PluginBench
Skill
Fail
Audit score 45

secrets-management

wshobson/agents

Secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, and native platform solutions.

What is secrets-management?

Implement secure handling of sensitive credentials, API keys, and certificates in CI/CD pipelines without hardcoding. Use this skill when storing secrets, rotating credentials, managing database passwords, or securing CI/CD environments across Vault, AWS, Azure, GCP, GitHub, and GitLab platforms.

  • Store and retrieve API keys, credentials, and certificates securely
  • Integrate with HashiCorp Vault for centralized secrets management with dynamic generation and rotation
  • Use AWS Secrets Manager for AWS-native secret storage with automatic rotation and RDS integration
  • Implement GitHub and GitLab native secret management with environment-specific access control
  • Rotate secrets automatically using Lambda functions or manual processes
  • Scan repositories for accidentally committed secrets using TruffleHog and pre-commit hooks

How to install secrets-management

npx skills add https://github.com/wshobson/agents --skill secrets-management
Prerequisites
  • Access to a secrets management platform (Vault, AWS Secrets Manager, Azure Key Vault, or Google Secret Manager)
  • CI/CD platform configured (GitHub Actions, GitLab CI, or similar)
  • AWS CLI or equivalent platform CLI for secret operations
  • Docker (optional, for running Vault dev server or TruffleHog)

How to use secrets-management

  1. Choose a secrets management platform (Vault for self-hosted or multi-cloud, AWS Secrets Manager for AWS, or native GitHub/GitLab secrets)
  2. Set up the platform: initialize Vault, create AWS secrets, or configure GitHub/GitLab organization secrets
  3. Store sensitive values (passwords, API keys, certificates) in your chosen platform
  4. Integrate with your CI/CD pipeline using the provided examples (GitHub Actions, GitLab CI, or Terraform)
  5. Configure secret rotation policies and audit logging
  6. Add secret scanning to your pre-commit hooks or CI/CD pipeline to prevent accidental commits
  7. Test secret retrieval and masking in logs before deploying to production

Use cases

Good for
  • Store database passwords and retrieve them in Terraform or application deployments
  • Integrate Vault with GitHub Actions or GitLab CI to inject secrets into pipeline jobs
  • Rotate AWS RDS passwords automatically using Lambda and Secrets Manager
  • Prevent secret leaks by scanning Git repositories with TruffleHog before commits
  • Manage TLS certificates and API keys across multiple environments with least-privilege access
Who it's for
  • DevOps engineers implementing secure CI/CD pipelines
  • Platform engineers managing multi-environment deployments
  • Security teams enforcing secret management policies
  • Infrastructure teams using Terraform or CloudFormation
  • Kubernetes operators managing application secrets

secrets-management FAQ

Should I use Vault, AWS Secrets Manager, or GitHub Secrets?

Use GitHub/GitLab native secrets for simple projects with few secrets. Use AWS Secrets Manager if you're AWS-native and need automatic rotation. Use Vault for multi-cloud, self-hosted, or complex access control requirements.

How do I prevent secrets from being printed in CI/CD logs?

Use the `::add-mask::` workflow command in GitHub Actions (values read from `${{ secrets.* }}` are masked automatically, but values you fetch at runtime from Vault or AWS are not until you register them), mark variables as masked in GitLab CI, and never echo secrets directly. Masking only hides the exact string that was registered: the same value base64- or URL-encoded, or printed in pieces, still leaks. The provided examples show proper masking patterns.
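Because platform masking matches only the literal string, a "test masking before production" step should check captured job output for encoded forms as well. The following Python helper is an added example, not code from the wshobson/agents skill: it looks for a secret in its raw, URL-encoded, hex and base64 forms, decodes base64 tokens to catch a Basic-auth header that embeds the secret, and scrubs whatever it finds. The secret value and the log lines are constructed for the demonstration.

```python
"""Check captured CI log output for secrets that exact-string masking misses.

Added example (not part of the wshobson/agents skill). GitHub's ::add-mask::
and GitLab masked variables replace the registered string only; the same
value inside a base64 Basic-auth header, a URL query string or a hex dump is
printed untouched. leaks_in() finds those encodings, redact() scrubs them.
"""
import base64
import binascii
import re
import urllib.parse

# Runs of base64 alphabet long enough to hold a credential. These are decoded
# and inspected rather than matched literally, so "user:secret" headers are caught.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def direct_variants(secret: str) -> set:
    """Encodings of the secret that appear as a plain substring of a log line."""
    return {
        secret,
        urllib.parse.quote(secret, safe=""),            # ?token=hunter2%2F...
        secret.encode().hex(),                          # hex dumps, debug output
        base64.b64encode(secret.encode()).decode(),     # the secret alone, base64
    }


def leaks_in(text: str, secrets: list) -> list:
    """Return every substring of `text` that reveals one of `secrets`, either
    directly or inside a base64 token whose decoded form contains it.
    Longest first, so a redaction pass cannot leave a remnant of a longer form."""
    found = set()
    for secret in secrets:
        found |= {v for v in direct_variants(secret) if v in text}
    for match in B64_TOKEN.finditer(text):
        token = match.group()
        try:
            padded = token + "=" * (-len(token) % 4)
            decoded = base64.b64decode(padded).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all; a long identifier or hash
        if any(secret in decoded for secret in secrets):
            found.add(token)
    return sorted(found, key=len, reverse=True)


def redact(text: str, secrets: list, marker: str = "***") -> str:
    """Scrub every leak reported by leaks_in(); a no-op on clean text."""
    for leak in leaks_in(text, secrets):
        text = text.replace(leak, marker)
    return text


# Constructed sample: a secret and the output of a careless deploy step that
# never printed the raw value, yet exposed it twice.
SECRET = "hunter2/p4ss+word!"
BASIC_TOKEN = base64.b64encode(f"admin:{SECRET}".encode()).decode()
SAMPLE_LOG = (
    "[deploy] connecting as admin\n"
    f"[debug] Authorization: Basic {BASIC_TOKEN}\n"
    f"[debug] GET /hook?token={urllib.parse.quote(SECRET, safe='')}\n"
    "[deploy] done\n"
)

if __name__ == "__main__":
    print("leaks:", len(leaks_in(SAMPLE_LOG, [SECRET])))
    print(redact(SAMPLE_LOG, [SECRET]))
```

Run it over the job log you saved from a staging deploy; a non-empty `leaks_in()` result means the step that produced that line needs fixing, not just another `::add-mask::`.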

How often should I rotate secrets?

Rotate credentials every 30-90 days depending on sensitivity. Use automatic rotation where available (AWS Secrets Manager, Vault). The skill includes Lambda examples for automated rotation.

Can I use secrets management with Kubernetes?

Yes, use the External Secrets Operator to sync secrets from Vault or AWS Secrets Manager into Kubernetes. The skill includes a complete YAML example for this integration.

What if I accidentally commit a secret to Git?

Treat the secret as compromised and rotate it in your secrets manager immediately. Rewriting or deleting the commit does not undo the exposure: the value may already have been fetched by a clone, mirror or scanner. Use TruffleHog or GitGuardian to scan the full history for other leaks, and add pre-commit hooks (included in this skill) to prevent future commits.

Full instructions (SKILL.md)

Source of truth, from wshobson/agents.


name: secrets-management
description: Implement secure secrets management for CI/CD pipelines using Vault, AWS Secrets Manager, or native platform solutions. Use when handling sensitive credentials, rotating secrets, or securing CI/CD environments.

Secrets Management

Secure secrets management practices for CI/CD pipelines using Vault, AWS Secrets Manager, and other tools.

Purpose

Implement secure secrets management in CI/CD pipelines without hardcoding sensitive information.

When to Use

  • Store API keys and credentials
  • Manage database passwords
  • Handle TLS certificates
  • Rotate secrets automatically
  • Implement least-privilege access

Secrets Management Tools

HashiCorp Vault

  • Centralized secrets management
  • Dynamic secrets generation
  • Secret rotation
  • Audit logging
  • Fine-grained access control

AWS Secrets Manager

  • AWS-native solution
  • Automatic rotation
  • Integration with RDS
  • CloudFormation support

Azure Key Vault

  • Azure-native solution
  • HSM-backed keys
  • Certificate management
  • RBAC integration

Google Secret Manager

  • GCP-native solution
  • Versioning
  • IAM integration

HashiCorp Vault Integration

Setup Vault

# Start a Vault dev server: in-memory, unsealed, plaintext HTTP, runs in the
# foreground. For local experiments only, never for real secrets.
# -dev-root-token-id pins the root token; otherwise copy it from the server output.
vault server -dev -dev-root-token-id=root

# In a second terminal, point the CLI at it
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'

# Dev mode already mounts a kv-v2 engine at secret/; on a non-dev server enable it:
# vault secrets enable -path=secret kv-v2

# Store a secret. Use password=- to read the value from stdin (or key=@file)
# so it does not land in shell history.
vault kv put secret/database/config username=admin password=secret

GitHub Actions with Vault

name: Deploy with Vault Secrets

on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # vault-action registers every imported value with ::add-mask:: for you.
      # A static VAULT_TOKEN works but is a long-lived credential; prefer
      # method: jwt with a Vault role bound to this repository (GitHub OIDC).
      - name: Import Secrets from Vault
        uses: hashicorp/vault-action@v2
        with:
          url: https://vault.example.com:8200
          token: ${{ secrets.VAULT_TOKEN }}
          # kv-v2 paths include the data/ segment; these match the secrets stored above
          secrets: |
            secret/data/database/config username | DB_USERNAME ;
            secret/data/database/config password | DB_PASSWORD ;
            secret/data/api/credentials key | API_KEY

      - name: Use secrets
        run: |
          echo "Connecting to database as $DB_USERNAME"
          # $DB_PASSWORD and $API_KEY are available as env vars; never echo them

GitLab CI with Vault

deploy:
  # The unprefixed "vault" Docker Hub image is no longer updated; use hashicorp/vault
  image: hashicorp/vault:1.17
  before_script:
    - export VAULT_ADDR=https://vault.example.com:8200
    # VAULT_TOKEN is supplied as a masked, protected CI/CD variable
    - apk add curl jq
  script:
    - |
      DB_PASSWORD=$(vault kv get -field=password secret/database/config)
      API_KEY=$(vault kv get -field=key secret/api/credentials)
      echo "Deploying with secrets..."
      # Use $DB_PASSWORD, $API_KEY. GitLab masks only variables it injected;
      # values fetched at runtime like these are printed verbatim if echoed.

Reference: See references/vault-setup.md

AWS Secrets Manager

Store Secret

# Store username and password together as one JSON document, the shape the
# Terraform example below decodes. Passing the value via file:// keeps it out
# of shell history and process listings.
cat > /tmp/db-secret.json <<'EOF'
{"username": "admin", "password": "super-secret-password"}
EOF
aws secretsmanager create-secret \
  --name production/database/password \
  --secret-string file:///tmp/db-secret.json
rm /tmp/db-secret.json

Retrieve in GitHub Actions

# Long-lived access keys in repository secrets work, but OIDC federation
# (permissions: id-token: write plus role-to-assume) removes the stored key entirely
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-west-2

- name: Get secret from AWS
  run: |
    # The secret is a JSON document: extract the field, then mask that exact
    # value before anything else can print it. Masking the whole JSON string
    # would not hide the password when it is printed on its own.
    DB_PASSWORD=$(aws secretsmanager get-secret-value \
      --secret-id production/database/password \
      --query SecretString \
      --output text | jq -r .password)
    echo "::add-mask::$DB_PASSWORD"
    echo "DB_PASSWORD=$DB_PASSWORD" >> "$GITHUB_ENV"

- name: Use secret
  run: |
    # $DB_PASSWORD is set from the previous step; never echo it
    ./deploy.sh

Terraform with AWS Secrets Manager

data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "production/database/password"
}

locals {
  # Secret stored as {"username": "...", "password": "..."}
  db_creds = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)
}

resource "aws_db_instance" "main" {
  allocated_storage = 100
  engine            = "postgres"
  instance_class    = "db.t3.large"
  username          = local.db_creds["username"]
  # Marked sensitive in plan output, but still written to Terraform state:
  # encrypt the state backend and restrict who can read it.
  password          = local.db_creds["password"]
}

GitHub Secrets

Organization/Repository Secrets

- name: Use GitHub secret
  env:
    API_KEY: ${{ secrets.API_KEY }}
    DATABASE_URL: ${{ secrets.DATABASE_URL }}
  run: |
    # Secrets are injected as env vars — never print them to logs
    ./deploy.sh

Environment Secrets

deploy:
  runs-on: ubuntu-latest
  environment: production
  steps:
    - name: Deploy
      env:
        PROD_API_KEY: ${{ secrets.PROD_API_KEY }}
      run: |
        # Secret injected as env var — never print to logs
        ./deploy.sh

Reference: See references/github-secrets.md

GitLab CI/CD Variables

Project Variables

deploy:
  script:
    # $API_KEY and $DATABASE_URL are injected from project CI/CD variables.
    # Use them in commands; never echo them, since masking is opt-in per variable.
    - ./deploy.sh

Protected and Masked Variables

  • Protected: only exposed to jobs on protected branches and tags
  • Masked: hidden in job logs; the value must satisfy GitLab's masking rules (a single line of at least 8 characters from a limited character set)
  • File: the value is written to a temporary file and the variable holds its path, which suits certificates and kubeconfigs

Best Practices

  1. Never commit secrets to Git
  2. Use different secrets per environment
  3. Rotate secrets regularly
  4. Implement least-privilege access
  5. Enable audit logging
  6. Use secret scanning (GitGuardian, TruffleHog)
  7. Mask secrets in logs
  8. Encrypt secrets at rest
  9. Use short-lived tokens when possible
  10. Document secret requirements

Secret Rotation

Automated Rotation with AWS

import json

import boto3

client = boto3.client('secretsmanager')


def update_database_password(username, password):
    # Engine-specific (e.g. ALTER USER ... PASSWORD ... through the DB driver); not shown here
    raise NotImplementedError


def verify_database_login(username, password):
    # Engine-specific: open a connection with the pending credentials, raise on failure
    raise NotImplementedError


def lambda_handler(event, context):
    # Secrets Manager invokes this function four times per rotation, once per Step,
    # and identifies the new version being built with ClientRequestToken.
    arn, token, step = event['SecretId'], event['ClientRequestToken'], event['Step']

    if step == 'createSecret':
        # Stage a candidate password as AWSPENDING; AWSCURRENT is left untouched
        current = json.loads(client.get_secret_value(SecretId=arn, VersionStage='AWSCURRENT')['SecretString'])
        try:
            client.get_secret_value(SecretId=arn, VersionId=token, VersionStage='AWSPENDING')
            return  # already staged by an earlier attempt; keep the step idempotent
        except client.exceptions.ResourceNotFoundException:
            pass
        new_password = client.get_random_password(PasswordLength=32, ExcludeCharacters='"@/\\')['RandomPassword']
        client.put_secret_value(
            SecretId=arn, ClientRequestToken=token, VersionStages=['AWSPENDING'],
            SecretString=json.dumps({'username': current['username'], 'password': new_password}))

    elif step == 'setSecret':
        pending = json.loads(client.get_secret_value(SecretId=arn, VersionId=token, VersionStage='AWSPENDING')['SecretString'])
        update_database_password(pending['username'], pending['password'])

    elif step == 'testSecret':
        pending = json.loads(client.get_secret_value(SecretId=arn, VersionId=token, VersionStage='AWSPENDING')['SecretString'])
        verify_database_login(pending['username'], pending['password'])  # raising here leaves the old secret current

    elif step == 'finishSecret':
        # Promote AWSPENDING to AWSCURRENT; Secrets Manager relabels the old version AWSPREVIOUS
        stages = client.describe_secret(SecretId=arn)['VersionIdsToStages']
        current_id = next(v for v, s in stages.items() if 'AWSCURRENT' in s)
        if current_id != token:
            client.update_secret_version_stage(SecretId=arn, VersionStage='AWSCURRENT',
                                               MoveToVersionId=token, RemoveFromVersionId=current_id)
    else:
        raise ValueError(f'unknown rotation step: {step}')

Manual Rotation Process

  1. Generate the new secret
  2. Store it in the secret store as a new version, keeping the old one valid
  3. Update applications to use the new secret
  4. Verify functionality with the new secret
  5. Only then revoke the old secret; revoking before step 4 passes turns a failed rotation into an outage

External Secrets Operator

Kubernetes Integration

# SecretStore: how ESO authenticates to Vault. Kubernetes auth binds the store
# to a Vault role, so no Vault token has to be kept in the cluster.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: production
spec:
  provider:
    vault:
      server: "https://vault.example.com:8200"
      path: "secret"
      version: "v2"   # ESO adds the kv-v2 data/ path segment itself
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "production"

---
# ExternalSecret: what to sync. The resulting Kubernetes Secret is base64 in
# etcd, not encrypted: enable encryption at rest and restrict RBAC on it.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
  namespace: production
spec:
  refreshInterval: 1h   # rotated values in Vault reach the cluster within this interval
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: database-credentials
    creationPolicy: Owner
  data:
    - secretKey: username
      remoteRef:
        key: database/config
        property: username
    - secretKey: password
      remoteRef:
        key: database/config
        property: password

Secret Scanning

Pre-commit Hook

#!/bin/bash
# .git/hooks/pre-commit
# Hooks in .git/hooks are not versioned; share this via core.hooksPath or the pre-commit framework.

# Scan what this commit adds: the git source with --since-commit HEAD diffs
# against the current tip instead of re-scanning the whole tree. --fail makes
# TruffleHog exit non-zero on a finding; without it the exit status is always 0
# and the check below never fires.
docker run --rm -i -v "$(pwd):/workdir" \
  trufflesecurity/trufflehog:3.88 \
  git file:///workdir --since-commit HEAD --results=verified,unknown --fail

if [ $? -ne 0 ]; then
  echo "❌ Secret detected! Commit blocked."
  exit 1
fi

CI/CD Secret Scanning

secret-scan:
  stage: security
  image:
    name: trufflesecurity/trufflehog:3.88
    entrypoint: [""]   # the image's entrypoint is trufflehog itself; clear it so the runner can start a shell
  variables:
    GIT_DEPTH: 0       # full clone, so the whole history is scanned rather than a shallow checkout
  script:
    # --fail turns a finding into a non-zero exit status, which is what fails the job
    - trufflehog git file://. --results=verified,unknown --fail
  allow_failure: false
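The pre-commit hook and the CI job above both delegate detection to TruffleHog. To make the two mechanisms scanners rely on concrete, here is a small Python detector, added as an example and not part of the wshobson/agents skill: it matches issuer-documented credential formats (AWS access key IDs, GitHub and Slack tokens, PEM private-key headers) and flags long values assigned to sensitive-looking names whose Shannon entropy is too high for a placeholder. The patterns, the entropy threshold, the allowlist marker and the sample file are choices made for this example; the AWS key in the sample is the placeholder AWS uses in its own documentation.

```python
"""Minimal staged-change secret detector (added example, not the skill's code).

Two checks that real scanners combine: known credential shapes, and the
entropy of long assigned values to catch generic passwords and API keys.
"""
import math
import re
import sys

# Credential shapes with issuer-documented prefixes.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}
# A sensitive-looking name assigned a long token: candidate for the entropy check.
ASSIGNMENT = re.compile(
    r"""(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{16,})"""
)
ENTROPY_THRESHOLD = 4.0  # bits/char: ~3.7 for an English placeholder, 5.0 for 32 distinct chars
ALLOWLIST_MARKER = "allowlist secret"  # reviewer opt-out for test fixtures, as detect-secrets does


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value`; 0.0 for an empty string."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, filename: str = "<stdin>") -> list:
    """Return findings as {file, line, rule}. The matched value is deliberately
    left out: a scanner that prints the secret into the CI log leaks it again."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOWLIST_MARKER in line:
            continue
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": filename, "line": lineno, "rule": rule})
        match = ASSIGNMENT.search(line)
        if match and shannon_entropy(match.group(2)) >= ENTROPY_THRESHOLD:
            findings.append({"file": filename, "line": lineno,
                             "rule": "high_entropy_" + match.group(1).lower()})
    return findings


# Constructed sample: a settings file someone is about to commit. Line 4 is a
# low-entropy placeholder and must not fire; line 6 is an allowlisted fixture.
SAMPLE = """\
# settings.ini
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_aK3dZ9qLm2Xv8Rt4Yp7Wn1Jc6Hb5Gf0EQr9s
db_password = CHANGEME_BEFORE_DEPLOY_CHANGEME
api_key = "aK3dZ9qLm2Xv8Rt4Yp7Wn1Jc6Hb5Gf0E"
fixture_token = "aK3dZ9qLm2Xv8Rt4Yp7Wn1Jc6Hb5Gf0E"  # allowlist secret
-----BEGIN RSA PRIVATE KEY-----
"""


def main(paths: list) -> int:
    """Scan the given files (or the sample when none are given) and return a
    non-zero status on any finding, so the script can gate a commit or a job."""
    if paths:
        findings = []
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += scan_text(fh.read(), path)
    else:
        findings = scan_text(SAMPLE, "settings.ini")
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['rule']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wire it in with `git diff --cached --name-only -z | xargs -0 python3 scan_secrets.py` to cover only staged files. The entropy rule is what produces false positives in practice; that is why TruffleHog's `--results=verified` goes one step further and checks a candidate against the issuer's API before reporting it.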

Related Skills

  • github-actions-templates - For GitHub Actions integration
  • gitlab-ci-patterns - For GitLab CI integration
  • deployment-pipeline-design - For pipeline architecture