
Dependency Risk Alerting

Project-Agent-trust-merge / library/workflows/dependency-risk-alerting/README.md

Monitors Endor Labs for critical findings that its reachability analysis confirms are reachable, posts a targeted alert to Slack, and creates a PagerDuty incident for each finding that requires immediate attention.

Maturity: L3+ (Enforced and up)  ·  See the 5-level maturity model for where this workflow fits in your program.

Time Saved

Before: ~2 hours per week manually reviewing Endor Labs findings, filtering for reachability, and escalating critical ones.

After: Automated filtering and alerting. Engineers receive only confirmed-reachable critical findings with remediation guidance.

Connectors

| Connector | Operations | Risk |
|-----------|------------|------|
| Endor Labs | findings:read | LOW |
| Slack | chat:write | LOW |
| PagerDuty | incidents:create | MEDIUM |

Overall Risk: MEDIUM -- Creates PagerDuty incidents for critical reachable vulnerabilities. All source data operations are read-only.

How It Works

  1. Query Endor Labs for critical findings with reachable function paths.
  2. Deduplicate findings by package and vulnerability.
  3. For each unique critical reachable finding, create a PagerDuty incident.
  4. Post a consolidated Slack alert with finding details and remediation guidance.

ARX Governance

  • Risk Classification:
  • EndorLabs:findings:read -- LOW -- read-only finding queries with reachability filter
  • Slack:chat:write -- LOW -- informational alert notifications
  • PagerDuty:incidents:create -- MEDIUM -- pages on-call for critical reachable vulnerabilities
  • HITL Gate: Disabled -- PagerDuty incident creation is auto-approved for confirmed-reachable critical findings. No human reviews a finding before on-call is paged, so the reachability filter and the deduplication step are the only controls that keep pages limited to actionable, non-repeated findings.
  • Policy Rules:
  • PERMITTED: Reading findings and reachability data from Endor Labs
  • PERMITTED: Posting Slack alerts with finding summaries
  • PERMITTED (auto-approved): Creating PagerDuty incidents for critical reachable findings
  • DENIED: Any write-back to Endor Labs or modification of finding status
  • Audit Trail: Every finding queried, deduplication results, PagerDuty incident IDs, and Slack message timestamps are logged. Reachability analysis results are preserved for traceability.
  • Config: See arx.yaml for connector permissions, schedule, and severity/reachability filters.

Setup

Prerequisites

```bash
pip install arx
```

Environment Variables

```bash
export ENDOR_NAMESPACE="your-namespace"
export ENDOR_API_KEY="your-endor-api-key"
export SLACK_BOT_TOKEN="xoxb-your-slack-token"
export SLACK_SECURITY_CHANNEL="#security-alerts"
export PAGERDUTY_API_KEY="your-pagerduty-api-key"
export PAGERDUTY_SERVICE_ID="your-service-id"
```

Run

```bash
# One-time execution
arx run workflow.py

# Register on schedule (daily at 07:00 UTC)
arx register --config arx.yaml
```

Customization

  • Adjust severity_filter to include High findings
  • Set reachability_required to false to alert on all critical findings regardless of reachability. The disabled HITL gate relies on that filter, so expect more pages, including unreachable and not-yet-analyzed findings, and consider re-enabling the gate if you do.
  • Configure PagerDuty escalation policy mapping
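The four "How It Works" steps and the severity_filter / reachability_required knobs above, as an added example. This is not the project's workflow.py and not the Arx, Endor Labs, Slack or PagerDuty SDKs: it implements the filter, the deduplication and the two outbound payloads as pure functions so the result can be inspected before anything is sent. The Finding shape, the sample findings and the package and vulnerability identifiers are constructed placeholders; the Endor Labs response schema is an assumption. The PagerDuty body follows the REST API v2 POST /incidents shape and the Slack body follows chat.postMessage.

```python
"""Added example (not the project's code). Filter -> deduplicate -> build the
PagerDuty incident body and the consolidated Slack message. Sample data and
the Finding shape are constructed; the Endor Labs schema is assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple
import hashlib


@dataclass(frozen=True)
class Finding:
    package: str                  # purl-style coordinate (assumed format)
    vuln_id: str                  # CVE or GHSA identifier
    severity: str                 # CRITICAL, HIGH, MEDIUM, LOW
    reachable: Optional[bool]     # None: no reachability result for this finding
    fixed_version: Optional[str]  # None: no fix published yet
    call_path: str = ""           # reachable function path reported by the analysis


# Constructed placeholders, not real Endor Labs output or real vulnerabilities.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("pkg:pypi/examplelib@1.2.3", "CVE-0000-1001", "CRITICAL", True,
            "1.2.4", "app.http.fetch -> examplelib.get"),
    Finding("pkg:pypi/examplelib@1.2.3", "CVE-0000-1001", "CRITICAL", True,
            "1.2.4", "app.sync.pull -> examplelib.get"),   # same package+vuln, second path
    Finding("pkg:npm/otherlib@4.0.0", "CVE-0000-1002", "CRITICAL", None, "4.0.1"),
    Finding("pkg:maven/org.example/lib@1.0", "GHSA-0000-0000-0001", "CRITICAL", False, None),
    Finding("pkg:pypi/thirdlib@2.0.0", "CVE-0000-1003", "HIGH", True, "2.0.1"),
]


def select_findings(findings: Sequence[Finding],
                    severity_filter: Sequence[str] = ("CRITICAL",),
                    reachability_required: bool = True) -> List[Finding]:
    """Steps 1-2. Keep findings whose severity is in severity_filter and, when
    reachability_required is set, whose reachability is confirmed True. An
    unknown result (None) is deliberately treated as not reachable: with the
    HITL gate disabled it must not page on-call. Then deduplicate on
    (package, vuln_id), keeping the first record but merging every call path."""
    wanted = {s.upper() for s in severity_filter}
    unique: Dict[Tuple[str, str], Finding] = {}
    paths: Dict[Tuple[str, str], List[str]] = {}
    for f in findings:
        if f.severity.upper() not in wanted:
            continue
        if reachability_required and f.reachable is not True:
            continue
        key = (f.package, f.vuln_id)
        if key not in unique:
            unique[key] = f
            paths[key] = []
        if f.call_path and f.call_path not in paths[key]:
            paths[key].append(f.call_path)
    return [Finding(f.package, f.vuln_id, f.severity.upper(), f.reachable,
                    f.fixed_version, "; ".join(paths[k])) for k, f in unique.items()]


def incident_key(f: Finding) -> str:
    """Stable per package+vulnerability, so a re-run reuses the open PagerDuty
    incident instead of paging again for the same finding."""
    return hashlib.sha256(f"{f.package}|{f.vuln_id}".encode()).hexdigest()[:40]


def build_pagerduty_incident(f: Finding, service_id: str) -> dict:
    """Step 3: request body for POST https://api.pagerduty.com/incidents. The
    caller supplies the Authorization (Token token=...) and From headers.
    incident_key makes the create idempotent: PagerDuty rejects a second create
    on the same service while an incident with that key is still open."""
    remediation = (f"Upgrade to {f.fixed_version}" if f.fixed_version
                   else "No fixed version published; isolate or remove the reachable call path")
    return {"incident": {
        "type": "incident",
        "title": f"[{f.severity}] {f.vuln_id} reachable in {f.package}",
        "service": {"id": service_id, "type": "service_reference"},
        "incident_key": incident_key(f),
        "urgency": "high",
        "body": {"type": "incident_body",
                 "details": f"Reachable call path(s): {f.call_path or 'n/a'}\n"
                            f"Remediation: {remediation}"},
    }}


def build_slack_message(selected: Sequence[Finding], channel: str) -> dict:
    """Step 4: one consolidated chat.postMessage body (plain text)."""
    if not selected:
        text = "Dependency risk check: no critical reachable findings."
    else:
        lines = [f"*{len(selected)} critical reachable finding(s)* paged to on-call:"]
        for f in selected:
            fix = f"fix: {f.fixed_version}" if f.fixed_version else "no fix available"
            lines.append(f"- {f.vuln_id} in `{f.package}` ({fix}); path: {f.call_path or 'n/a'}")
        text = "\n".join(lines)
    return {"channel": channel, "text": text}


def run_once(findings: Sequence[Finding], service_id: str, channel: str,
             severity_filter: Sequence[str] = ("CRITICAL",),
             reachability_required: bool = True) -> Tuple[List[dict], dict]:
    """Whole pipeline; returns the PagerDuty bodies and the Slack body."""
    selected = select_findings(findings, severity_filter, reachability_required)
    incidents = [build_pagerduty_incident(f, service_id) for f in selected]
    return incidents, build_slack_message(selected, channel)


if __name__ == "__main__":
    import json
    incidents, message = run_once(SAMPLE_FINDINGS, "PEXAMPL", "#security-alerts")
    print(json.dumps(incidents, indent=2))
    print(message["text"])
```

Two design points worth keeping if you adapt this: a finding with no reachability result is not the same as an unreachable one, and neither should page while reachability_required is set, so the filter tests `reachable is True` rather than truthiness; and the incident_key derived from (package, vuln_id) is what stops the daily run from re-paging on-call for a finding that is already open.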