SECOPS
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, and mints a replacement.
How it runs
The automated pipeline, trigger to output.
- Trigger: GitHub secret-scanning alert webhook (GitHub)
- Logic: Classify secret type and check auto-rotate eligibility
- Action: Revoke exposed key and mint replacement at provider (HTTP webhook)
- Action: Write new secret to encrypted store (AWS S3)
- Output: Post revocation summary to security channel (Slack)
What it does
Turns a GitHub secret-scanning alert into a closed-loop revocation. It reads the alert, identifies which provider the leaked key belongs to, calls that provider's API to revoke the exposed credential, generates a fresh one, and writes the replacement into your secret store so running services pick it up.
When to use it
Run this when you want exposed keys neutralized in seconds rather than hours. It is built for teams that have GitHub Advanced Security secret scanning turned on and want revocation to happen without a human in the loop for known, automatable key types.
How it works
- 1. A GitHub secret-scanning alert webhook fires the moment a credential is detected in a push or in existing code.
- 2. A logic step matches the alert's secret type against a supported-provider map and branches on whether auto-rotation is allowed.
- 3. An action calls the issuing provider over HTTP to revoke the exposed key and request a new one.
- 4. The new secret is stored in AWS S3 (encrypted parameter bundle) for the runtime to consume.
- 5. A Slack message posts the alert, the revoked key fingerprint, and rotation status to the security channel.
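As an added example (not the product's own code), a minimal Python handler for steps 1 and 2: it authenticates the GitHub delivery with the X-Hub-Signature-256 HMAC before parsing anything, then branches on the alert's secret_type against a hypothetical provider map into rotate, escalate or ignore. The payload field names and the PROVIDER_MAP entries are assumptions, and the provider revoke/mint call of step 3 is left to a provider-specific client.

```python
import hashlib
import hmac
import json

# Hypothetical provider map (not the product's own): GitHub secret_type -> (provider, auto-rotate allowed).
# Types marked False take the escalation branch of step 2 instead of the revoke-and-mint branch.
PROVIDER_MAP = {
    "aws_access_key_id": ("aws", True),
    "slack_api_token": ("slack", True),
    "github_personal_access_token": ("github", False),
}

def verify_signature(webhook_secret: bytes, body: bytes, signature_header: str) -> bool:
    """Validate GitHub's X-Hub-Signature-256 header: HMAC-SHA256 over the raw request body."""
    prefix = "sha256="
    if not signature_header.startswith(prefix):
        return False
    expected = hmac.new(webhook_secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header[len(prefix):])

def classify(payload: dict) -> dict:
    """Map one secret_scanning_alert event to a pipeline decision: rotate, escalate or ignore."""
    action = payload.get("action")
    alert = payload.get("alert") or {}
    secret_type = alert.get("secret_type", "")
    if action != "created":  # resolved/reopened deliveries carry no new exposure to act on
        return {"decision": "ignore", "reason": f"action={action}"}
    entry = PROVIDER_MAP.get(secret_type)
    if entry is None:
        return {"decision": "escalate", "reason": "no provider mapping", "secret_type": secret_type}
    provider, rotatable = entry
    if not rotatable:
        return {"decision": "escalate", "reason": "not auto-rotatable", "provider": provider}
    return {"decision": "rotate", "provider": provider, "secret_type": secret_type,
            "alert_url": alert.get("html_url")}

def handle_webhook(webhook_secret: bytes, body: bytes, signature_header: str) -> dict:
    """Trigger entry point: reject unauthenticated deliveries before parsing anything."""
    if not verify_signature(webhook_secret, body, signature_header):
        return {"decision": "reject", "reason": "bad signature"}
    return classify(json.loads(body))

# Constructed sample delivery; field names follow GitHub's secret_scanning_alert event (assumed, not a capture).
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({"action": "created", "alert": {
    "number": 7, "secret_type": "aws_access_key_id", "state": "open",
    "html_url": "https://github.com/example-org/example-repo/security/secret-scanning/7"}}).encode()
SAMPLE_SIGNATURE = "sha256=" + hmac.new(SAMPLE_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()
```

Everything the "escalate" branch returns is what the non-rotatable path would hand to a pager; a rejected signature is dropped without being classified at all.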
Set it up
What you configure once, before turning it on.
- 1. Connect GitHub: repos, issues, pull requests, actions.
- 2. Connect HTTP webhook: trigger any URL on agent actions.
- 3. Connect AWS S3: buckets, objects, signed URLs.
- 4. Connect Slack: channels, DMs, threads, mentions.
- 5. Set each agent's model: we leave models unset so you pick the tier — fast + cheap, or top-quality.
- 6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
- 7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events and builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, and executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails and verifies the replacement works.
Page on-call when a WAF rule mass-blocks legitimate traffic
On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
