Marketplace and Workflow Gallery
This is the public control-plane view of the SecurityRecipes browser workbench.
Use it to answer four questions before a team enables a pack:
- What context enters the run?
- What report contract leaves the run?
- Which downstream system receives it?
- Is the path live, live-or-copy, or still template-only?
data/marketplace/. That means integration packs and workflow bundles can be reviewed, forked, and contributed like any other site content.
Client-side security control plane
Inspect every input, report, output, and workflow pack before you trust it.
A BYO-token browser control plane for AI security work:
- Connect GitHub, GitLab, Azure DevOps, local scan artifacts, Snyk issues, Defender XDR incidents, Sentinel incidents, DefectDojo findings, Tenable exports, CrowdStrike detections, Prisma Cloud alerts, Security Hub findings, Confluence runbooks, and recipe context.
- Surface source freshness, classify source failures, refresh browser-safe sources inline, and route manual uploads back to local setup before the next run.
- Surface navigator mission-control cards for due schedules, queue head, source issues, open cases, portfolio gaps, and saved-case handoff drift.
- Export a browser-local daily ops brief as markdown or JSON.
- Keep a browser-local operations ledger for source syncs, chat sessions, agent runs, case actions, and report exports.
- Group correlated source pulls, AI runs, case captures, and handoff exports into browser-local investigation sessions.
- Filter the ledger by category, state, or free-text.
- Inspect either one record or one grouped session as JSON.
- Jump back into the linked browser surface without leaving the navigator.
- Register browser-local assets, owner teams, criticality, service portfolios, and lightweight asset relationships.
- Turn imported findings into a prioritized browser-local Exposure Board.
- Roll related repositories, services, APIs, and data stores into a portfolio-aware service map.
- Score each service portfolio by owner coverage, case coverage, routing coverage, and live-delivery blockers.
- Open a Reports desk that can seed a normalized handoff packet from a saved case, exposure queue item, or grouped investigation session.
- Generate normalized reports with both current handoff readiness and source-case readiness provenance, and compare the current handoff context to the captured run before anything is routed downstream.
- Hand results to downstream systems like Teams, ServiceNow, Linear, GitLab, Azure DevOps, Splunk, Elastic, PagerDuty, Google Chat, Cortex XSOAR, IBM SOAR, Sentinel playbooks, or custom webhooks without server-side secret storage.
- Author private workflow, report, or integration packs locally with schema-backed validation.
- Carry versioned pack governance, docs linkage, review cadence, and explicit pack dependencies alongside those contracts.
- Capture reviewed runs as reusable browser-local case files with evidence timeline, replayable planner state, and captured launch-readiness provenance.
- Author owner-aware and portfolio-aware routing policies that prefill downstream routes, approvals, and ticket metadata.
- Inspect auditable routing analysis that shows which policy matched, which defaults were recommended, and where the planner still diverges before anything leaves the browser.
- Audit the active planner for missing provider credentials, target-scope gaps, stale evidence, workflow-pack blockers, and route prerequisites before a run is generated.
- Export portfolio coverage evidence alongside normalized report bundles so downstream review can see which services are still unrouted or only handoff-ready.
- Move validated case, asset, routing, marketplace, operations-history, or operations-session libraries between browser profiles before contributing anything back to Hugo.
Runtime readiness
See what the browser can execute today versus what is still a reviewed starter contract for later promotion.
Readiness matrix
Drill into the auth pattern, operator prerequisites, and the blockers that still keep a pack in fallback or starter-contract mode.
Output routes
Downstream destinations with the exact browser-side review model called out.
Azure DevOps work item
Ticketing
Live with copy fallback
native
Browser-side route for creating an Azure DevOps work item from a normalized remediation or scan handoff, with local preview fallback when direct delivery is blocked.
- Requirement
- Requires an Azure DevOps organization, project, work item type, and a PAT or bearer token with Work Items write scope.
- Auth
- Personal access token, OAuth delegated token
- Config
- azure_devops_work_item
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- A user-scoped personal access token must stay in browser storage and carry only the minimum read or write scope required for the selected task.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Cortex XSOAR incident
SOAR and case management
Live with copy fallback
native
Browser-side route for creating a Cortex XSOAR incident from a reviewed SecurityRecipes packet, with incident-shaped payloads and local preview fallback when direct delivery is blocked.
- Requirement
- Requires a Cortex XSOAR tenant URL or incident endpoint plus API key ID and API key with incident create access. Direct browser delivery still depends on tenant CORS and any mandatory incident fields.
- Auth
- API key
- Config
- cortex_xsoar_incident
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Draft PR packet
Code handoff
Local copy only
native
Reviewer-ready markdown and metadata for a pull request without writing to the source host.
- Requirement
- No GitHub write required. Produces branch name, PR body, tests, rollback, and reviewer checklist.
- Auth
- No external auth
- Config
- draft_pr_packet
- Browser delivery
- yes
Readiness requirements
- This pack intentionally stops at a local contract and never performs the external write for the operator.
- No provider credential is required; the operator still chooses the exact page, file, or route input in the browser.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- No external write path exists by design, so a reviewer or downstream tool must copy, download, or relay the generated payload.
Elastic Security case
SIEM and analytics
Live with copy fallback
native
Creates an Elastic case with the generated remediation or scan summary.
- Requirement
- Requires a Kibana base URL and Elastic API key with Cases write access.
- Auth
- API key
- Config
- elastic_security_case
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Email handoff
Collaboration
Live with copy fallback
native
Generates a browser mail draft or sends through a configured relay endpoint.
- Requirement
- Uses a local mailto draft, or a configured CORS-enabled email relay URL.
- Auth
- No external auth
- Config
- email_handoff
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- No provider credential is required; the operator still chooses the exact page, file, or route input in the browser.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Generic webhook
Custom integrations
Live with copy fallback
native
Posts the full SecurityRecipes delivery envelope to a custom SOAR, queue, or workflow endpoint.
- Requirement
- Requires a browser-reachable webhook URL and any required headers or bearer token.
- Auth
- Webhook secret or URL
- Config
- generic_webhook
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The destination system must expose a pre-approved webhook endpoint or secret-backed URL that the browser can post to directly.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
GitHub issue
Ticketing
Browser live
native
Creates a GitHub issue with a normalized remediation or scan handoff body.
- Requirement
- Requires GitHub PAT or OAuth token with issues write access.
- Auth
- Personal access token, OAuth delegated token
- Config
- github_issue
- Browser delivery
- yes
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- A user-scoped personal access token must stay in browser storage and carry only the minimum read or write scope required for the selected task.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- No catalog-level blocker is left in the current browser model; only operator configuration and reviewer judgment remain.
GitLab issue
Ticketing
Live with copy fallback
native
Browser-side route for creating a GitLab issue with a normalized remediation or triage brief, with local preview fallback when direct delivery is blocked.
- Requirement
- Requires a GitLab project path or ID plus a personal access token or bearer token. GitLab.com works out of the box; self-managed hosts need a browser-allowed API base URL.
- Auth
- Personal access token, OAuth delegated token
- Config
- gitlab_issue
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- A user-scoped personal access token must stay in browser storage and carry only the minimum read or write scope required for the selected task.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Google Chat webhook
Collaboration
Live with copy fallback
native
Starter browser-side route for posting a normalized remediation or incident brief into a Google Chat space.
- Requirement
- Requires a Google Chat incoming webhook URL for the destination space.
- Auth
- Webhook secret or URL
- Config
- google_chat_webhook
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The destination system must expose a pre-approved webhook endpoint or secret-backed URL that the browser can post to directly.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
IBM SOAR incident
SOAR and case management
Reviewed starter contract
template
Starter browser-side route for creating an IBM SOAR incident from a structured SecurityRecipes packet.
- Requirement
- Requires an IBM SOAR organization URL and API credentials with incident create access.
