areas/software/platform/skills/secrets-management/SKILL.md
# Skill: Secrets Management

## When to load

When provisioning a new service, rotating credentials, or setting up CI/CD secrets.

## Secrets Hierarchy

```
Level 1: Static secrets (rotate quarterly)
  → AWS Secrets Manager / HashiCorp Vault
  → Database passwords, API keys for external services

Level 2: Dynamic secrets (auto-expire, 1 hour)
  → Vault dynamic secrets / AWS IAM OIDC roles

Level 3: Runtime injection (never on disk)
  → K8s ExternalSecrets Operator → mounts as env vars
  → Never in container image or Git
```
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: api-secrets   # placeholder name; without spec.target the generated Secret takes this name
spec:
  refreshInterval: 1h   # re-sync from the store hourly (Level 2/3 cadence)
  secretStoreRef: { kind: ClusterSecretStore, name: aws-secretsmanager }
  data:
    - secretKey: DATABASE_URL
      remoteRef: { key: prod/api/database, property: connection_string }
    - secretKey: STRIPE_SECRET_KEY
      remoteRef: { key: prod/api/stripe, property: secret_key }
```
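As an added example (not part of this skill, nor code from the External Secrets Operator project), the following Python linter applies two rules from the hierarchy above to Kubernetes manifests: the Level 3 rule that secret material never lives in Git (no literal `Secret` data, no secret-looking `env[].value` literals) and the ExternalSecret refresh cadence (a `refreshInterval` of at most 1h with a `secretStoreRef`). Manifests are passed in as parsed dicts, exactly as `yaml.safe_load_all` would yield them, so it runs without third-party packages; the sample manifests, the `api-secrets`/`api-legacy` names and the env-name pattern used to spot secret-bearing variables are constructed assumptions.

```python
"""Policy linter for Kubernetes manifests against the secrets hierarchy.

Added example; manifests are already-parsed dicts (what yaml.safe_load_all
returns), so no YAML dependency is needed. The 1h threshold follows the
hierarchy text; the env-name pattern is an assumed naming convention.
"""
import re

MAX_REFRESH_SECONDS = 3600  # ExternalSecret must re-sync at least hourly
# Assumed convention for env vars that carry secret material.
SECRET_ENV_NAME = re.compile(r"(KEY|SECRET|PASSWORD|PASSWD|TOKEN|_URL|DSN)$")
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """Parse a Go-style duration such as '1h', '30m' or '1h30m' into seconds."""
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([smhd])", text):
        if m.start() != pos:  # junk between components
            raise ValueError(f"bad duration: {text!r}")
        total += int(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos != len(text) or total == 0:
        raise ValueError(f"bad duration: {text!r}")
    return total


def _containers(doc: dict):
    """Yield containers from a Pod or from a workload with a pod template."""
    spec = doc.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    yield from pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def lint_manifest(doc: dict) -> list[str]:
    """Return policy findings for one manifest; an empty list means clean."""
    kind = doc.get("kind", "")
    name = doc.get("metadata", {}).get("name", "<unnamed>")
    tag = f"{kind}/{name}"
    findings = []
    if kind == "Secret":
        # Literal data in a committed Secret is exactly what Level 3 forbids.
        if doc.get("data") or doc.get("stringData"):
            findings.append(f"{tag}: literal secret material in a manifest; "
                            "source it from the store via ExternalSecret instead")
    elif kind == "ExternalSecret":
        spec = doc.get("spec", {})
        if "secretStoreRef" not in spec:
            findings.append(f"{tag}: missing spec.secretStoreRef")
        interval = spec.get("refreshInterval")
        if interval is None:
            findings.append(f"{tag}: missing spec.refreshInterval")
        else:
            try:
                if parse_duration(interval) > MAX_REFRESH_SECONDS:
                    findings.append(f"{tag}: refreshInterval {interval} exceeds 1h")
            except ValueError as exc:
                findings.append(f"{tag}: {exc}")
        for entry in spec.get("data", []):
            if not entry.get("remoteRef", {}).get("key"):
                findings.append(f"{tag}: data entry {entry.get('secretKey')} "
                                "has no remoteRef.key")
    else:
        # Workloads: a secret-looking env var must come from a Secret, not a literal.
        for c in _containers(doc):
            for env in c.get("env", []):
                if "value" in env and SECRET_ENV_NAME.search(env.get("name", "")):
                    findings.append(f"{tag}: container {c.get('name')} sets "
                                    f"{env['name']} as a literal; use valueFrom.secretKeyRef")
    return findings


def lint_all(docs) -> list[str]:
    """Lint a multi-document manifest stream, skipping empty documents."""
    return [f for d in docs if d for f in lint_manifest(d)]


# Constructed sample manifests: one compliant ExternalSecret, one committed
# Secret, and a Deployment mixing a literal DATABASE_URL with a proper secretKeyRef.
SAMPLE_MANIFESTS = [
    {"apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
     "metadata": {"name": "api-secrets"},
     "spec": {"refreshInterval": "1h",
              "secretStoreRef": {"kind": "ClusterSecretStore", "name": "aws-secretsmanager"},
              "data": [{"secretKey": "DATABASE_URL",
                        "remoteRef": {"key": "prod/api/database",
                                      "property": "connection_string"}}]}},
    {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "api-legacy"},
     "stringData": {"STRIPE_SECRET_KEY": "sk_placeholder_not_real"}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
     "spec": {"template": {"spec": {"containers": [{"name": "api", "env": [
         {"name": "DATABASE_URL", "value": "postgres://user:placeholder@db/app"},
         {"name": "STRIPE_SECRET_KEY", "valueFrom": {"secretKeyRef": {
             "name": "api-secrets", "key": "STRIPE_SECRET_KEY"}}},
         {"name": "LOG_LEVEL", "value": "info"}]}]}}}},
]

if __name__ == "__main__":
    for finding in lint_all(SAMPLE_MANIFESTS):
        print(finding)
```

Run against the samples it reports the committed `Secret/api-legacy` and the literal `DATABASE_URL` in the Deployment, and passes the ExternalSecret. In a real pipeline the dict list would come from `yaml.safe_load_all` over the rendered manifests, and the linter would run as a pre-merge check so that secret material is caught before it reaches Git or an image.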