Update a Render secret file when GitHub flags a leaked secret
A leaked credential is a race against the clock. Notis watches GitHub secret scanning alerts and, when one fires, updates the affected Render secret file so your rotation begins in seconds instead of after the alert email sits unread.
Trigger
New Secret Scanning Alert Detected
Triggers when a new secret scanning alert is detected in a GitHub repository. Monitors open secret scanning alerts and fires an event for each newly detected alert. Supports filtering by secret type (e.g., personal access tokens, AWS keys) and by token validity status (active, inactive, unknown). The payload includes the alert number, secret type, validity status, resolution state, timestamps, URLs, and flags for push protection bypass, public exposure, and multi-repo detection.
Action
Add or Update Secret File
Tool to add or update a secret file for a Render service. Use when you need to create a new secret file or update the content of an existing secret file.
Why this helps
A secret gets exposed, GitHub emails you, and that email lands in a pile you will not open for hours. Meanwhile the live credential in Render is still valid, and rotating it means remembering exactly which file to touch under pressure.
- Start rotating an exposed credential the moment GitHub detects it.
- Cut the window between a leak and a fix from hours to seconds.
- Skip the panic of remembering which Render secret file to edit.
- Turn a scary security email into an automatic first response.
Setup
Build it in a few focused steps.
- 1Connect GitHub and Render to Notis once from the portal.
- 2Open your portal link and start a New Automation.
- 3Describe the outcome plainly: when GitHub detects a new secret scanning alert, update the matching Render secret file and alert me.
- 4Select the New Secret Scanning Alert Detected trigger and choose an urgent channel for reports.
- 5Trigger a test alert or run a dry check to confirm Notis updates the secret file and notifies you.
Questions about this workflow
Does this fully rotate the credential for me?
It updates the Render secret file to kick off rotation and alerts you so you can complete any downstream steps. You describe the intended value or source in plain language.
Will I still be told a leak happened?
Yes. Notis reports every run to the channel you choose, so you always know an alert fired and what it did.
Can it filter by secret type?
Yes. Mention the secret types you care about in the instruction and Notis will act only on those.
When this happens · Trigger
Do this · Action
Supported Triggers and Actions
Notis builds workflows that link GitHub to Render. A trigger fires from one place; an action lands in another.
GitHub triggers
Render actions
New Workflow Artifact Created
Triggers when a new workflow artifact is created in a GitHub repository. Monitors for newly created GitHub Actions workflow artifacts. Optionally filters by artifact name to restrict monitoring to specific artifacts.
Add Header Rule
Tool to add a custom HTTP header rule to a Render service. Use when you need to configure headers like Cache-Control, security headers, or CORS headers for specific request paths.
Branch Changed
Triggers when a GitHub branch changes. Monitors a specific branch for: - New commits pushed (head commit SHA changes) - Protection status toggled (branch becomes protected or unprotected) - Protection settings changed, including: required status checks and their enforcement level, admin enforcement, required pull request reviews (dismiss stale reviews, code owner reviews, approving review count, last push approval), required linear history, force push allowance, deletion allowance, conversation resolution, branch locking, and fork syncing.
Add or Update Secret File
Tool to add or update a secret file for a Render service. Use when you need to create a new secret file or update the content of an existing secret file.
New Branch Created
Triggers when a new branch is created in a GitHub repository. Detects newly created branches. Deleted branches do not fire events.
Add Resources to Environment
Tool to add resources to a Render environment. Use when you need to associate services, databases, Redis instances, or environment groups with an existing environment.
Check Run Status / Conclusion Changed
Triggers when a specific GitHub check run changes its status or conclusion. Monitors a single check run for changes to: status (queued, in_progress, completed, etc.), conclusion (success, failure, neutral, cancelled, skipped, timed_out, action_required), started_at, and completed_at.
Add Route
Tool to add redirect or rewrite rules to a Render service. Use when you need to configure URL routing, redirects, or rewrites for a service. Redirect rules send HTTP redirects to clients, while rewrite rules modify the request path internally.
Check Suite Status / Conclusion Changed
Triggers when a GitHub check suite changes its status or conclusion for a given ref. Monitors all check suites associated with a git reference (branch, tag, or commit SHA) for changes to status (queued, in_progress, completed, etc.) and conclusion (success, failure, neutral, cancelled, skipped, timed_out, action_required, startup_failure, stale). Optionally filters by GitHub App ID.
Create Custom Domain
Tool to add a custom domain to a Render service. Use when you need to configure a custom domain for a service.
New Code Scanning Alert Created
Triggers when a new code scanning alert is created in a repository. Fires an event for each newly created code scanning alert detected in the configured repository. Alerts can be filtered by Git reference, scanning tool, state, and severity. The payload includes the alert number, rule details, tool information, state, severity, and the location of the most recent instance.
Create Environment Group
Tool to create a new environment group. Use when you need to create a shared collection of environment variables and secret files that can be used across multiple services.
New Repository Collaborator Added
Triggers when a new collaborator is added to a GitHub repository. Monitors the full list of collaborators on a repository and fires an event for each newly added collaborator. The payload includes the collaborator's GitHub username, account ID, profile URL, avatar URL, permission flags (pull, triage, push, maintain, admin), and assigned role name.
Create Environment
Tool to create a new environment within a Render project. Use when you need to set up a new environment for organizing services, databases, and other resources.
Commit Event
Triggered when a new commit is pushed to a repository.
Create Postgres Instance
Tool to create a new Postgres instance on Render. Use when you need to provision a new PostgreSQL database with configurable plan, version, and region.
Connect any two apps with Notis in the middle.
Not just GitHub and Render. Any combination from 985+ integrations.
When this happens · Trigger
Do this · Action
Save your first hour today.
7 days free trial with 20$ free usage included.
No card. Works with personal or business Render.
