Update a Render secret file when GitHub flags a leaked secret

A leaked credential is a race against the clock. Notis watches GitHub secret scanning alerts and, when one fires, updates the affected Render secret file so your rotation begins in seconds instead of after the alert email sits unread.

Trigger

New Secret Scanning Alert Detected

Triggers when a new secret scanning alert is detected in a GitHub repository. Monitors open secret scanning alerts and fires an event for each newly detected alert. Supports filtering by secret type (e.g., personal access tokens, AWS keys) and by token validity status (active, inactive, unknown). The payload includes the alert number, secret type, validity status, resolution state, timestamps, URLs, and flags for push protection bypass, public exposure, and multi-repo detection.

Render logo

Action

Add or Update Secret File

Tool to add or update a secret file for a Render service. Use when you need to create a new secret file or update the content of an existing secret file.

Why this helps

A secret gets exposed, GitHub emails you, and that email lands in a pile you will not open for hours. Meanwhile the live credential in Render is still valid, and rotating it means remembering exactly which file to touch under pressure.

  • Start rotating an exposed credential the moment GitHub detects it.
  • Cut the window between a leak and a fix from hours to seconds.
  • Skip the panic of remembering which Render secret file to edit.
  • Turn a scary security email into an automatic first response.

Setup

Build it in a few focused steps.

  • 1Connect GitHub and Render to Notis once from the portal.
  • 2Open your portal link and start a New Automation.
  • 3Describe the outcome plainly: when GitHub detects a new secret scanning alert, update the matching Render secret file and alert me.
  • 4Select the New Secret Scanning Alert Detected trigger and choose an urgent channel for reports.
  • 5Trigger a test alert or run a dry check to confirm Notis updates the secret file and notifies you.

Questions about this workflow

Does this fully rotate the credential for me?

It updates the Render secret file to kick off rotation and alerts you so you can complete any downstream steps. You describe the intended value or source in plain language.

Will I still be told a leak happened?

Yes. Notis reports every run to the channel you choose, so you always know an alert fired and what it did.

Can it filter by secret type?

Yes. Mention the secret types you care about in the instruction and Notis will act only on those.

When this happens · Trigger

Do this · Action

Supported Triggers and Actions

Notis builds workflows that link GitHub to Render. A trigger fires from one place; an action lands in another.

GitHub logo

GitHub triggers

Render logo

Render actions

New Workflow Artifact Created

Triggers when a new workflow artifact is created in a GitHub repository. Monitors for newly created GitHub Actions workflow artifacts. Optionally filters by artifact name to restrict monitoring to specific artifacts.

TriggerPolling

Add Header Rule

Tool to add a custom HTTP header rule to a Render service. Use when you need to configure headers like Cache-Control, security headers, or CORS headers for specific request paths.

ActionInstant

Branch Changed

Triggers when a GitHub branch changes. Monitors a specific branch for: - New commits pushed (head commit SHA changes) - Protection status toggled (branch becomes protected or unprotected) - Protection settings changed, including: required status checks and their enforcement level, admin enforcement, required pull request reviews (dismiss stale reviews, code owner reviews, approving review count, last push approval), required linear history, force push allowance, deletion allowance, conversation resolution, branch locking, and fork syncing.

TriggerPolling

Add or Update Secret File

Tool to add or update a secret file for a Render service. Use when you need to create a new secret file or update the content of an existing secret file.

ActionInstant

New Branch Created

Triggers when a new branch is created in a GitHub repository. Detects newly created branches. Deleted branches do not fire events.

TriggerPolling

Add Resources to Environment

Tool to add resources to a Render environment. Use when you need to associate services, databases, Redis instances, or environment groups with an existing environment.

ActionInstant

Check Run Status / Conclusion Changed

Triggers when a specific GitHub check run changes its status or conclusion. Monitors a single check run for changes to: status (queued, in_progress, completed, etc.), conclusion (success, failure, neutral, cancelled, skipped, timed_out, action_required), started_at, and completed_at.

TriggerPolling

Add Route

Tool to add redirect or rewrite rules to a Render service. Use when you need to configure URL routing, redirects, or rewrites for a service. Redirect rules send HTTP redirects to clients, while rewrite rules modify the request path internally.

ActionInstant

Check Suite Status / Conclusion Changed

Triggers when a GitHub check suite changes its status or conclusion for a given ref. Monitors all check suites associated with a git reference (branch, tag, or commit SHA) for changes to status (queued, in_progress, completed, etc.) and conclusion (success, failure, neutral, cancelled, skipped, timed_out, action_required, startup_failure, stale). Optionally filters by GitHub App ID.

TriggerPolling

Create Custom Domain

Tool to add a custom domain to a Render service. Use when you need to configure a custom domain for a service.

ActionInstant

New Code Scanning Alert Created

Triggers when a new code scanning alert is created in a repository. Fires an event for each newly created code scanning alert detected in the configured repository. Alerts can be filtered by Git reference, scanning tool, state, and severity. The payload includes the alert number, rule details, tool information, state, severity, and the location of the most recent instance.

TriggerPolling

Create Environment Group

Tool to create a new environment group. Use when you need to create a shared collection of environment variables and secret files that can be used across multiple services.

ActionInstant

New Repository Collaborator Added

Triggers when a new collaborator is added to a GitHub repository. Monitors the full list of collaborators on a repository and fires an event for each newly added collaborator. The payload includes the collaborator's GitHub username, account ID, profile URL, avatar URL, permission flags (pull, triage, push, maintain, admin), and assigned role name.

TriggerPolling

Create Environment

Tool to create a new environment within a Render project. Use when you need to set up a new environment for organizing services, databases, and other resources.

ActionInstant

Commit Event

Triggered when a new commit is pushed to a repository.

TriggerInstant

Create Postgres Instance

Tool to create a new Postgres instance on Render. Use when you need to provision a new PostgreSQL database with configurable plan, version, and region.

ActionInstant

Connect any two apps with Notis in the middle.

Not just GitHub and Render. Any combination from 985+ integrations.

When this happens · Trigger

Do this · Action

Save your first hour today.

7 days free trial with 20$ free usage included.
No card. Works with personal or business Render.