SEC-001 recommended Secret Storage

Use Secret Manager or Equivalent

Production secrets managed by dedicated secret manager with rotation and audit capabilities

Question to ask

"Where are your production secrets stored right now?"

What to check

  • Secret manager SDK in dependencies (GCP, AWS, Vault, Doppler, etc.)
  • Deployment configs use secret injection (Kubernetes secretRef, etc.)
  • CI/CD uses secrets context (not hardcoded)
  • Rotation support configured

Pass criteria

  • Production secrets managed by dedicated secret manager
  • Rotation capability exists
  • Audit trail available for secret access

Related items

SEC-002 No direct IP exposure SEC-003 Cloudflare respects cache-control headers GIT-016 Test results gitignored

Verification guide

Severity: Critical

Production secrets must be managed by a dedicated secret manager (not plain files or environment variables in config). The secret manager should support rotation and provide audit trails.

Check automatically:

  1. Check for secrets manager integrations:
# Node.js/TypeScript
grep -rE "@google-cloud/secret-manager|@aws-sdk/client-secrets-manager|node-vault|hashi-vault-js|doppler|infisical|@1password" package.json 2>/dev/null

# Python
grep -rE "google-cloud-secret-manager|boto3.*secretsmanager|hvac|python-dotenv" requirements*.txt pyproject.toml 2>/dev/null

# Check for SDK usage in code
grep -rE "SecretManager|SecretsManager|Vault\.read|doppler|infisical" src/ lib/ app/ 2>/dev/null
  1. Check deployment configs for secret injection:
# Kubernetes secrets
grep -rE "secretKeyRef|secretRef|envFrom.*secretRef" k8s/ kubernetes/ manifests/ 2>/dev/null

# Docker Compose secrets
grep -rE "secrets:" docker-compose*.yml 2>/dev/null

# Cloud Run / App Engine
grep -rE "secretKeyRef|SECRET_" app.yaml cloudbuild.yaml 2>/dev/null
  1. Check CI/CD for secret injection (not hardcoded):
# GitHub Actions - should use secrets context
grep -rE '\$\{\{ secrets\.' .github/workflows/ 2>/dev/null
  1. Check for rotation support:
# AWS rotation config
grep -rE "rotation|RotationSchedule" terraform/ cloudformation/ 2>/dev/null

# Vault rotation policies
grep -rE "ttl|max_ttl|rotation" vault/ 2>/dev/null

Ask user:

  • "Which secret manager do you use?" (GCP Secret Manager, AWS Secrets Manager, Vault, Doppler, etc.)
  • "Is secret rotation configured?"
  • "Where can you see audit logs for secret access?"

Cross-reference with:

  • SEC-002 (secrets loaded into environment)
  • SEC-003 (not stored on filesystem)
  • GIT-016 (no credentials in repo)

Pass criteria:

  • Production secrets managed by dedicated secret manager
  • Rotation capability exists (even if not automated for all secrets)
  • Audit trail available for secret access

Fail criteria:

  • No secret manager - secrets in plain files or hardcoded
  • No rotation capability
  • No audit trail for who accessed secrets

Evidence to capture:

  • Secret manager in use (name)
  • Rotation policy (automatic, manual, or none)
  • Where audit logs are accessible
  • How secrets reach the application (injection method)

Section

29. Secrets Management

Code Quality & Architecture

← Previous

ARCH-003

Build Performance

 Next →

SEC-002

Secrets Loaded into Process Environment