- Auth
- API key
- Config
- ibm_soar_incident
- Browser delivery
- yes
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Jira ticket
Ticketing
Browser live
native
Creates a Jira task with a structured remediation or scan summary.
- Requirement
- Requires Jira base URL, account email, API token, and project key.
- Auth
- API token
- Config
- jira_issue
- Browser delivery
- yes
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- The operator must supply a provider token or service token in browser storage before this pack can run.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- No catalog-level blocker is left in the current browser model; only operator configuration and reviewer judgment remain.
Linear issue
Ticketing
Live with copy fallback
native
Creates a Linear issue through the GraphQL API for security engineering or platform backlog handoff.
- Requirement
- Requires a Linear personal API key and a target team ID.
- Auth
- API key
- Config
- linear_issue
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Microsoft Sentinel playbook trigger
SOAR and case management
Reviewed starter contract
template
Starter browser-side route for forwarding a reviewed packet into a Microsoft Sentinel incident playbook.
- Requirement
- Requires Azure subscription and workspace identifiers plus an OAuth token permitted to run Sentinel playbooks.
- Auth
- OAuth delegated token
- Config
- microsoft_sentinel_playbook
- Browser delivery
- yes
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Microsoft Teams workflow webhook
Collaboration
Live with copy fallback
native
Posts a browser-generated handoff to a Microsoft Teams channel or chat through a Workflows webhook.
- Requirement
- Requires a Teams Workflows webhook URL. Microsoft 365 connectors are nearing deprecation, so prefer a Workflows-owned webhook.
- Auth
- Webhook secret or URL
- Config
- teams_workflows_webhook
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The destination system must expose a pre-approved webhook endpoint or secret-backed URL that the browser can post to directly.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
PagerDuty Events API v2
Incident response
Live with copy fallback
native
Starter browser-side route for escalating a high-confidence incident or remediation brief into PagerDuty event orchestration.
- Requirement
- Requires a PagerDuty Events API v2 routing key or service integration configured for the target escalation path.
- Auth
- API key
- Config
- pagerduty_events_v2
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Runbook receipt
Reports and evidence
Local copy only
native
Clipboard-friendly markdown for human execution with stop conditions and rollback.
- Requirement
- No external auth required. Produces copyable steps and evidence.
- Auth
- No external auth
- Config
- runbook_receipt
- Browser delivery
- yes
Readiness requirements
- This pack intentionally stops at a local contract and never performs the external write for the operator.
- No provider credential is required; the operator still chooses the exact page, file, or route input in the browser.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- No external write path exists by design, so a reviewer or downstream tool must copy, download, or relay the generated payload.
Server runbook
Reports and evidence
Local copy only
native
Operations-focused handoff for patching or validation during a maintenance window.
- Requirement
- No automatic server changes. Produces commands for a human-run maintenance window.
- Auth
- No external auth
- Config
- server_runbook
- Browser delivery
- yes
Readiness requirements
- This pack intentionally stops at a local contract and never performs the external write for the operator.
- No provider credential is required; the operator still chooses the exact page, file, or route input in the browser.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- No external write path exists by design, so a reviewer or downstream tool must copy, download, or relay the generated payload.
ServiceNow incident
Ticketing
Live with copy fallback
native
Creates a ServiceNow incident or task record with a normalized remediation or scan summary.
- Requirement
- Requires a ServiceNow instance URL, table name, and OAuth bearer token with create access to the target table.
- Auth
- OAuth delegated token
- Config
- servicenow_incident
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Slack webhook
Collaboration
Browser live
native
Posts the report or remediation handoff into a Slack channel using an incoming webhook.
- Requirement
- Requires an incoming Slack webhook URL.
- Auth
- Webhook secret or URL
- Config
- slack_webhook
- Browser delivery
- yes
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- The destination system must expose a pre-approved webhook endpoint or secret-backed URL that the browser can post to directly.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- No catalog-level blocker is left in the current browser model; only operator configuration and reviewer judgment remain.
Splunk HEC event
SIEM and analytics
Live with copy fallback
native
Posts the normalized report bundle directly to Splunk HTTP Event Collector for SIEM or analytics use.
- Requirement
- Requires a Splunk HEC URL and HEC token.
- Auth
- API token
- Config
- splunk_hec
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The operator must supply a provider token or service token in browser storage before this pack can run.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Splunk SOAR incident
SOAR and case management
Live with copy fallback
native
Browser-side route for creating a Splunk SOAR container from a reviewed SecurityRecipes packet, with container-shaped payloads and local preview fallback when direct delivery is blocked.
- Requirement
- Requires a Splunk SOAR or Phantom tenant URL or /rest/container endpoint plus a ph-auth-token for an automation user with container create access. Direct browser delivery still depends on tenant CORS and label permissions.
- Auth
- API token
- Config
- splunk_soar_container
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The operator must supply a provider token or service token in browser storage before this pack can run.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Swimlane case
SOAR and case management
Reviewed starter contract
template
Starter browser-side route for creating a Swimlane case or work item from a reviewed SecurityRecipes packet.
- Requirement
- Requires a Swimlane environment URL, app identifier, and API token with record create access for the target case app.
- Auth
- API token
- Config
- swimlane_record
- Browser delivery
- yes
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The operator must supply a provider token or service token in browser storage before this pack can run.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Tines webhook
SOAR and case management
Live with copy fallback
native
Browser-side route for forwarding a reviewed SecurityRecipes packet into a Tines story or event-driven workflow, with local preview fallback when direct delivery is blocked.
- Requirement
- Requires a Tines webhook or HTTP Request action endpoint approved for browser-triggered incident or remediation intake, with any optional auth header or custom headers configured in the browser.
- Auth
- Webhook secret or URL
- Config
- tines_webhook
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The destination system must expose a pre-approved webhook endpoint or secret-backed URL that the browser can post to directly.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Torq workflow webhook
SOAR and case management
Live with copy fallback
native
Browser-side route for sending a reviewed remediation or incident packet into a Torq automation workflow, with local preview fallback when direct delivery is blocked.
- Requirement
- Requires a Torq webhook or API-triggered workflow endpoint plus any auth header or secret material approved for browser-side use.
- Auth
- Webhook secret or URL
- Config
- torq_webhook
- Browser delivery
- yes
Readiness requirements
- The browser can try a direct write when the operator supplies the required config, and it still keeps a safe local copy or export fallback.
- The destination system must expose a pre-approved webhook endpoint or secret-backed URL that the browser can post to directly.
- Browser delivery is always operator-triggered and keeps provider secrets in browser storage instead of a SecurityRecipes backend.
Current blockers
- Operator-owned credentials, webhook targets, or tenant metadata still need to be configured in the browser before a live call can run.
- Provider cross-origin behavior and tenant policy still decide whether the direct browser path succeeds, so the local handoff fallback remains part of the design.
Input sources
Context and finding sources, including the auth pattern and the reason a source is live, local, or still only a starter contract.
AWS Inspector findings
Scanner findings
Reviewed starter contract
template
Starter config for pulling Amazon Inspector findings into browser-side prioritization, reporting, and downstream routing.
- Auth
- AWS SigV4 signing
- Config
- aws_inspector_findings
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The browser runtime needs real AWS SigV4 request signing and short-lived credentials before the provider API can be called honestly from the browser.
- Provider endpoint: https://inspector2.us-east-1.amazonaws.com.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
AWS Security Hub
Scanner findings
Reviewed starter contract
template
Config profile for pulling ASFF findings into remediation reports and downstream workflow packs.
- Auth
- AWS SigV4 signing
- Config
- aws_security_hub
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The browser runtime needs real AWS SigV4 request signing and short-lived credentials before the provider API can be called honestly from the browser.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Azure DevOps repository context
Code and findings sources
Browser live
native
Pulls bounded Azure DevOps repository metadata, useful repo files, active pull requests, and recent open work items directly in the browser for remediation planning.
- Auth
- OAuth delegated token, Personal access token
- Config
- azure_devops_repository
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- A user-scoped personal access token must stay in browser storage and carry only the minimum read or write scope required for the selected task.
