ENGINEERING
Scan new GitLab MR diffs for leaked secrets and block the merge
On every new or updated merge request, this scans the diff for hardcoded secrets and credentials; if any are confirmed, it sets the MR to draft and applies a blocking label so it cannot be merged until the secret is removed.
How it runs
The automated pipeline, trigger to output.
- Trigger: GitLab MR webhook fires on open or update (GitLab)
- Action: Fetch the MR diff from GitLab (GitLab)
- Action: Classify suspicious strings as secrets with OpenAI (OpenAI)
- Logic: Branch on whether any confirmed secret was found
- Action: Set MR to draft and apply blocking label (GitLab)
- Output: Alert the security channel in Slack (Slack)
What it does
Inspects the diff of every incoming merge request for leaked credentials (API keys, tokens, private keys, connection strings) using pattern matching plus an LLM pass to catch context-specific secrets the regexes miss and to discard placeholders and test fixtures the regexes flag. When a secret is confirmed, it converts the MR to draft, applies a `blocked:secret-detected` label, and notifies the security team with the exact files and lines.
When to use it
Use it as a last line of defense before merge when pre-commit hooks are inconsistently installed across a team. It catches secrets that slip past local tooling and stops them from reaching a protected branch. Treat every confirmed hit as already exposed: the value has been pushed to the remote and, in this flow, forwarded to OpenAI for classification, so rotate the credential rather than relying on a rewritten branch.
How it works
1. A GitLab merge request webhook fires when an MR opens or updates.
2. The flow pulls the MR diff via the GitLab API.
3. An OpenAI pass classifies suspicious strings as real secrets versus false positives and returns the affected file and line.
4. A branch checks whether any confirmed secret was found.
5. If yes, the flow marks the MR draft and applies the blocking label via GitLab.
6. A Slack alert goes to the security channel listing each finding.
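The scanning and branching logic of steps 2 through 5 above (and the "What it does" description), as an added example that is not the workflow's own code. It parses a unified diff the way the GitLab changes API returns it, scans only added lines, keeps the new-file line number for each hit, and stands in for the OpenAI classification step with two cheap checks (placeholder markers and Shannon entropy). The diff text, credentials, rule names, the `blocked:secret-detected` label handling and the entropy threshold are all constructed or assumed for illustration; real LLM classification and the GitLab and Slack API calls are left out.

```python
"""Scan the added lines of a merge request diff for leaked secrets.

Added example for this page, not the workflow's own code. Every credential
below is made up; the rules and the entropy threshold are assumptions.
"""
import math
import re
from dataclasses import dataclass

# Constructed unified diff standing in for the MR changes fetched from GitLab.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,7 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.internal"]
-DATABASE_URL = os.environ["DATABASE_URL"]
+DATABASE_URL = "postgres://app:Sup3rS3cret!@db.internal:5432/app"
+AWS_ACCESS_KEY_ID = "AKIA4QX7ZR2MN9PLT3KB"
+API_KEY = "f3a9c2e17b4d6e8a0c5b9d1e2f7a3c4b"
+SIGNING_SECRET = "${VAULT_SIGNING_SECRET}"
 SESSION_COOKIE_NAME = "sessionid"
 LOG_LEVEL = "info"
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+QUFBQ29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwta2V5
+-----END OPENSSH PRIVATE KEY-----
"""

# Fixed-format rules fire on shape alone; the generic rule needs the checks in classify().
GENERIC = "generic-assigned-secret"
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("connection-string-with-password",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@\"']+:[^\s@\"']+@[^\s\"']+")),
    (GENERIC, re.compile(r"(?i)(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*[\"']([^\"']{12,})[\"']")),
]
PLACEHOLDER_MARKERS = ("${", "{{", "<", ">", "changeme", "placeholder", "your_", "xxxx")
MIN_ENTROPY_BITS = 3.0  # assumed threshold; tune it against your own repositories
HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")


@dataclass
class Finding:
    path: str
    line: int        # line number in the new version of the file
    rule: str
    snippet: str     # redacted, so it is safe to post in a chat channel
    confirmed: bool
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high, words score lower."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def redact(value: str) -> str:
    return value[:4] + "*" * min(len(value) - 4, 8)


def classify(rule: str, value: str) -> tuple[bool, str]:
    """Stand-in for the LLM pass: decide whether a regex hit is a real secret."""
    if rule != GENERIC:
        return True, "fixed-format credential"
    if any(m in value.lower() for m in PLACEHOLDER_MARKERS):
        return False, "placeholder or template reference"
    h = shannon_entropy(value)
    if h < MIN_ENTROPY_BITS:
        return False, f"low entropy ({h:.2f} bits/char)"
    return True, f"high entropy ({h:.2f} bits/char)"


def scan_diff(diff: str) -> list[Finding]:
    """Walk the diff, scanning only '+' lines and tracking new-file line numbers."""
    findings, path, new_line, in_hunk = [], "", 0, False
    for raw in diff.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
        m = HUNK_RE.match(raw)
        if m:                                  # hunk header: reset the new-side counter
            new_line, in_hunk = int(m.group(1)), True
            continue
        if not in_hunk:                        # file headers; '+++ b/path' names the new file
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("+"):
            for rule, pattern in RULES:
                for hit in pattern.finditer(raw[1:]):
                    value = hit.group(hit.lastindex or 0)
                    ok, why = classify(rule, value)
                    findings.append(Finding(path, new_line, rule, redact(value), ok, why))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1
        # removed lines and '\ No newline at end of file' do not advance the new-side counter
    return findings


def decide(findings: list[Finding]) -> dict:
    """Branch step: confirmed secrets block the MR; the alert lists them by file and line."""
    confirmed = [f for f in findings if f.confirmed]
    lines = [f"{f.path}:{f.line} [{f.rule}] {f.snippet}" for f in confirmed]
    return {"set_draft": bool(confirmed),
            "labels": ["blocked:secret-detected"] if confirmed else [],
            "alert": "\n".join(lines)}


if __name__ == "__main__":
    results = scan_diff(SAMPLE_DIFF)
    for f in results:
        print(f)
    print(decide(results))
```

Two design points carry over to the real flow: the alert is built from redacted snippets so the Slack message never repeats the secret, and the diff parser counts only context and added lines, which is what makes the reported line numbers match what a reviewer sees in the MR.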
Set it up
What you configure once, before turning it on.
1. Connect GitLab: repos, MRs, pipelines, registry.
2. Connect OpenAI: models, embeddings, files.
3. Connect Slack: channels, DMs, threads, mentions.
4. Set each agent's model: models are left unset so you pick the tier, fast and cheap or top quality.
5. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
6. Test, then turn it on: run once against a sample MR, confirm the output, then enable the trigger.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.