authegg/secrets-management
skills/secrets-management/SKILL.md
Enforce secrets management best practices for containers and cloud-native applications. Use when configuring environment variables, Docker secrets, Kubernetes secrets, Vault integration, AWS SSM/Secrets Manager, or any credential handling in Dockerfiles, compose files, Kubernetes manifests, or CI pipelines. Activates on keywords like "secrets", "credentials", "API key", "password", "environment variables", ".env file", "Vault", "sealed secrets", or "secret manager".
$ install --global
skillsauthnpx skillsauth add authegg/agent-skills secrets-managementInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 11:51 AM10.2s2 files scanned
SKILL.md
- name:
- secrets-management
- description:
- Enforce secrets management best practices for containers and cloud-native applications. Use when configuring environment variables, Docker secrets, Kubernetes secrets, Vault integration, AWS SSM/Secrets Manager, or any credential handling in Dockerfiles, compose files, Kubernetes manifests, or CI pipelines. Activates on keywords like "secrets", "credentials", "API key", "password", "environment variables", ".env file", "Vault", "sealed secrets", or "secret manager".
- allowed-tools:
- Read, Grep, Glob, Bash, Edit, Write
Secrets Management
Enforce secure secrets handling across Docker, Kubernetes, and CI/CD environments. Prevent credential leaks at every stage of the container lifecycle.
When to Use
- Configuring environment variables in Dockerfiles or compose files
- Setting up Kubernetes Secrets or external secret operators
- Integrating with HashiCorp Vault, AWS Secrets Manager, or similar
- Reviewing code for hardcoded credentials
- Setting up CI/CD pipeline secrets
- When the user mentions "API key", "password", "token", "credentials", ".env", or "secrets"
Cardinal Rules
- NEVER put secrets in Dockerfiles (ENV, ARG, or COPY)
- NEVER commit secrets to version control
- NEVER pass secrets via command-line arguments (visible in process lists)
- NEVER log secrets — scrub them from output
- ALWAYS rotate secrets regularly
- ALWAYS use the principle of least privilege for secret access
Where Secrets Should NOT Be
Dockerfiles — NEVER do this
# ❌ ALL of these are wrong
ENV DATABASE_URL=postgres://user:password@host/db
ARG API_KEY=sk-abc123
COPY .env /app/.env
RUN echo "password" > /app/config
docker-compose — NEVER do this
# ❌ Wrong
services:
app:
environment:
- DB_PASSWORD=mysecretpassword
- API_KEY=sk-abc123
Kubernetes — NEVER do this
# ❌ Wrong — plaintext in manifest
env:
- name: DB_PASSWORD
value: "mysecretpassword"
Where Secrets SHOULD Be
Docker — BuildKit Secret Mounts
For build-time secrets (e.g., private npm tokens):
# ✅ Secret never persists in image layers
RUN --mount=type=secret,id=npm_token \
NPM_TOKEN=$(cat /run/secrets/npm_token) \
npm ci
Build command:
docker build --secret id=npm_token,src=.npm_token .
Docker Compose — External Secrets
# ✅ Secrets from files, not inline
services:
app:
secrets:
- db_password
environment:
- DB_PASSWORD_FILE=/run/secrets/db_password
secrets:
db_password:
file: ./secrets/db_password.txt # gitignored
Docker Swarm — Native Secrets
# Create secret
echo "mysecret" | docker secret create db_password -
# Reference in stack
services:
app:
secrets:
- db_password
secrets:
db_password:
external: true
Kubernetes — Secrets + External Operators
Basic (acceptable for non-production):
apiVersion: v1
kind: Secret
metadata:
name: app-secrets
type: Opaque
stringData:
DB_PASSWORD: "value" # Encrypt at rest in etcd
Mount as volume (preferred over env vars):
volumeMounts:
- name: secrets
mountPath: /etc/secrets
readOnly: true
volumes:
- name: secrets
secret:
secretName: app-secrets
Production — use an external operator:
- ExternalSecrets Operator: Syncs from AWS/GCP/Azure/Vault
- SealedSecrets: Encrypt secrets for safe git storage
- Vault Secrets Operator: Direct HashiCorp Vault integration
CI/CD — Pipeline Secrets
# GitHub Actions — use encrypted secrets
env:
DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
# NEVER echo or log secrets
- run: |
# ✅ Mask the secret
echo "::add-mask::$DB_PASSWORD"
Secret Detection in CI
Add to every pipeline:
# Trivy secret scan
trivy fs --scanners secret --exit-code 1 .
# git-secrets (AWS-focused)
git secrets --scan
# Gitleaks
gitleaks detect --source . --verbose
.gitignore Essentials
Every project must exclude:
.env
.env.*
*.secret
*.pem
*.key
*.p12
*.pfx
secrets/
credentials/
Secrets Rotation Checklist
- [ ] All secrets have an expiration policy
- [ ] Rotation can happen without downtime
- [ ] Old secrets are revoked after rotation
- [ ] Rotation is automated where possible
- [ ] Rotation events are logged and auditable
References
references/secrets-checklist.md— Full review checklist
Related Skills
authegg/kubernetes-pod-security
testing
VerifiedTrustedCommunity
Enforce Kubernetes pod and workload security best practices. Use when creating or editing Kubernetes manifests, Helm charts, or Kustomize overlays involving pods, deployments, statefulsets, daemonsets, jobs, or cronjobs. Covers Pod Security Standards (Restricted), SecurityContext hardening, RBAC least privilege, network policies, resource quotas, and admission control. Activates on keywords like "pod security", "K8s manifest", "deployment.yaml", "Helm chart", "securityContext", or "RBAC".
3SKILL.mdUpdated Apr 3, 2026
authegg/docker-security-hardening
development
VerifiedTrustedCommunity
Enforce Docker container security best practices during development. Use when creating or editing Dockerfiles, docker-compose files, Kubernetes manifests, or CI/CD pipelines involving containers. Covers non-root users, slim base images, multi-stage builds, CVE scanning with Trivy, secrets management, capability dropping, network isolation, SBOM generation, and production readiness gates. Activates on keywords like "Dockerfile", "docker-compose", "container security", "image hardening", "Docker deploy", or "production readiness".
3SKILL.mdUpdated Apr 3, 2026
authegg/ci-security-pipeline
development
VerifiedTrustedCommunity
Generate and enforce security scanning stages in CI/CD pipelines. Use when creating or editing GitHub Actions workflows, GitLab CI, CircleCI, Jenkins, or any CI pipeline that builds Docker images or deploys containers. Covers Dockerfile linting with Hadolint, CVE scanning with Trivy, secret detection, SBOM generation, image signing, and deployment gates. Activates on keywords like "CI pipeline", "GitHub Actions", "security scanning", "Trivy", "Hadolint", "SBOM", or "deploy gate".
3SKILL.mdUpdated Apr 3, 2026
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026