- Provider endpoint:
https://dev.azure.com.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
Checkmarx One findings
Scanner findings
Reviewed starter contract
template
Starter config for pulling high-severity Checkmarx One findings into browser-side triage and routed handoff workflows.
- Auth
- OAuth delegated token, API key
- Config
checkmarx_one_findings
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- Provider endpoint:
https://ast.checkmarx.net/api.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Confluence runbook context
Knowledge sources
Browser live
native
Searches Confluence Cloud pages in the browser to bring internal runbooks, exception notes, and operational context into a scoped agent session.
- Auth
- API token, OAuth delegated token
- Config
confluence_search
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- The operator must supply a provider token or service token in browser storage before this pack can run.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Provider endpoint:
https://example.atlassian.net/wiki.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
CrowdStrike detections
Scanner findings
Reviewed starter contract
template
Starter config for bounded CrowdStrike Falcon detection intake into browser-side triage and response workflows.
- Auth
- OAuth delegated token, API key
- Config
crowdstrike_detections
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- Provider endpoint:
https://api.crowdstrike.com.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Current page context
Local browser context
Browser live
native
Sends the current page title, headings, and bounded body text to the model.
- Auth
- No external auth
- Config
page_context
- Source
active_document
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- No provider credential is required; the operator still chooses the exact page, file, or route input in the browser.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
DefectDojo findings
Scanner findings
Reviewed starter contract
template
Starter config for pulling active high-severity DefectDojo findings with enough context for analyst routing and ticket creation.
- Auth
- API token, OAuth delegated token
- Config
defectdojo_findings
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The operator must supply a provider token or service token in browser storage before this pack can run.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Provider endpoint:
https://dojo.example.com/api/v2.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
deps.dev advisory context
Code and findings sources
Browser live
native
Checks public GitHub Dependency Graph SBOM packages against deps.dev advisory metadata.
- Auth
- Public access, Personal access token, OAuth delegated token
- Config
deps_dev_lookup
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- The pack can rely on public or anonymously readable data, but the browser still needs a bounded repository, tenant, or document target.
- A user-scoped personal access token must stay in browser storage and carry only the minimum read or write scope required for the selected task.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
GitHub code scanning alerts
Scanner findings
Reviewed starter contract
template
Starter config for pulling open high-severity GitHub code scanning alerts into browser-side triage and remediation planning.
- Auth
- Personal access token, OAuth delegated token
- Config
github_code_scanning_alerts
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- A user-scoped personal access token must stay in browser storage and carry only the minimum read or write scope required for the selected task.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Provider endpoint:
https://api.github.com.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
GitHub repository context
Code and findings sources
Browser live
native
Pulls bounded public or authenticated GitHub repo metadata, manifest files, open issues, and pull requests.
- Auth
- Public access, Personal access token, OAuth delegated token
- Config
github_repository
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- The pack can rely on public or anonymously readable data, but the browser still needs a bounded repository, tenant, or document target.
- A user-scoped personal access token must stay in browser storage and carry only the minimum read or write scope required for the selected task.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
GitLab project context
Code and findings sources
Browser live
native
Pulls bounded GitLab project metadata, useful repository files, open issues, and open merge requests directly in the browser for GitLab-centered remediation work.
- Auth
- Public access, Personal access token, OAuth delegated token
- Config
gitlab_project_context
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- The pack can rely on public or anonymously readable data, but the browser still needs a bounded repository, tenant, or document target.
- A user-scoped personal access token must stay in browser storage and carry only the minimum read or write scope required for the selected task.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Provider endpoint:
https://gitlab.com/api/v4.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
GitLab vulnerability findings
Scanner findings
Browser live
native
Pulls a bounded first page of GitLab project vulnerability findings directly in the browser when AppSec findings and fix ownership live in the same GitLab namespace.
- Auth
- Personal access token, OAuth delegated token
- Config
gitlab_vulnerability_findings
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- A user-scoped personal access token must stay in browser storage and carry only the minimum read or write scope required for the selected task.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Provider endpoint:
https://gitlab.com/api/v4.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
Google Cloud SCC findings
Scanner findings
Reviewed starter contract
template
Starter config for Security Command Center findings when cloud exposures need browser-side triage and routing.
- Auth
- OAuth delegated token
- Config
google_cloud_scc_findings
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Provider endpoint:
https://securitycenter.googleapis.com.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Lacework alerts
Scanner findings
Reviewed starter contract
template
Starter config for pulling open high-severity Lacework alerts into browser-side remediation and escalation planning.
- Auth
- API key
- Config
lacework_alerts
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- Provider endpoint:
https://api.lacework.net.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Major scanner JSON exports
Scanner findings
Browser live
native
Uploads major scanner and findings-platform JSON exports in the browser, normalizes them into a bounded summary, and feeds the exposure queue plus downstream reports without any server-side secret handling.
- Auth
- No external auth
- Config
scanner_export_bundle
- Source
local_file
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- No provider credential is required; the operator still chooses the exact page, file, or route input in the browser.
- Accepted formats: aws-security-hub-asff, tenable-vulnerability-export, defectdojo-findings-json, generic-findings-array-json.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
Microsoft Defender XDR incidents
Scanner findings
Browser live
native
Pulls a bounded Microsoft Defender XDR incident sample directly in the browser with local severity and status filters for queueing, reporting, and remediation planning.
- Auth
- OAuth delegated token
- Config
microsoft_defender_xdr_incidents
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Provider endpoint:
https://api.security.microsoft.com/api/incidents.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
Microsoft Sentinel incidents
Scanner findings
Browser live
native
Pulls a bounded Microsoft Sentinel workspace incident sample directly in the browser with local severity and status filters for queueing, reporting, and remediation planning.
- Auth
- OAuth delegated token
- Config
microsoft_sentinel_incidents
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Provider endpoint:
https://management.azure.com.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
Orca Security alerts
Scanner findings
Reviewed starter contract
template
Starter config for Orca alert intake when cloud exposure and workload findings need browser-side case and report handling.
- Auth
- API token
- Config
orca_security_alerts
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The operator must supply a provider token or service token in browser storage before this pack can run.
- Provider endpoint:
https://api.orcasecurity.io.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Prisma Cloud alerts
Scanner findings
Reviewed starter contract
template
Starter config for Prisma Cloud alert intake across posture and runtime findings.
- Auth
- Access key pair
- Config
prisma_cloud_alerts
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The pack needs provider access-key style credentials and should only be promoted when the browser flow can keep those values bounded and explicit.
- Provider endpoint:
https://api.prismacloud.io.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Rapid7 InsightVM vulnerabilities
Scanner findings
Reviewed starter contract
template
Starter config for pulling high-risk Rapid7 InsightVM vulnerabilities into browser-side triage and routing workflows.
- Auth
- API key
- Config
rapid7_insightvm_vulnerabilities
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- Provider endpoint:
https://console.insight.rapid7.com/api/3.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
SARIF upload
Scanner findings
Browser live
native
Uploads a local SARIF 2.1.0 file in the browser, normalizes the findings, and attaches a bounded summary to prompts and agent runs.
- Auth
- No external auth
- Config
sarif_bundle
- Source
local_file
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- No provider credential is required; the operator still chooses the exact page, file, or route input in the browser.
- Accepted formats: sarif-2.1.0-json.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
SBOM upload
Scanner findings
Browser live
native
Uploads a local CycloneDX or SPDX JSON SBOM in the browser and attaches a bounded package, dependency, and vulnerability summary to prompts.
- Auth
- No external auth
- Config
sbom_bundle
- Source
local_file
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- No provider credential is required; the operator still chooses the exact page, file, or route input in the browser.
- Accepted formats: cyclonedx-json, spdx-json.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
SecurityRecipes search index
Local browser context
Browser live
native
Searches the generated recipe index and attaches the most relevant docs, prompts, and remediation pages.
