SECOPS
Route copyleft dependency requests to legal for Slack approval
When a PR adds a copyleft-licensed package, it posts an approve/reject request to a legal review Slack channel and holds the PR check pending until a reviewer clicks a decision.
How it runs
The automated pipeline, trigger to output.
- TriggerPull request opened or updatedGitHub
- ActionDetect copyleft dependencies added in the PRGitHub
- ActionPost Approve/Reject request to legal channelSlack
- LogicWait for reviewer decision
- OutputSet commit status from decision and log itGitHub
What it does
Instead of hard-blocking every copyleft package, this workflow opens a human approval loop. When a pull request introduces a dependency under a copyleft license, the workflow gathers the package, version, license, and a link to the PR, then posts an interactive message to your legal or open-source-review Slack channel with Approve and Reject buttons. The PR's status check stays pending until someone decides. Approve marks the check green and records who signed off; Reject marks it red with the reviewer's name attached, giving you an auditable paper trail of every exception.
When to use it
Use it when a blanket ban is too blunt — some copyleft libraries are fine for internal tooling but not for redistributed product code, and that call belongs to legal, not CI. It suits organizations with a formal OSS review process that want the decision captured in-band rather than buried in email.
How it works
- 1A GitHub pull request trigger fires on open and synchronize.
- 2The workflow resolves licenses of the newly added dependencies and filters down to copyleft matches.
- 3If a match exists, it posts an interactive approval message with package details and Approve/Reject buttons to the legal Slack channel, and sets the PR check to pending.
- 4A logic branch waits for the reviewer's click, then updates the GitHub commit status to success or failure and logs the decision and reviewer back to the PR thread.
Set it up
What you configure once, before turning it on.
- 1Connect GitHubRepos, issues, pull requests, actions.
- 2Connect SlackChannels, DMs, threads, mentions.
- 3Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 4Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 5Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Page on-call when a WAF rule mass-blocks legitimate traffic
On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).
PII Content Scan on New Dropbox External Share
When a file gets an external Dropbox link, it reads the file content, uses an AI classifier to detect PII or secrets.
Compile a weekly WAF tuning review with trends to Confluence
Every week an agent rolls up Cloudflare WAF block clusters by rule and ASN, compares them to prior weeks for trend direction.
Sensitive Dropbox Link Owner Remediation Loop
When a newly created Dropbox shared link points to a sensitive file, this workflow DMs the file owner, gives them a deadline to justify or revoke it.
GitLab Push Secret Detection to Block and History Purge
On a GitLab push that contains a detected secret, it revokes the exposed credential, opens a tracking issue with git-history purge instructions.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.