# ARX Security Agent Workflow Library

Project-Agent / library/README.md
Open source security automation workflows — each one governed by ARX from first run.
> New to agent governance? Start with the 5-level maturity model to see where your program is today, or take the 2-minute assessment. Every workflow below is tagged with the maturity level it belongs to.
Every workflow documents:
- The security operation it automates
- The manual time it replaces
- The tools/connectors involved
- The risk classification of every action
- The maturity level it supports (L3 Enforced → L5 Accountable)
- How ARX governs it (policy, HITL gates, audit trail)
## Workflows

### Connector Management

| Workflow | Purpose | Connectors | Risk |
|----------|---------|------------|------|
| Connector Health Monitor | Probe all bound connectors every 15 min; classify failures as credential or structural | Slack | LOW — Auto-Approved |
| Connector Remediation | Auto-remediate connector failures: Jira ticket for credential issues; Claude-proposed fix + GitHub issue for structural breaks | Slack, Jira, GitHub | HIGH — HITL Gated |
### Alert & Triage

| Workflow | Time Saved | Connectors | Risk | Level |
|----------|-----------|------------|------|-------|
| Alert Triage Automation | 3 hrs/analyst/day | Splunk, CrowdStrike, ServiceNow | HIGH — HITL Gated | L4+ |
| Wiz Finding Distribution | 4 hrs/week → 4 min | Wiz, Jira, Slack | LOW — Auto-Approved | L3+ |
| Vulnerability Ticket Creation | 3-5 hrs/week | Wiz, Qualys, Jira | MEDIUM | L3–4 |
### Identity & Access

| Workflow | Time Saved | Connectors | Risk | Level |
|----------|-----------|------------|------|-------|
| Access Certification Campaign | 2 days/quarter → 2 hrs | Okta, ServiceNow, Slack | HIGH — HITL Gated | L4+ |
| Stale Account Deactivation | 4 hrs/month | Okta, Slack | HIGH — HITL Gated | L4+ |
| MFA Enforcement Check | 2 hrs/week | Okta, Slack, Jira | LOW — Auto-Approved | L3+ |
### Incident Response

| Workflow | Time Saved | Connectors | Risk | Level |
|----------|-----------|------------|------|-------|
| Incident Closure Documentation | 2 hrs/incident | CrowdStrike, Splunk, ServiceNow | MEDIUM | L3–4 |
| Host Containment Automation | 15 min/incident → 30 sec | CrowdStrike, Slack, PagerDuty | HIGH — HITL Gated | L4+ |
| Phishing Response Automation | 45 min/incident | Splunk, Okta, CrowdStrike, Jira | HIGH — HITL Gated | L4+ |
### Supply Chain Security

| Workflow | Time Saved | Connectors | Risk | Level |
|----------|-----------|------------|------|-------|
| Endor Labs Finding Triage | 3 hrs/week | Endor Labs, Jira, Slack | MEDIUM | L3–4 |
| Dependency Risk Alerting | 2 hrs/week | Endor Labs, Slack, PagerDuty | LOW — Auto-Approved | L3+ |
| SCA Policy Violation Response | 1 hr/violation | Endor Labs, Jira, Slack | MEDIUM | L3–4 |
### Cloud Security

| Workflow | Time Saved | Connectors | Risk | Level |
|----------|-----------|------------|------|-------|
| Cloud Misconfiguration Remediation | 5 hrs/week | Wiz, Jira, Slack | MEDIUM | L3–4 |
| Sentinel Alert Enrichment | 20 min/alert | Microsoft Sentinel, CrowdStrike, ServiceNow | LOW — Auto-Approved | L3+ |
### Compliance & Reporting

| Workflow | Time Saved | Connectors | Risk | Level |
|----------|-----------|------------|------|-------|
| Compliance Evidence Collection | 8 hrs/audit | Splunk, Okta, CrowdStrike, Wiz | LOW — Auto-Approved | L4–5 |
| SLA Breach Alerting | 1 hr/week | ServiceNow, PagerDuty, Slack | LOW — Auto-Approved | L3+ |
### Vulnerability Management

| Workflow | Time Saved | Connectors | Risk | Level |
|----------|-----------|------------|------|-------|
| Critical Vuln Escalation | 30 min/vuln | Wiz, Qualys, PagerDuty, Jira | MEDIUM | L3–4 |
| Patch Verification Check | 3 hrs/week | Qualys, CrowdStrike, ServiceNow | LOW — Auto-Approved | L3+ |
| Container Image Scan Gating | 15 min/deploy | Endor Labs, Wiz, Slack | MEDIUM | L3–4 |
### Threat Intelligence

| Workflow | Time Saved | Connectors | Risk | Level |
|----------|-----------|------------|------|-------|
| IOC Auto-Enrichment | 10 min/IOC | CrowdStrike, Splunk, VirusTotal | LOW — Auto-Approved | L3+ |
| Threat Hunt Automation | 4 hrs/hunt | Splunk, CrowdStrike, Sentinel | MEDIUM | L3–4 |
### On-Call & Escalation

| Workflow | Time Saved | Connectors | Risk | Level |
|----------|-----------|------------|------|-------|
| PagerDuty Incident Auto-Triage | 15 min/incident | PagerDuty, Splunk, Slack | MEDIUM | L3–4 |
| Slack Escalation Bot | 5 min/escalation | Slack, PagerDuty, Jira | LOW — Auto-Approved | L3+ |
| Off-Hours Alert Routing | 10 min/night | PagerDuty, Slack, Splunk | LOW — Auto-Approved | L3+ |
## Getting Started

```bash
pip install arx
```
Each workflow includes:
- `workflow.py` — The automation code
- `arx.yaml` — ARX governance configuration (policy, HITL gates, risk thresholds)
- `README.md` — Documentation with setup instructions
To fork a workflow and tune it to your environment — approver groups, cron schedule, HITL thresholds, connector swaps — see the Workflow Customization guide.
## License
MIT — Fork it, improve it, submit yours.