SECOPS
Quarterly OAuth Grant Attestation Pack
Builds a quarterly inventory of every third-party OAuth app authorized in Google Workspace and summarizes scope risk and usage.
How it runs
The automated pipeline, trigger to output.
- Trigger: Quarterly attestation schedule fires
- Action: Pull all authorized apps and scopes from Workspace (Google Drive)
- Action: Summarize each app's purpose and risk rationale (OpenAI)
- Action: Publish dated attestation page to Confluence (Confluence)
- Output: Request sign-off from security owner in Slack (Slack)
What it does
This workflow produces the artifact auditors ask for: a point-in-time list of every third-party app with access to your workspace, what scopes each holds, how many users granted it, and a plain-English risk note per app. It writes the inventory to a Confluence page and posts a Slack request asking the security owner to attest that each grant is still warranted.
When to use it
Use it ahead of SOC 2, ISO, or internal access reviews when you need defensible evidence that OAuth grants were reviewed on a cadence. It replaces the manual screenshot-the-admin-console ritual with a repeatable, dated record.
How it works
1. A quarterly schedule starts the run.
2. The flow pulls the full list of authorized apps and their scopes from Workspace.
3. An agent step summarizes each app's purpose and writes a risk rationale from the scopes and grant count.
4. The assembled inventory is published as a dated Confluence attestation page.
5. A Slack message links the page and asks the security owner to sign off or flag apps for revocation.
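The inventory step (steps 2 and 3) can be sketched as follows. This is an added example, not the workflow's own code: the record fields (clientId, displayText, userKey, scopes), the risk tiers and the sample data are assumptions, and it covers only the deterministic part (per-app grant count, scope union, risk tier) that the written risk note would build on.

```python
from collections import defaultdict

ORDER = ["low", "medium", "high"]
# Assumed policy tiers; adjust to your own review standard.
IDENTITY_SCOPES = {"openid", "email", "profile",
                   "https://www.googleapis.com/auth/userinfo.email",
                   "https://www.googleapis.com/auth/userinfo.profile"}
BROAD_SCOPES = {"https://mail.google.com/",
                "https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/gmail.modify",
                "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/drive.readonly",
                "https://www.googleapis.com/auth/admin.directory.user",
                "https://www.googleapis.com/auth/cloud-platform"}

def scope_tier(scope):
    if scope in IDENTITY_SCOPES:
        return "low"
    return "high" if scope in BROAD_SCOPES else "medium"

def build_inventory(token_records):
    """Collapse per-user grant records into one row per OAuth client."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for rec in token_records:
        app = apps[rec["clientId"]]
        app["name"] = app["name"] or rec.get("displayText", "")
        app["users"].add(rec["userKey"].lower())       # one user counts once
        app["scopes"].update(rec.get("scopes") or [])  # union across users
    rows = []
    for client_id, app in apps.items():
        # No scopes recorded is treated as "medium" so a reviewer still looks.
        tiers = [scope_tier(s) for s in app["scopes"]] or ["medium"]
        rows.append({"client_id": client_id, "name": app["name"],
                     "grant_count": len(app["users"]),
                     "scopes": sorted(app["scopes"]),
                     "risk": max(tiers, key=ORDER.index),
                     "broad_scopes": sorted(app["scopes"] & BROAD_SCOPES)})
    # Highest risk first, then widest reach, so the reviewer reads top-down.
    rows.sort(key=lambda r: (-ORDER.index(r["risk"]), -r["grant_count"], r["client_id"]))
    return rows

# Constructed sample records (not real apps or users).
CAL = "https://www.googleapis.com/auth/calendar.readonly"
SAMPLE = [
    {"clientId": "1111.apps.example", "displayText": "Mail Merge Tool", "userKey": "a@example.com", "scopes": ["https://mail.google.com/", "email"]},
    {"clientId": "1111.apps.example", "displayText": "Mail Merge Tool", "userKey": "b@example.com", "scopes": ["email"]},
    {"clientId": "2222.apps.example", "displayText": "Calendar Widget", "userKey": "a@example.com", "scopes": [CAL]},
    {"clientId": "2222.apps.example", "displayText": "Calendar Widget", "userKey": "A@example.com", "scopes": [CAL]},
    {"clientId": "3333.apps.example", "displayText": "SSO Login", "userKey": "c@example.com", "scopes": ["openid", "email"]},
]
```

An app's risk tier is the highest tier among the scopes any user granted it, so a single broad grant is enough to put the app at the top of the attestation list.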
Set it up
What you configure once, before turning it on.
1. Connect Google Drive: Docs, sheets, slides, files.
2. Connect Confluence: Spaces, pages, blueprints.
3. Connect Slack: Channels, DMs, threads, mentions.
4. Connect OpenAI: Models, embeddings, files.
5. Set each agent's model: We leave models unset so you pick the tier (fast + cheap, or top-quality).
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