- Auth
- No external auth
- Config
recipes_index
- Source
/recipes-index.json
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- No provider credential is required; the operator still chooses the exact page, file, or route input in the browser.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
Semgrep AppSec findings
Scanner findings
Reviewed starter contract
template
Starter config for bringing bounded Semgrep AppSec findings into browser-side reviewer queues and remediation handoffs.
- Auth
- API token
- Config
semgrep_appsec_findings
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The operator must supply a provider token or service token in browser storage before this pack can run.
- Provider endpoint:
https://semgrep.dev/api/v1.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Snyk issues API
Scanner findings
Browser live
native
Pulls a bounded first page of high-priority Snyk organization issues directly in the browser for scanner-aware triage and remediation planning.
- Auth
- API token
- Config
snyk_issues
Readiness requirements
- The browser workbench already has a direct BYO-token runtime path for this pack today.
- The operator must supply a provider token or service token in browser storage before this pack can run.
- Provider endpoint:
https://api.snyk.io/rest.
Current blockers
- No catalog-level blocker is left; the remaining step is loading the selected page, repository, or file into the browser session.
SonarQube security issues
Scanner findings
Reviewed starter contract
template
Starter config for pulling open SonarQube vulnerabilities and security hotspots into a browser-local remediation queue.
- Auth
- API token
- Config
sonarqube_issues
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The operator must supply a provider token or service token in browser storage before this pack can run.
- Provider endpoint:
https://sonarqube.example.com/api.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Tenable vulnerability management
Scanner findings
Reviewed starter contract
template
Starter config for exporting high-severity Tenable vulnerabilities into remediation and report workflows.
- Auth
- API key
- Config
tenable_vuln_export
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- Provider endpoint:
https://cloud.tenable.com.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Veracode findings
Scanner findings
Reviewed starter contract
template
Starter config for pulling actionable Veracode findings into a browser-local remediation and reporting workflow.
- Auth
- API key
- Config
veracode_findings
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- Provider endpoint:
https://api.veracode.com/appsec/v1.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Wiz findings API
Scanner findings
Reviewed starter contract
template
Pre-populated browser-side config for pulling cloud and workload findings from Wiz when a customer enables direct API access.
- Auth
- API key, OAuth delegated token
- Config
wiz_findings
Readiness requirements
- This is a reviewed starter contract that still needs a verified browser-safe auth, API, and CORS story before promotion.
- The operator must paste a provider-issued API key into browser storage before the pack can call the provider API directly.
- The browser runtime needs an OAuth-capable flow and a delegated token with the provider scopes required for the selected source or route.
- Provider endpoint:
https://api.us1.app.wiz.io/graphql.
Current blockers
- The runtime path has not been promoted from starter contract to live browser flow yet.
- Auth scope, request signing, pagination, throttling, and cross-origin behavior still need explicit verification for this provider.
Public JSON feeds and schemas
Machine-readable control-plane contracts and browser-authored schemas generated by the Hugo build so downstream systems can consume the marketplace and contributors can validate packets without scraping page state.
/marketplace-control-plane.json
Combined catalog, routes, reports, and workflow bundles.
Catalog feed
/marketplace-catalog.json
Positioning, browser runtime model, and market signals.
Input channels
/marketplace-input-channels.json
Scanner, repo, runbook, and browser context intake contracts.
Output channels
/marketplace-output-channels.json
Ticketing, collaboration, SIEM, and webhook route definitions.
Report profiles
/marketplace-report-profiles.json
Reusable report and evidence contracts.
Workflow templates
/marketplace-workflow-templates.json
Curated and community workflow packs built from the same data model.
Readiness matrix
/marketplace-readiness.json
Derived input and output readiness view with auth labels, requirements, and blocker summaries.
Schema manifest
/marketplace-schemas/index.json
Discovery list for contribution-packet plus case, asset, and routing schema URLs.
Input contribution schema
/marketplace-schemas/input-channel-contribution.schema.json
Validates browser-exported input-channel submission packets before a marketplace PR.
Output contribution schema
/marketplace-schemas/output-channel-contribution.schema.json
Validates browser-exported output-route submission packets before a marketplace PR.
Report contribution schema
/marketplace-schemas/report-profile-contribution.schema.json
Validates browser-exported report-profile submission packets before a marketplace PR.
Workflow contribution schema
/marketplace-schemas/workflow-template-contribution.schema.json
Validates reusable workflow-pack submission packets before they land in the public marketplace.
Local library schema
/marketplace-schemas/local-library.schema.json
Validates portable browser-local library export and import payloads for private input, output, report, and workflow packs.
Case file schema
/marketplace-schemas/case-file.schema.json
Validates exported Caseboard JSON before it is handed to another tool or reviewer.
Case library schema
/marketplace-schemas/case-library.schema.json
Validates portable browser-local Caseboard library export and import payloads.
Asset library schema
/marketplace-schemas/asset-library.schema.json
Validates browser-local asset criticality and ownership library exports and imports.
Operations history schema
/marketplace-schemas/operations-history.schema.json
Validates browser-local source sync, agent run, case action, and report-export history before handoff.
Operations session schema
/marketplace-schemas/operations-session.schema.json
Validates grouped browser-local investigation sessions before correlated run context is handed downstream.
Routing policy schema
/marketplace-schemas/routing-policy.schema.json
Validates one owner-aware routing policy before it is applied across exposures, cases, or delivery flows.
Routing library schema
/marketplace-schemas/routing-library.schema.json
Validates portable browser-local routing libraries for approval, ticket, and downstream route defaults.
Output channels
Downstream delivery routes for tickets, collaboration, SIEM, and custom relays.
Azure DevOps work item
Browser-side route for creating an Azure DevOps work item from a normalized remediation or scan handoff, with local preview fallback when direct delivery is blocked.
- Driver
azure-devops
- Browser delivery
- yes
- Config type
azure_devops_work_item
- Version
- 1.0.0
- Review
- 2026-05-05
Requires an Azure DevOps organization, project, work item type, and a PAT or bearer token with Work Items write scope.
Cortex XSOAR incident
Browser-side route for creating a Cortex XSOAR incident from a reviewed SecurityRecipes packet, with incident-shaped payloads and local preview fallback when direct delivery is blocked.
- Driver
xsoar
- Browser delivery
- yes
- Config type
cortex_xsoar_incident
- Version
- 1.0.0
- Review
- 2026-05-05
Requires a Cortex XSOAR tenant URL or incident endpoint plus API key ID and API key with incident create access. Direct browser delivery still depends on tenant CORS and any mandatory incident fields.
Draft PR packet
Reviewer-ready markdown and metadata for a pull request without writing to the source host.
- Driver
draft-pr
- Browser delivery
- yes
- Config type
draft_pr_packet
- Version
- 1.0.0
- Review
- 2026-05-05
No GitHub write required. Produces branch name, PR body, tests, rollback, and reviewer checklist.
Elastic Security case
Creates an Elastic case with the generated remediation or scan summary.
- Driver
elastic-case
- Browser delivery
- yes
- Config type
elastic_security_case
- Version
- 1.0.0
- Review
- 2026-05-05
Requires a Kibana base URL and Elastic API key with Cases write access.
Email handoff
Generates a browser mail draft or sends through a configured relay endpoint.
- Driver
email
- Browser delivery
- yes
- Config type
email_handoff
- Version
- 1.0.0
- Review
- 2026-05-05
Uses a local mailto draft, or a configured CORS-enabled email relay URL.
Generic webhook
Posts the full SecurityRecipes delivery envelope to a custom SOAR, queue, or workflow endpoint.
- Driver
generic-webhook
- Browser delivery
- yes
- Config type
generic_webhook
- Version
- 1.0.0
- Review
- 2026-05-05
Requires a browser-reachable webhook URL and any required headers or bearer token.
GitHub issue
Creates a GitHub issue with a normalized remediation or scan handoff body.
