Part 7 : Secrets Management — The Right Way to Keep Your Secrets Safe
- Oct 15
- 4 min read
Hey everyone
Let’s talk about one of the most underrated but dangerous parts of automation and DevOps: secrets management.
You might not realize it, but every single system you build — whether it’s an app, CI/CD pipeline, or cloud deployment — has secrets. These are things like API tokens, SSH keys, database passwords, and service credentials that your automation tools, containers, and scripts need to function.
-------------------------------------------------------------------------------------------------------------
Why Secrets Management Matters
In modern DevOps and cloud environments, everything is automated — provisioning, configuration, deployment, and release pipelines. But automation often requires privileged access to services. That means your infrastructure and code are constantly touching credentials and tokens.
So if secrets are hardcoded, exposed in version control, or shared in plain text… well, you’re basically leaving your passwords under the doormat. 🫣
-------------------------------------------------------------------------------------------------------------
How Not to Keep Secrets
Let’s start with what not to do — because this is where many developers slip up.
Keeping Secrets in Code
A lot of people hardcode secrets right into their code because it’s quick and easy. But that’s a huge security risk. Why?
Anyone with access to your repository can read those secrets.
Even if you delete the secret later, it still lives in your version history.
In Git, everyone has a full copy of the repo — including that secret.
Rotating secrets means you have to redeploy the code every time.
Bottom line: never hardcode credentials. Ever.
-------------------------------------------------------------------------------------------------------------
Be Especially Careful with GitHub
GitHub is an amazing place for collaboration — but it’s also a goldmine for attackers searching for exposed secrets.
Tools to Scan for Secrets in Git Repos
Here are some great open-source tools that can help you detect secrets in your repositories:
Gitrob
Scan GitHub repos for sensitive files, credentials, and even things like IPs, domains, and tokens. It maps out all repos under your organization and flags risky content.
truffleHog
Performs deep searches through the entire commit history of a repo, looking for high-entropy strings (which often indicate secrets).
Git-all-secrets
Clones and scans repos using multiple tools (including truffleHog). A great “all-in-one” option.
These tools help you catch exposed secrets before they catch you.
-------------------------------------------------------------------------------------------------------------
Preventing Secrets from Getting Into Code
Detecting secrets is one thing — but wouldn’t it be better if they never made it into your codebase in the first place?
That’s where pre-commit tools come in. They stop you from accidentally committing secrets to your repo.
Here are some popular ones:
git-secrets (by AWS Labs)
Blocks commits that contain secrets. It can be installed locally and even customized with regex patterns.
Talisman (ThoughtWorks)
Hooks into Git’s pre-push process and scans for suspicious content — like private keys or tokens — before allowing a push.
SEDATED (OWASP)
Prevents sensitive data from being pushed to remote Git servers.
Git Hound
Uses regular expressions to detect sensitive data in commits and blocks the push if something looks fishy.
You can also check out the Pre-commit framework, which has a plugin called detect-secrets — easy to integrate with your workflow.
-------------------------------------------------------------------------------------------------------------
Hands-on with Git-Secrets
Let’s look at how to actually use git-secrets, since it’s one of the most popular tools out there.
Step 1: Install git-secrets
Inside your Git repo, run:
git secrets --install
This sets up pre-commit hooks automatically.
You should see:
✓ Installed commit-msg hook
✓ Installed pre-commit hook
✓ Installed prepare-commit-msg hook
Step 2: Register AWS patterns (optional)
If you’re using AWS credentials:
git secrets --register-aws
Step 3: Check what patterns are active
git secrets --list
This lists all the regex patterns it’s scanning for — like AWS access keys or secret keys.
Step 4: Scan your repo
git secrets --scan
If nothing shows up — awesome! It means your repo is clean. 🎉
-------------------------------------------------------------------------------------------------------------
Ansible — Keep It Simple, Keep It Safe
Ansible Vault (official docs) is built right into Ansible (since version 1.5).
It allows you to encrypt sensitive data (like passwords, private keys, and tokens) inside special files called vault files. These can be safely stored in your Git repo or shared between teams — no more plain-text secrets!
To use it:
ansible-vault create secrets.yml
You can then edit, view, or decrypt files with:
ansible-vault edit secrets.yml
ansible-vault view secrets.yml
-------------------------------------------------------------------------------------------------------------
Secret Keepers — Centralized Secrets Management
At some point, you’ll realize: instead of juggling secrets across multiple tools, you need a central place to store, rotate, and control access. That’s where Secret Keepers or Secrets Servers come in.
These are dedicated platforms that:
Store and encrypt secrets centrally
Allow secure API or CLI access
Support rotation, revocation, and auditing
Manage authentication and access policies
Provide high availability and logging
Open-Source Secret Keepers
Tool | Description |
Vault OSS (HashiCorp) | The most widely used open-source secrets manager. Supports dynamic secrets, key rotation, encryption as a service, and integrates with multiple backends (AWS, databases, etc.). |
Conjur OSS (CyberArk) | Open-source enterprise-grade secrets and identity manager. Handles access control and secret retrieval. |
Keywhiz (Square) | Provides secure access to secrets via REST API or FUSE filesystem. Uses mTLS for authentication. |
Confidant (Lyft) | AWS-native secrets manager that stores encrypted data in DynamoDB. |
Knox (Pinterest) | Lightweight, developer-friendly secrets tool written in Go for key creation and rotation. |
Commercial Secrets Management Tools
Tool | Description |
Amazon KMS | Manages encryption keys using dedicated hardware security modules (HSMs). Fully integrated with AWS services. |
Amazon Secrets Manager | Manages secrets like API keys and DB credentials with APIs for rotation and retrieval. |
CyberArk Secrets Manager | Enterprise-grade vaulting solution with AD/LDAP integration and strong auditing. |
Google KMS / Secret Manager | Scalable key and secret management for Google Cloud Platform. Integrated with IAM and audit logging. |
Microsoft Azure Key Vault | Protects keys and secrets using FIPS 140-2 certified HSMs. Integrates with Azure logging and identity services. |
Vault Enterprise (HashiCorp) | Commercial version of Vault with advanced identity management, MFA, replication, and enterprise support. |
-------------------------------------------------------------------------------------------------------------
Wrapping It Up
Secrets management is one of those things that’s boring until it’s not. One small mistake — a single exposed API key — can lead to massive data breaches or unauthorized access.
So, remember:
Never hardcode secrets.
Scan your repos regularly.
Use pre-commit hooks to stop leaks before they happen.
Automate responsibly.
Your code should be powerful — but your secrets should stay silent.
-------------------------------------------------Dean-------------------------------------------------------
Comments