Section 29 · Code Quality & Architecture
Secrets Management
How secrets are stored, loaded, and protected across environments
This guide walks you through auditing a project's secrets management practices - how secrets are stored, loaded, and protected.
The Goal: Zero Leaked Secrets
Secrets should never be reachable from source code or version control, never readable without explicit authorization, and never shared between environments.
- Managed secrets — production credentials live in a dedicated secret manager with rotation and audit trails
- Environment injection — secrets are delivered to the process at startup by the platform, never read from a plaintext .env or config file on the host at runtime
- No git exposure — nothing committed to version control, with scanning in place to block new leaks and to find old ones
- Isolated environments — dev, staging, and prod use completely separate credentials, so compromising one does not expose another
- Least privilege — each workload reads only the secrets it needs through its own service account; human read access is limited and audited
Before You Start
- Identify deployment target (GCP, AWS, Azure, self-hosted, etc.)
- Identify secret manager in use (GCP Secret Manager, AWS Secrets Manager, Vault, Doppler, etc.)
- Understand deployment method (Kubernetes, Docker, serverless, VMs, etc.)
- Check for existing secret scanning tools (gitleaks, trufflehog, GitHub secret scanning)
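If no scanner is in place yet, the following shows what such a tool does under the hood and can serve as a stop-gap pre-commit hook or one-off history scan (the same full-history check the Secret Security section asks about). It is an added example, not the project's tooling and not the rule set of gitleaks or trufflehog; the rules, the entropy threshold and the SAMPLE_DIFF are constructed for illustration.

```python
"""Minimal leaked-secret scanner: format rules plus an entropy filter.

Added example, not the project's tooling; the rule set is a small
hypothetical subset of what gitleaks/trufflehog ship with.
"""
import math
import re
import subprocess
from typing import List

# Format-specific rules: a hit is reported regardless of entropy.
FORMAT_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic rule: `password = "..."`-style assignments. The captured value is
# entropy-checked so placeholders ("changeme", "placeholder...") are not reported.
GENERIC_RULE = re.compile(
    r"(?i)(?:secret|password|passwd|api[_-]?key|token)\w*\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; a tuning assumption, not a standard


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    """Never echo a full candidate secret into scanner output or CI logs."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str) -> List[dict]:
    """One finding per line that looks like a secret. 'line' is the line of
    the scanned text (for `git log -p` output, not the file line number).
    Removed ('-') diff lines are scanned too: a secret deleted in a later
    commit is still recoverable from history."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = False
        for rule, pattern in FORMAT_RULES.items():
            m = pattern.search(line)
            if m:
                findings.append({"rule": rule, "line": lineno, "match": redact(m.group(0))})
                hit = True
        if hit:
            continue  # don't double-report a known format as a generic hit
        m = GENERIC_RULE.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append({"rule": "high-entropy-assignment", "line": lineno,
                             "match": redact(m.group(1))})
    return findings


def scan_git(args: List[str]) -> List[dict]:
    """Scan the output of a git command, e.g.
    scan_git(["diff", "--cached"])    -> staged changes (pre-commit hook)
    scan_git(["log", "-p", "--all"])  -> full history on every branch
    """
    out = subprocess.run(["git", *args], capture_output=True, text=True, check=True).stdout
    return scan_text(out)


# Constructed sample patch. The AWS key is AWS's documented example key and
# the other values are made up; none is a real credential.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
-DB_PASSWORD = "x9Kq2LmZ7vR4pT1wB8nH"
+password = "changeme"
+SECRET_KEY = "placeholderplaceholder"
+token = os.environ["API_TOKEN"]
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f)
```

Run it over `git log -p --all` for history and over `git diff --cached` from a pre-commit hook. A hit on a removed line is still a leak, because the old commit remains recoverable, and the output stays redacted on purpose: CI logs are one more place a secret can escape.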
Secret Storage
- Production secrets are managed by a dedicated secret manager with rotation and audit capabilities.
  “Where are your production secrets stored right now?”
- Secrets are injected into the process environment at startup, not read from files at runtime. A core dump captures process memory, environment block included, so either disable core dumps for the service (RLIMIT_CORE, `ulimit -c 0`) or protect wherever they are written as strictly as the secret manager itself.
  “Would a crash dump expose any credentials?”
- Secrets exist only in memory after injection; there are no plaintext secret files on production servers. Environment variables are inherited by every child process and are typically readable by other processes running as the same user (on Linux via /proc/<pid>/environ), so strip them from the environment handed to subprocesses and run secret-bearing services under their own user. A tmpfs-backed file mounted by the platform (a Kubernetes Secret volume, for example) is still startup injection; what this check targets is a .env or config file that someone copied onto the box.
  “Any .env files sitting on a production server right now?”
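One way to make the three checks above hold in code, as an added example rather than the project's own startup code: secrets are read once from the environment, the process refuses to start in production if a .env file is present or a required secret is missing, values are wrapped so they never appear in reprs or tracebacks, and the environment passed to child processes is scrubbed. The APP_SECRET_ prefix, the APP_ENV variable and the secret names are assumptions.

```python
"""Startup-time secret loading from the process environment (added example).

Assumed conventions, not from the page: the platform injects secrets as
APP_SECRET_<NAME> environment variables and sets APP_ENV to the environment
name. Everything here is illustrative.
"""
import os
import subprocess
from typing import Callable, Dict, Mapping, Tuple

SECRET_PREFIX = "APP_SECRET_"
PRODUCTION_ENVS = {"prod", "production"}


class SecretError(RuntimeError):
    """Raised when the process must not start; messages name secrets, never values."""


class Secret:
    """Holds one secret value; str()/repr() show '<redacted>' so a stray log
    line, traceback or error-reporter payload does not leak it."""
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


def load_secrets(env: Mapping[str, str], required: Tuple[str, ...],
                 dotenv_path: str = ".env",
                 exists: Callable[[str], bool] = os.path.exists) -> Dict[str, Secret]:
    """Read every required secret from `env` at startup.

    * In production, refuse to start if a .env file sits next to the app:
      a plaintext file on the host is exactly what the check is looking for.
    * Fail fast listing the *names* of missing secrets, so a misconfigured
      deploy dies immediately instead of running with an empty password.
    """
    app_env = env.get("APP_ENV", "dev")
    if app_env in PRODUCTION_ENVS and exists(dotenv_path):
        raise SecretError(f"{dotenv_path} present in {app_env}; secrets must be "
                          "injected from the secret manager, not read from a file")
    secrets: Dict[str, Secret] = {}
    missing = []
    for name in required:
        key = SECRET_PREFIX + name
        if env.get(key):
            secrets[name] = Secret(env[key])
        else:
            missing.append(key)
    if missing:
        raise SecretError("missing required secrets: " + ", ".join(missing))
    return secrets


def startup_check(env: Mapping[str, str], required: Tuple[str, ...],
                  exists: Callable[[str], bool] = os.path.exists) -> str:
    """'' if the process may start, otherwise the reason (usable as a CI gate)."""
    try:
        load_secrets(env, required, exists=exists)
        return ""
    except SecretError as e:
        return str(e)


def child_env(env: Mapping[str, str]) -> Dict[str, str]:
    """Environment for subprocesses. A child inherits the whole environment,
    so strip the secrets before spawning anything that does not need them."""
    return {k: v for k, v in env.items() if not k.startswith(SECRET_PREFIX)}


def scrub_process_env(environ) -> None:
    """Drop loaded secrets from os.environ once they are held in Secret objects,
    so later os.environ dumps (debug pages, error reporters) omit them. This does
    not rewrite the initial environment block the kernel exposes via /proc/<pid>/environ."""
    for key in [k for k in environ if k.startswith(SECRET_PREFIX)]:
        del environ[key]


if __name__ == "__main__":
    problem = startup_check(os.environ, ("DB_PASSWORD",))
    if problem:
        raise SystemExit(f"refusing to start: {problem}")
    secrets = load_secrets(os.environ, ("DB_PASSWORD",))
    scrub_process_env(os.environ)
    print(secrets)  # the repr never shows the value
    subprocess.run(["env"], env=child_env(os.environ), check=False)
```

`reveal()` is the only way to get the raw value, which makes every use of a secret greppable in code review; the same pattern works for any language with a configurable string representation.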
Secret Security
- Secret scanning is in place, both as a pre-commit/CI gate that blocks new commits and as a one-time scan of the full history to find past leaks. A secret found in history is compromised even if the commit was later reverted or rewritten, since old commits remain in existing clones, reflogs and often on the hosting provider; rotate it, don't just delete it.
  “Has anyone actually scanned your full git history for leaks?”
- Each environment has completely separate credentials; compromising one does not expose the others.
  “Would a staging breach give access to production data?”
- Secret access follows least privilege: a dedicated service account per workload, limited and audited human access, and an audit trail for every read.
  “How many people on your team can read production database passwords?”
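To turn the two environment questions above into a repeatable check, here is an added example (not the project's tooling) that audits IAM-style policy documents for cross-environment and wildcard secret access and lists the humans who can read production secrets. It assumes AWS Secrets Manager, a `<environment>/<name>` secret naming convention, and an inventory of principals tagged with their environment; the principals, account id and policies are constructed.

```python
"""Static cross-environment check over IAM-style policies (added example).

Assumptions, not from the page: the deployment is on AWS, secrets are named
<environment>/<name> in Secrets Manager, and each principal carries the
environment it belongs to. Real IAM evaluation also applies explicit denies,
SCPs, permission boundaries and resource policies; this is a first-pass
audit of Allow statements only.
"""
from fnmatch import fnmatchcase
from typing import List

# Actions that return secret material. DescribeSecret/ListSecrets do not.
READ_ACTIONS = ("secretsmanager:GetSecretValue", "secretsmanager:BatchGetSecretValue")


def secret_env(resource: str) -> str:
    """Environment segment of a Secrets Manager ARN under the assumed naming
    convention: '...:secret:prod/db-password-AbCdEf' -> 'prod'.
    Any wildcard in that segment (or a bare '*') means 'every environment'."""
    if ":secret:" not in resource:
        return "*"
    env = resource.split(":secret:", 1)[1].split("/", 1)[0]
    return "*" if "*" in env or "?" in env else env


def statement_grants_read(stmt: dict) -> bool:
    """True if an Allow statement's Action pattern covers a value-reading action."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return any(fnmatchcase(a, pat) for pat in actions for a in READ_ACTIONS)


def audit(principals: List[dict]) -> List[dict]:
    """Flag reads outside the principal's own environment, wildcard grants,
    and any human who can read production secrets."""
    findings = []
    for p in principals:
        for doc in p["policies"]:
            for stmt in doc.get("Statement", []):
                if not statement_grants_read(stmt):
                    continue
                resources = stmt.get("Resource", [])
                resources = [resources] if isinstance(resources, str) else resources
                for r in resources:
                    env = secret_env(r)
                    if env == "*":
                        findings.append({"principal": p["name"], "issue": "wildcard-secret-access", "resource": r})
                    elif env != p["env"]:
                        findings.append({"principal": p["name"], "issue": "cross-environment", "resource": r})
                    if p["type"] == "human" and env in ("prod", "*"):
                        findings.append({"principal": p["name"], "issue": "human-prod-read", "resource": r})
    return findings


def humans_with_prod_read(principals: List[dict]) -> List[str]:
    """The answer to 'how many people can read production passwords?'."""
    return sorted({f["principal"] for f in audit(principals) if f["issue"] == "human-prod-read"})


def _policy(action, resource):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]}


ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:"  # constructed account id

# Constructed inventory: two correctly scoped service roles, a CI role that
# reaches across environments, a human with a wildcard, and a human whose
# DescribeSecret-only policy is fine.
SAMPLE_PRINCIPALS = [
    {"name": "api-staging", "type": "service", "env": "staging",
     "policies": [_policy("secretsmanager:GetSecretValue", ARN + "staging/*")]},
    {"name": "api-prod", "type": "service", "env": "prod",
     "policies": [_policy("secretsmanager:GetSecretValue", ARN + "prod/db-password-*")]},
    {"name": "ci-deployer", "type": "service", "env": "staging",
     "policies": [_policy("secretsmanager:*", ARN + "prod/*")]},
    {"name": "alice", "type": "human", "env": "dev",
     "policies": [_policy(["secretsmanager:GetSecretValue"], "*")]},
    {"name": "bob", "type": "human", "env": "dev",
     "policies": [_policy("secretsmanager:DescribeSecret", "*")]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PRINCIPALS):
        print(f)
    print("humans with prod read:", humans_with_prod_read(SAMPLE_PRINCIPALS))
```

Feed it the output of your IAM export (or the equivalent bindings from GCP Secret Manager or Vault policies, with the ARN parsing swapped for that provider's resource names) and the three finding types map directly onto the two questions above.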