- Driver
github-issue
- Browser delivery
- yes
- Config type
github_issue
- Version
- 1.0.0
- Review
- 2026-05-05
Requires GitHub PAT or OAuth token with issues write access.
GitLab issue
Browser-side route for creating a GitLab issue with a normalized remediation or triage brief, with local preview fallback when direct delivery is blocked.
- Driver
gitlab-issue
- Browser delivery
- yes
- Config type
gitlab_issue
- Version
- 1.0.0
- Review
- 2026-05-05
Requires a GitLab project path or ID plus a personal access token or bearer token. GitLab.com works out of the box; self-managed hosts need a browser-allowed API base URL.
Google Chat webhook
Starter browser-side route for posting a normalized remediation or incident brief into a Google Chat space.
- Driver
google-chat
- Browser delivery
- yes
- Config type
google_chat_webhook
- Version
- 1.0.0
- Review
- 2026-05-05
Requires a Google Chat incoming webhook URL for the destination space.
IBM SOAR incident
Starter browser-side route for creating an IBM SOAR incident from a structured SecurityRecipes packet.
- Driver
ibm-soar
- Browser delivery
- yes
- Config type
ibm_soar_incident
- Version
- 1.0.0
- Review
- 2026-05-05
Requires an IBM SOAR organization URL and API credentials with incident create access.
Jira ticket
Creates a Jira task with a structured remediation or scan summary.
- Driver
jira
- Browser delivery
- yes
- Config type
jira_issue
- Version
- 1.0.0
- Review
- 2026-05-05
Requires Jira base URL, account email, API token, and project key.
Linear issue
Creates a Linear issue through the GraphQL API for security engineering or platform backlog handoff.
- Driver
linear
- Browser delivery
- yes
- Config type
linear_issue
- Version
- 1.0.0
- Review
- 2026-05-05
Requires a Linear personal API key and a target team ID.
Microsoft Sentinel playbook trigger
Starter browser-side route for forwarding a reviewed packet into a Microsoft Sentinel incident playbook.
- Driver
sentinel-playbook
- Browser delivery
- yes
- Config type
microsoft_sentinel_playbook
- Version
- 1.0.0
- Review
- 2026-05-05
Requires Azure subscription and workspace identifiers plus an OAuth token permitted to run Sentinel playbooks.
Microsoft Teams workflow webhook
Posts a browser-generated handoff to a Microsoft Teams channel or chat through a Workflows webhook.
- Driver
teams
- Browser delivery
- yes
- Config type
teams_workflows_webhook
- Version
- 1.0.0
- Review
- 2026-05-05
Requires a Teams Workflows webhook URL. Microsoft 365 connectors are nearing deprecation, so prefer a Workflows-owned webhook.
PagerDuty Events API v2
Starter browser-side route for escalating a high-confidence incident or remediation brief into PagerDuty event orchestration.
- Driver
pagerduty
- Browser delivery
- yes
- Config type
pagerduty_events_v2
- Version
- 1.0.0
- Review
- 2026-05-05
Requires a PagerDuty Events API v2 routing key or service integration configured for the target escalation path.
Runbook receipt
Clipboard-friendly markdown for human execution with stop conditions and rollback.
- Driver
runbook
- Browser delivery
- yes
- Config type
runbook_receipt
- Version
- 1.0.0
- Review
- 2026-05-05
No external auth required. Produces copyable steps and evidence.
Server runbook
Operations-focused handoff for patching or validation during a maintenance window.
- Driver
server-runbook
- Browser delivery
- yes
- Config type
server_runbook
- Version
- 1.0.0
- Review
- 2026-05-05
No automatic server changes. Produces commands for a human-run maintenance window.
ServiceNow incident
Creates a ServiceNow incident or task record with a normalized remediation or scan summary.
- Driver
servicenow
- Browser delivery
- yes
- Config type
servicenow_incident
- Version
- 1.0.0
- Review
- 2026-05-05
Requires a ServiceNow instance URL, table name, and OAuth bearer token with create access to the target table.
Slack webhook
Posts the report or remediation handoff into a Slack channel using an incoming webhook.
- Driver: slack
- Browser delivery: yes
- Config type: slack_webhook
- Version: 1.0.0
- Review: 2026-05-05
Requires an incoming Slack webhook URL.
Splunk HEC event
Posts the normalized report bundle directly to Splunk HTTP Event Collector for SIEM or analytics use.
- Driver: splunk-hec
- Browser delivery: yes
- Config type: splunk_hec
- Version: 1.0.0
- Review: 2026-05-05
Requires a Splunk HEC URL and HEC token.
Splunk SOAR incident
Browser-side route for creating a Splunk SOAR container from a reviewed SecurityRecipes packet, with container-shaped payloads and local preview fallback when direct delivery is blocked.
- Driver: splunk-soar
- Browser delivery: yes
- Config type: splunk_soar_container
- Version: 1.0.0
- Review: 2026-05-05
Requires a Splunk SOAR or Phantom tenant URL or /rest/container endpoint plus a ph-auth-token for an automation user with container create access. Direct browser delivery still depends on tenant CORS and label permissions.
Swimlane case
Starter browser-side route for creating a Swimlane case or work item from a reviewed SecurityRecipes packet.
- Driver: swimlane
- Browser delivery: yes
- Config type: swimlane_record
- Version: 1.0.0
- Review: 2026-05-05
Requires a Swimlane environment URL, app identifier, and API token with record create access for the target case app.
Tines webhook
Browser-side route for forwarding a reviewed SecurityRecipes packet into a Tines story or event-driven workflow, with local preview fallback when direct delivery is blocked.
- Driver: tines
- Browser delivery: yes
- Config type: tines_webhook
- Version: 1.0.0
- Review: 2026-05-05
Requires a Tines webhook or HTTP Request action endpoint approved for browser-triggered incident or remediation intake, with any optional auth header or custom headers configured in the browser.
Torq workflow webhook
Browser-side route for sending a reviewed remediation or incident packet into a Torq automation workflow, with local preview fallback when direct delivery is blocked.
- Driver: torq
- Browser delivery: yes
- Config type: torq_webhook
- Version: 1.0.0
- Review: 2026-05-05
Requires a Torq webhook or API-triggered workflow endpoint plus any auth header or secret material approved for browser-side use.
Input channels
Context and scanner sources that the browser workbench can attach to chat and agent runs.
AWS Inspector findings
Starter config for pulling Amazon Inspector findings into browser-side prioritization, reporting, and downstream routing.
- Auth: aws_sigv4
- Config type: aws_inspector_findings
- Version: 1.0.0
- Review: 2026-05-05
AWS Security Hub
Config profile for pulling ASFF findings into remediation reports and downstream workflow packs.
- Auth: aws_sigv4
- Config type: aws_security_hub
- Version: 1.0.0
- Review: 2026-05-05
Azure DevOps repository context
Pulls bounded Azure DevOps repository metadata, useful repo files, active pull requests, and recent open work items directly in the browser for remediation planning.
- Auth: oauth, pat
- Config type: azure_devops_repository
- Version: 1.0.0
- Review: 2026-05-05
Checkmarx One findings
Starter config for pulling high-severity Checkmarx One findings into browser-side triage and routed handoff workflows.
- Auth: oauth, api_key
- Config type: checkmarx_one_findings
- Version: 1.0.0
- Review: 2026-05-05
Confluence runbook context
Searches Confluence Cloud pages in the browser to bring internal runbooks, exception notes, and operational context into a scoped agent session.
- Auth: api_token, oauth
- Config type: confluence_search
- Version: 1.0.0
- Review: 2026-05-05
CrowdStrike detections
Starter config for bounded CrowdStrike Falcon detection intake into browser-side triage and response workflows.
- Auth: oauth, api_key
- Config type: crowdstrike_detections
- Version: 1.0.0
- Review: 2026-05-05
Current page context
Sends the current page title, headings, and bounded body text to the model.
