SECOPS
Loom recording secret scanner with auto-revoke and incident page
Scans every newly published Loom recording's on-screen text for exposed credentials, revokes confirmed secrets at the source, and pages the security team.
How it runs
The automated pipeline, trigger to output.
- Trigger: Loom recording published (Loom)
- Action: Fetch transcript and frame OCR text (Loom)
- Action: Classify candidates as real secret vs false positive (OpenAI)
- Logic: Branch: confirmed secret vs clean
- Action: Revoke leaked GitHub token (GitHub)
- Action: Open PagerDuty incident (PagerDuty)
- Output: Post alert to security Slack channel (Slack)
What it does
When a teammate publishes a Loom recording, this workflow pulls the video's transcript and OCR'd screen text, runs it through a secret-detection pass, and acts on any hit. Confirmed GitHub tokens are revoked immediately, and a PagerDuty incident is opened so the on-call engineer sees it within seconds rather than after the video has circulated.
When to use it
Run this in any org where engineers record screen-share walkthroughs, debugging sessions, or demos in Loom. Terminal output, .env files, and dashboard URLs with embedded tokens leak constantly in these recordings. This catches them at publish time instead of relying on someone noticing.
How it works
1. A Loom webhook fires when a recording is published.
2. The flow fetches the recording's transcript and frame text from Loom.
3. An OpenAI pass classifies any candidate strings as a real secret vs. a false positive (placeholder, example key).
4. A logic branch splits confirmed secrets from clean videos.
5. For confirmed GitHub tokens, the flow calls the GitHub API to revoke the token.
6. A PagerDuty incident is opened with the recording link, secret type, and owner.
7. A Slack alert is posted to the security channel as the final record.
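The steps above classify "candidate strings" and then post alerts. As an added example (not part of this workflow's own code), here is one way to produce those candidates from transcript or OCR text and to redact them before they reach PagerDuty or Slack. The function names, the entropy threshold and the sample text are assumptions of this example.

```python
import math
import re
import string
from collections import Counter

# Prefixes from GitHub's published token formats. The 36-character minimum
# body length is an assumption of this example.
KINDS = {
    "ghp_": "personal access token (classic)",
    "gho_": "OAuth access token",
    "ghu_": "GitHub App user-to-server token",
    "ghs_": "GitHub App server-to-server token",
    "ghr_": "GitHub App refresh token",
    "github_pat_": "fine-grained personal access token",
}
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])(github_pat_|gh[pousr]_)([A-Za-z0-9_]{36,255})(?![A-Za-z0-9_])"
)

def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def redact(prefix, body):
    """Keep the prefix and last 4 characters so alerts cannot re-leak the secret."""
    return f"{prefix}{'*' * 8}{body[-4:]}"

def find_candidates(text, min_entropy=3.5):
    """Return one redacted finding per distinct token-shaped string in text."""
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            if m.group(0) in seen:
                continue
            seen.add(m.group(0))
            prefix, body = m.groups()
            findings.append({
                "kind": KINDS[prefix],
                "line": line_no,
                "redacted": redact(prefix, body),
                # Repeated or patterned bodies (xxxx..., EXAMPLE...) score low.
                "likely_placeholder": entropy(body) < min_entropy,
            })
    return findings

# Constructed sample OCR text; FAKE is built from the alphabet, not a real token.
FAKE = "ghp_" + (string.ascii_letters + string.digits)[:36]
SAMPLE_OCR = f"$ cat .env\nGITHUB_TOKEN={FAKE}\nGITHUB_TOKEN=ghp_{'x' * 36}\necho {FAKE}"
```

Only the redacted form goes into the incident and the Slack post; the raw match is needed solely by the revoke step and should not be logged.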
Set it up
What you configure once, before turning it on.
1. Connect Loom: video transcripts, libraries.
2. Connect OpenAI: models, embeddings, files.
3. Connect GitHub: repos, issues, pull requests, actions.
4. Connect PagerDuty: incidents, on-call, escalations.
5. Connect Slack: channels, DMs, threads, mentions.
6. Set each agent's model: we leave models unset so you pick the tier: fast + cheap, or top-quality.
7. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
8. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
