SECOPS
Cloudflare WAF ruleset drift detector with GitLab review MR
Snapshots your Cloudflare WAF custom rulesets on a schedule, diffs each snapshot against the last known-good baseline.
How it runs
The automated pipeline, trigger to output.
- TriggerSchedule: every 30 minutes
- ActionFetch Cloudflare WAF custom rulesetsCloudflare
- ActionNormalize JSON and diff against baselineShell
- LogicBranch: meaningful diff detected?
- ActionOpen GitLab MR updating baseline fileGitLab
- OutputEmit MR link for reviewer assignmentGitLab
What it does
This workflow turns silent, dashboard-made WAF edits into a reviewable change record. On a fixed cadence it pulls the current Cloudflare WAF custom rulesets, compares them to the previously stored baseline, and when anything differs it files a GitLab merge request whose description is a readable diff of the rules (expression, action, and ordering changes).
When to use it
Use it when your team manages WAF rules partly through the Cloudflare dashboard and partly through code, and console edits keep bypassing review. It gives security and platform owners a paper trail and an approval gate without forcing every rule through Terraform first.
How it works
- 1A scheduled trigger fires (e.g. every 30 minutes).
- 2A Cloudflare action fetches all custom WAF rulesets for the zone.
- 3A shell step normalizes the JSON and diffs it against the stored baseline snapshot.
- 4A logic branch checks whether a meaningful diff exists; if not, the run ends.
- 5A GitLab action opens a merge request that updates the committed baseline file and embeds the human-readable rule diff in the MR body.
- 6The final output posts the MR link for reviewer assignment.
Set it up
What you configure once, before turning it on.
- 1Connect CloudflareWorkers, Pages, R2, KV — the edge stack.
- 2Connect ShellRun sandboxed commands inside the workspace.
- 3Connect GitLabRepos, MRs, pipelines, registry.
- 4Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 5Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 6Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Compile a weekly WAF tuning review with trends to Confluence
Every week an agent rolls up Cloudflare WAF block clusters by rule and ASN, compares them to prior weeks for trend direction.
Sensitive Dropbox Link Owner Remediation Loop
When a newly created Dropbox shared link points to a sensitive file, this workflow DMs the file owner, gives them a deadline to justify or revoke it.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Page on-call when a WAF rule mass-blocks legitimate traffic
On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).
PII Content Scan on New Dropbox External Share
When a file gets an external Dropbox link, it reads the file content, uses an AI classifier to detect PII or secrets.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.