SECOPS
Triage agent that reads GitLab MRs and assigns the right pod
An agent reads each security-labeled merge request, reasons about which reviewer pod and specialist should own it, applies the routing labels.
How it runs
The automated pipeline, trigger to output.
- TriggerGitLab security label added to MRGitLab
- ActionPull MR metadata and diffGitLab
- LogicAgent reasons to pick owning podOpenAI
- ActionApply pod label and notify SlackSlack
- OutputOpen Linear issue with triage rationaleLinear
What it does
Deploys a triage agent over incoming security-labeled merge requests. Instead of static label-to-pod mapping, the agent reads the MR title, description, changed files, and diff to decide which reviewer pod and named specialist is the best fit, then applies the routing labels and opens a Linear issue with a written rationale.
When to use it
Use it when label namespaces are too coarse to route accurately, for example a single MR that touches both crypto and infra. The agent reasons about overlap and picks a primary owner with a justification, instead of forcing a brittle rule.
How it works
- 1A GitLab webhook fires when a security label is added to a merge request.
- 2The agent pulls the MR metadata and diff through the GitLab API.
- 3It reasons over the changes to select the owning pod, a backup pod, and a suggested specialist.
- 4It writes its routing decision and rationale as a structured summary.
- 5It applies the chosen pod label on the MR and posts the rationale to that pod's Slack channel.
- 6It opens a Linear issue containing the triage summary, the assignee, and the MR link.
Set it up
What you configure once, before turning it on.
- 1Connect GitLabRepos, MRs, pipelines, registry.
- 2Connect LinearIssues, projects, cycles, triage.
- 3Connect SlackChannels, DMs, threads, mentions.
- 4Connect OpenAIModels, embeddings, files.
- 5Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 6Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 7Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.