From engineering-advanced-skills
Manage environment-variable hygiene and secrets safety across local development and production. Practical auditing, drift awareness, rotation readiness. Use when auditing .env files for committed secrets, planning a credential rotation, debugging missing-env-var production incidents, or hardening a new project against secrets leakage.
How this skill is triggered — by the user, by Claude, or both
Slash command
/engineering-advanced-skills:env-secrets-managerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**Tier:** POWERFUL
Tier: POWERFUL Category: Engineering Domain: Security / DevOps / Configuration Management
Manage environment-variable hygiene and secrets safety across local development and production workflows. This skill focuses on practical auditing, drift awareness, and rotation readiness.
.env and .env.example lifecycle guidance# Scan a repository for likely secret leaks
python3 scripts/env_auditor.py /path/to/repo
# JSON output for CI pipelines
python3 scripts/env_auditor.py /path/to/repo --json
scripts/env_auditor.py on the repository root.critical and high findings first..env.example and .gitignore as needed.references/validation-detection-rotation.mdreferences/secret-patterns.md.env.exampleProduction applications should never read secrets from .env files or environment variables baked into container images. Use a dedicated secret store instead.
| Provider | Best For | Key Feature |
|---|---|---|
| HashiCorp Vault | Multi-cloud / hybrid | Dynamic secrets, policy engine, pluggable backends |
| AWS Secrets Manager | AWS-native workloads | Native Lambda/ECS/EKS integration, automatic RDS rotation |
| Azure Key Vault | Azure-native workloads | Managed HSM, Azure AD RBAC, certificate management |
| GCP Secret Manager | GCP-native workloads | IAM-based access, automatic replication, versioning |
Secret objects without hardcoding.Cross-reference: See
engineering/secrets-vault-managerfor production vault infrastructure patterns, HA deployment, and disaster recovery procedures.
Stale secrets are a liability. Rotation ensures that even if a credential leaks, its useful lifetime is bounded.
scripts/env_auditor.py to flag secrets with no recorded rotation date.When a secret is confirmed leaked:
Secrets in CI/CD pipelines require careful handling to avoid exposure in logs, artifacts, or pull request contexts.
${{ secrets.SECRET_NAME }}.aws-actions/configure-aws-credentials with role-to-assume) over long-lived access keys.echo or toJSON() on secret values.masked and protected flags enabled.secrets:vault) for dynamic secret injection without storing values in GitLab.production, staging) to enforce least privilege.Catching secrets before they reach version control is the most cost-effective defense. Two leading tools cover this space.
# .gitleaks.toml — minimal configuration
[extend]
useDefault = true
[[rules]]
id = "custom-internal-token"
description = "Internal service token pattern"
regex = '''INTERNAL_TOKEN_[A-Za-z0-9]{32}'''
secretGroup = 0
brew install gitleaks or download from GitHub releases.gitleaks git --pre-commit --stagedgitleaks detect --source . --report-path gitleaks-report.json.gitleaksignore (one fingerprint per line).# Generate baseline
detect-secrets scan --all-files > .secrets.baseline
# Pre-commit hook (via pre-commit framework)
# .pre-commit-config.yaml
repos:
- repo: https://github.com/Yelp/detect-secrets
rev: v1.5.0
hooks:
- id: detect-secrets
args: ['--baseline', '.secrets.baseline']
detect-secrets audit .secrets.baseline interactively marks true/false positives..gitleaksignore or .secrets.baseline in version control so the whole team shares exclusions.Knowing who accessed which secret and when is critical for incident investigation and compliance.
| Provider | Service | What It Captures |
|---|---|---|
| AWS | CloudTrail | Every GetSecretValue, DescribeSecret, RotateSecret API call |
| Azure | Activity Log + Diagnostic Logs | Key Vault access events, including caller identity and IP |
| GCP | Cloud Audit Logs | Data access logs for Secret Manager with principal and timestamp |
| Vault | Audit Backend | Full request/response logging (file, syslog, or socket backend) |
This skill covers env hygiene and secret detection. For deeper coverage of related domains, see:
| Skill | Path | Relationship |
|---|---|---|
| Secrets Vault Manager | engineering/secrets-vault-manager | Production vault infrastructure, HA deployment, DR |
| Senior SecOps | engineering/senior-secops | Security operations perspective, incident response |
| CI/CD Pipeline Builder | engineering/ci-cd-pipeline-builder | Pipeline architecture, secret injection patterns |
| Infrastructure as Code | engineering/infrastructure-as-code | Terraform/Pulumi secret backend configuration |
| Container Orchestration | engineering/container-orchestration | Kubernetes secret mounting, sealed secrets |
Creates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.
27plugins reuse this skill
First indexed Jun 3, 2026
Showing the 6 earliest of 27 plugins
npx claudepluginhub sandeepyadav1478/claude-skills --plugin engineering-advanced-skills