All articles
TIP · 4 min read

Secrets Management Quick Wins

Most breaches I chase start with a leaked credential — committed to git, shipped in a container, or pasted in Slack. These quick wins remove 90% of the exposure.

Scan history, not just HEAD

Run gitleaks/trufflehog against full git history and every container image. Rotate anything that ever existed in a public commit.

Short-lived over long-lived

OIDC federation for CI, IAM Roles Anywhere for workloads, STS for cloud. Long-lived keys belong in a museum.

  • GitHub OIDC → AWS/GCP/Azure
  • Per-job tokens, never repo-wide PATs
  • Auto-expire dev creds in 1 hour

Centralize the vault

One vault, audited access, automatic rotation. Apps fetch at runtime — never bake secrets into images.

Tools mentioned

gitleakstrufflehogVaultAWS Secrets ManagerDoppler
⟩ takeaway

Treat secrets like radioactive material: short half-life, tracked custody, no copies lying around.

⟩ keep reading

Related articles