Secrets management. Leak detection, rotation, vault setup, .env management, access auditing.
From godmode (npx claudepluginhub arbazkhan971/godmode). This skill uses the workspace's default tool permissions.
Triggers: /godmode:secrets, "manage secrets", "rotate credentials"

| Secret            | Source    | Status  |
|-------------------|-----------|---------|
| DATABASE_URL      | .env      | PRESENT |
| JWT_SECRET        | .env      | PRESENT |
| STRIPE_SECRET_KEY | hardcoded | LEAKED  |
```bash
# Scan current codebase
gitleaks detect --source . --verbose
# Scan full git history
gitleaks detect --source . --log-opts="--all" --verbose
# Pattern scan for hardcoded secrets
grep -rn 'API_KEY=\|SECRET=\|PASSWORD=\|TOKEN=' \
  --include="*.ts" --include="*.py" --include="*.go" \
  --include="*.env" src/ 2>/dev/null
```
IF verified leak found:
1. REVOKE the credential immediately
2. ROTATE — generate new credential
3. REMOVE from code (use env var or vault)
4. SCRUB git history (BFG Repo-Cleaner)
5. VERIFY old credential no longer works
6. AUDIT access logs during exposure window
IF AWS infrastructure: AWS Secrets Manager
(auto-rotation, IAM integration)
IF multi-cloud or on-prem: HashiCorp Vault KV-v2
IF GCP: GCP Secret Manager (auto-replication)
IF Azure: Azure Key Vault
WHEN self-hosted: Vault with AppRole auth
```dotenv
# .env.example — committed (template)
DATABASE_URL=postgres://user:pass@localhost:5432/dev
JWT_SECRET=development-secret-change-in-production
STRIPE_KEY=sk_test_placeholder
```

```bash
# Validate .env against .env.example (bash: uses process substitution)
diff <(grep -oP '^[A-Z_]+=?' .env.example | sort) \
     <(grep -oP '^[A-Z_]+=?' .env | sort)
```
.ENV SAFETY CHECK:
- [x] .env in .gitignore
- [x] .env.local in .gitignore
- [x] .env.production in .gitignore
- [x] .env.example exists with placeholders
- [ ] .env was never committed to git history
| Secret Type | Rotation | Threshold |
|-------------------|----------|-------------|
| Database passwords| 30 days | OVERDUE >45d|
| API keys | 90 days | OVERDUE >120d|
| JWT signing key | 90 days | OVERDUE >120d|
| TLS certificates | 365 days | OVERDUE >400d|
| OAuth secrets | 180 days | OVERDUE >210d|
ROTATION STEPS:
1. Generate new credential
2. Store in secret manager (new version)
3. Update app (auto if vault, deploy if env)
4. Verify app works with new credential
5. Revoke old (after 24h grace period)
ACCESS CONTROL:
- Each service has own identity (AppRole/IAM)
- Services access only their own secrets
- Human access requires MFA and is logged
- Production secrets never accessed directly
- Access logs retained 90+ days
- Alerts on anomalous access patterns
```bash
# Install gitleaks pre-commit hook
# (appends a repos: block; if .pre-commit-config.yaml already exists,
#  add the entry under its existing repos: key instead of appending)
cat >> .pre-commit-config.yaml << 'EOF'
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
EOF
pre-commit install
```
SECRETS AUDIT:
Inventoried: <N>
Managed (vault): <N>
In .env (local): <N>
LEAKED: <N>
Rotation overdue: <N>
Pre-commit hook: ACTIVE | MISSING
Verdict: SECURE | NEEDS ROTATION | LEAKS FOUND
Commit: "secrets: <N> managed, <N> leaks fixed"
```bash
ls .env .env.local .env.production 2>/dev/null
grep -q "\.env" .gitignore 2>/dev/null || echo "CRITICAL"
grep -r "vault\|aws-sdk.*secrets\|@google-cloud/secret" \
  package.json pyproject.toml 2>/dev/null
```
Log to .godmode/secrets-audit.tsv:
timestamp\ttotal\tmanaged\tleaked\trotation_overdue\tverdict
KEEP if: verified real credential in production code
DISCARD if: false positive (placeholder, public key)
OR already remediated in previous iteration
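An added example, not part of the godmode skill, that applies this page's rules in Python: flag hardcoded assignments matching the grep pattern but discard placeholder values (the DISCARD rule), report .env drift against .env.example, grade rotation age against the threshold table, and emit the audit TSV row. The sample source text, env files and rotation dates are constructed.

```python
import re
from datetime import date

# Rotation policy from the table above: (rotate every N days, OVERDUE after N days)
ROTATION_POLICY = {
    "database_password": (30, 45), "api_key": (90, 120), "jwt_signing_key": (90, 120),
    "tls_certificate": (365, 400), "oauth_secret": (180, 210),
}
# Mirrors the grep pattern above (API_KEY|SECRET|PASSWORD|TOKEN), capturing name and value
ASSIGN_RE = re.compile(
    r"^\s*([A-Z0-9_]*(?:API_KEY|SECRET|PASSWORD|TOKEN)[A-Z0-9_]*)\s*=\s*['\"]?([^'\"\s]+)", re.M)
# Values that look like secrets but are placeholders (the DISCARD rule)
PLACEHOLDER_RE = re.compile(r"placeholder|change-in-production|example|<[^>]*>", re.I)

def find_hardcoded(text):
    """{name: value} for assignments whose value is not an obvious placeholder."""
    return {n: v for n, v in ASSIGN_RE.findall(text) if not PLACEHOLDER_RE.search(v)}

def env_keys(text):
    return {m.group(1) for m in re.finditer(r"^([A-Z_][A-Z0-9_]*)=", text, re.M)}

def env_drift(example_text, env_text):
    """(keys in .env.example missing from .env, keys in .env absent from .env.example)."""
    ex, env = env_keys(example_text), env_keys(env_text)
    return sorted(ex - env), sorted(env - ex)

def rotation_status(secret_type, last_rotated, today):
    """OK inside the rotation window, DUE past it, OVERDUE past the threshold."""
    rotate_days, overdue_days = ROTATION_POLICY[secret_type]
    age = (today - last_rotated).days
    return "OVERDUE" if age > overdue_days else "DUE" if age > rotate_days else "OK"

def verdict(leaked, overdue):
    return "LEAKS FOUND" if leaked else "NEEDS ROTATION" if overdue else "SECURE"

def audit_line(today, total, managed, leaked, overdue):
    """One row of .godmode/secrets-audit.tsv."""
    return "\t".join(map(str, (today.isoformat(), total, managed, leaked, overdue,
                               verdict(leaked, overdue))))

# Constructed sample inputs (not real credentials)
SAMPLE_SOURCE = 'STRIPE_SECRET_KEY = "sk_live_constructedsample0000"\nJWT_SECRET=development-secret-change-in-production\n'
SAMPLE_ENV_EXAMPLE = "DATABASE_URL=postgres://user:pass@localhost:5432/dev\nJWT_SECRET=development-secret-change-in-production\nSTRIPE_KEY=sk_test_placeholder\n"
SAMPLE_ENV = "DATABASE_URL=postgres://u:p@db:5432/prod\nJWT_SECRET=x\n"
TODAY = date(2024, 2, 20)
LAST_ROTATED = {"database_password": date(2024, 1, 1), "api_key": date(2024, 1, 1)}

def run_sample():
    leaked = find_hardcoded(SAMPLE_SOURCE)
    overdue = [t for t, d in LAST_ROTATED.items() if rotation_status(t, d, TODAY) == "OVERDUE"]
    return audit_line(TODAY, 3, 1, len(leaked), len(overdue))
```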
STOP when:
- Zero verified leaks in code and git history
- Pre-commit hook installed and active
- All production secrets in vault
- User requests stop