[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-0458dfaf-553c-42dc-8412-8530fff4d665":3,"$f5BSgNT3ZEjDAUzqtfRmT7I1lqTRwmxB_iuSux0vALn0":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"0458dfaf-553c-42dc-8412-8530fff4d665","env-secrets-manager","管理本地开发和生产中的环境变量卫生和秘密安全。实用审计、漂移意识、轮换准备。在审计提交的秘密的.env文件、计划凭证轮换、调试缺失环境变量的生产事件或加强新项目对秘密泄露的防护时使用。","cat_life_career","mod_other","alirezarezvani,other","---\nname: \"env-secrets-manager\"\ndescription: \"Manage environment-variable hygiene and secrets safety across local development and production. Practical auditing, drift awareness, rotation readiness. Use when auditing .env files for committed secrets, planning a credential rotation, debugging missing-env-var production incidents, or hardening a new project against secrets leakage.\"\n---\n\n# Env & Secrets Manager\n\n**Tier:** POWERFUL\n**Category:** Engineering\n**Domain:** Security \u002F DevOps \u002F Configuration Management\n\n---\n\n## Overview\n\nManage environment-variable hygiene and secrets safety across local development and production workflows. This skill focuses on practical auditing, drift awareness, and rotation readiness.\n\n## Core Capabilities\n\n- `.env` and `.env.example` lifecycle guidance\n- Secret leak detection for repository working trees\n- Severity-based findings for likely credentials\n- Operational pointers for rotation and containment\n- Integration-ready outputs for CI checks\n\n---\n\n## When to Use\n\n- Before pushing commits that touched env\u002Fconfig files\n- During security audits and incident triage\n- When onboarding contributors who need safe env conventions\n- When validating that no obvious secrets are hardcoded\n\n---\n\n## Quick Start\n\n```bash\n# Scan a repository for likely secret leaks\npython3 scripts\u002Fenv_auditor.py \u002Fpath\u002Fto\u002Frepo\n\n# JSON output for CI pipelines\npython3 scripts\u002Fenv_auditor.py \u002Fpath\u002Fto\u002Frepo --json\n```\n\n---\n\n## Recommended Workflow\n\n1. Run `scripts\u002Fenv_auditor.py` on the repository root.\n2. Prioritize `critical` and `high` findings first.\n3. Rotate real credentials and remove exposed values.\n4. Update `.env.example` and `.gitignore` as needed.\n5. Add or tighten pre-commit\u002FCI secret scanning gates.\n\n---\n\n## Reference Docs\n\n- `references\u002Fvalidation-detection-rotation.md`\n- `references\u002Fsecret-patterns.md`\n\n---\n\n## Common Pitfalls\n\n- Committing real values in `.env.example`\n- Rotating one system but missing downstream consumers\n- Logging secrets during debugging or incident response\n- Treating suspected leaks as low urgency without validation\n\n## Best Practices\n\n1. Use a secret manager as the production source of truth.\n2. Keep dev env files local and gitignored.\n3. Enforce detection in CI before merge.\n4. Re-test application paths immediately after credential rotation.\n\n---\n\n## Cloud Secret Store Integration\n\nProduction applications should never read secrets from `.env` files or environment variables baked into container images. Use a dedicated secret store instead.\n\n### Provider Comparison\n\n| Provider | Best For | Key Feature |\n|----------|----------|-------------|\n| **HashiCorp Vault** | Multi-cloud \u002F hybrid | Dynamic secrets, policy engine, pluggable backends |\n| **AWS Secrets Manager** | AWS-native workloads | Native Lambda\u002FECS\u002FEKS integration, automatic RDS rotation |\n| **Azure Key Vault** | Azure-native workloads | Managed HSM, Azure AD RBAC, certificate management |\n| **GCP Secret Manager** | GCP-native workloads | IAM-based access, automatic replication, versioning |\n\n### Selection Guidance\n\n- **Single cloud provider** — use the cloud-native secret manager. It integrates tightly with IAM, reduces operational overhead, and costs less than self-hosting.\n- **Multi-cloud or hybrid** — use HashiCorp Vault. It provides a uniform API across environments and supports dynamic secret generation (database credentials, cloud IAM keys) that expire automatically.\n- **Kubernetes-heavy** — combine External Secrets Operator with any backend above to sync secrets into K8s `Secret` objects without hardcoding.