- Auth: none
- Config type: page_context
- Source: active_document
- Version: 1.0.0
- Review: 2026-05-05
DefectDojo findings
Starter config for pulling active high-severity DefectDojo findings with enough context for analyst routing and ticket creation.
- Auth: api_token, oauth
- Config type: defectdojo_findings
- Version: 1.0.0
- Review: 2026-05-05
deps.dev advisory context
Checks public GitHub Dependency Graph SBOM packages against deps.dev advisory metadata.
- Auth: public, pat, oauth
- Config type: deps_dev_lookup
- Version: 1.0.0
- Review: 2026-05-05
GitHub code scanning alerts
Starter config for pulling open high-severity GitHub code scanning alerts into browser-side triage and remediation planning.
- Auth: pat, oauth
- Config type: github_code_scanning_alerts
- Version: 1.0.0
- Review: 2026-05-05
GitHub repository context
Pulls bounded public or authenticated GitHub repo metadata, manifest files, open issues, and pull requests.
- Auth: public, pat, oauth
- Config type: github_repository
- Version: 1.0.0
- Review: 2026-05-05
GitLab project context
Pulls bounded GitLab project metadata, useful repository files, open issues, and open merge requests directly in the browser for GitLab-centered remediation work.
- Auth: public, pat, oauth
- Config type: gitlab_project_context
- Version: 1.0.0
- Review: 2026-05-05
GitLab vulnerability findings
Pulls a bounded first page of GitLab project vulnerability findings directly in the browser when AppSec findings and fix ownership live in the same GitLab namespace.
- Auth: pat, oauth
- Config type: gitlab_vulnerability_findings
- Version: 1.0.0
- Review: 2026-05-05
Google Cloud SCC findings
Starter config for Security Command Center findings when cloud exposures need browser-side triage and routing.
- Auth: oauth
- Config type: google_cloud_scc_findings
- Version: 1.0.0
- Review: 2026-05-05
Lacework alerts
Starter config for pulling open high-severity Lacework alerts into browser-side remediation and escalation planning.
- Auth: api_key
- Config type: lacework_alerts
- Version: 1.0.0
- Review: 2026-05-05
Major scanner JSON exports
Uploads major scanner and findings-platform JSON exports in the browser, normalizes them into a bounded summary, and feeds the exposure queue plus downstream reports without any server-side secret handling.
- Auth: none
- Config type: scanner_export_bundle
- Source: local_file
- Version: 1.0.0
- Review: 2026-05-05
Microsoft Defender XDR incidents
Pulls a bounded Microsoft Defender XDR incident sample directly in the browser with local severity and status filters for queueing, reporting, and remediation planning.
- Auth: oauth
- Config type: microsoft_defender_xdr_incidents
- Version: 1.0.0
- Review: 2026-05-05
Microsoft Sentinel incidents
Pulls a bounded Microsoft Sentinel workspace incident sample directly in the browser with local severity and status filters for queueing, reporting, and remediation planning.
- Auth: oauth
- Config type: microsoft_sentinel_incidents
- Version: 1.0.0
- Review: 2026-05-05
Orca Security alerts
Starter config for Orca alert intake when cloud exposure and workload findings need browser-side case and report handling.
- Auth: api_token
- Config type: orca_security_alerts
- Version: 1.0.0
- Review: 2026-05-05
Prisma Cloud alerts
Starter config for Prisma Cloud alert intake across posture and runtime findings.
- Auth: access_key
- Config type: prisma_cloud_alerts
- Version: 1.0.0
- Review: 2026-05-05
Rapid7 InsightVM vulnerabilities
Starter config for pulling high-risk Rapid7 InsightVM vulnerabilities into browser-side triage and routing workflows.
- Auth: api_key
- Config type: rapid7_insightvm_vulnerabilities
- Version: 1.0.0
- Review: 2026-05-05
SARIF upload
Uploads a local SARIF 2.1.0 file in the browser, normalizes the findings, and attaches a bounded summary to prompts and agent runs.
- Auth: none
- Config type: sarif_bundle
- Source: local_file
- Version: 1.0.0
- Review: 2026-05-05
SBOM upload
Uploads a local CycloneDX or SPDX JSON SBOM in the browser and attaches a bounded package, dependency, and vulnerability summary to prompts.
- Auth: none
- Config type: sbom_bundle
- Source: local_file
- Version: 1.0.0
- Review: 2026-05-05
SecurityRecipes search index
Searches the generated recipe index and attaches the most relevant docs, prompts, and remediation pages.
- Auth: none
- Config type: recipes_index
- Source: /recipes-index.json
- Version: 1.0.0
- Review: 2026-05-05
Semgrep AppSec findings
Starter config for bringing bounded Semgrep AppSec findings into browser-side reviewer queues and remediation handoffs.
- Auth: api_token
- Config type: semgrep_appsec_findings
- Version: 1.0.0
- Review: 2026-05-05
Snyk issues API
Pulls a bounded first page of high-priority Snyk organization issues directly in the browser for scanner-aware triage and remediation planning.
- Auth: api_token
- Config type: snyk_issues
- Version: 1.0.0
- Review: 2026-05-05
SonarQube security issues
Starter config for pulling open SonarQube vulnerabilities and security hotspots into a browser-local remediation queue.
- Auth: api_token
- Config type: sonarqube_issues
- Version: 1.0.0
- Review: 2026-05-05
Tenable vulnerability management
Starter config for exporting high-severity Tenable vulnerabilities into remediation and report workflows.
- Auth: api_key
- Config type: tenable_vuln_export
- Version: 1.0.0
- Review: 2026-05-05
Veracode findings
Starter config for pulling actionable Veracode findings into a browser-local remediation and reporting workflow.
- Auth: api_key
- Config type: veracode_findings
- Version: 1.0.0
- Review: 2026-05-05
Wiz findings API
Pre-populated browser-side config for pulling cloud and workload findings from Wiz when a customer enables direct API access.
- Auth: api_key, oauth
- Config type: wiz_findings
- Version: 1.0.0
- Review: 2026-05-05
Report profiles
Normalized report contracts that make browser runs reusable outside the prompt transcript.
Case management packet
Structured case payload optimized for SOAR and case-management systems that want fields instead of freeform prose.
- Sections: title, severity, scope, tasks, entities, references, custom_fields
- ID: case-management-packet
- Version: 1.0.0
- Review: 2026-05-05
Connector intake decision
Structured approval, hold, or deny pack for new MCP or API integration candidates.
- Sections: candidate, auth, egress, tool_surface, decision, required_controls
- ID: connector-intake-decision
- Version: 1.0.0
- Review: 2026-05-05
Executive risk brief
Short-form leadership update for weekly risk review or board prep.
- Sections: risk_statement, trend, top_findings, business_impact, next_actions
- ID: exec-risk-brief
- Version: 1.0.0
- Review: 2026-05-05
Incident response brief
Short-form incident commander brief for XDR, SIEM, and responder escalation workflows.
- Sections: incident_summary, triage, impacted_assets, containment, owner_handoff, evidence_links
- ID: incident-response-brief
- Version: 1.0.0
- Review: 2026-05-05
Investigation session packet
Grouped browser-local investigation session export with timeline, linked case reference, and handoff guidance.
- Sections: investigation_session, session, timeline, linked_case, next_actions
- ID: investigation-session-packet
- Version: 1.0.0
- Review: 2026-05-05
Remediation PR packet
Reviewer-ready packet for a code or configuration fix that stops at draft stage.
- Sections: executive_summary, scope, root_cause, proposed_change, validation, rollback, approvals
- ID: remediation-pr-packet
- Version: 1.0.0
- Review: 2026-05-05
Run receipt
Evidence-oriented receipt for a browser-run investigation or remediation planning session.
- Sections: run_metadata, inputs, decisions, outputs, operator_notes
- ID: run-receipt
- Version: 1.0.0
- Review: 2026-05-05
Scan findings bundle
Normalized browser-side report for imported SARIF, SBOM, and scanner context that can be copied or exported downstream as JSON.
