Track GitHub Secret Scanning Alerts in HubSpot

A secret gets exposed in your repo and GitHub alerts you, but the alert disappears from your inbox within hours. Notis logs every secret scanning alert as feedback in HubSpot so you have a permanent record for audit and compliance purposes.

Trigger

New Secret Scanning Alert Detected

Triggers when a new secret scanning alert is detected in a GitHub repository. Monitors open secret scanning alerts and fires an event for each newly detected alert. Supports filtering by secret type (e.g., personal access tokens, AWS keys) and by token validity status (active, inactive, unknown). The payload includes the alert number, secret type, validity status, resolution state, timestamps, URLs, and flags for push protection bypass, public exposure, and multi-repo detection.

Hubspot logo

Action

Create batch of feedback submissions

Creates a batch of feedback submissions in hubspot, ideal for bulk imports; all property names, `associationtypeid`s, and association `to id`s must reference existing entities in hubspot.

Why this helps

Secret scanning alerts are critical but ephemeral, making it impossible to prove remediation to auditors or track patterns across your organization.

  • Permanent audit trail of security issues
  • Easy compliance reporting
  • Pattern detection across secrets

Setup

Build it in a few focused steps.

  • 1Connect GitHub and HubSpot to Notis.
  • 2Open Automations.
  • 3Write: 'When GitHub detects a secret scanning alert, create a feedback submission in HubSpot with the secret type, validity status, repository, and remediation link.'
  • 4Select: GitHub > New Secret Scanning Alert Detected.
  • 5Filter by severity if needed and confirm.

Questions about this workflow

Will Notis log secrets that were immediately revoked?

Yes. Every alert gets logged regardless of revocation status so you have a complete history for compliance.

Can we automatically notify security team members?

Absolutely. Tell Notis to route high-severity alerts to your security lead and others to your engineering team.

How do we keep sensitive secret data out of HubSpot?

Notis logs the alert metadata (type, repo, status) but not the actual secret content, keeping HubSpot safe.

When this happens · Trigger

Do this · Action

Supported Triggers and Actions

Notis builds workflows that link GitHub to Hubspot. A trigger fires from one place; an action lands in another.

GitHub logo

GitHub triggers

Hubspot logo

Hubspot actions

New Workflow Artifact Created

Triggers when a new workflow artifact is created in a GitHub repository. Monitors for newly created GitHub Actions workflow artifacts. Optionally filters by artifact name to restrict monitoring to specific artifacts.

TriggerPolling

Add asset association

Associates an existing asset ('form', 'object list', or 'external web url') with a specified hubspot marketing campaign.

ActionInstant

Branch Changed

Triggers when a GitHub branch changes. Monitors a specific branch for: - New commits pushed (head commit SHA changes) - Protection status toggled (branch becomes protected or unprotected) - Protection settings changed, including: required status checks and their enforcement level, admin enforcement, required pull request reviews (dismiss stale reviews, code owner reviews, approving review count, last push approval), required linear history, force push allowance, deletion allowance, conversation resolution, branch locking, and fork syncing.

TriggerPolling

Add token to event template

Adds a new custom data token to an existing event template for a specified hubspot application, optionally populating a crm object property if objectpropertyname is provided.

ActionInstant

New Branch Created

Triggers when a new branch is created in a GitHub repository. Detects newly created branches. Deleted branches do not fire events.

TriggerPolling

Archive email

Archives the hubspot email specified by `emailid` by moving it to the recycling bin, making it inaccessible unless restored.

ActionInstant

Check Run Status / Conclusion Changed

Triggers when a specific GitHub check run changes its status or conclusion. Monitors a single check run for changes to: status (queued, in_progress, completed, etc.), conclusion (success, failure, neutral, cancelled, skipped, timed_out, action_required), started_at, and completed_at.

TriggerPolling

Archive a batch of emails by ID

Archives multiple hubspot crm emails by id; ids must exist as archiving is irreversible.

ActionInstant

Check Suite Status / Conclusion Changed

Triggers when a GitHub check suite changes its status or conclusion for a given ref. Monitors all check suites associated with a git reference (branch, tag, or commit SHA) for changes to status (queued, in_progress, completed, etc.) and conclusion (success, failure, neutral, cancelled, skipped, timed_out, action_required, startup_failure, stale). Optionally filters by GitHub App ID.

TriggerPolling

Archive a batch of quotes by id

Archives a batch of existing, non-archived quotes by their ids; this action is irreversible and useful for managing outdated or irrelevant quotes.

ActionInstant

New Code Scanning Alert Created

Triggers when a new code scanning alert is created in a repository. Fires an event for each newly created code scanning alert detected in the configured repository. Alerts can be filtered by Git reference, scanning tool, state, and severity. The payload includes the alert number, rule details, tool information, state, severity, and the location of the most recent instance.

TriggerPolling

Archive batch of companies by id

Archives a batch of companies by their unique ids; targeted companies must exist, not be previously archived, and this api operation is irreversible.

ActionInstant

New Repository Collaborator Added

Triggers when a new collaborator is added to a GitHub repository. Monitors the full list of collaborators on a repository and fires an event for each newly added collaborator. The payload includes the collaborator's GitHub username, account ID, profile URL, avatar URL, permission flags (pull, triage, push, maintain, admin), and assigned role name.

TriggerPolling

Archive batch of contacts by id

Archives a batch of existing contacts by their hubspot crm ids, rendering them inactive; this action is irreversible via the api and requires manual restoration or a separate unarchive endpoint.

ActionInstant

Commit Event

Triggered when a new commit is pushed to a repository.

TriggerInstant

Archive batch of deals by id

Archives a batch of existing deals by their unique hubspot ids, removing them from active views and reports (soft delete); archived deals may be restorable.

ActionInstant

Connect any two apps with Notis in the middle.

Not just GitHub and Hubspot. Any combination from 985+ integrations.

When this happens · Trigger

Do this · Action

Save your first hour today.

7 days free trial with 20$ free usage included.
No card. Works with personal or business Hubspot.