Track GitHub Secret Scanning Alerts in HubSpot
A secret gets exposed in your repo and GitHub alerts you, but the alert disappears from your inbox within hours. Notis logs every secret scanning alert as feedback in HubSpot so you have a permanent record for audit and compliance purposes.
Trigger
New Secret Scanning Alert Detected
Triggers when a new secret scanning alert is detected in a GitHub repository. Monitors open secret scanning alerts and fires an event for each newly detected alert. Supports filtering by secret type (e.g., personal access tokens, AWS keys) and by token validity status (active, inactive, unknown). The payload includes the alert number, secret type, validity status, resolution state, timestamps, URLs, and flags for push protection bypass, public exposure, and multi-repo detection.
Action
Create batch of feedback submissions
Creates a batch of feedback submissions in hubspot, ideal for bulk imports; all property names, `associationtypeid`s, and association `to id`s must reference existing entities in hubspot.
Why this helps
Secret scanning alerts are critical but ephemeral, making it impossible to prove remediation to auditors or track patterns across your organization.
- Permanent audit trail of security issues
- Easy compliance reporting
- Pattern detection across secrets
Setup
Build it in a few focused steps.
- 1Connect GitHub and HubSpot to Notis.
- 2Open Automations.
- 3Write: 'When GitHub detects a secret scanning alert, create a feedback submission in HubSpot with the secret type, validity status, repository, and remediation link.'
- 4Select: GitHub > New Secret Scanning Alert Detected.
- 5Filter by severity if needed and confirm.
Questions about this workflow
Will Notis log secrets that were immediately revoked?
Yes. Every alert gets logged regardless of revocation status so you have a complete history for compliance.
Can we automatically notify security team members?
Absolutely. Tell Notis to route high-severity alerts to your security lead and others to your engineering team.
How do we keep sensitive secret data out of HubSpot?
Notis logs the alert metadata (type, repo, status) but not the actual secret content, keeping HubSpot safe.
When this happens · Trigger
Do this · Action
Supported Triggers and Actions
Notis builds workflows that link GitHub to Hubspot. A trigger fires from one place; an action lands in another.
GitHub triggers
Hubspot actions
New Workflow Artifact Created
Triggers when a new workflow artifact is created in a GitHub repository. Monitors for newly created GitHub Actions workflow artifacts. Optionally filters by artifact name to restrict monitoring to specific artifacts.
Add asset association
Associates an existing asset ('form', 'object list', or 'external web url') with a specified hubspot marketing campaign.
Branch Changed
Triggers when a GitHub branch changes. Monitors a specific branch for: - New commits pushed (head commit SHA changes) - Protection status toggled (branch becomes protected or unprotected) - Protection settings changed, including: required status checks and their enforcement level, admin enforcement, required pull request reviews (dismiss stale reviews, code owner reviews, approving review count, last push approval), required linear history, force push allowance, deletion allowance, conversation resolution, branch locking, and fork syncing.
Add token to event template
Adds a new custom data token to an existing event template for a specified hubspot application, optionally populating a crm object property if objectpropertyname is provided.
New Branch Created
Triggers when a new branch is created in a GitHub repository. Detects newly created branches. Deleted branches do not fire events.
Archive email
Archives the hubspot email specified by `emailid` by moving it to the recycling bin, making it inaccessible unless restored.
Check Run Status / Conclusion Changed
Triggers when a specific GitHub check run changes its status or conclusion. Monitors a single check run for changes to: status (queued, in_progress, completed, etc.), conclusion (success, failure, neutral, cancelled, skipped, timed_out, action_required), started_at, and completed_at.
Archive a batch of emails by ID
Archives multiple hubspot crm emails by id; ids must exist as archiving is irreversible.
Check Suite Status / Conclusion Changed
Triggers when a GitHub check suite changes its status or conclusion for a given ref. Monitors all check suites associated with a git reference (branch, tag, or commit SHA) for changes to status (queued, in_progress, completed, etc.) and conclusion (success, failure, neutral, cancelled, skipped, timed_out, action_required, startup_failure, stale). Optionally filters by GitHub App ID.
Archive a batch of quotes by id
Archives a batch of existing, non-archived quotes by their ids; this action is irreversible and useful for managing outdated or irrelevant quotes.
New Code Scanning Alert Created
Triggers when a new code scanning alert is created in a repository. Fires an event for each newly created code scanning alert detected in the configured repository. Alerts can be filtered by Git reference, scanning tool, state, and severity. The payload includes the alert number, rule details, tool information, state, severity, and the location of the most recent instance.
Archive batch of companies by id
Archives a batch of companies by their unique ids; targeted companies must exist, not be previously archived, and this api operation is irreversible.
New Repository Collaborator Added
Triggers when a new collaborator is added to a GitHub repository. Monitors the full list of collaborators on a repository and fires an event for each newly added collaborator. The payload includes the collaborator's GitHub username, account ID, profile URL, avatar URL, permission flags (pull, triage, push, maintain, admin), and assigned role name.
Archive batch of contacts by id
Archives a batch of existing contacts by their hubspot crm ids, rendering them inactive; this action is irreversible via the api and requires manual restoration or a separate unarchive endpoint.
Commit Event
Triggered when a new commit is pushed to a repository.
Archive batch of deals by id
Archives a batch of existing deals by their unique hubspot ids, removing them from active views and reports (soft delete); archived deals may be restorable.
Connect any two apps with Notis in the middle.
Not just GitHub and Hubspot. Any combination from 985+ integrations.
When this happens · Trigger
Do this · Action
Save your first hour today.
7 days free trial with 20$ free usage included.
No card. Works with personal or business Hubspot.