\n\n### Application Access Patterns\n\n1. **SDK\u002FAPI pull** — application fetches secret at startup or on-demand via provider SDK.\n2. **Sidecar injection** — a sidecar container (e.g., Vault Agent) writes secrets to a shared volume or injects them as environment variables.\n3. **Init container** — a Kubernetes init container fetches secrets before the main container starts.\n4. **CSI driver** — secrets mount as a filesystem volume via the Secrets Store CSI Driver.\n\n> **Cross-reference:** See `engineering\u002Fsecrets-vault-manager` for production vault infrastructure patterns, HA deployment, and disaster recovery procedures.\n\n---\n\n## Secret Rotation Workflow\n\nStale secrets are a liability. Rotation ensures that even if a credential leaks, its useful lifetime is bounded.\n\n### Phase 1: Detection\n\n- Track secret creation and expiry dates in your secret store metadata.\n- Set alerts at 30, 14, and 7 days before expiry.\n- Use `scripts\u002Fenv_auditor.py` to flag secrets with no recorded rotation date.\n\n### Phase 2: Rotation\n\n1. **Generate** a new credential (API key, database password, certificate).\n2. **Deploy** the new credential to all consumers (apps, services, pipelines) in parallel.\n3. **Verify** each consumer can authenticate using the new credential.\n4. **Revoke** the old credential only after all consumers are confirmed healthy.\n5. **Update** metadata with the new rotation timestamp and next rotation date.\n\n### Phase 3: Automation\n\n- **AWS Secrets Manager** — use built-in Lambda-based rotation for RDS, Redshift, and DocumentDB.\n- **HashiCorp Vault** — configure dynamic secrets with TTLs; credentials are generated on-demand and auto-expire.\n- **Azure Key Vault** — use Event Grid notifications to trigger rotation functions.\n- **GCP Secret Manager** — use Pub\u002FSub notifications tied to Cloud Functions for rotation logic.\n\n### Emergency Rotation Checklist\n\nWhen a secret is confirmed leaked:\n\n1. **Immediately revoke** the compromised credential at the provider level.\n2. Generate and deploy a replacement credential to all consumers.\n3. Audit access logs for unauthorized usage during the exposure window.\n4. Scan git history, CI logs, and artifact registries for the leaked value.\n5. File an incident report documenting scope, timeline, and remediation steps.\n6. Review and tighten detection controls to prevent recurrence.\n\n---\n\n## CI\u002FCD Secret Injection\n\nSecrets in CI\u002FCD pipelines require careful handling to avoid exposure in logs, artifacts, or pull request contexts.\n\n### GitHub Actions\n\n- Use **repository secrets** or **environment secrets** via `${{ secrets.SECRET_NAME }}`.\n- Prefer **OIDC federation** (`aws-actions\u002Fconfigure-aws-credentials` with `role-to-assume`) over long-lived access keys.\n- Environment secrets with required reviewers add approval gates for production deployments.\n- GitHub automatically masks secrets in logs, but avoid `echo` or `toJSON()` on secret values.\n\n### GitLab CI\n\n- Store secrets as **CI\u002FCD variables** with the `masked` and `protected` flags enabled.\n- Use **HashiCorp Vault integration** (`secrets:vault`) for dynamic secret injection without storing values in GitLab.\n- Scope variables to specific environments (`production`, `staging`) to enforce least privilege.\n\n### Universal Patterns\n\n- **Never echo or print** secret values in pipeline output, even for debugging.\n- **Use short-lived tokens** (OIDC, STS AssumeRole) instead of static credentials wherever possible.\n- **Restrict PR access** — do not expose secrets to pipelines triggered by forks or untrusted branches.\n- **Rotate CI secrets** on the same schedule as application secrets; pipeline credentials are attack vectors too.\n- **Audit pipeline logs** periodically for accidental secret exposure that masking may have missed.\n\n---\n\n## Pre-Commit Secret Detection\n\nCatching secrets before they reach version control is the most cost-effective defense. Two leading tools cover this space.\n\n### gitleaks\n\n```toml\n# .gitleaks.toml — minimal configuration\n[extend]\nuseDefault = true\n\n[[rules]]\nid = \"custom-internal-token\"\ndescription = \"Internal service token pattern\"\nregex = '''INTERNAL_TOKEN_[A-Za-z0-9]{32}'''\nsecretGroup = 0\n```\n\n- Install: `brew install gitleaks` or download from GitHub releases.