SECOPS
Exposed-secret kill switch from an external scanner webhook
When an external secret scanner posts a detection webhook, this workflow rotates the credential in its source system and force-expires user sessions.
How it runs
The automated pipeline, trigger to output.
- Trigger: External scanner posts detection webhook (HTTP webhook)
- Action: Rotate credential in its owning source system
- Logic: Branch on rotation success or failure
- Action: Escalate to PagerDuty if rotation failed (PagerDuty)
- Action: Write audit record to Postgres on success (Postgres)
- Output: Confirm kill-switch outcome in Slack (Slack)
What it does
Acts as a single kill-switch endpoint any external scanner can call. On a detection it rotates the credential in whichever system owns it, force-expires affected user sessions, and writes an audit record. If the rotation call fails, it escalates straight to PagerDuty so the leak never goes unhandled.
When to use it
Use this when you run a third-party or homegrown secret scanner that emits webhooks and you want one consistent, auditable response path regardless of which tool detected the leak.
How it works
1. An external scanner posts a detection to the workflow's webhook with the credential type and owning system.
2. The workflow rotates the credential in its source system via the appropriate API call.
3. It force-expires user sessions tied to the compromised credential.
4. A branch checks whether rotation succeeded; on failure it opens a PagerDuty incident for human follow-up.
5. On success it writes an audit record to Postgres and confirms in Slack.
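The five steps above as a single handler, added here as an illustration and not taken from the workflow's own implementation. The payload field `credential_id`, the function name `handle_detection` and the injected callables (standing in for the source-system API, session store, PagerDuty, Postgres and Slack) are assumptions.

```python
from datetime import datetime, timezone

def handle_detection(event, rotators, expire_sessions, page, audit, notify):
    """Run the kill-switch steps for one scanner detection.

    rotators maps owning-system name -> rotate(credential_id). The other
    callables stand in for the session store, PagerDuty, Postgres and Slack.
    All names and payload fields here are assumptions, not the product's API.
    """
    fields = ("credential_type", "owning_system", "credential_id")
    record = {k: event.get(k) for k in fields}
    record["received_at"] = datetime.now(timezone.utc).isoformat()
    errors = []

    # Step 2: rotate in the owning system. An unknown or missing owner
    # raises KeyError, so a malformed detection escalates instead of vanishing.
    try:
        rotators[record["owning_system"]](record["credential_id"])
    except Exception as exc:
        errors.append(f"rotate: {exc!r}")

    # Step 3: expire sessions even if rotation failed, to limit exposure.
    try:
        record["sessions_expired"] = expire_sessions(record["credential_id"])
    except Exception as exc:
        errors.append(f"expire_sessions: {exc!r}")

    # Step 4: branch. Assumption: a session-expiry failure also escalates.
    if errors:
        record.update(outcome="escalated", errors=errors)
        page(record)       # human follow-up
    else:
        record["outcome"] = "rotated"
        audit(record)      # step 5: audit row written only on success
    notify(record)         # Slack confirmation (sent on both branches here)
    return record

if __name__ == "__main__":
    def failing_rotate(credential_id):  # constructed failure case
        raise RuntimeError("source API returned 500")
    rotators = {"vault": lambda cid: None, "legacy-db": failing_rotate}
    for owner in ("vault", "legacy-db", "unlisted"):
        event = {"credential_type": "api_key", "owning_system": owner,
                 "credential_id": "cred-123"}  # constructed sample payload
        out = handle_detection(event, rotators, lambda cid: 2,
                               lambda r: None, lambda r: None, print)
        assert out["outcome"] == ("rotated" if owner == "vault" else "escalated")
```

The record carries only the credential's identifier, type and owner, so the leaked value itself never reaches the audit table or the Slack message.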
Set it up
What you configure once, before turning it on.
1. Connect HTTP webhook: Trigger any URL on agent actions.
2. Connect Postgres: Any Postgres URL — query, write, migrate.
3. Connect PagerDuty: Incidents, on-call, escalations.
4. Connect Slack: Channels, DMs, threads, mentions.
5. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
