Weekly Doppler stale secret triage to Jira and Slack

Every Monday at 8am, find the riskiest stale secrets in your production Doppler configs, file Jira rotation tickets, and post a digest to Slack.

Agentic Task
Tags: Doppler, Jira, Slack, Engineering, Research & Monitoring, Notifications & Alerts, AI Reports

Every Monday at 8am in my timezone, run a stale secret rotation triage across my Doppler workplace and turn it into a prioritized Jira backlog plus a Slack digest.

Trigger: cron, weekly on Monday at 8am.

Step 1, map the workplace. Use Doppler List Projects to enumerate every project. For each project, use Doppler List Environments and Doppler List Configs to find every production-like config. Treat anything in a production environment (prd, prod, production) as in scope. Skip development and branch configs on the first pass unless every production config already looks clean.

Step 2, gather signals. For each in-scope config, use Doppler List Secret Names to enumerate the secrets, and use Doppler List Config Logs to read the full change history, not just the most recent page of results. From the logs, work out the last-changed timestamp per secret. If a secret never appears in the retained history, treat its last change as no later than the oldest retained log entry rather than assuming it is fresh. Never request the actual secret values.

Step 3, score risk. Build a per-secret score that favors anything unchanged for the staleness threshold (default 90 days) or longer in a production environment. Increase the weight for high-blast-radius name patterns, including DATABASE_URL, STRIPE_, AWS_, OAUTH_, JWT_, ROOT, and ADMIN. These are substring matches, so ROOT and ADMIN will also catch names like PROJECT_ROOT_DIR; review the matches on the first run and trim the list to your stack. Drop low-signal infrastructure defaults like NODE_ENV, PORT, LOG_LEVEL, and similar non-secret config. Pick the top rotation candidates for the week, capped at the configured maximum number of tickets per run, rather than filing every single hit.

Step 4, file Jira tickets. For each rotation candidate, use Jira Create Issue in a configurable security or platform project. If there are many candidates, use Jira Create Issues Bulk instead. Where prior runs are available as context, skip candidates that already have an open rotation ticket so the same secret is not filed twice. Each ticket should have a clear summary like "Rotate STRIPE_SECRET_KEY in payments / prod", a body that explains why it surfaced (days since last change, environment, evidence from the config logs), and a checklist of rotation steps (generate a new value in the upstream provider, update the Doppler secret, verify the deploy, revoke the old value). Never put secret values in the ticket summary or body.

Step 5, post the Slack digest. Use Slack Send a Message to post to a configurable security or platform channel. Include the total count of stale production secrets, the top five worst offenders by score with their new Jira ticket links, and a one-line week-over-week comparison if there is prior context to draw on. Keep the tone calm and operational, never alarmist. Do not include any secret values.

Configurables to expose: the Doppler token (scoped to read access only; the workflow never writes to Doppler), the Jira destination project key, the Slack channel, the staleness threshold in days (default 90), and the maximum number of tickets to file per run.
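The five steps above, carried through end to end on constructed data as an added example. This is not Geni's, Doppler's or Jira's code: it takes the secret names and change-log entries the Doppler steps would have collected, derives the last change per secret, scores and ranks the candidates, builds the Jira issue payloads and renders the Slack digest text. The config and log dictionary shapes, the x3 blast-radius multiplier, the extra low-signal names DEBUG and TZ, and the sample project, secret names and timestamps are all assumptions of the example, not the real Doppler API schema or real data; the file_issue callback is the point where the agent would plug in Jira Create Issue.

```python
"""Stale-secret triage for Steps 2 through 5, runnable offline.
Added example, not Geni's or Doppler's code. Input is what the Doppler steps
gather (secret names per config, change-log entries); output is the ranked
candidates, Jira issue payloads and Slack digest text. The dict shapes below
are constructed simplifications, NOT the real Doppler API schema."""
from datetime import datetime
import re

# Name patterns from the prompt. The x3 boost and the extra low-signal names
# (DEBUG, TZ) are this example's assumptions.
HIGH_BLAST = re.compile(r"DATABASE_URL|STRIPE_|AWS_|OAUTH_|JWT_|ROOT|ADMIN")
LOW_SIGNAL = re.compile(r"^(NODE_ENV|PORT|LOG_LEVEL|DEBUG|TZ)$")
PROD_ENVS = {"prd", "prod", "production"}

def last_changed(names, logs):
    """{name: datetime of last recorded change}. logs: [{"ts": ISO-8601,
    "names": [changed names]}]. A name absent from retained history gets the
    oldest retained timestamp: a lower bound on staleness, flagged not skipped."""
    parsed = [(datetime.fromisoformat(e["ts"]), e["names"]) for e in logs]
    if not parsed:
        raise ValueError("no change history for config; cannot date its secrets")
    oldest = min(ts for ts, _ in parsed)
    seen = {}
    for ts, changed in parsed:
        for name in changed:
            if name not in seen or ts > seen[name]:
                seen[name] = ts
    return {name: seen.get(name, oldest) for name in names}

def score_secret(name, days_stale, threshold=90):
    """0 for fresh or low-signal names, else days stale, tripled for
    high-blast-radius names. HIGH_BLAST is a substring match, so a name
    like PROJECT_ROOT_DIR is boosted too; tune the pattern to your stack."""
    if LOW_SIGNAL.match(name) or days_stale < threshold:
        return 0
    return days_stale * (3 if HIGH_BLAST.search(name) else 1)

def triage(configs, now, threshold=90):
    """configs: [{"project", "env", "config", "names", "logs"}].
    Returns every stale production candidate, highest score first."""
    out = []
    for cfg in configs:
        if cfg["env"].lower() not in PROD_ENVS:
            continue  # first pass: production-like configs only
        for name, ts in last_changed(cfg["names"], cfg["logs"]).items():
            days = (now - ts).days
            score = score_secret(name, days, threshold)
            if score:
                out.append({"project": cfg["project"], "config": cfg["config"],
                            "name": name, "days": days, "score": score})
    return sorted(out, key=lambda c: (-c["score"], c["project"], c["name"]))

def jira_issue(c, threshold):
    """Summary and description for one rotation ticket; never a secret value."""
    body = [f"Surfaced by weekly stale-secret triage (threshold {threshold} days).",
            f"Config: {c['project']} / {c['config']}",
            f"Days since last change per Doppler config logs: {c['days']}",
            f"Risk score: {c['score']}", "", "Rotation checklist:",
            "- [ ] Generate a new value in the upstream provider",
            "- [ ] Update the Doppler secret", "- [ ] Verify the deploy",
            "- [ ] Revoke the old value"]
    return {"summary": f"Rotate {c['name']} in {c['project']} / {c['config']}",
            "description": "\n".join(body)}

def slack_digest(candidates, ticket_keys, prev_total=None, top_n=5):
    """ticket_keys: {(project, config, name): Jira key} for tickets filed."""
    lines = [f"Weekly stale-secret triage: {len(candidates)} stale production secrets"]
    if prev_total is not None:
        lines.append(f"Week over week: {len(candidates) - prev_total:+d} (was {prev_total})")
    for c in candidates[:top_n]:
        key = ticket_keys.get((c["project"], c["config"], c["name"]), "no ticket this run")
        lines.append(f"- {c['name']} in {c['project']} / {c['config']}: "
                     f"{c['days']} days unchanged, score {c['score']}, {key}")
    return "\n".join(lines)

def run(configs, now, file_issue, threshold=90, max_tickets=5, prev_total=None):
    """One weekly pass. file_issue(issue) -> Jira key is where the agent wires
    Jira Create Issue (any stub works offline). Returns candidates, issues, digest."""
    candidates = triage(configs, now, threshold)
    issues, keys = [], {}
    for c in candidates[:max_tickets]:
        issues.append(jira_issue(c, threshold))
        keys[(c["project"], c["config"], c["name"])] = file_issue(issues[-1])
    return {"candidates": candidates, "issues": issues,
            "digest": slack_digest(candidates, keys, prev_total)}

# Constructed sample input (no real projects or secrets). NOW is a Monday 08:00.
SAMPLE_CONFIGS = [
    {"project": "payments", "env": "production", "config": "prod",
     "names": ["STRIPE_SECRET_KEY", "DATABASE_URL", "SENDGRID_API_KEY",
               "SESSION_SIGNING_KEY", "LOG_LEVEL", "PORT"],
     "logs": [{"ts": "2024-11-01T07:30:00", "names": ["STRIPE_SECRET_KEY", "LOG_LEVEL"]},
              {"ts": "2025-01-15T06:00:00", "names": ["DATABASE_URL"]},
              {"ts": "2025-05-20T07:00:00", "names": ["SENDGRID_API_KEY"]}]},
    {"project": "payments", "env": "development", "config": "dev",  # out of scope
     "names": ["DATABASE_URL"], "logs": [{"ts": "2023-01-01T00:00:00", "names": ["DATABASE_URL"]}]},
]
NOW = datetime(2025, 6, 2, 8, 0)
```

Calling run(SAMPLE_CONFIGS, NOW, file_issue, max_tickets=2, prev_total=5) with any stub for file_issue prints the ranking and digest offline: STRIPE_SECRET_KEY (213 days, score 639) and DATABASE_URL (138 days, score 414) get tickets, SESSION_SIGNING_KEY appears in the digest without one because the cap is two, and the dev config never enters the ranking. SESSION_SIGNING_KEY has no entry in the retained history, so it is dated to the oldest retained entry; that is a lower bound on its age, which is why it surfaces instead of being silently treated as fresh. In the agent, the stub becomes the real Jira call and prev_total comes from the previous week's context.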

Additional information

What does this prompt do?
  • Scans every production-like Doppler config in your workplace and figures out when each secret was last changed.
  • Scores secrets by staleness and blast radius so high-risk credentials like database, payments, and admin keys surface first.
  • Files a Jira ticket for each rotation candidate with the reason it surfaced and a checklist of rotation steps.
  • Posts a calm Monday morning Slack digest with the total stale count, top five offenders, and links to the new tickets.
What do I need to use this?
  • A Doppler workplace with at least one production environment and an API token that can read projects, configs, and logs.
  • A Jira project where rotation tickets should land, such as a Security or Platform backlog.
  • A Slack channel where your security or platform team reads weekly hygiene updates.
How can I customize it?
  • Change the cadence or time. Many teams run this Sunday night so tickets are waiting at the start of the week.
  • Tune the risk weighting. Adjust the staleness threshold from 90 days, or expand the list of high-blast-radius name patterns to match your stack.
  • Pick a different destination. Swap the Jira project, the Slack channel, or the number of offenders called out in the digest.

Frequently asked questions

Does this ever read or expose secret values?
No. The workflow only looks at secret names and change history. It never reads the actual secret values, and nothing in the Jira tickets or Slack digest contains a credential.
What if a secret has never been changed since it was created?
It counts as stale from its creation date, which the config logs record as the first change for that secret. If the retained log history does not reach back that far, the secret is treated as at least as old as the oldest retained entry, so it is still flagged. The agent treats long-untouched secrets in production as higher risk, especially when the name suggests broad access like a database URL or admin key.
Will it skip development or branch configs?
Yes. By default the workflow focuses on production-like configs and ignores development or branch configs unless every production config is already clean.
How are rotation candidates picked each week?
The agent scores every production secret by how long it has been unchanged and how dangerous it would be to leak. The top candidates become Jira tickets, and the top five become the Slack digest.
Can I send the tickets to a different Jira project later?
Yes. The destination project is configurable, so you can start in a Platform backlog and move it to a dedicated Security project once your team is ready.

Stop letting stale secrets sit in production for months.

Connect Doppler, Jira, and Slack once, and Geni delivers a fresh rotation backlog every Monday morning.