SECOPS
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
How it runs
The automated pipeline, trigger to output.
- TriggerGitHub secret-scanning alert webhookGitHub
- LogicFilter for manual-only or high-severity secrets
- ActionSearch repos for additional occurrences (blast radius)GitHub
- ActionOpen PagerDuty incident with runbook and contextPagerDuty
- OutputMirror page to security Slack threadSlack
What it does
Not every leaked secret can be revoked by an API call. This workflow handles the ones that need a human: database root passwords, signing keys, hardcoded service accounts. It enriches the alert with where the key is used, then escalates to on-call with a ready-to-run rotation checklist.
When to use it
Use it as the fallback path for high-severity secrets your auto-rotator cannot touch. It guarantees a leaked production credential never sits quietly in a backlog by forcing an acknowledged page within minutes.
How it works
- 1A GitHub secret-scanning alert webhook triggers on detection.
- 2A logic step filters for secret types flagged as manual-only or high-severity, dropping anything the auto-rotator already owns.
- 3An action searches the codebase and other repos for additional occurrences of the same secret to estimate blast radius.
- 4A PagerDuty incident is opened with severity derived from the secret class and the enriched context attached.
- 5A Slack thread mirrors the page so the security team can coordinate the manual rotation in one place.
Set it up
What you configure once, before turning it on.
- 1Connect GitHubRepos, issues, pull requests, actions.
- 2Connect PagerDutyIncidents, on-call, escalations.
- 3Connect SlackChannels, DMs, threads, mentions.
- 4Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 5Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 6Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Page on-call when a WAF rule mass-blocks legitimate traffic
On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.