Pantsir (Панцирь)

Secrets Management

Level: Required
OWASP: ASVS 2.133.3.2
CWE: CWE-798
Updated: 2025-08-20

Keep secrets out of source control. Use a centralized vault, scoped access, rotation, and strong auditing.

Secrets include API keys, database credentials, tokens, and private keys. Exposure leads to immediate compromise.

Requirements

  1. Never commit secrets to source control. Enforce pre-commit scanners.
  2. Store secrets in a dedicated vault (e.g., AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager).
  3. Scope secrets to the minimum privilege required; separate environments by tenant.
  4. Rotate secrets regularly and on demand (incident response, personnel changes).
  5. Access via short-lived credentials; prefer IAM roles over long-lived keys.
  6. Audit access and usage; alert on anomalies.

Examples

Node.js: read secret from environment injected by the platform

// The platform injects DB_URL at runtime from the vault (not in .env)
const url = process.env.DB_URL;
if (!url) throw new Error("DB_URL not configured");
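
The snippet above only checks that the secret is present. The following is an added example (not code from the original page or from the Pantsir project) that extends it into a small accessor covering requirements 4 and 6 as well: it fails closed when a secret is missing without echoing any value, re-reads its source on a short TTL so a rotated secret is picked up without a restart, and offers a redact helper for anything headed to logs. The `source`, `ttlMs` and `now` parameters are assumptions introduced here so the source can be process.env, a vault SDK call, or a constructed map in a test.

```javascript
// Added example, not from the original page. The `source` callback is an
// assumed abstraction: any (name) => string | undefined. By default it reads
// process.env, which the platform populates from the vault at runtime.
function createSecretStore({ source = (name) => process.env[name], ttlMs = 60_000, now = Date.now } = {}) {
  const cache = new Map(); // name -> { value, fetchedAt }

  // Return the current value of a secret, refreshing it from the source once
  // the cached copy is older than ttlMs (rotation without a process restart).
  function get(name) {
    const hit = cache.get(name);
    const t = now();
    if (hit && t - hit.fetchedAt < ttlMs) return hit.value;
    const value = source(name);
    if (typeof value !== "string" || value.length === 0) {
      // Fail closed. Name the variable, never a partial value.
      throw new Error(`secret ${name} not configured`);
    }
    cache.set(name, { value, fetchedAt: t });
    return value;
  }

  // Replace every known secret value in a string before it reaches a log line
  // or an error message.
  function redact(text) {
    let out = String(text);
    for (const { value } of cache.values()) {
      if (value) out = out.split(value).join("[REDACTED]");
    }
    return out;
  }

  // Drop one cached secret (or all of them) so the next get() re-reads the
  // source; call this from an on-demand rotation hook.
  function invalidate(name) {
    if (name === undefined) cache.clear();
    else cache.delete(name);
  }

  return { get, redact, invalidate };
}

// Stand-alone demo with a constructed, non-real connection string.
const demoStore = createSecretStore({
  source: (n) => ({ DB_URL: "postgres://app:example-pass@db.internal/app" })[n],
});
console.log(demoStore.redact(`connecting to ${demoStore.get("DB_URL")}`)); // prints "connecting to [REDACTED]"
```

The TTL is a trade-off: short enough that a rotated credential takes effect quickly, long enough that the vault is not hit on every request. On an incident, call `invalidate()` so the next read bypasses the cache entirely.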

Terraform: reference provider-managed secret

data "aws_secretsmanager_secret_version" "db" {
  secret_id = var.db_secret_id
}

output "db_url" {
  value     = jsondecode(data.aws_secretsmanager_secret_version.db.secret_string)["url"]
  sensitive = true
}

Detection

  • Enable secret scanning in CI (e.g., gitleaks, trufflehog).
  • Block pushes that introduce high-confidence findings.
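
To make the two bullets above concrete, here is an added example (not the page's code, and not gitleaks or trufflehog themselves) of the core of a CI secret scanner: it walks only the added lines of a unified diff, applies a few well-known credential patterns plus a Shannon-entropy check for random-looking quoted tokens, tags each finding with a confidence level, and exposes a gate that blocks the push only on high-confidence findings. The rule set, the entropy threshold of 4.0 bits/char and the sample diff are all constructed for illustration; the AWS key ID in the sample is the placeholder value used in AWS documentation, not a live credential.

```javascript
// Added example, not from the original page. Rules are constructed for
// illustration; a real scanner ships hundreds, with allow-lists and baselines.
const RULES = [
  { id: "aws-access-key-id", confidence: "high", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: "private-key-block", confidence: "high", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { id: "generic-password-assignment", confidence: "medium", re: /\b(?:password|passwd|secret)\s*[:=]\s*["'][^"']{8,}["']/i },
];

// Shannon entropy in bits per character; random tokens score well above
// natural-language identifiers.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan a unified diff and return findings for added lines only, so existing
// (already-baselined) content does not re-trigger on every commit.
function scanDiff(diffText) {
  const findings = [];
  let file = null;
  let lineNo = 0;
  for (const raw of diffText.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(raw);
    if (hunk) { lineNo = Number(hunk[1]) - 1; continue; }
    if (raw.startsWith("-")) continue; // removed lines and "--- a/..." headers
    lineNo += 1; // context and added lines both advance the new-file counter
    if (!raw.startsWith("+")) continue;
    const line = raw.slice(1);
    for (const rule of RULES) {
      if (rule.re.test(line)) findings.push({ file, line: lineNo, rule: rule.id, confidence: rule.confidence });
    }
    // Entropy rule: quoted tokens of 20+ characters that look random.
    for (const m of line.matchAll(/["']([A-Za-z0-9+/=_\-]{20,})["']/g)) {
      if (shannonEntropy(m[1]) > 4.0) {
        findings.push({ file, line: lineNo, rule: "high-entropy-string", confidence: "medium" });
      }
    }
  }
  return findings;
}

// The push gate: block on any high-confidence finding, surface the rest as warnings.
function shouldBlockPush(findings) {
  return findings.some((f) => f.confidence === "high");
}

// Constructed sample diff. The AKIA value is the AWS documentation placeholder.
const SAMPLE_DIFF = [
  "diff --git a/config/app.js b/config/app.js",
  "--- a/config/app.js",
  "+++ b/config/app.js",
  "@@ -1,4 +1,6 @@",
  " module.exports = {",
  "+  awsKey: \"AKIAIOSFODNN7EXAMPLE\",",
  "+  password: \"hunter2-is-too-weak\",",
  "+  token: \"Zq8vN3xL0pR7tYwK2mH5jB9cF4dG6sA1\",",
  "   dbUrl: process.env.DB_URL,",
  " };",
].join("\n");

const sampleFindings = scanDiff(SAMPLE_DIFF);
console.log(JSON.stringify(sampleFindings, null, 2));
console.log("block push:", shouldBlockPush(sampleFindings)); // prints "block push: true"
```

Two design points carry over to any real deployment: scan added lines only, so that a baseline of historical findings does not stop every commit, and keep pattern rules (high confidence, block) separate from entropy heuristics (medium confidence, warn), because the latter fire on hashes, base64 test fixtures and similar benign strings.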

Incident Response

  1. Revoke exposed credentials immediately.
  2. Rotate dependent secrets and tokens.
  3. Review logs to scope impact; invalidate active sessions as needed.

Tags

[Secrets, Vault, Rotation, Least Privilege]