SECOPS
Auto-label GitLab MRs that introduce leaked secrets
On every merge request, scan the diff for hardcoded secrets and, if any are found, apply a security label, block the MR, and alert the secrets-response pod.
How it runs
The automated pipeline, trigger to output.
- Trigger: GitLab MR opened or updated (GitLab)
- Action: Fetch MR diff from GitLab (GitLab)
- Action: Classify hunks for secret patterns (OpenAI)
- Logic: Exit if no secrets detected
- Action: Label and block MR in GitLab (GitLab)
- Output: Open Linear issue and alert Slack pod (Slack)
What it does
Scans each new or updated merge request diff for credential patterns (API keys, tokens, private keys, connection strings). When it finds a likely secret, it applies a `security::leaked-secret` label, blocks the MR, opens a Linear issue, and pings the secrets-response pod in Slack with the file and line.
When to use it
Use it as a safety net upstream of human review, so a leaked credential gets caught and quarantined before a reviewer even looks. It feeds the same label namespace your reviewer-routing workflow consumes.
How it works
1. A GitLab webhook fires when a merge request opens or its commits update.
2. The flow fetches the MR diff via the GitLab API.
3. An OpenAI step classifies each changed hunk for high-confidence secret patterns and returns matches with file and line.
4. A branch exits quietly when no secrets are found.
5. On a hit, it applies the `security::leaked-secret` label and `review::blocking` on the MR.
6. It opens a Linear issue with the redacted finding and notifies the secrets-response Slack channel.
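A minimal version of steps 2 to 5 in plain Python, added here as an illustration and not the workflow's own code: it walks an MR diff, checks only added lines against a few credential patterns (a regex stage standing in for the OpenAI classification step), keeps the new-file line number in sync through each hunk, masks the matched value so the finding can go into the issue text, and returns the labels to apply. The sample diff and the pattern set are constructed for this example.

```python
import re
from dataclasses import dataclass
# Constructed sample MR diff (unified diff text, as a diff API returns it); not a real repository.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 DATABASE = "prod"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_URL = "postgres://app:hunter2@db.internal:5432/app"
-OLD = 1
+NEW = 2
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1 @@
+-----BEGIN RSA PRIVATE KEY-----
"""
# Group 1 of each pattern is the sensitive value that gets masked in the finding.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private-key": re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"),
    "connection-string-password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/\s]+:([^@\s]+)@"),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
@dataclass(frozen=True)
class Finding:
    file: str
    line: int       # line number in the new version of the file
    kind: str
    redacted: str   # the offending line with the secret value masked
def scan_diff(diff_text: str) -> list[Finding]:
    """Walk a unified diff, check only added lines, and keep new-file line numbers in sync."""
    findings, current_file, new_line = [], "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
        elif m := HUNK_HEADER.match(raw):
            new_line = int(m.group(1))
        elif raw.startswith("+"):              # added line: the only place a new secret can appear
            for kind, pat in PATTERNS.items():
                if s := pat.search(raw[1:]):
                    masked = raw[1:].replace(s.group(1), s.group(1)[:4] + "****")
                    findings.append(Finding(current_file, new_line, kind, masked))
            new_line += 1
        elif raw.startswith(" "):              # context line advances the counter; '-' lines do not
            new_line += 1
    return findings

def labels_for(findings: list[Finding]) -> list[str]:
    return ["security::leaked-secret", "review::blocking"] if findings else []
```

With the sample diff this reports the AWS key at `config/settings.py:11`, the connection-string password at `config/settings.py:12` and the private-key header at `deploy/id_rsa:1`, each with the value masked; an MR with no hits returns an empty label list, which is the quiet-exit branch.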
Set it up
What you configure once, before turning it on.
1. Connect GitLab: Repos, MRs, pipelines, registry.
2. Connect OpenAI: Models, embeddings, files.
3. Connect Linear: Issues, projects, cycles, triage.
4. Connect Slack: Channels, DMs, threads, mentions.
5. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.