SEC-005 recommended Secret Security

Different Secrets Per Environment

Each environment has completely separate credentials - compromising one doesn't expose others

Question to ask

"Would a staging breach give access to production data?"

What to check

  • Environment-specific secret naming in code
  • Deployment configs use different secret sources per env
  • CI/CD has separate secrets per environment
  • Environment detection determines which secrets load

Pass criteria

  • Each environment has its own set of secrets
  • Compromising one environment doesn't expose others
  • Secret manager organized by environment
  • CI/CD uses environment-specific secret contexts

Verification guide

Severity: Recommended

Each environment (dev, staging, prod) should have completely separate credentials. Compromising one environment's secrets should not expose others.

Check automatically:

  1. Check the secret manager is organized by environment (environment-specific secret names in code and IaC):
# Look for env-specific secret naming patterns in code
grep -rE "SECRET.*prod|SECRET.*staging|SECRET.*dev|getSecret.*env|secret.*environment" src/ lib/ app/ 2>/dev/null

# Check for environment prefixes in secret references (e.g. GCP Secret Manager resource names, or per-env path segments)
grep -rE "projects/.*/secrets/prod-|projects/.*/secrets/staging-|/prod/|/staging/|/dev/" src/ lib/ terraform/ 2>/dev/null
  2. Check deployment configs use different secret sources per environment:
# Kubernetes - secrets referenced per namespace/env
grep -rE "secretName:|secretKeyRef:" k8s/ kubernetes/ manifests/ 2>/dev/null

# Environment-specific deployment files
ls -la k8s/prod/ k8s/staging/ k8s/dev/ deploy/prod/ deploy/staging/ 2>/dev/null
ls -la .env.example .env.development .env.staging .env.production 2>/dev/null
  3. Check CI/CD has separate secrets per environment:
# GitHub Actions: jobs bound to an environment get that environment's secrets
grep -rE "environment:" .github/workflows/ 2>/dev/null
grep -rE "secrets\.(PROD_|STAGING_|DEV_)" .github/workflows/ 2>/dev/null
  4. Check that environment detection selects which secrets load:
# Environment variable determines which secrets to load
grep -rE "NODE_ENV|APP_ENV|ENVIRONMENT" src/config* lib/config* app/config* 2>/dev/null

Ask user:

  • "Do dev, staging, and prod use completely separate credentials?"
  • "If staging DB password leaked, would prod be compromised?"
  • "How are environment-specific secrets organized in your secret manager?"

Cross-reference with:

  • SEC-001 (secret manager)
  • ENV-001 (environment tiers)
  • ENV-003 (staging requirements)

Pass criteria:

  • Each environment (dev, staging, prod) has its own set of secrets
  • Compromising one environment's secrets doesn't expose others
  • Secret manager organized by environment (folders, prefixes, or separate projects)
  • CI/CD uses environment-specific secret contexts

Fail criteria:

  • Same database credentials across environments
  • Same API keys shared between staging and prod
  • No environment separation in secret manager
  • "We just use the same secrets everywhere"

Evidence to capture:

  • How environments are separated in secret manager
  • Whether credentials are truly isolated per environment
  • Any shared secrets (and justification if intentional)

Section

29. Secrets Management

Code Quality & Architecture