- Sections: metadata, source, summary, findings, severity_counts, recommended_workflows, artifacts
- ID: scan-findings-bundle
- Version: 1.0.0
- Review: 2026-05-05
SIEM forwarding envelope
Normalized telemetry envelope for SIEM, webhook, and downstream analytics ingestion paths.
- Sections: metadata, routing, summary, findings, entities, observables, artifacts
- ID: siem-forwarding-envelope
- Version: 1.0.0
- Review: 2026-05-05
Ticket-ready brief
Compact summary optimized for Jira, GitHub Issues, ServiceNow, Linear, or GitLab.
- Sections: title, impact, scope, actions, owner_notes, links
- ID: ticket-ready-brief
- Version: 1.0.0
- Review: 2026-05-05
Workflow templates
Opinionated packs that bind inputs, recipes, reports, and outputs into repeatable operating motions.
AWS Inspector to ServiceNow
Pull AWS Inspector findings into a reviewed ServiceNow-ready incident or remediation handoff for cloud and platform teams.
- Inputs: recipe-index, aws-inspector-findings, confluence-knowledge
- Report: incident-response-brief
- Output: servicenow-incident
- Cadence: On new finding
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Azure DevOps remediation to work item
Use Azure DevOps repo context plus imported scanner artifacts to generate a governed remediation work item.
- Inputs: page-context, recipe-index, azure-devops-repository, sarif-manual-import, sbom-manual-import
- Report: ticket-ready-brief
- Output: azure-devops-work-item
- Cadence: Manual approval
- Approval: Code owner required
- Version: 1.0.0
- Review: 2026-05-05
Browser run receipt
Document a BYO-token browser investigation or planning session with an evidence-first receipt.
- Inputs: page-context, recipe-index
- Report: run-receipt
- Output: runbook-receipt
- Cadence: Manual approval
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Cloud alerts to XSOAR case
Aggregate Wiz, Prisma Cloud, or Security Hub findings into a structured case payload for Cortex XSOAR.
- Inputs: recipe-index, wiz-findings-api, prisma-cloud-alerts, security-hub-api
- Report: case-management-packet
- Output: cortex-xsoar-incident
- Cadence: On new finding
- Approval: Two-person review
- Version: 1.0.0
- Review: 2026-05-05
Community scan to SIEM
Example community-submitted profile for normalizing scan outputs before forwarding them to a SIEM pipeline.
- Inputs: sarif-manual-import, sbom-manual-import
- Report: scan-findings-bundle
- Output: splunk-hec
- Cadence: On new finding
- Approval: Ticket required
- Version: 1.0.0
- Review: 2026-05-05
DefectDojo findings to Jira
Bundle active DefectDojo findings into a Jira-ready analyst brief with recipe-backed remediation steps.
- Inputs: recipe-index, defectdojo-findings, confluence-knowledge
- Report: ticket-ready-brief
- Output: jira-ticket
- Cadence: Daily review queue
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Defender XDR incident to ServiceNow
Pull a bounded Defender XDR incident, align containment with internal runbooks, and draft a ServiceNow follow-up.
- Inputs: page-context, recipe-index, microsoft-defender-xdr-incidents, confluence-knowledge
- Report: incident-response-brief
- Output: servicenow-incident
- Cadence: On new finding
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Defender XDR to Splunk SOAR
Take a bounded Defender XDR incident, attach recipe and runbook context, and package it for a Splunk SOAR container.
- Inputs: page-context, recipe-index, microsoft-defender-xdr-incidents, confluence-knowledge
- Report: case-management-packet
- Output: splunk-soar-incident
- Cadence: On new finding
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Dependency fix to Linear
Draft a reviewer-ready dependency remediation handoff and create a Linear issue for platform backlog tracking.
- Inputs: page-context, recipe-index, github-repository, deps-dev-advisories, sbom-manual-import
- Report: ticket-ready-brief
- Output: linear-issue
- Cadence: Manual approval
- Approval: Code owner required
- Version: 1.0.0
- Review: 2026-05-05
GitHub code scanning to Jira
Turn GitHub code scanning alerts into a reviewer-ready Jira handoff that keeps repository context and remediation prompts together.
- Inputs: page-context, recipe-index, github-repository, github-code-scanning-alerts
- Report: ticket-ready-brief
- Output: jira-ticket
- Cadence: On new finding
- Approval: Code owner required
- Version: 1.0.0
- Review: 2026-05-05
GitHub dependency PR handoff
Use GitHub repo + deps.dev context to draft a narrow dependency remediation packet for human review.
- Inputs: page-context, recipe-index, github-repository, deps-dev-advisories
- Report: remediation-pr-packet
- Output: draft-pr-packet
- Cadence: Manual approval
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
GitLab vulnerability to GitLab issue
Turn GitLab vulnerability findings into a reviewer-ready fix plan and open a GitLab issue in the same project.
- Inputs: recipe-index, gitlab-project-context, gitlab-vulnerability-findings, sbom-manual-import
- Report: ticket-ready-brief
- Output: gitlab-issue
- Cadence: Manual approval
- Approval: Code owner required
- Version: 1.0.0
- Review: 2026-05-05
High-severity detection to Google Chat
Post a compact high-severity detection brief to Google Chat for cross-functional review without leaving the browser runtime.
- Inputs: page-context, recipe-index, microsoft-defender-xdr-incidents, crowdstrike-detections
- Report: incident-response-brief
- Output: google-chat-webhook
- Cadence: On new finding
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
MCP connector intake review
Score a proposed connector, produce a hold/allow decision pack, and route it to governance stakeholders.
- Inputs: page-context, recipe-index, confluence-knowledge
- Report: connector-intake-decision
- Output: runbook-receipt
- Cadence: Manual approval
- Approval: Two-person review
- Version: 1.0.0
- Review: 2026-05-05
Orca alerts to Tines
Normalize Orca alerts into a Tines-ready payload so cloud exposure review can move straight into deterministic workflow automation.
- Inputs: recipe-index, orca-security-alerts, prisma-cloud-alerts
- Report: case-management-packet
- Output: tines-webhook
- Cadence: On new finding
- Approval: Two-person review
- Version: 1.0.0
- Review: 2026-05-05
Rapid7 vulnerability to Swimlane
Turn Rapid7 InsightVM vulnerabilities into a structured Swimlane case packet for downstream coordination and response.
- Inputs: recipe-index, rapid7-insightvm-vulnerabilities, confluence-knowledge
- Report: case-management-packet
- Output: swimlane-case
- Cadence: On new finding
- Approval: Ticket required
- Version: 1.0.0
- Review: 2026-05-05
SARIF to ServiceNow incident
Turn imported SARIF findings into a governed ServiceNow incident for SecOps or platform follow-up.
- Inputs: page-context, recipe-index, sarif-manual-import
- Report: ticket-ready-brief
- Output: servicenow-incident
- Cadence: On new finding
- Approval: Ticket required
- Version: 1.0.0
- Review: 2026-05-05
SAST triage to Jira
Bundle bounded SAST findings into a Jira-ready brief and route the follow-up through a governed ticket.
- Inputs: page-context, recipe-index, sarif-manual-import
- Report: ticket-ready-brief
- Output: jira-ticket
- Cadence: Manual approval
- Approval: Code owner required
- Version: 1.0.0
- Review: 2026-05-05
Scan bundle to Elastic case
Normalize imported scanner evidence into a browser-side report bundle, then open an Elastic Security case.
- Inputs: sarif-manual-import, sbom-manual-import
- Report: scan-findings-bundle
- Output: elastic-security-case
- Cadence: On new finding
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Scanner export to ServiceNow
Normalize a browser-local scanner export bundle into a reviewer-ready incident or remediation handoff for ServiceNow.
