SECOPS
Auto-rotate Cloudflare secret on GitHub secret-scanning alert
When GitHub secret scanning raises an alert, this workflow sets a new value for the matching Cloudflare Workers secret and marks the GitHub alert resolved.
How it runs
The automated pipeline, trigger to output (integration in parentheses).
- Trigger: GitHub secret-scanning alert (GitHub)
- Logic: Map secret type to Cloudflare secret name
- Logic: Branch: authorized to auto-rotate?
- Action: Set new value in Cloudflare Workers secret (Cloudflare)
- Action: Resolve GitHub alert with note (GitHub)
- Action: Append entry to Notion evidence log (Notion)
- Output: Confirm rotation in Slack (Slack)
What it does
Listens for GitHub secret-scanning alerts (GitHub's own patterns, partner-provided patterns, and push-protection bypasses, which also open an alert), rotates the matching secret in your Cloudflare Workers project, then closes the loop by updating the alert status in GitHub and recording the rotation, with alert id, repo, timestamp and operator, in a Notion evidence log.
When to use it
Use this when GitHub Advanced Security is already scanning your repos and your runtime config lives in Cloudflare Workers. It turns a passive alert into an executed rotation plus an auditable record, instead of an email a human triages hours later. Note that replacing the value Workers holds does not by itself invalidate the leaked credential at the service that issued it; for third-party credentials the old key must also be revoked at the provider, which is what the revoke-and-rotate workflow listed below does.
How it works
1. A GitHub secret-scanning alert webhook fires with the secret type and location.
2. A mapping step resolves which Cloudflare Worker secret name corresponds to the leaked credential.
3. A branch confirms the secret is one this workflow is authorized to rotate; unknown types escalate instead.
4. Cloudflare receives the new value via its secrets API and the Worker picks it up on the next deploy.
5. The GitHub alert is patched to resolved with a rotation note.
6. A Notion page is appended with the alert id, repo, rotation timestamp, and operator.
7. A Slack message confirms completion to the on-call channel.
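The handler side of steps 1 to 5, as an added example that is not the page's or the product's own code. It verifies the GitHub webhook signature, maps the alert's secret type through an allowlist, branches to escalation for unknown types, and builds the two API calls (Cloudflare's Workers secrets endpoint and GitHub's secret-scanning alert update) as request descriptors instead of sending them, so it runs offline. The allowlist entries, account id, script name, repo and alert payload are constructed placeholders; the replacement value is passed in by the caller, since for a third-party credential it has to be minted at the issuer.

```python
# Added example (not the page's or product's code). Stdlib only.
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumed mapping: GitHub secret_type -> Workers secret name holding that value.
# Only listed types may be auto-rotated; anything else escalates. Placeholders.
ROTATABLE = {
    "cloudflare_api_token": "CF_API_TOKEN",
    "slack_incoming_webhook_url": "SLACK_WEBHOOK_URL",
}

WEBHOOK_SECRET = b"constructed-webhook-secret"  # constructed, for the demo only


@dataclass
class RotationPlan:
    alert_number: int
    repo: str                  # owner/name from the webhook payload
    secret_name: str           # Workers secret that receives the new value
    requests: list = field(default_factory=list)  # (method, url, json body)


@dataclass
class Escalation:
    alert_number: int
    repo: str
    secret_type: str
    reason: str


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + hex HMAC of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Constant-time check of the signature header against the raw request body."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


def make_payload(secret_type: str, number: int = 42, action: str = "created") -> bytes:
    """Constructed secret_scanning_alert payload with only the fields this handler reads."""
    return json.dumps({
        "action": action,
        "alert": {"number": number, "secret_type": secret_type},
        "repository": {"full_name": "acme/edge-worker"},  # constructed repo
    }).encode()


def plan_rotation(body: bytes, *, new_value: str, account_id: str, script: str):
    """Steps 2-5: map the alert, branch on the allowlist, build the two API calls.

    new_value comes from the caller. Replacing only the copy held in Workers does
    not invalidate the leaked value at its issuer; revoke it there as well.
    """
    event = json.loads(body)
    alert, repo = event["alert"], event["repository"]["full_name"]
    number = int(alert["number"])
    secret_type = alert.get("secret_type", "")
    if event.get("action") != "created":  # resolved/reopened events are not rotations
        return Escalation(number, repo, secret_type, "ignored: action is not 'created'")
    secret_name = ROTATABLE.get(secret_type)
    if secret_name is None:  # step 3: not authorized to auto-rotate -> escalate
        return Escalation(number, repo, secret_type, "secret type not on the auto-rotate allowlist")
    plan = RotationPlan(number, repo, secret_name)
    # Step 4: Cloudflare Workers secrets endpoint (real API shape; ids are placeholders).
    plan.requests.append((
        "PUT",
        f"https://api.cloudflare.com/client/v4/accounts/{account_id}/workers/scripts/{script}/secrets",
        {"name": secret_name, "text": new_value, "type": "secret_text"},
    ))
    # Step 5: resolve the alert with a rotation note ('revoked' is GitHub's closest resolution).
    plan.requests.append((
        "PATCH",
        f"https://api.github.com/repos/{repo}/secret-scanning/alerts/{number}",
        {"state": "resolved", "resolution": "revoked",
         "resolution_comment": f"Rotated Workers secret {secret_name} via automation"},
    ))
    return plan


def handle(body: bytes, signature_header: str, **kw):
    """Step 1: reject unsigned or mis-signed deliveries before touching any API."""
    if not verify_signature(WEBHOOK_SECRET, body, signature_header):
        raise PermissionError("webhook signature mismatch")
    return plan_rotation(body, **kw)


if __name__ == "__main__":
    body = make_payload("cloudflare_api_token")
    print(handle(body, sign(WEBHOOK_SECRET, body), new_value="<minted at issuer>",
                 account_id="<account id>", script="edge-worker"))
```

Steps 6 and 7 (the Notion entry and Slack confirmation) take the returned RotationPlan or Escalation as input; they are omitted here. Verifying the signature over the raw body before parsing matters because a forged alert would otherwise trigger a secret write into your Worker.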
Set it up
What you configure once, before turning it on.
1. Connect GitHub: repos, issues, pull requests, actions.
2. Connect Cloudflare: Workers, Pages, R2, KV, the edge stack.
3. Connect Notion: pages, databases, comments.
4. Connect Slack: channels, DMs, threads, mentions.
5. Set each agent's model. We leave models unset so you pick the tier: fast and cheap, or top quality.
6. Tune it to your data. Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on. Run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events and builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, and executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, and mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails and verifies that the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

