Skill

secrets-management

Manage API keys, credentials, and secrets securely using vaults, environment variables, and rotation policies. Prevent secrets from being committed to code or exposed in logs.

From secure-development

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin security-secure-development

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.5k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.5k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

140.7k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Domain Context

Secrets: API keys, database passwords, encryption keys, OAuth tokens, TLS certificates, private signing keys

Threat: Hardcoded secrets, secrets in logs, secrets in version control, secrets on developer machines

Controls: Secure vaults, environment variables, short-lived credentials, key rotation, access logging

Instructions

Never Hardcode Secrets:

No API keys, passwords, or private keys in source code
No secrets in configuration files checked into git
Audit git history for accidentally committed secrets (use git-secrets, truffleHog)
If found, revoke immediately and rotate

Use Secure Vault:

HashiCorp Vault: Centralized, flexible, supports dynamic secrets
AWS Secrets Manager: Managed, integrates with IAM, automatic rotation
Azure Key Vault: Microsoft-native, integrates with Entra ID
Kubernetes Secrets: For containerized deployments (note: base64-encoded, not encrypted by default)
Load secrets at runtime, not at build time

Environment Variables (for development):

Store secrets in .env files (never commit to git; add to .gitignore)
Load with python-dotenv, go-dotenv, or similar
In production, use managed secrets service instead

Access Control:

Principle of least privilege: Only services/users that need a secret can access it
Audit logging: Track all secret access (who, when, which secret)
Time-bound access: Temporary credentials for sensitive operations
MFA/approval required for sensitive secret access (e.g., production database password)

Key Rotation:

Rotate API keys annually or quarterly (NIST recommendation)
Rotate immediately after suspected compromise
Rolling rotation: Deploy new key, keep old key for grace period, then disable
Automatic rotation: Many managed services (AWS RDS, Google Cloud SQL) support automatic credential rotation

Secrets in Logs:

Configure logging to redact secrets (API keys, tokens, passwords)
Never log authentication headers or request bodies with credentials
Sanitize error messages that might leak secrets
Example regex for log redaction: Authorization: Bearer [^,\s]* → Authorization: Bearer ***

Certificate Management:

TLS certificates: Store private key in vault, not in version control
Rotate certificates before expiry (e.g., 30 days before)
Use ACME (Let's Encrypt) for automatic renewal
Monitor certificate expiry; alert if not renewed in time

Anti-Patterns

Storing secrets in environment variables on disk (.env files in production); use managed secrets service

Using the same secret across environments (dev, staging, prod); each environment should have separate, rotation-locked secrets

Never rotating secrets; rotation is standard practice, not optional

Logging secrets (even "by accident"); configure logging redaction; don't rely on developers to avoid logging secrets

Sharing secrets between services; each service should have its own credentials with narrowly scoped permissions

Domain Context

Secrets: API keys, database passwords, encryption keys, OAuth tokens, TLS certificates, private signing keys

Threat: Hardcoded secrets, secrets in logs, secrets in version control, secrets on developer machines

Controls: Secure vaults, environment variables, short-lived credentials, key rotation, access logging

Instructions

Never Hardcode Secrets:

No API keys, passwords, or private keys in source code
No secrets in configuration files checked into git
Audit git history for accidentally committed secrets (use git-secrets, truffleHog)
If found, revoke immediately and rotate

Use Secure Vault:

HashiCorp Vault: Centralized, flexible, supports dynamic secrets
AWS Secrets Manager: Managed, integrates with IAM, automatic rotation
Azure Key Vault: Microsoft-native, integrates with Entra ID
Kubernetes Secrets: For containerized deployments (note: base64-encoded, not encrypted by default)
Load secrets at runtime, not at build time

Environment Variables (for development):

Store secrets in .env files (never commit to git; add to .gitignore)
Load with python-dotenv, go-dotenv, or similar
In production, use managed secrets service instead

Access Control:

Principle of least privilege: Only services/users that need a secret can access it
Audit logging: Track all secret access (who, when, which secret)
Time-bound access: Temporary credentials for sensitive operations
MFA/approval required for sensitive secret access (e.g., production database password)

Key Rotation:

Rotate API keys annually or quarterly (NIST recommendation)
Rotate immediately after suspected compromise
Rolling rotation: Deploy new key, keep old key for grace period, then disable
Automatic rotation: Many managed services (AWS RDS, Google Cloud SQL) support automatic credential rotation

Secrets in Logs:

Configure logging to redact secrets (API keys, tokens, passwords)
Never log authentication headers or request bodies with credentials
Sanitize error messages that might leak secrets
Example regex for log redaction: Authorization: Bearer [^,\s]* → Authorization: Bearer ***

Certificate Management:

TLS certificates: Store private key in vault, not in version control
Rotate certificates before expiry (e.g., 30 days before)
Use ACME (Let's Encrypt) for automatic renewal
Monitor certificate expiry; alert if not renewed in time

Anti-Patterns

Storing secrets in environment variables on disk (.env files in production); use managed secrets service

Using the same secret across environments (dev, staging, prod); each environment should have separate, rotation-locked secrets

Never rotating secrets; rotation is standard practice, not optional

Logging secrets (even "by accident"); configure logging redaction; don't rely on developers to avoid logging secrets

Sharing secrets between services; each service should have its own credentials with narrowly scoped permissions

secrets-management

secrets-management

Secrets Management

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Secrets Management

Context

Domain Context

Instructions

Anti-Patterns

Further Reading