ENGINEERING
Block GitLab MRs that touch secrets and escalate to security
Scans changed files in a new merge request for secret-like patterns and hardcoded credentials; on a hit it adds a do-not-merge label and posts the findings as an MR comment.
How it runs
The automated pipeline, trigger to output.
- Trigger: GitLab merge request opened or updated (GitLab)
- Action: Fetch the MR diff (GitLab)
- Logic: Scan diff for secret patterns and high entropy
- Action: Apply do-not-merge label and comment findings (GitLab)
- Output: Page the security on-call pool (PagerDuty)
What it does
Catches credentials before they merge. When a merge request opens, the flow scans its diff for secret-like patterns (API keys, tokens, private keys, connection strings). If anything matches, it applies a `do-not-merge` label, comments the exact offending lines on the MR, and pages the security reviewer pool so a human confirms before the branch goes anywhere.
When to use it
Use it as a backstop alongside (not instead of) pre-commit hooks, for teams where a leaked secret in history is a serious incident. Especially valuable when contributors include contractors or forks where local hooks aren't guaranteed.
How it works
1. A GitLab webhook fires on merge request open or update.
2. The flow pulls the MR diff text from the GitLab API.
3. A logic step runs the diff through secret-detection patterns and entropy checks.
4. Clean MRs pass through silently; on a match it labels the MR `do-not-merge` and comments the redacted findings.
5. It pages the security on-call pool so a reviewer is pulled in immediately.
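Steps 3 and 4 in working form, as an added illustration that is not the product's own logic: the scanner walks the added lines of a unified diff (the form the GitLab API returns per changed file), applies a few pattern rules and a Shannon-entropy fallback, and returns findings with each value redacted to a short prefix. The sample hunk, the rule set and the 3.5-bit threshold are constructed for this example.

```python
import math, re
# Constructed sample hunk (unified-diff text as the GitLab API returns it per file).
SAMPLE_DIFF = """\
@@ -1,3 +1,6 @@
 DB_HOST=db.internal
-DB_PASSWORD=changeme
+DB_PASSWORD=s3cr3t-pa55word-EXAMPLE
+AWS_KEY=AKIAIOSFODNN7EXAMPLE
+ENDPOINT_AUTH=kP9vQ2xL7mN4rT8wZ1yB6hJ3dF5gA0cE
+BANNER=aaaaaaaaaaaaaaaaaaaaaaaaaaaa
 LOG_LEVEL=info
"""
# Pattern rules, checked in order; a capture group marks the value to redact.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential-assignment", re.compile(r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*(\S+)")),
]
# Entropy fallback: 20+ char tokens above 3.5 bits/char (random base64 scores 5 to 6).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 3.5
def shannon_entropy(s):
    """Bits per character, treating each character as one symbol."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))
def redact(token):
    """Keep a 4-char prefix so a reviewer can locate the value without seeing it."""
    return token[:4] + "*" * (len(token) - 4) if len(token) > 4 else "****"
def classify(text):
    """Return (rule, redacted_text) for one added line, or None if it looks clean."""
    for rule, pattern in PATTERNS:
        if m := pattern.search(text):
            secret = m.group(m.lastindex or 0)
            return rule, text.replace(secret, redact(secret))
    for tok in TOKEN_RE.findall(text):  # no pattern hit: judge long tokens by entropy
        if shannon_entropy(tok) > ENTROPY_THRESHOLD:
            return "high-entropy-string", text.replace(tok, redact(tok))
    return None
def scan_diff(diff):
    """Return [(new_file_line_no, rule, redacted_text), ...]; empty means the MR is clean."""
    findings, line_no = [], 0
    for raw in diff.splitlines():
        if raw.startswith("@@"):  # hunk header "@@ -a,b +c,d @@": c is the first new-file line
            line_no = int(re.match(r"@@ -\S+ \+(\d+)", raw).group(1))
            continue
        if raw.startswith("+") and (hit := classify(raw[1:])):
            findings.append((line_no,) + hit)
        if raw[:1] in (" ", "+"):  # context and added lines advance the new file
            line_no += 1
    return findings
```

Only added lines are scanned, so a secret that a change removes does not page anyone, and the long repeated `BANNER` value shows why the entropy check is a fallback rather than a length check.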
Set it up
What you configure once, before turning it on.
1. Connect GitLab: repos, MRs, pipelines, registry.
2. Connect PagerDuty: incidents, on-call, escalations.
3. Set each agent's model: we leave models unset so you pick the tier — fast + cheap, or top-quality.
4. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
5. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More Engineering workflows
Upgrade Impact Router to Module Code Owners
Maps a dependency-bump PR's affected modules to their CODEOWNERS, then DMs each owner on Slack with only the changelog slice that touches code they own.
Re-Voice IVR Prompts on Phone-Tree Config Merge
When a phone-tree config change merges in GitHub, regenerates the ElevenLabs audio for any prompt whose script changed in the diff and opens a follow-up PR adding the new audio…
Agent reviews model-license fit and suggests compliant swaps on the PR
When a PR adds a Hugging Face model, an agent reads the model card and license, judges fit against your commercial-use policy.
Scan for deprecated endpoints and email consumers a weekly sunset countdown
On a weekly schedule, scans the OpenAPI spec for endpoints marked deprecated with a sunset date, and emails each consuming team a countdown of how many days remain before removal.
Publish a versioned API changelog to Confluence on each release tag
On a new semver release tag, gathers the contract changes since the last release and writes a clean.
Gate breaking API PRs behind downstream consumer acknowledgement
When a PR introduces a breaking contract change, comments the impact summary back on the PR, applies a blocking label.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.
