.agents/skills/patricio0312rev-ci-cd-secrets/SKILL.md
Validates environment variables in CI, prevents secret leaks, enforces masking, and provides fail-fast validation with clear documentation. Use for "secrets management", "env var validation", "credential security", or "secret masking".
```shell
npx skillsauth add kissrosecicd-hub/agents-evolution secrets-env-manager
```

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Secure secrets handling and environment variable validation in CI/CD.
```yaml
jobs:
  validate-env:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate required environment variables
        run: |
          REQUIRED_VARS=(
            "DATABASE_URL"
            "API_KEY"
            "AWS_REGION"
            "STRIPE_SECRET_KEY"
          )
          MISSING=()
          # Indirect expansion (${!var}) reads the variable named by $var
          for var in "${REQUIRED_VARS[@]}"; do
            if [ -z "${!var}" ]; then
              MISSING+=("$var")
            fi
          done
          # Report every missing variable at once, then fail the job
          if [ ${#MISSING[@]} -ne 0 ]; then
            echo "❌ Missing required environment variables:"
            printf '%s\n' "${MISSING[@]}"
            exit 1
          fi
          echo "✅ All required environment variables are set"
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          API_KEY: ${{ secrets.API_KEY }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
          STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
      - name: Mask sensitive values
        run: |
          # Values referenced via ${{ secrets.* }} are masked in the log automatically;
          # ::add-mask:: registers additional values (e.g. ones derived at runtime)
          # so that they are redacted too
          echo "::add-mask::${{ secrets.API_KEY }}"
          echo "::add-mask::${{ secrets.DATABASE_PASSWORD }}"
          # Safe to use in commands
          curl -H "Authorization: Bearer ${{ secrets.API_KEY }}" https://api.example.com
      - name: Check for leaked secrets
        # Pinning actions to a commit SHA instead of a branch is preferable for supply-chain hygiene
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
      - name: Detect hardcoded secrets
        uses: reviewdog/action-detect-secrets@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          reporter: github-pr-review
  deploy:
    needs: validate-env   # fail fast: never deploy when validation did not pass
    runs-on: ubuntu-latest
    environment:
      name: ${{ github.event.inputs.environment }}
    steps:
      - name: Deploy
        run: |
          # Environment-specific secrets are automatically scoped
          echo "Deploying to ${{ github.event.inputs.environment }}"
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          API_KEY: ${{ secrets.API_KEY }}
```
```typescript
// scripts/validate-env.ts
interface EnvConfig {
  required: string[];
  optional: string[];
}

const config: EnvConfig = {
  required: ["DATABASE_URL", "JWT_SECRET", "STRIPE_SECRET_KEY"],
  optional: ["SENTRY_DSN", "LOG_LEVEL"],
};

// Collect every missing variable before failing, so a single CI run shows the full list.
function validateEnv(): boolean {
  const missing: string[] = [];
  config.required.forEach((key) => {
    if (!process.env[key]) {
      missing.push(key);
    }
  });
  // Optional variables only warn; their defaults are documented alongside the variables.
  config.optional
    .filter((key) => !process.env[key])
    .forEach((key) => console.warn(`⚠️ Optional variable not set, default will be used: ${key}`));
  if (missing.length > 0) {
    console.error("❌ Missing required environment variables:");
    missing.forEach((key) => console.error(` - ${key}`));
    return false;
  }
  console.log("✅ All required environment variables are set");
  return true;
}

if (!validateEnv()) {
  process.exit(1);
}
```
```dotenv
# .env.example - Check into git
# Copy to .env and fill in values

# Database
DATABASE_URL=postgresql://user:password@localhost:5432/mydb

# Authentication
JWT_SECRET=your-secret-here
JWT_EXPIRY=24h

# External APIs
STRIPE_SECRET_KEY=sk_test_...
SENDGRID_API_KEY=SG....

# AWS
AWS_ACCESS_KEY_ID=AKIA...
AWS_SECRET_ACCESS_KEY=...
AWS_REGION=us-east-1

# Optional
SENTRY_DSN=https://...
LOG_LEVEL=info
```
```markdown
# Environment Variables

## Required Variables

### DATABASE_URL
**Description:** PostgreSQL connection string
**Format:** `postgresql://user:password@host:5432/database`
**Example:** `postgresql://app:secret@localhost:5432/myapp`
**Where to get:** Create database on Heroku/RDS

### STRIPE_SECRET_KEY
**Description:** Stripe API secret key
**Format:** `sk_test_...` or `sk_live_...`
**Example:** `sk_test_51abc123...`
**Where to get:** Stripe Dashboard → Developers → API Keys
**⚠️ Never commit to git**

## Optional Variables

### LOG_LEVEL
**Description:** Logging verbosity
**Format:** `error | warn | info | debug`
**Default:** `info`
```
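As an added example (not part of the skill's own code), the `validate-env.ts` idea extended to check each value against the format documented for it and to reject values left at their `.env.example` placeholders, then report failures with the secret redacted. The regexes, the placeholder heuristics and the sample `.env` contents are assumptions made here.

```typescript
// Added example, not the skill's own code: format-aware validation with a redacted report.
// The rules mirror the variable docs above; the regexes are illustrative assumptions.
interface Rule { required: boolean; hint: string; pattern: RegExp }
const RULES: Record<string, Rule> = {
  DATABASE_URL: { required: true, hint: "postgresql://user:password@host:5432/database",
    pattern: /^postgres(ql)?:\/\/[^:\s]+:[^@\s]+@[^\/\s]+\/\S+$/ },
  JWT_SECRET: { required: true, hint: "at least 32 characters", pattern: /^.{32,}$/ },
  STRIPE_SECRET_KEY: { required: true, hint: "sk_test_... or sk_live_...",
    pattern: /^sk_(test|live)_[A-Za-z0-9]{8,}$/ },
  LOG_LEVEL: { required: false, hint: "error | warn | info | debug", pattern: /^(error|warn|info|debug)$/ },
};
// Values copied verbatim from .env.example ("your-secret-here", "sk_test_...") must fail fast.
function isPlaceholder(value: string): boolean {
  return value === "your-secret-here" || value.endsWith("...") || /x{3,}|changeme/i.test(value);
}
interface Report { missing: string[]; placeholder: string[]; invalid: string[]; ok: boolean }
function validateEnvStrict(env: Record<string, string | undefined>): Report {
  const r: Report = { missing: [], placeholder: [], invalid: [], ok: true };
  for (const name of Object.keys(RULES)) {
    const rule = RULES[name];
    const value = env[name];
    if (value === undefined || value === "") {
      if (rule.required) r.missing.push(name); // optional variables may be absent
    } else if (isPlaceholder(value)) {
      r.placeholder.push(name);
    } else if (!rule.pattern.test(value)) {
      r.invalid.push(name);
    }
  }
  r.ok = r.missing.length + r.placeholder.length + r.invalid.length === 0;
  return r;
}
// Never echo a secret into CI logs: keep a connection string minus its password and
// reduce anything else to its length, which is still enough to diagnose a format problem.
function redact(value: string): string {
  const masked = value.replace(/(:\/\/[^:@\/\s]+:)[^@\s]+@/, "$1***@");
  return masked !== value ? masked : `****(${value.length} chars)`;
}
// Constructed sample: a .env that was only half filled in from .env.example.
const SAMPLE_ENV: Record<string, string | undefined> = {
  DATABASE_URL: "postgresql://app:secret@localhost:5432/myapp",
  JWT_SECRET: "your-secret-here",              // placeholder left in place
  STRIPE_SECRET_KEY: "pk_test_51abc123def456", // publishable key pasted by mistake
  LOG_LEVEL: "verbose",                        // not a documented level
};
const sampleReport = validateEnvStrict(SAMPLE_ENV);
for (const name of sampleReport.invalid) {
  console.error(`❌ ${name}=${redact(SAMPLE_ENV[name] ?? "")} (expected ${RULES[name].hint})`);
}
console.log(sampleReport.ok ? "✅ env OK" : `missing=[${sampleReport.missing}] placeholder=[${sampleReport.placeholder}]`);
```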
```yaml
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate secrets exist
        # The expressions are substituted before the shell runs, so an unset secret
        # expands to an empty string; passing secrets via env: (as above) avoids
        # shell-quoting surprises for values containing quotes
        run: |
          if [ -z "${{ secrets.DATABASE_URL }}" ]; then
            echo "::error::DATABASE_URL secret not set"
            exit 1
          fi
          if [ -z "${{ secrets.API_KEY }}" ]; then
            echo "::error::API_KEY secret not set"
            exit 1
          fi
  deploy:
    needs: validate
    runs-on: ubuntu-latest
    steps:
      - name: Deploy
        run: echo "Deploying..."
```