Secret Detection Alerts to Your Inbox

The moment GitHub detects a secret (API key, token, credential) in your code, Notis emails you the secret type, validity status, and whether it's been compromised—so you can revoke it immediately.

Trigger

New Secret Scanning Alert Detected

Triggers when a new secret scanning alert is detected in a GitHub repository. Monitors open secret scanning alerts and fires an event for each newly detected alert. Supports filtering by secret type (e.g., personal access tokens, AWS keys) and by token validity status (active, inactive, unknown). The payload includes the alert number, secret type, validity status, resolution state, timestamps, URLs, and flags for push protection bypass, public exposure, and multi-repo detection.

Gmail logo

Action

Send Email

Sends an email via gmail api using the authenticated user's google profile display name, requiring `is html=true` if the body contains html and valid `s3key`, `mimetype`, `name` for any attachment.

Why this helps

Exposed secrets can linger undetected, giving attackers active access to production systems, databases, and services until discovered weeks or months later.

  • Respond to exposed secrets within minutes instead of hours or days
  • Automatically know which secrets are actively compromised vs. inactive
  • Create an urgent action trail via email to track and revoke secrets
  • Prevent account breaches by catching exposed credentials before they're exploited

Setup

Build it in a few focused steps.

  • 1Connect GitHub and Gmail to your Notis account
  • 2Create an automation: 'When secret scanning detects a new secret, send me an urgent email with the secret type, validity status, and which file exposed it'
  • 3Select 'New Secret Scanning Alert Detected' as your trigger and filter for all secret types
  • 4Choose email as your notification destination
  • 5Test by committing a dummy token or credential to trigger the alert and confirm the email is urgent and actionable

Questions about this workflow

Will the email show the actual secret?

No, for security reasons the email only shows the secret type (e.g., 'AWS Key') and location, not the exposed credential itself.

Can I filter by secret type?

Yes, tell Notis to only alert on 'active' secrets or certain types like AWS keys, so you focus on the most dangerous exposures.

What does 'validity status' mean?

It tells you if the secret is still active (high risk), inactive (lower risk), or unknown—so you prioritize revocation efforts.

When this happens · Trigger

Do this · Action

Supported Triggers and Actions

Notis builds workflows that link GitHub to Gmail. A trigger fires from one place; an action lands in another.

GitHub logo

GitHub triggers

Gmail logo

Gmail actions

New Workflow Artifact Created

Triggers when a new workflow artifact is created in a GitHub repository. Monitors for newly created GitHub Actions workflow artifacts. Optionally filters by artifact name to restrict monitoring to specific artifacts.

TriggerPolling

Modify email labels

Adds and/or removes specified gmail labels for a message; ensure `message id` and all `label ids` are valid (use 'listlabels' for custom label ids).

ActionInstant

Branch Changed

Triggers when a GitHub branch changes. Monitors a specific branch for: - New commits pushed (head commit SHA changes) - Protection status toggled (branch becomes protected or unprotected) - Protection settings changed, including: required status checks and their enforcement level, admin enforcement, required pull request reviews (dismiss stale reviews, code owner reviews, approving review count, last push approval), required linear history, force push allowance, deletion allowance, conversation resolution, branch locking, and fork syncing.

TriggerPolling

Create email draft

Creates a gmail email draft, supporting to/cc/bcc, subject, plain/html body (ensure `is html=true` for html), attachments, and threading.

ActionInstant

New Branch Created

Triggers when a new branch is created in a GitHub repository. Detects newly created branches. Deleted branches do not fire events.

TriggerPolling

Create label

Creates a new label with a unique name in the specified user's gmail account.

ActionInstant

Check Run Status / Conclusion Changed

Triggers when a specific GitHub check run changes its status or conclusion. Monitors a single check run for changes to: status (queued, in_progress, completed, etc.), conclusion (success, failure, neutral, cancelled, skipped, timed_out, action_required), started_at, and completed_at.

TriggerPolling

Delete Draft

Permanently deletes a specific gmail draft using its id; ensure the draft exists and the user has necessary permissions for the given `user id`.

ActionInstant

Check Suite Status / Conclusion Changed

Triggers when a GitHub check suite changes its status or conclusion for a given ref. Monitors all check suites associated with a git reference (branch, tag, or commit SHA) for changes to status (queued, in_progress, completed, etc.) and conclusion (success, failure, neutral, cancelled, skipped, timed_out, action_required, startup_failure, stale). Optionally filters by GitHub App ID.

TriggerPolling

Delete message

Permanently deletes a specific email message by its id from a gmail mailbox; for `user id`, use 'me' for the authenticated user or an email address to which the authenticated user has delegated access.

ActionInstant

New Code Scanning Alert Created

Triggers when a new code scanning alert is created in a repository. Fires an event for each newly created code scanning alert detected in the configured repository. Alerts can be filtered by Git reference, scanning tool, state, and severity. The payload includes the alert number, rule details, tool information, state, severity, and the location of the most recent instance.

TriggerPolling

Fetch emails

Fetches a list of email messages from a gmail account, supporting filtering, pagination, and optional full content retrieval.

ActionInstant

New Repository Collaborator Added

Triggers when a new collaborator is added to a GitHub repository. Monitors the full list of collaborators on a repository and fires an event for each newly added collaborator. The payload includes the collaborator's GitHub username, account ID, profile URL, avatar URL, permission flags (pull, triage, push, maintain, admin), and assigned role name.

TriggerPolling

Fetch message by message ID

Fetches a specific email message by its id, provided the `message id` exists and is accessible to the authenticated `user id`.

ActionInstant

Commit Event

Triggered when a new commit is pushed to a repository.

TriggerInstant

Fetch Message by Thread ID

Retrieves messages from a gmail thread using its `thread id`, where the thread must be accessible by the specified `user id`.

ActionInstant

Connect any two apps with Notis in the middle.

Not just GitHub and Gmail. Any combination from 985+ integrations.

When this happens · Trigger

Do this · Action

Save your first hour today.

7 days free trial with 20$ free usage included.
No card. Works with personal or business Gmail.