\n- Pre-commit hook: `gitleaks git --pre-commit --staged`\n- Baseline scanning: `gitleaks detect --source . --report-path gitleaks-report.json`\n- Manage false positives in `.gitleaksignore` (one fingerprint per line).\n\n### detect-secrets\n\n```bash\n# Generate baseline\ndetect-secrets scan --all-files > .secrets.baseline\n\n# Pre-commit hook (via pre-commit framework)\n# .pre-commit-config.yaml\nrepos:\n  - repo: https:\u002F\u002Fgithub.com\u002FYelp\u002Fdetect-secrets\n    rev: v1.5.0\n    hooks:\n      - id: detect-secrets\n        args: ['--baseline', '.secrets.baseline']\n```\n\n- Supports **custom plugins** for organization-specific patterns.\n- Audit workflow: `detect-secrets audit .secrets.baseline` interactively marks true\u002Ffalse positives.\n\n### False Positive Management\n\n- Maintain `.gitleaksignore` or `.secrets.baseline` in version control so the whole team shares exclusions.\n- Review false positive lists during security audits — patterns may mask real leaks over time.\n- Prefer tightening regex patterns over broadly ignoring files.\n\n---\n\n## Audit Logging\n\nKnowing who accessed which secret and when is critical for incident investigation and compliance.\n\n### Cloud-Native Audit Trails\n\n| Provider | Service | What It Captures |\n|----------|---------|-----------------|\n| **AWS** | CloudTrail | Every `GetSecretValue`, `DescribeSecret`, `RotateSecret` API call |\n| **Azure** | Activity Log + Diagnostic Logs | Key Vault access events, including caller identity and IP |\n| **GCP** | Cloud Audit Logs | Data access logs for Secret Manager with principal and timestamp |\n| **Vault** | Audit Backend | Full request\u002Fresponse logging (file, syslog, or socket backend) |\n\n### Alerting Strategy\n\n- Alert on **access from unknown IP ranges** or service accounts outside the expected set.\n- Alert on **bulk secret reads** (more than N secrets accessed within a time window).\n- Alert on **access outside deployment windows** when no CI\u002FCD pipeline is running.\n- Feed audit logs into your SIEM (Splunk, Datadog, Elastic) for correlation with other security events.\n- Review audit logs quarterly as part of access recertification.\n\n---\n\n## Cross-References\n\nThis skill covers env hygiene and secret detection. For deeper coverage of related domains, see:\n\n| Skill | Path | Relationship |\n|-------|------|-------------|\n| **Secrets Vault Manager** | `engineering\u002Fsecrets-vault-manager` | Production vault infrastructure, HA deployment, DR |\n| **Senior SecOps** | `engineering\u002Fsenior-secops` | Security operations perspective, incident response |\n| **CI\u002FCD Pipeline Builder** | `engineering\u002Fci-cd-pipeline-builder` | Pipeline architecture, secret injection patterns |\n| **Infrastructure as Code** | `engineering\u002Finfrastructure-as-code` | Terraform\u002FPulumi secret backend configuration |\n| **Container Orchestration** | `engineering\u002Fcontainer-orchestration` | Kubernetes secret mounting, sealed secrets |\n","","imported","https:\u002F\u002Fgithub.com\u002Falirezarezvani\u002Fclaude-skills","user_system_seed","SkillOPIC",true,199,2016,"2026-05-16 13:53:46",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"其他","other","mdi-page-next-outline","其他类型Skill",5,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"职场发展","career","mdi-briefcase-outline","面试准备、简历优化、职业规划",4,575,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"730d0d3a-f57b-4f74-8166-2553039f3f1c","1.0.0","env-secrets-manager.zip",11620,"uploads\u002Fskills\u002F0458dfaf-553c-42dc-8412-8530fff4d665\u002Fenv-secrets-manager.zip","3f5ff48ea05405df9a6dd924485a51a76a1713b1d6cc2da6b5b26c84a5234550","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":10700},{\"path\":\"references\u002Fsecret-patterns.md\",\"isDirectory\":false,\"size\":1140},{\"path\":\"references\u002Fvalidation-detection-rotation.md\",\"isDirectory\":false,\"size\":9457},{\"path\":\"scripts\u002Fenv_auditor.py\",\"isDirectory\":false,\"size\":4482}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]