Secrets Management

Problem We're Solving

Secrets in code: Credentials, API keys, and passwords accidentally committed to Git, leading to security risks and potential breaches.

Solution

Layered secrets management, with the storage tool chosen by context, plus automated scanning so that secrets never reach Git in the first place.

The Golden Rules

  1. NEVER commit secrets to Git - not even in private repos
  2. Use the right tool for the context - Ansible Vault for infrastructure, GitHub Secrets for CI/CD
  3. Automate detection - Pre-commit hooks and CI scans catch mistakes
  4. Rotate immediately if exposed - Assume compromised, rotate within 1 hour
  5. Document where secrets live - Team members should know where to find them

Secrets by Context

| Context | Tool | When to Use |
|---|---|---|
| Ansible/Infrastructure | Ansible Vault | Server config, deployment credentials |
| GitHub Actions/CI | GitHub Secrets | CI/CD pipelines, automated deployments |
| Docker Containers | Docker Secrets | Runtime application secrets |
| Local Development | .env files (gitignored) | Developer machine testing |
| Application Runtime | Environment variables | Production app configuration |

Defense Layers

Layer 1: Prevention (Pre-Commit)

# Pre-commit hook runs locally
- gitleaks (secret detection)
- Custom patterns for your org

Result: Blocks commit if secrets detected

Layer 2: Detection (CI)

# GitHub Actions runs on every PR
- Secret scanning
- Dependency vulnerability scan

Result: Blocks PR merge if secrets found
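The following script is an added example covering both Layer 1 and Layer 2, not the project's own hook or pipeline code. It implements the "custom patterns for your org" part as a small POSIX sh gate: as `.git/hooks/pre-commit` it scans the staged blobs and blocks the commit, and in CI its `scan_tracked` function scans every tracked file so a non-zero exit fails the PR job. The patterns are constructed placeholders (an AWS access key ID shape, PEM private key headers, and a password/secret/api_key assigned a quoted literal) that an org would replace with its own formats; gitleaks is optional and only invoked when it is installed.

```shell
#!/bin/sh
# Added example: a custom secret gate usable as a local pre-commit hook (Layer 1)
# and as a CI step (Layer 2). Not the page's own tooling. Assumes POSIX sh, grep -E
# and git; gitleaks is optional and only invoked when it is installed.

# Org-specific patterns (constructed placeholders; replace with your own key formats):
#   - AWS access key ID shape
#   - PEM private key headers
#   - password/secret/api_key assigned a quoted literal of 8+ characters
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|passwd|secret|api[_-]?key)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"

# scan_text_for_secrets FILE
# Returns 1 if any line of FILE matches a pattern, 0 otherwise. Only the file
# name and line number are reported, so the hook output never echoes the secret.
# -I skips binary files, which would otherwise produce a bogus "line number".
scan_text_for_secrets() {
    file="$1"
    hits=$(grep -nEiI "$SECRET_PATTERNS" "$file" 2>/dev/null | cut -d: -f1)
    [ -z "$hits" ] && return 0
    for n in $hits; do
        echo "possible secret in $file:$n (content redacted)" >&2
    done
    return 1
}

# scan_staged (Layer 1): inspect the staged blobs, not the working-tree copies,
# so a file edited after `git add` is judged on what would actually be committed.
# Paths containing whitespace are not handled by this simple loop.
scan_staged() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        tmp=$(mktemp)
        git show ":$f" > "$tmp"
        scan_text_for_secrets "$tmp" || { echo "  (staged file: $f)" >&2; status=1; }
        rm -f "$tmp"
    done
    # Optional second opinion from gitleaks when it is installed locally.
    if command -v gitleaks >/dev/null 2>&1; then
        gitleaks protect --staged --redact || status=1
    fi
    return $status
}

# scan_tracked (Layer 2): scan every tracked file of the checkout. Run this in the
# PR pipeline and fail the job on a non-zero exit so the merge is blocked.
scan_tracked() {
    status=0
    for f in $(git ls-files); do
        scan_text_for_secrets "$f" || status=1
    done
    return $status
}

# Behave as a hook only when git invokes us as .git/hooks/pre-commit; otherwise the
# functions can be sourced (`. ./secret-gate.sh`) and called individually.
case "${0##*/}" in
    pre-commit)
        scan_staged || { echo "commit blocked: move the value to Ansible Vault or GitHub Secrets" >&2; exit 1; } ;;
esac
```

The gate reports only locations, never matched content, so a blocked commit does not copy the secret into terminal scrollback or CI logs. The quoted-literal requirement keeps `password = os.environ["DB_PASSWORD"]` (a correct use of injected configuration) from tripping the hook while `db_password = "..."` does.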

Layer 3: Monitoring (GitHub)

# GitHub Advanced Security
- Automatic secret scanning
- Partner token revocation (AWS, DigitalOcean)

Result: Alerts to #security channel

Layer 4: Audit (Regular Reviews)

# Manual verification
- Monthly secret audit
- Quarterly rotation checks

Result: Find and rotate stale secrets

Quick Reference

Storing Secrets

Need to store a database password for production? → Use Ansible Vault

Need an API key for CI/CD deployment? → Use GitHub Secrets

Need secrets in a Docker container? → Use Docker Secrets (deployed via Ansible)

Developer needs to test locally? → Use .env file (add to .gitignore)

Finding Secrets

Where is the production DB password? → infrastructure/inventory/production/group_vars/all/vault.yml

Where are the CI/CD secrets? → GitHub repo Settings → Secrets

How do I access secrets in production? → They're injected as environment variables (see runbook)

Detailed Guides

Emergency: Secret Exposed

If you accidentally commit a secret:

  1. DO NOT just delete it from the next commit (it's still in Git history)
  2. IMMEDIATELY rotate the secret:
    • Change the password/key at the source
    • Update in Ansible Vault / GitHub Secrets
  3. Report in #security Rocket.Chat channel
  4. Clean history (if needed):
    # Use git-filter-repo to remove from history
    git filter-repo --path-glob '**/.env' --invert-paths
  5. Document in incident report

Runbook: Leaked Secret Response
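Step 1 above is the one people get wrong: deleting the value in the next commit leaves it in every earlier commit. The script below is an added example, not part of the runbook, for confirming after the history rewrite in step 4 that the leaked value is gone from every commit reachable from any ref. It assumes git is on PATH and that the check runs in a clone with all refs fetched; the value is read from a file rather than passed as an argument so it does not land in shell history or `ps` output.

```shell
#!/bin/sh
# Added example: verify that a leaked value is really gone from Git history after
# the history rewrite, rather than trusting that a later commit removed it. Not the
# page's own runbook code. Assumes git is on PATH and a clone with all refs fetched
# (a partial or shallow clone can hide commits).

# commits_containing REPO_DIR NEEDLE_FILE
# Prints every commit reachable from any ref (branches, tags, remotes) whose tree
# contains the literal value stored in NEEDLE_FILE; empty output means clean.
commits_containing() {
    repo="$1"
    needle=$(cat "$2")
    git -C "$repo" rev-list --all | while IFS= read -r commit; do
        # -F: literal match, so characters like '$' or '.' in the value are not regex.
        if git -C "$repo" grep -q -F -e "$needle" "$commit" -- . 2>/dev/null; then
            echo "$commit"
        fi
    done
}

# history_is_clean REPO_DIR NEEDLE_FILE
# Exit 0 if no reachable commit contains the value, 1 otherwise.
history_is_clean() {
    [ -z "$(commits_containing "$1" "$2")" ]
}

# Typical use after `git filter-repo`:
#   1. Put the leaked value into a temporary file with an editor (not via the
#      command line, so it stays out of shell history).
#   2. history_is_clean /path/to/repo /path/to/needle && echo "history clean"
#   3. Delete the needle file.
# Objects referenced only by the reflog or a stash are not reachable via --all;
# expire the reflog and run git gc before treating the result as final, and
# remember that every existing clone and fork still carries the old history.
```

The check complements rotation, it does not replace it: the value must be treated as compromised from the moment it was pushed, whatever this script later reports.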

Metrics

We track:

  • Number of secrets detected by pre-commit hooks (target: 0)
  • Number of secrets caught in CI (target: 0)
  • Time to rotate exposed secrets (target: < 1 hour)
  • % of secrets rotated in last 90 days (target: > 90%)

Dashboard: (link to monitoring)