Page on-call when a Vercel env var leaks a secret or breaks naming policy
On each Vercel env change, scan the new variables for exposed secrets, plaintext credentials, and naming-policy violations against rules in GitLab.
How it runs
The automated pipeline, trigger to output.
- Trigger: Vercel env var created or updated webhook (Vercel)
- Action: Fetch changed variables and scope from Vercel (Vercel)
- Action: Load secret-pattern and naming rules from GitLab (GitLab)
- Logic: Scan and classify findings by severity
- Logic: Branch: high-severity exposure?
- Action: Open PagerDuty incident if high severity (PagerDuty)
- Output: Post finding and remediation to Slack (Slack)
What it does
This workflow treats env changes as a security surface. Whenever a Vercel environment variable is added or updated, it inspects the new values for high-risk patterns — credentials stored in plaintext where they should be encrypted, secrets placed in a non-sensitive scope, or names that violate the policy defined in your GitLab repo. Genuine high-severity findings page on-call; lower-severity ones go to Slack only.
When to use it
Use it when an exposed secret is a security incident, not a cleanup task. Best for teams with compliance obligations who need fast, paged response when a credential lands in the wrong place.
How it works
- 1. A Vercel env-var-created-or-updated webhook fires.
- 2. The flow fetches the changed variables and their scope from Vercel.
- 3. It loads the secret-pattern and naming-policy rules from GitLab.
- 4. A scan step classifies each finding by severity.
- 5. Branch: a high-severity exposure opens a PagerDuty incident; anything else routes to Slack only.
- 6. The full finding, with remediation steps, is posted to Slack either way.
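The scan-and-branch logic of steps 4 to 6, as an added example (not the product's own code). The rule schema, the record fields `key`, `value` and `type`, the severity mapping and the sample records are all assumptions constructed for illustration.

```python
import re

# Constructed rule set standing in for the file loaded from GitLab (schema is assumed).
RULES = {
    "value_patterns": {  # high-confidence credential shapes
        "aws-access-key-id": r"\bAKIA[0-9A-Z]{16}\b",
        "pem-private-key": r"-----BEGIN [A-Z ]*PRIVATE KEY-----",
    },
    "secret_name": r"(SECRET|TOKEN|PASSWORD|API_KEY)",  # names that imply a secret
    "name_policy": r"^[A-Z][A-Z0-9_]*$",                # naming policy: UPPER_SNAKE_CASE
}

# Constructed changed-variable records; "type" models how the value is stored (assumed).
SAMPLE = [
    {"key": "AWS_KEY", "value": "AKIAIOSFODNN7EXAMPLE", "type": "plain"},
    {"key": "stripeToken", "value": "x", "type": "plain"},
    {"key": "DATABASE_URL", "value": "postgres://db.internal/app", "type": "encrypted"},
]

def scan(var, rules=RULES):
    """Return findings for one changed variable. Findings never carry the value."""
    key, value = var["key"], var.get("value", "")
    protected = var.get("type", "plain") in ("encrypted", "sensitive")
    findings = []
    if not protected:
        hits = [rid for rid, rx in rules["value_patterns"].items() if re.search(rx, value)]
        # A recognizable credential stored in plaintext is the paging case.
        findings += [{"key": key, "rule": rid, "severity": "high"} for rid in hits]
        # A secret-looking name in plaintext with no pattern hit is reported, not paged.
        if not hits and re.search(rules["secret_name"], key, re.I):
            findings.append({"key": key, "rule": "secret-name-plaintext", "severity": "medium"})
    if not re.fullmatch(rules["name_policy"], key):
        findings.append({"key": key, "rule": "naming-policy", "severity": "low"})
    return findings

def route(findings):
    """High severity opens a page and posts to Slack; anything else is Slack only."""
    if not findings:
        return []
    paged = any(f["severity"] == "high" for f in findings)
    return ["pagerduty", "slack"] if paged else ["slack"]

if __name__ == "__main__":
    for var in SAMPLE:
        found = scan(var)
        print(var["key"], route(found), [(f["rule"], f["severity"]) for f in found])
```

Findings carry only the variable name and rule id, so the Slack post and the PagerDuty incident do not become a second copy of the leaked value.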
Set it up
What you configure once, before turning it on.
- 1. Connect Vercel: Deploys, runtime logs, analytics.
- 2. Connect GitLab: Repos, MRs, pipelines, registry.
- 3. Connect PagerDuty: Incidents, on-call, escalations.
- 4. Connect Slack: Channels, DMs, threads, mentions.
- 5. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
- 6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
- 7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