- Inputs: page-context, recipe-index, scanner-export-bundle, confluence-knowledge
- Report: incident-response-brief
- Output: servicenow-incident
- Cadence: On new finding
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Scanner export to Splunk
Forward normalized browser-local scanner export findings into a SIEM-ready envelope for Splunk or another downstream analytics pipeline.
- Inputs: scanner-export-bundle, sarif-manual-import, sbom-manual-import
- Report: siem-forwarding-envelope
- Output: splunk-hec
- Cadence: On new finding
- Approval: Ticket required
- Version: 1.0.0
- Review: 2026-05-05
Security Hub risk brief
Aggregate cloud findings into an executive summary and downstream analyst brief.
- Inputs: page-context, security-hub-api
- Report: exec-risk-brief
- Output: slack-webhook
- Cadence: Weekly sweep
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Semgrep findings to Linear
Use Semgrep AppSec findings plus recipe context to create a platform-ready Linear issue without leaving the browser workbench.
- Inputs: recipe-index, semgrep-appsec-findings, confluence-knowledge
- Report: ticket-ready-brief
- Output: linear-issue
- Cadence: Daily review queue
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Sentinel incident to PagerDuty
Summarize a live Sentinel incident and escalate a high-confidence response brief into PagerDuty.
- Inputs: page-context, recipe-index, microsoft-sentinel-incidents, confluence-knowledge
- Report: incident-response-brief
- Output: pagerduty-events-v2
- Cadence: On new finding
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Snyk triage with runbooks
Pull bounded Snyk issues plus Confluence runbooks into a reviewer-ready remediation or triage brief.
- Inputs: recipe-index, snyk-issues-api, confluence-knowledge
- Report: ticket-ready-brief
- Output: jira-ticket
- Cadence: Daily review queue
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Veracode review to Torq
Route reviewed Veracode findings into a Torq workflow for coordinated remediation, approvals, or exception handling.
- Inputs: recipe-index, veracode-findings, confluence-knowledge
- Report: case-management-packet
- Output: torq-webhook
- Cadence: Daily review queue
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
Weekly risk brief to Teams
Assemble a review-ready risk brief from imported findings and route it to a Teams channel through a workflow webhook.
- Inputs: page-context, recipe-index, sarif-manual-import, sbom-manual-import
- Report: exec-risk-brief
- Output: teams-workflow-webhook
- Cadence: Weekly sweep
- Approval: Security reviewer required
- Version: 1.0.0
- Review: 2026-05-05
The public gallery now exposes runtime readiness directly, but routing decisions themselves remain tenant-local on purpose. The live site can tell you which inputs and outputs are browser-ready; the in-app Router and Agents views are where an operator inspects which routing policy matched, which defaults were suggested, and whether the current planner still diverges before a case or webhook leaves the browser.
The gallery now also includes a dedicated readiness matrix for input and
output packs plus a derived /marketplace-readiness.json feed. That
surface answers a more operational question than the normal catalog
cards do: what exactly must the operator configure, and what is still
blocking a starter contract from being considered honestly live in the
browser?
The browser workbench now derives one more layer on top of that public readiness view: a tenant-local portfolio coverage snapshot. The Router and Asset portfolio preview score each service portfolio by owner metadata, case coverage, routing coverage, and route blockers, then ship that JSON inside normalized report bundles for downstream review.
The in-app Security navigator now sits beside that gallery with a source freshness watch. It can refresh browser-safe sources such as GitHub, deps.dev, Snyk, and Confluence inline, while still routing manual-upload channels like SARIF and SBOM back to the browser-local upload flow instead of pretending those files can be silently reopened. It also exposes a source recovery hub that turns failed browser fetches, credential issues, missing setup, and file-format problems into copyable operator diagnostics before the next run.
The same navigator now also keeps a browser-local process log and history view. It records source syncs, chat sessions, agent runs, case actions, and report exports so the workbench has a lightweight operator chronology instead of leaving that context fragmented across tabs. The latest layer on top of that ledger is a grouped investigation sessions view that correlates source pulls, AI runs, case captures, and handoff exports into one browser-local session pack that can be inspected or exported as JSON.
Feed contract
The gallery now also publishes root-level JSON feeds for the combined control-plane manifest plus the catalog, input-channel, output-channel, report-profile, workflow-template, and derived readiness inventories.
The derived readiness feed sits alongside those root contracts:
/marketplace-readiness.json
It also publishes root-level schema files for browser-authored contribution packets, local marketplace-library exports, and portable Caseboard records:
- /marketplace-schemas/index.json
- /marketplace-schemas/input-channel-contribution.schema.json
- /marketplace-schemas/output-channel-contribution.schema.json
- /marketplace-schemas/report-profile-contribution.schema.json
- /marketplace-schemas/workflow-template-contribution.schema.json
- /marketplace-schemas/local-library.schema.json
- /marketplace-schemas/case-file.schema.json
- /marketplace-schemas/case-library.schema.json
- /marketplace-schemas/asset-library.schema.json
- /marketplace-schemas/operations-history.schema.json
- /marketplace-schemas/operations-session.schema.json
- /marketplace-schemas/portfolio-coverage.schema.json
- /marketplace-schemas/routing-policy.schema.json
- /marketplace-schemas/routing-library.schema.json
That matters for two reasons:
- external systems can consume the marketplace as structured data instead of scraping embedded page state
- contributors still only edit the Hugo data files under data/marketplace/; the public feeds and schema files are generated or shipped from the same contribution model during the site build
Contribution path
To add a new marketplace pack or workflow bundle:
- edit data/marketplace/input_channels.json, output_channels.json, report_profiles.json, or workflow_templates.json
- add or update a docs page that explains operator intent, auth shape, and review expectations
- open a pull request with example inputs, expected output shape, and the runtime maturity you are claiming
If the pack is not yet browser-safe, keep it honest:
- live: the browser can call it directly today
- live_or_copy: the browser can deliver directly when config and CORS allow it, but still has a safe local fallback
- copy_only: the browser produces the handoff contract but does not write externally
- config_only or planned: the JSON contract exists before the connector is promoted to a live runtime path
For workflow packs specifically, the browser workbench now includes a local Workflow Pack Lab that can clone marketplace packs, capture the current agent planner configuration, and copy a contribution-ready JSON packet before you open a pull request.
For report contracts, the same Control Plane tab now includes a local
Report Profile Lab that can author browser-local report profiles,
validate them, and copy contribution-ready JSON for
data/marketplace/report_profiles.json.
For integration packs, the same Control Plane tab now includes an Integration Pack Lab that can clone input/output contracts, save private local drafts, and export or import a full local marketplace library JSON bundle before the contracts are contributed publicly.
Both labs now also expose browser-side validation so the operator can check the draft against the published schema before copying the submission packet or importing a portable local-library export.
The Caseboard follows the same pattern: exported case files and full case-library backups now sit on published schema contracts, so portable browser investigations can be validated before they are handed to another tool, reviewer, or browser profile.
The new Asset and Ownership Board follows the same contract model: portable browser-local asset libraries now validate against the published asset-library schema before they are imported, copied, or downloaded, including optional portfolio IDs, portfolio labels, and related asset links for a lightweight local service map.
That service map is no longer just descriptive data. The browser now derives a coverage score and coverage state for each portfolio so an operator can see whether the linked service still has owner gaps, unrouted exposure items, only copy-safe delivery routes, or starter contracts that still need promotion before live browser use.
The latest layer on top of that local service map is dependency-aware
coverage. Linked assets now fan out into upstream and downstream
portfolio relationships so the Router and Asset preview can show whether
one partially covered service is still blocking or amplifying risk for
other services. The exported portfolio snapshot is now schema-backed as
/marketplace-schemas/portfolio-coverage.schema.json, which makes the
copy/download path usable as a stable contract for external consumers.
The Routing Policy Lab follows the same pattern: single-policy exports and full routing-library exports now validate against published routing schemas before the browser applies, copies, downloads, or imports them, including portfolio-aware match logic when multiple assets roll up to one business service.