SECOPS
WAF False-Positive Auto-Remediation with GitHub Rule PR
Confirms a WAF block spike is a false positive against Sentry, then drafts a tightened Cloudflare rule expression and opens a GitHub pull request with the change for review.
How it runs
The automated pipeline, trigger to output.
- Trigger: webhook fires on suspected false-positive rule (HTTP webhook)
- Action: fetch blocked requests and URIs from Cloudflare (Cloudflare)
- Action: confirm endpoints are healthy in Sentry (Sentry)
- Action: draft tightened rule expression and rationale (OpenAI)
- Output: open GitHub PR with the proposed rule change (GitHub)
What it does
When a Cloudflare WAF rule starts blocking legitimate traffic, this agent-driven workflow confirms the false positive by checking that the blocked endpoints have healthy Sentry traces, then drafts a narrower rule expression that stops catching the good traffic and opens a GitHub pull request against your infrastructure-as-code repo so a human approves the fix.
When to use it
Use it when your WAF rules live in version control and you want false-positive fixes proposed as reviewable diffs instead of hand-edited in the dashboard. It turns a noisy alert into a ready-to-merge change.
How it works
1. A webhook fires from your alerting layer when a specific rule's false-positive signal trips.
2. An action fetches the blocked requests and their URIs from Cloudflare for the affected rule.
3. An action checks Sentry for those endpoints and confirms they return normal traffic with no attack signature.
4. An agent step drafts a tightened rule expression scoped to exclude the legitimate pattern and writes a plain-English rationale.
5. An action opens a GitHub pull request with the new expression and rationale for human review.
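The decision logic of steps 2 to 4, as an added illustration that is not the workflow's own code: it counts the paths a rule blocked, keeps only those that Sentry shows as real and healthy routes, and wraps the original Cloudflare expression in a `not (http.request.uri.path in {...})` carve-out so the rule narrows rather than widens. The firewall events, Sentry route summaries, rule id and original expression are all constructed sample data; the health thresholds are assumptions to tune to your traffic.

```python
from collections import Counter

# Constructed sample of Cloudflare firewall events for the suspect rule (not live API output).
BLOCKED_EVENTS = [
    {"rule_id": "rule-abc123", "path": "/api/v2/export", "action": "block"},
    {"rule_id": "rule-abc123", "path": "/api/v2/export", "action": "block"},
    {"rule_id": "rule-abc123", "path": "/api/v2/reports", "action": "block"},
    {"rule_id": "rule-abc123", "path": "/api/v2/sync", "action": "block"},
    {"rule_id": "rule-abc123", "path": "/wp-login.php", "action": "block"},
    {"rule_id": "rule-other", "path": "/login", "action": "block"},
]

# Constructed Sentry route summaries (not real Sentry data); a route absent here has no healthy trace and is never excluded.
SENTRY_ROUTES = {
    "/api/v2/export": {"transactions": 1840, "failure_rate": 0.004},
    "/api/v2/reports": {"transactions": 320, "failure_rate": 0.012},
    "/api/v2/sync": {"transactions": 210, "failure_rate": 0.38},
}
ORIGINAL_EXPRESSION = 'http.request.method eq "POST" and lower(http.request.uri.query) contains "select"'

def blocked_paths(events, rule_id):
    """Count blocked request paths attributed to one rule."""
    return Counter(e["path"] for e in events if e["rule_id"] == rule_id and e["action"] == "block")

def confirm_false_positive(paths, routes, max_failure_rate=0.05, min_transactions=100):
    """Keep only paths Sentry shows as real, healthy routes; everything else stays blocked."""
    legitimate, unconfirmed = [], []
    for path in paths:
        h = routes.get(path)
        healthy = h is not None and h["transactions"] >= min_transactions and h["failure_rate"] <= max_failure_rate
        (legitimate if healthy else unconfirmed).append(path)
    return legitimate, unconfirmed

def tighten_expression(original, exclude_paths):
    """Carve the confirmed-legitimate paths out of the original rule without widening it elsewhere."""
    if not exclude_paths:
        return original
    quoted = " ".join(f'"{p}"' for p in sorted(exclude_paths))
    return f"({original}) and not (http.request.uri.path in {{{quoted}}})"

def draft_change(events, routes, rule_id, original):
    """Return the proposed expression and a rationale ready for a pull request body."""
    counts = blocked_paths(events, rule_id)
    legit, unconfirmed = confirm_false_positive(counts, routes)
    rationale = (
        f"Rule {rule_id} blocked {sum(counts.values())} requests. Sentry shows healthy traffic for "
        f"{', '.join(legit) or 'none'}, so those paths are excluded. Left blocked (no healthy trace): "
        f"{', '.join(unconfirmed) or 'none'}."
    )
    return {"expression": tighten_expression(original, legit), "rationale": rationale, "unconfirmed": unconfirmed}
```

Paths with no Sentry trace (like `/wp-login.php`) or with an unhealthy failure rate stay inside the rule, which is what keeps the auto-drafted change from quietly allowlisting probe traffic.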
Set it up
What you configure once, before turning it on.
1. Connect Cloudflare: Workers, Pages, R2, KV (the edge stack).
2. Connect Sentry: errors, performance, releases.
3. Connect GitHub: repos, issues, pull requests, actions.
4. Connect HTTP webhook: trigger any URL on agent actions.
5. Connect OpenAI: models, embeddings, files.
6. Set each agent's model: we leave models unset so you pick the tier, fast and cheap or top-quality.
7. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
8. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.