SECOPS
Exposed-Secret Rotation Orchestrator with Owner Ack
When a secret scanner flags a leaked credential in a GitHub repo, it opens a tracked rotation ticket and pings the owning team in Slack.
How it runs
The automated pipeline, trigger to output.
- Trigger: Scanner posts exposed-secret hit via webhook (HTTP webhook)
- Action: Resolve owning team + CODEOWNERS from repo (GitHub)
- Action: Open labeled rotation issue with checklist (GitHub)
- Action: Post ack-required alert to owner channel (Slack)
- Logic: Branch: acknowledged within SLA?
- Output: Escalate unacked hit to security on-call (PagerDuty)
What it does
Turns a raw scanner alert into a closed-loop rotation process. It identifies who owns the affected repository, demands an explicit acknowledgement that the secret is being rotated, and refuses to let the alert go silent by escalating unacknowledged hits to on-call.
When to use it
Run this when your secret scanner (GitHub secret scanning or a custom detector posting via webhook) produces alerts faster than humans triage them, and you need provable owner accountability for every exposed credential.
How it works
1. A scanner hit arrives as an inbound webhook carrying the repo, secret type, and commit SHA.
2. The flow looks up the repository's owning team and CODEOWNERS from GitHub.
3. It files a rotation issue on the repo labeled `secret-rotation` with the leak details and a remediation checklist.
4. It posts an ack-required message to the owning team's Slack channel linking the issue, asking the owner to react when rotation begins.
5. A timer branch checks whether the issue was acknowledged within the SLA.
6. If still unacknowledged, it pages the security on-call rotation in PagerDuty with the issue link as the final escalation.
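The six steps above as an added worked example in Python; this is not the page's or the product's own code. It assumes a webhook payload shape, a CODEOWNERS file, an issue URL, an SLA and timestamps, all constructed here, and it implements the parts the product wires through its GitHub, Slack and PagerDuty connectors: the owner lookup, the ticket body, the ack message and the SLA branch. One check worth copying: the ticket and the Slack post carry a fingerprint of the secret, never the value itself, so the rotation process does not leak the credential a second time.

```python
"""Added example, not the page's or the product's own code: the rotation flow's
decision logic in plain Python. Every input below is constructed for illustration."""
from __future__ import annotations

import hashlib
import re
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Optional

# Constructed payload from a custom detector (step 1). Field names are assumed;
# GitHub's own secret-scanning webhook uses a different shape.
SAMPLE_HIT = {
    "repo": "acme/payments-api",
    "secret_type": "aws_access_key_id",
    "commit_sha": "0123456789abcdef0123456789abcdef01234567",
    "path": "services/billing/config.py",
    "line": 42,
    "secret": "AKIA0000000000EXAMPLE",  # constructed placeholder, not a real key
}

# Constructed CODEOWNERS content for the repo (step 2).
SAMPLE_CODEOWNERS = """\
# default owners
*                    @acme/platform
services/billing/**  @acme/payments-team
docs/                @acme/docs
"""

# Constructed SLA and alert time for the timer branch (step 5).
SLA = timedelta(minutes=30)
OPENED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _codeowners_match(pattern: str, path: str) -> bool:
    """Simplified CODEOWNERS matching: a trailing '/' covers everything under
    that directory, '**' spans directory separators, otherwise a plain glob."""
    if pattern.endswith("/"):
        return path.startswith(pattern)
    if "**" in pattern:
        regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
        return re.fullmatch(regex, path) is not None
    return fnmatch(path, pattern)


def resolve_owners(codeowners: str, path: str) -> list[str]:
    """Owners for `path`; as in CODEOWNERS, the last matching pattern wins."""
    owners: list[str] = []
    for raw in codeowners.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *handles = line.split()
        if _codeowners_match(pattern, path):
            owners = handles
    return owners


def fingerprint(secret: str) -> str:
    """Short non-reversible reference so the ticket and the Slack message never
    repeat the value that leaked."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def build_issue(hit: dict, owners: list[str]) -> dict:
    """Rotation issue (step 3): labeled `secret-rotation`, carries the type,
    location and commit plus a remediation checklist. Never the secret value."""
    fp = fingerprint(hit["secret"])
    body = "\n".join([
        f"Exposed `{hit['secret_type']}` (fingerprint `{fp}`) in "
        f"`{hit['path']}:{hit['line']}` at commit `{hit['commit_sha']}`.",
        f"Owners: {' '.join(owners) or '(none resolved; default to security)'}",
        "",
        "- [ ] Revoke or rotate the credential at the provider",
        "- [ ] Roll the replacement out to every consumer",
        "- [ ] Confirm the old credential is rejected",
        "- [ ] Remove the value from history or treat it as permanently burned",
    ])
    return {"title": f"Rotate exposed {hit['secret_type']} ({fp})",
            "body": body, "labels": ["secret-rotation"]}


def ack_message(owners: list[str], issue_url: str, sla: timedelta) -> str:
    """Slack text (step 4): ack required, links the issue, states the deadline.
    Mapping GitHub handles to Slack mentions is left out of this example."""
    mins = int(sla.total_seconds() // 60)
    return (f"{' '.join(owners)} exposed secret needs rotation: {issue_url}\n"
            f"React to this message when rotation starts; unacked after "
            f"{mins} min pages security on-call.")


def needs_escalation(opened_at: datetime, acked_at: Optional[datetime],
                     now: datetime, sla: timedelta) -> bool:
    """SLA branch (steps 5 and 6): True once the deadline has passed without an
    ack inside the window; the caller then pages PagerDuty."""
    deadline = opened_at + sla
    if now < deadline:
        return False  # timer not due yet
    return acked_at is None or acked_at > deadline


if __name__ == "__main__":
    owners = resolve_owners(SAMPLE_CODEOWNERS, SAMPLE_HIT["path"])
    print(build_issue(SAMPLE_HIT, owners)["body"])
    # Hypothetical issue URL, for illustration only.
    print(ack_message(owners, "https://github.com/acme/payments-api/issues/1", SLA))
    print("escalate:", needs_escalation(OPENED_AT, None, OPENED_AT + SLA, SLA))
```

Owner resolution follows the CODEOWNERS rule that the last matching line wins, so a repo-wide default owner is overridden by the more specific path entry; when no line matches, the issue body says so explicitly instead of silently assigning nobody, which is the case that otherwise lets an alert go quiet. The escalation check is written to be called by the timer rather than to run its own clock, so the same function can be unit-tested against fixed timestamps.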
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: trigger any URL on agent actions.
2. Connect GitHub: repos, issues, pull requests, actions.
3. Connect Slack: channels, DMs, threads, mentions.
4. Connect PagerDuty: incidents, on-call, escalations.
5. Set each agent's model: models are left unset so you pick the tier, fast and cheap or top quality.
6. Tune it to your data: edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: run once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Scheduled AWS Access-Key Age Sweep and Forced Rotation
Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.
Correlate Datadog WAF anomaly alert with Cloudflare evidence
When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events and builds an evidence pack of top rules and ASNs.
Exposed-Secret Incident Triage and Remediation Agent
An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, and executes the rotation.
Non-Rotatable Leaked Secret to PagerDuty Escalation
Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.
GitHub Secret-Scan Hit to Auto-Revoke and Rotate
When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, and mints a replacement.
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails and verifies the replacement works.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.