Workflow Library

Pre-built workflow templates covering auto-fix, admission gates, self-healing, vendor risk, compliance, and operations. One-click install.
Safeguard ships 50+ production-ready workflow templates. Each one is a complete YAML definition you can install with one click, tweak, and promote to your org. The library is versioned; templates pin to an SDK version so upgrades are safe.
Install from Workflows → Library, or from the CLI with:

```shell
safeguard workflows install <template-name> --team <team>
```
| Template | What it does |
| --- | --- |
| auto-fix-critical-kev-in-prod | Triggers on any new KEV-listed critical finding on production assets; runs reachability; opens Griffin auto-fix PR |
| auto-fix-daily-backlog | Runs nightly against the top-N reachable findings and opens up to N PRs |
| auto-fix-transitive-only | Restricted to transitive-dependency upgrades only (safer for stable teams) |
| griffin-review-assistant | Griffin comments on open security PRs explaining the change and any remaining risk |
| remediate-stale-dependency | Opens PRs for dependencies unchanged > 365 days with any open CVE |
| Template | What it does |
| --- | --- |
| prod-admission-gate | Blocks admission of pods failing the production policy bundle; pages on-call for critical blocks |
| sbom-required-at-admission | Denies admission of images without a valid CycloneDX SBOM attestation ≤ 30 days old |
| kev-block-prod | Denies admission of images with KEV-listed unpatched CVEs |
| unsigned-image-block | Denies images without a valid Cosign / Notation signature |
| runtime-drift-alert | Alerts when a running pod's image digest diverges from its admission-time digest |
| Template | What it does |
| --- | --- |
| self-heal-base-images | Watches container base images and rebuilds when new CVEs land |
| self-heal-gold-substitution | When a Gold equivalent exists, swaps the image automatically |
| self-heal-staged-rollout | Canary-based self-heal with automatic rollback on metric regression |
| self-heal-ai-model-deps | Self-heal for the AI-side dependency chain (transformers, torch, tokenizers) |
| Template | What it does |
| --- | --- |
| weekly-sbom-freshness-audit | Audits SBOM freshness across assets, emails owners of stale ones |
| shadow-asset-sweep | Finds repos / images / workloads missing ownership and opens tickets |
| vendor-sbom-freshness-sla | Reminds vendors whose SBOMs are approaching SLA |
| deep-scan-on-push | Runs a full 100-level scan on every push to main |
| mono-repo-project-split | Emits per-service SBOMs from a monorepo push |
| Template | What it does |
| --- | --- |
| zero-day-impact-assessment | On any zero_day.affecting_tenant event, produces an impact report and routes to owner |
| zero-day-autofix | For zero-days where a patch exists at publication, auto-opens PRs |
| zero-day-comms | Drafts customer / exec comms from a template when a CRITICAL zero-day is published |
| Template | What it does |
| --- | --- |
| fedramp-continuous-monitoring | Generates the monthly FedRAMP evidence pack |
| eo-14028-sbom-validation | Runs SBOM minimum-elements validation; blocks non-compliant releases |
| cra-readiness-check | Evaluates each product against CRA essential requirements; opens gaps as tickets |
| ssdf-evidence-export | Exports NIST SSDF evidence as OSCAL for auditors |
| soc2-change-control | Produces SOC 2 change-control artifacts for every production push |
| iso-27001-control-rollup | Rolls ISO 27001 Annex A control coverage into a dashboard |
| dora-register-of-information | Keeps DORA Register of Information current from TPRM data |
| Template | What it does |
| --- | --- |
| vendor-sbom-intake | Ingests new vendor SBOMs, evaluates policy, assigns risk score |
| vendor-sbom-expiry-reminder | Emails vendors whose SBOMs are stale |
| vendor-kev-watchlist | Flags vendors with any component on CISA KEV |
| vendor-license-diff | Alerts on vendor SBOM license-set changes |
| vendor-offboarding | Revokes access, purges data, archives history |
| Template | What it does |
| --- | --- |
| secret-verify-and-revoke | On verified-live secret, revokes via issuer API and rotates via secret manager |
| secret-history-purge | Walks Git history, opens PR with filter-repo plan |
| secret-exposure-dashboard | Maintains the secrets dashboard and weekly digest |
| Template | What it does |
| --- | --- |
| daily-digest-to-leads | Per-team email digest of open urgent findings and this week's remediations |
| slack-triage-bot | #sec-triage bot that claims, escalates, or suppresses findings via slash commands |
| pagerduty-p0-bridge | Pages on-call for P0 findings in production |
| jira-ticket-sync | Keeps Jira and Safeguard in sync: create / update / transition |
| metric-export-otel | Exports Safeguard metrics to your OTLP endpoint |
| Template | What it does |
| --- | --- |
| ai-bom-generate-on-deploy | Generates AI-BOM on every model push to the registry |
| model-weight-verify | Verifies model-weight signatures before deployment |
| eagle-pickle-scan | Scans every new model for unsafe pickle opcodes |
| training-data-license-check | Validates training data licenses against policy |
Every template is editable:
```shell
safeguard workflows install auto-fix-critical-kev-in-prod --team platform
# installs to your org with status = disabled
safeguard workflows edit auto-fix-critical-kev-in-prod
# opens your editor with the YAML
safeguard workflows enable auto-fix-critical-kev-in-prod --env staging
# test in staging first
safeguard workflows enable auto-fix-critical-kev-in-prod --env production
# promote to production
```
Each template has a version; upgrading pulls the new version but keeps any customizations by three-way merge (template base, your customized copy, new template version). Conflicts are flagged in the UI for review before the upgrade is applied.
If you want a template added to the library, open an issue at github.com/safeguard-sh/workflow-library or email workflows@safeguard.sh. Safeguard maintains the library — community templates are reviewed, signed, and published under the community/ namespace once approved.