SEC-003 (recommended): Secret Storage

Not Stored on File System

Secrets exist only in memory after environment injection - no files on production servers

Question to ask

"Any .env files sitting on a production server right now?"

What to check

  • No .env files in deployment artifacts
  • .gitignore covers secret patterns
  • Dockerfile doesn't copy secret files
  • No file-based secret loading in production code
  • TLS certs managed by infrastructure, not committed

Pass criteria

  • No .env or secret files deployed to production
  • Secrets exist only in memory
  • No file-based secret loading in production
  • TLS certificates managed by infrastructure or secret manager

Verification guide

Severity: Critical

Secrets should not exist as files on production servers. They exist only in memory after being injected via environment. No .env files, no key files deployed from the codebase.

Check automatically:

  1. Check for secret files in deployment artifacts:

     # .env files that might be deployed
     find . -name ".env" -o -name ".env.production" -o -name ".env.prod" 2>/dev/null | grep -v node_modules

     # Check if .env files are gitignored (they should be)
     grep -E "^\.env" .gitignore 2>/dev/null

     # Secret/key files that shouldn't exist in deployable code
     find . -name "*.pem" -o -name "*.key" -o -name "*secret*" -o -name "*credential*" 2>/dev/null | grep -v node_modules | grep -v test

  2. Check deployment doesn't copy secret files:

     # Dockerfile copying .env files (anti-pattern)
     grep -E "COPY.*\.env|ADD.*\.env" Dockerfile* 2>/dev/null

     # CI/CD writing secrets to files
     grep -rE "echo.*>.*\.env|cat.*>.*secret|write.*\.env" .github/workflows/ 2>/dev/null

  3. Check for file-based secret loading patterns (anti-pattern in prod):

     # Reading secrets from files
     grep -rE "readFileSync.*\.env|read_file.*secret|ioutil\.ReadFile.*secret" src/ lib/ app/ 2>/dev/null

     # Config pointing to file paths for secrets
     grep -rE "SECRET_FILE|KEY_PATH|CREDENTIALS_PATH" src/ lib/ app/ 2>/dev/null

  4. Check deployment documentation for file-based instructions:

     # Docs mentioning scp or copying env files to servers
     grep -rE "scp.*\.env|copy.*\.env.*server|upload.*secret" README.md docs/ DEPLOY.md 2>/dev/null
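The automated checks above can be combined into a single script that scores a repo checkout. The following is an added example, not part of the SEC-003 checklist or its tooling: `check_secret_files` runs the same patterns against a repo root and returns the number of failing checks, and `make_sample_repo` builds a constructed, hypothetical fixture that contains every anti-pattern so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the SEC-003 checklist: automates the "check
# automatically" steps against one repo root and returns the number of
# failed checks (0 = pass). Patterns follow the checklist commands.
check_secret_files() {
  repo="$1"; fails=0
  # 1. secret/key files present in the tree (node_modules excluded)
  hits=$(cd "$repo" && find . -type f \( -name ".env" -o -name ".env.production" \
    -o -name ".env.prod" -o -name "*.pem" -o -name "*.key" \) ! -path "*/node_modules/*")
  if [ -n "$hits" ]; then echo "FAIL secret files in tree:"; echo "$hits"; fails=$((fails+1)); fi
  # 2. .gitignore must cover .env
  if ! grep -qE '^\.env' "$repo/.gitignore" 2>/dev/null; then
    echo "FAIL .gitignore does not cover .env"; fails=$((fails+1)); fi
  # 3. Dockerfile must not copy .env into the image
  if grep -qE '^(COPY|ADD) .*\.env' "$repo"/Dockerfile* 2>/dev/null; then
    echo "FAIL Dockerfile copies .env"; fails=$((fails+1)); fi
  # 4. CI workflows must not write secrets to files
  if grep -rqE 'echo.*>.*\.env|cat.*>.*secret|write.*\.env' "$repo/.github/workflows" 2>/dev/null; then
    echo "FAIL CI writes secrets to a file"; fails=$((fails+1)); fi
  # 5. production code must not load secrets from file paths
  if grep -rqE 'readFileSync.*\.env|read_file.*secret|ioutil\.ReadFile.*secret|SECRET_FILE|KEY_PATH|CREDENTIALS_PATH' \
       "$repo/src" "$repo/lib" "$repo/app" 2>/dev/null; then
    echo "FAIL file-based secret loading in source"; fails=$((fails+1)); fi
  return "$fails"
}

# Constructed fixture (hypothetical repo) containing every anti-pattern above.
make_sample_repo() {
  d=$(mktemp -d)
  mkdir -p "$d/src" "$d/.github/workflows"
  printf 'DB_PASSWORD=placeholder\n' > "$d/.env"
  printf 'node_modules/\n' > "$d/.gitignore"                    # .env not ignored
  printf 'FROM node:20\nCOPY .env /app/.env\n' > "$d/Dockerfile"
  printf 'run: echo "$DB_PASSWORD" > .env\n' > "$d/.github/workflows/deploy.yml"
  printf 'const key = fs.readFileSync(process.env.KEY_PATH)\n' > "$d/src/config.js"
  echo "$d"
}

# Demo: the fixture should fail all five checks.
demo=$(make_sample_repo)
check_secret_files "$demo" || echo "failed checks: $?"
rm -rf "$demo"
```

Run it as `check_secret_files /path/to/checkout` in CI and treat a non-zero return as a SEC-003 failure; the `hits` and FAIL lines are the evidence to capture.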

Ask user:

  • "How do secrets reach your production servers?"
  • "Are any .env files or secret files present on production hosts?"
  • "Does deployment involve copying secret files to servers?"

Cross-reference with:

  • SEC-001 (secret manager is the alternative)
  • SEC-002 (environment injection is the alternative)
  • GIT-016 (no credentials in repo)
  • INFRA-002 (Cloudflare/infrastructure security)

Pass criteria:

  • No .env or secret files deployed to production servers
  • Secrets exist only in memory (injected via environment)
  • No file-based secret loading in production code
  • Deployment process doesn't copy secret files
  • TLS certificates managed by infrastructure (Cloudflare, cert-manager) or secret manager, not committed to repo

Fail criteria:

  • .env files present on production servers
  • Secrets stored in files on disk (even if "secured")
  • Deployment docs mention copying secret files
  • Application reads secrets from filesystem in production
  • TLS certificates committed to repo or deployed from codebase

Evidence to capture:

  • Presence of secret files in deployment
  • How secrets reach production (injection vs file copy)
  • How TLS certificates are managed (Cloudflare, cert-manager, secret manager)

Section: 29. Secrets Management (Code Quality & Architecture)