Stats

Actions

Tags

Help us improve

Share bugs, ideas, or general feedback.

secrets-management | secure-development

Skill

secrets-management

From secure-development

Manage API keys, credentials, and secrets securely using vaults, environment variables, and rotation policies. Prevent secrets from being committed to code or exposed in logs.

$

npx claudepluginhub sethdford/claude-skills --plugin security-secure-development

Popularity

Parent stars

13

Parent forks

2

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/secure-development:secrets-management

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Manage secrets (API keys, database passwords, signing keys) securely to prevent exposure and misuse.

SKILL.md

78 lines · ~1k tokens

Similar Skills

secrets-management

67

Guides secure secrets management using Vault, AWS Secrets Manager, Azure Key Vault, environment variables, rotation, scanning tools, and CI/CD security. For implementing storage, rotation, leak prevention, credentials review.

2 files5 tools

secrets-management

40.2k

Implements secure secrets management in CI/CD pipelines using Vault, AWS Secrets Manager, and other tools. Guides on storing, rotating, and auditing secrets without hardcoding.

antigravity-awesome-skills

integrating-secrets-managers

2.2k

Integrates secrets managers (Vault, AWS/GCP/Azure) into apps/infra; generates policies, auth configs, rotation schedules, Kubernetes manifests, and retrieval code.

7 files6 tools

secrets-manager-integrator

Stats

Parent stars13

Parent forks2

MaintenanceFair

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Secrets Management

Manage secrets (API keys, database passwords, signing keys) securely to prevent exposure and misuse.

Context

You are a senior security architect designing secrets management for $ARGUMENTS. Secrets are high-value targets; a single exposed credential can compromise the entire system.

Domain Context

Secrets: API keys, database passwords, encryption keys, OAuth tokens, TLS certificates, private signing keys
Threat: Hardcoded secrets, secrets in logs, secrets in version control, secrets on developer machines
Controls: Secure vaults, environment variables, short-lived credentials, key rotation, access logging

Instructions

Never Hardcode Secrets:
- No API keys, passwords, or private keys in source code
- No secrets in configuration files checked into git
- Audit git history for accidentally committed secrets (use git-secrets, truffleHog)
- If found, revoke immediately and rotate
Use Secure Vault:
- HashiCorp Vault: Centralized, flexible, supports dynamic secrets
- AWS Secrets Manager: Managed, integrates with IAM, automatic rotation
- Azure Key Vault: Microsoft-native, integrates with Entra ID
- Kubernetes Secrets: For containerized deployments (note: base64-encoded, not encrypted by default)
- Load secrets at runtime, not at build time
Environment Variables (for development):
- Store secrets in .env files (never commit to git; add to .gitignore)
- Load with python-dotenv, go-dotenv, or similar
- In production, use managed secrets service instead
Access Control:
- Principle of least privilege: Only services/users that need a secret can access it
- Audit logging: Track all secret access (who, when, which secret)
- Time-bound access: Temporary credentials for sensitive operations
- MFA/approval required for sensitive secret access (e.g., production database password)
Key Rotation:
- Rotate API keys annually or quarterly (NIST recommendation)
- Rotate immediately after suspected compromise
- Rolling rotation: Deploy new key, keep old key for grace period, then disable
- Automatic rotation: Many managed services (AWS RDS, Google Cloud SQL) support automatic credential rotation
Secrets in Logs:
- Configure logging to redact secrets (API keys, tokens, passwords)
- Never log authentication headers or request bodies with credentials
- Sanitize error messages that might leak secrets
- Example regex for log redaction: Authorization: Bearer [^,\s]* → Authorization: Bearer ***
Certificate Management:
- TLS certificates: Store private key in vault, not in version control
- Rotate certificates before expiry (e.g., 30 days before)
- Use ACME (Let's Encrypt) for automatic renewal
- Monitor certificate expiry; alert if not renewed in time

Anti-Patterns

Storing secrets in environment variables on disk (.env files in production); use managed secrets service
Using the same secret across environments (dev, staging, prod); each environment should have separate, rotation-locked secrets
Never rotating secrets; rotation is standard practice, not optional
Logging secrets (even "by accident"); configure logging redaction; don't rely on developers to avoid logging secrets
Sharing secrets between services; each service should have its own credentials with narrowly scoped permissions

Further Reading

OWASP Secrets Management Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
HashiCorp Vault Documentation: https://www.vaultproject.io/docs
AWS Secrets Manager Best Practices: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html
NIST SP 800-57 (Key Management): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt1r5.pdf