  2. 2
    Connect LinearIssues, projects, cycles, triage.
  3. 3
    Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
  4. 4
    Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
  5. 5
    Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More Data Ops workflows

Weekly BigQuery Cost Trend Sheet and Exec Digest

Compiles week-over-week BigQuery scheduled-query cost by owner and dataset into a Google Sheet with trend columns.

Daily BigQuery Scheduled-Query Cost Attribution to Owners

Each morning, totals the prior day's on-demand bytes-billed per scheduled query, maps each query to its owner from a label, and posts a per-owner cost leaderboard to Slack.

BigQuery Per-Team Budget Breach Alert to PagerDuty

Tracks month-to-date BigQuery scheduled-query spend per team and, when a team crosses its monthly budget, pages the team's on-call in PagerDuty and snapshots the spend breakdown…

dbt source freshness watcher with severity-routed alerts

Checks Snowflake loaded-at timestamps against each dbt source's freshness SLA, then routes warnings to Slack and hard breaches to a PagerDuty incident so stale data never…

dbt orphan model detector with Linear cleanup tickets

Scans your dbt manifest for models that no other model, exposure, or BI tool consumes.

Raw Sensor Telemetry Archive to BigQuery

Captures every incoming building sensor reading via webhook, normalizes the payload into a consistent schema.

Browse all Data Ops

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the WaitlistBrowse all workflows