SECOPS
Rotate leaked API key on GitHub push and redeploy Vercel
Scans every push to GitHub for credential patterns and, on a confirmed hit, rotates the matching Vercel environment variable and revokes the old key.
How it runs
The automated pipeline, trigger to output.
- Trigger: GitHub push received (GitHub)
- Logic: Scan diff for credential patterns and entropy
- Logic: Branch: real secret detected?
- Action: Rotate and update Vercel env var (Vercel)
- Action: Revoke leaked credential at provider (GitHub)
- Action: Open Linear evidence ticket (Linear)
- Output: Post alert with ticket link to Slack (Slack)
What it does
Watches pushes to your GitHub repositories, detects high-entropy strings and known credential formats (API keys, tokens, connection strings) in the diff, and when a real secret is found it immediately rotates the corresponding Vercel environment variable and files a tracked remediation ticket so nothing slips through review.
When to use it
Use this when your production app reads secrets from Vercel env vars and a developer occasionally hardcodes a key before catching it. It closes the window between commit and exploit by rotating automatically instead of waiting for a human to notice.
How it works
1. A push to any monitored GitHub repo fires the trigger with the commit diff.
2. A scan step matches the changed lines against credential signatures and entropy thresholds.
3. A branch checks whether a genuine secret was found; clean pushes exit silently.
4. On a hit, Vercel issues a fresh value and updates the env var for the affected project and environment.
5. The old credential is revoked at its provider so the leaked copy is dead.
6. A Linear issue is opened capturing the commit SHA, author, file, and rotation log.
7. A Slack alert notifies the security channel with the ticket link.
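The scan and branch steps above can be sketched as follows. This is an added example, not the workflow's own code: the signature set, the 4.0 bits-per-character threshold, the 20-character minimum token length and the sample diff are all assumptions, and only added lines are scanned.

```python
import math
import re
from collections import Counter

# Assumed signatures and threshold (not from the page); tune per provider.
SIGNATURES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "connection_string": re.compile(r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@]+@[^\s/]+"),
}
TOKEN = re.compile(r"[A-Za-z0-9+=_-]{20,}")   # candidate strings for the entropy check
ENTROPY_THRESHOLD = 4.0                       # bits per character; identifiers score lower
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def scan_diff(diff_text):
    """Scan added lines only; return (file, line, kind, value) with value redacted."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif (hunk := HUNK.match(raw)):
            lineno = int(hunk.group(1))          # first line number in the new file
        elif raw.startswith("+"):
            hits = [(kind, m.group()) for kind, rx in SIGNATURES.items()
                    for m in rx.finditer(raw[1:])]
            if not hits:                         # no known format: fall back to entropy
                hits = [("high_entropy", t) for t in TOKEN.findall(raw[1:])
                        if shannon_entropy(t) >= ENTROPY_THRESHOLD]
            findings += [(path, lineno, kind, value[:4] + "*" * (len(value) - 4))
                         for kind, value in hits]
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1                          # context line advances the counter
    return findings

# Constructed sample diff; every credential-like value below is fake.
SAMPLE_DIFF = """\
--- a/src/config.js
+++ b/src/config.js
@@ -1,1 +1,5 @@
 const region = "eu-west-1";
+const awsKey = "AKIAA1B2C3D4E5F6G7H8";
+const apiToken = "q7Zp2LmX9vKc4RtY8bNw3HsJ6dGf1AeU";
+const handler = get_user_account_settings_handler;
+const db = "postgres://app:S3cr3tPassw0rd@db.internal.example:5432/app";
"""
```

A non-empty result from `scan_diff` corresponds to the "real secret detected" branch; the long identifier on line 4 of the sample is skipped because its entropy is below the threshold.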
Set it up
What you configure once, before turning it on.
1. Connect GitHub: Repos, issues, pull requests, actions.
2. Connect Vercel: Deploys, runtime logs, analytics.
3. Connect Linear: Issues, projects, cycles, triage.
4. Connect Slack: Channels, DMs, threads, mentions.
5. Set each agent's model: We leave models unset so you pick the tier (fast + cheap, or top-quality).
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
