SECOPS
Loom-leaked secret correlation with GitHub rotation PR
When a secret is found in a Loom video, searches the org's GitHub repos for the same secret in code, and if it lives in a tracked file.
How it runs
The automated pipeline, trigger to output.
- Trigger: Loom recording published (Loom)
- Action: Confirm secret in transcript and frames (OpenAI)
- Logic: Continue only on confirmed secret
- Action: Search org repos for the leaked value (GitHub)
- Logic: Check secret is in a tracked file
- Action: Open GitHub rotation PR (GitHub)
- Output: Notify security Slack with both links (Slack)
What it does
A secret shown in a recording is often also committed in code. This workflow takes a confirmed Loom-leaked credential and pivots to GitHub: it searches the org's repositories for the same value, and where it finds a hardcoded match in a tracked file, it opens a pull request that replaces the literal with an environment-variable reference and links back to the originating recording.
When to use it
Use this when leaks in recordings are a symptom of secrets hardcoded in your codebase. It turns a single video finding into a concrete code remediation rather than just an alert, giving reviewers a ready-to-merge fix.
How it works
1. A Loom webhook fires on a published recording.
2. The transcript and frame text are scanned and any secret is confirmed by an OpenAI classification pass.
3. A logic branch continues only for confirmed secrets.
4. The flow searches org GitHub repos for the exact secret value via code search.
5. A logic check confirms the secret appears in a tracked source file.
6. The flow opens a GitHub PR replacing the literal with an env-var reference, citing the Loom URL.
7. A Slack message notifies the security channel with links to both the recording and the PR.
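Steps 5 and 6, sketched as an added example (not the product's own implementation): given a confirmed secret value and the contents of tracked files, it rewrites quoted Python literals to an environment-variable lookup and drafts a PR body that cites the recording by URL and the secret by hash prefix only. The secret, file contents, Loom URL, env-var name and all function names are constructed for illustration, and handling only Python files is an assumption.

```python
import hashlib
import re

# Constructed sample data: a fake credential and in-memory "tracked files".
LEAKED = "EXAMPLE-SECRET-0123456789abcdef"
LOOM_URL = "https://loom.example/share/CONSTRUCTED"
TRACKED_FILES = {
    "app/billing.py": f'import requests\n\nAPI_KEY = "{LEAKED}"\n',
    "deploy/config.yaml": f"api_key: {LEAKED}\n",
    "README.md": "Ask the platform team for a key.\n",
}

def fingerprint(secret):
    """Short SHA-256 prefix so the PR can identify the secret without repeating it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def rewrite_python_literal(source, secret, env_name):
    """Swap each quoted occurrence of the secret for an os.environ lookup."""
    pattern = re.compile(r"""(['"])""" + re.escape(secret) + r"\1")
    new_source, count = pattern.subn(lambda m: f'os.environ["{env_name}"]', source)
    if count and not re.search(r"^import os\b", new_source, re.M):
        new_source = "import os\n" + new_source
    return new_source

def plan_rotation_pr(files, secret, env_name, loom_url):
    """Return rewritten files, files needing a manual fix, and a PR body."""
    changes, manual = {}, []
    for path, source in files.items():
        if secret not in source:
            continue  # exact-value match only, as in the code-search step
        fixed = rewrite_python_literal(source, secret, env_name) if path.endswith(".py") else source
        if secret in fixed:
            manual.append(path)  # non-Python file, or value outside a string literal
        else:
            changes[path] = fixed
    if not changes and not manual:
        return None
    body = (
        f"Credential with SHA-256 prefix {fingerprint(secret)} appeared in {loom_url}\n"
        f"Replaced with os.environ[{env_name!r}] in: {', '.join(sorted(changes)) or 'none'}\n"
        f"Needs manual fix: {', '.join(sorted(manual)) or 'none'}\n"
    )
    return {"changes": changes, "manual": manual, "body": body}
```

Merging such a PR removes the literal from the working tree only; the value stays in earlier commits, so the credential itself still has to be rotated at the provider.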
Set it up
What you configure once, before turning it on.
1. Connect Loom: video transcripts, libraries.
2. Connect OpenAI: models, embeddings, files.
3. Connect GitHub: repos, issues, pull requests, actions.
4. Connect Slack: channels, DMs, threads, mentions.
5. Set each agent's model: we leave models unset so you pick the tier (fast + cheap, or top-quality).
6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
