SECOPS
Rotate exposed secret on demand and write an immutable Postgres audit record
Receives a secret-exposure report via webhook, rotates the value in Cloudflare and revokes the old key, writes an immutable audit row to Postgres.
How it runs
The automated pipeline, trigger to output.
- TriggerExposure report received via webhookHTTP webhook
- LogicValidate payload signature and fields
- LogicBranch: known and rotatable secret?
- ActionRotate value in Cloudflare and revoke old keyCloudflare
- ActionWrite immutable audit row to PostgresPostgres
- OutputNotify compliance via Microsoft TeamsMicrosoft Teams
What it does
Exposes a secure webhook that any scanner, SIEM, or bug-bounty intake can call to report an exposed credential. On receipt it rotates the value in Cloudflare, revokes the old key, persists a tamper-evident audit record to Postgres for compliance, and notifies the compliance channel with the record id.
When to use it
Use this when secret reports arrive from many sources and you need one canonical rotation-and-audit path with a durable record auditors can query. The webhook entry point makes it the standard sink that every detector points at.
How it works
- 1An inbound webhook delivers the exposure report with the secret reference and reporter.
- 2A validation step verifies the payload signature and required fields; bad requests are rejected.
- 3A branch confirms the secret is known and rotatable; unknown references go to manual review.
- 4Cloudflare rotates the secret value and the old credential is revoked at its provider.
- 5An append-only audit row is written to Postgres with hash, timestamp, reporter, and outcome.
- 6A Microsoft Teams message notifies compliance with the audit record id and rotation status.
Set it up
What you configure once, before turning it on.
- 1Connect HTTP webhookTrigger any URL on agent actions.
- 2Connect CloudflareWorkers, Pages, R2, KV — the edge stack.
- 3Connect PostgresAny Postgres URL — query, write, migrate.
- 4Connect Microsoft TeamsChannels, chats, files.
- 5Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
- 6Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
- 7Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.
More SecOps workflows
Post-Revocation Verification and Audit Logging
After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.
Page on-call when a WAF rule mass-blocks legitimate traffic
On demand or every few minutes, it detects a single Cloudflare WAF rule suddenly blocking a broad spread of ASNs and paths (a likely false-positive storm).
PII Content Scan on New Dropbox External Share
When a file gets an external Dropbox link, it reads the file content, uses an AI classifier to detect PII or secrets.
Compile a weekly WAF tuning review with trends to Confluence
Every week an agent rolls up Cloudflare WAF block clusters by rule and ASN, compares them to prior weeks for trend direction.
Sensitive Dropbox Link Owner Remediation Loop
When a newly created Dropbox shared link points to a sensitive file, this workflow DMs the file owner, gives them a deadline to justify or revoke it.
GitLab Push Secret Detection to Block and History Purge
On a GitLab push that contains a detected secret, it revokes the exposed credential, opens a tracking issue with git-history purge instructions.
Run it inside a business
This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.
Run this workflow in your colony.
14-day trial. No DevOps. No Sales call. Provisioned in under a minute.